My Attempt

User.txt

Enumeration

The Nmap scan is shown below.

It seems like the host is running a Minecraft server. Initially I actually tried to search for exploits on Minecraft servers, but there seemed to be no results for this version. At the time of writing I am aware of the Log4Shell vulnerability that affects Minecraft servers, but I have not learned the vulnerability in detail and I don't think it is the intended solution for this box anyway.

I then tried to log in to FTP as anonymous, but it was unsuccessful.

I moved on to port 80 and tried to browse the website in Firefox. Judging by the layout of the page, the website seems to be hosted using WordPress.

To confirm my assumption, I used gobuster to enumerate directories and found the following results.

As there are typical WordPress directories in the results (e.g. wp-content, wp-login.php, wp-admin, etc.), it can be confirmed that the website is using WordPress to host the contents.

From here I decided to use wpscan to enumerate information about the WordPress installation. The scan identified 2 usernames, "notch" and "Notch". I tried to guess the password of the 2 possible accounts, but none of the common passwords worked.

I started looking into some of the directories listed by gobuster ("some" is the keyword, as I later realized that I made a blunder here). First, the "/wiki" directory seemed interesting.

Unfortunately it is just an incomplete page. The page mentioned that there will be a plugin that stores user information. I originally thought that this might be a hint to some in-progress testing page that I can leverage, but it turns out I was just wrong.

I also visited the "/phpmyadmin" page, which is a typical login page for phpMyAdmin. I also tried the username "notch" and some common passwords, but still no luck.

After some more research on the WordPress version, I was stuck, as there seemed to be no obvious vulnerability in the WordPress core.

Following Writeup

In the writeup, the author discovered the same directories as my gobuster scan. What I missed is that I skipped the typical WordPress directories. It turns out that in the "/plugins" directory there were 2 files that seem to be related to the Minecraft service.

I downloaded the 2 files and used jd-gui to view the 2 .jar files. The jd-gui tool provides an easy way to read .jar files. From the BlockyCore.jar file, I discovered the credentials "root:8YsqfCTnvxAUeduzjNSXe22".

The credentials seemed to be for connecting to the database. Therefore I first tried the credentials on the phpMyAdmin page, which led to a successful login.

There was nothing interesting in the database. So I tried to reuse the password to log in to the server via SSH. I tried to use "notch:8YsqfCTnvxAUeduzjNSXe22" to log in over SSH and successfully got the user shell.

The user.txt file can be found in the home directory of "notch".

Root.txt

The first thing I did was to see if the user has any sudo privileges. Surprisingly, the user actually has full sudo access.

This means that the user "notch" is pretty much the root user. The easiest way to get a root shell is just to switch to the root user with sudo. Honestly this was the easiest privilege escalation I have ever done.
