Blocky teaches us not to reuse our credentials everywhere. It begins with a simple enumeration. Then we have to decompile some jars. Finally, it ends with the simplest and easiest Linux enumeration. Still fun!
- Get the username from the WordPress post.
- Decompile jars to find find the password.
- Use found username and password to log in to the ssh.
nmap -n -sV -p- -T 5 -Pn 10.10.10.37
PORT STATE SERVICE VERSION 21/tcp open ftp ProFTPD 1.3.5a 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) 25565/tcp open minecraft Minecraft 1.11.2 (Protocol: 127, Message: A Minecraft Server, Users: 0/20)
http://10.10.10.37 is a WordPress website.
There is only one post on the website, but it gives us admin’s username which we’ll need later.
Simple enumeration reveals two interesting directories;
ffuf -u http://10.10.10.37/FUZZ -w /usr/share/dirb/wordlists/common.txt
wiki doesn’t contain anything interesting, but
plugins does! It contains two
I have decompiled both of them using jd-gui and found some credentials in
After a bit of trial and error, I found out that I can log in to SSH using the password I found in the jar file. Remember the username from the WordPress post?
Wait… really? We have permission to
sudo su and we have a root!