Today’s HTB writeup is about Blocky, a server that hosts both a webpage and a Minecraft server. Not much more to explain, so let’s get into it.
As always, I began with a staged Nmap scan:
The scan revealed a number of available services. I attempted a few logins over FTP using common credentials, but got nothing out of it. The path to root via Sophos and Minecraft was not necessarily clear, so I pursued the web app route. To kick this off, I ran gobuster on the page:
It quickly became clear that this was a WordPress site, so I ran wp-admin against it, but got nothing of interest. I decided to poke around in the directories I found. In doing so, I found a few plugins:
I found this both interesting and unusual, so I downloaded them and tried to get some more information.
BlockyCore seemed quite interesting upon inspection, especially looking at its class file:
Decompiling it yielded some (not perfectly deconstructed but still helpful) comments:
These credentials allowed me to log in to a number of services.
My first inclination was to log in to the phpMyAdmin panel using the found credentials:
The password for the WordPress login was hashed, so I chose to explore other alternatives before attempting to crack it. Seeing that there was a user named ‘Notch’, I tried logging in to the server via SSH using that username along with the password found in the .class file:
It worked! Ran ‘id’ and…
Notch was a sudoer!
All in all, this was an easy box. Wish there was more to say, but I’ll take it anyways.
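Added example (not part of the original writeup, and not the author's code): the foothold on this box came from credentials compiled into a plugin's .class file, so this audit parses each class's constant pool in a JAR and reports the string literals of any class that references a credential-like field, which is the check to run before a plugin is published. The `SUSPECT` name pattern is an assumed heuristic, and the sample class, field name and literal are constructed for the demo.

```python
import io, re, struct, zipfile

FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,  # tag -> payload size
         12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}         # (JVMS 4.4)
SUSPECT = re.compile(r"pass|pwd|secret|token|user", re.I)  # assumed heuristic

def u2(buf, off=0):
    return struct.unpack_from(">H", buf, off)[0]

def parse_pool(data):
    """Return {index: (tag, payload)} for a class file's constant pool."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    pool, off, i = {}, 10, 1
    while i < u2(data, 8):
        tag = data[off]
        size = 2 + u2(data, off + 1) if tag == 1 else FIXED[tag]  # Utf8: u2 len + bytes
        raw = data[off + 1:off + 1 + size]
        pool[i] = (tag, raw[2:].decode("utf-8", "replace") if tag == 1 else raw)
        off += 1 + size
        i += 2 if tag in (5, 6) else 1  # long/double occupy two slots
    return pool

def audit_class(data):
    """Fieldref -> NameAndType -> Utf8 gives field names; String -> Utf8 gives literals."""
    pool = parse_pool(data)
    names = {pool[u2(pool[u2(p, 2)][1])][1] for t, p in pool.values() if t == 9}
    literals = [pool[u2(p)][1] for t, p in pool.values() if t == 8]
    return sorted(n for n in names if SUSPECT.search(n)), literals

def audit_jar(jar_bytes):
    """Map class path -> findings for classes that use a credential-like field."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        found = {n: audit_class(jar.read(n)) for n in jar.namelist() if n.endswith(".class")}
    return {n: {"fields": f, "literals": s} for n, (f, s) in found.items() if f and s}

def sample_jar():
    """Constructed input: class header plus constant pool only, ASCII names."""
    utf8 = lambda s: struct.pack(">BH", 1, len(s)) + s.encode()
    cls = (struct.pack(">IHHH", 0xCAFEBABE, 0, 52, 9) + utf8("dbPassword")
           + utf8("Ljava/lang/String;") + struct.pack(">BHH", 12, 1, 2)
           + utf8("com/example/Core") + struct.pack(">BH", 7, 4) + struct.pack(">BHH", 9, 5, 3)
           + utf8("EXAMPLE-not-a-real-secret") + struct.pack(">BH", 8, 7))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("com/example/Core.class", cls)
    return buf.getvalue()

print(audit_jar(sample_jar()))
```

A `static final` string constant that is never accessed through a field instruction has no Fieldref entry, so this heuristic will not flag it; treat a clean result as a first pass rather than proof that a JAR carries no secrets.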