HackTheBox: Blocky Walkthrough

Matt Johnson
Feb 26, 2020

Today’s HTB writeup is about Blocky, a server that hosts both a webpage and a Minecraft server. Not much more to explain, so let’s get into it.

Enumeration

As always, I began with a staged Nmap scan:

The scan revealed a number of available services. I attempted a few logins over FTP using common credentials, but got nothing out of it. The path to root via Sophos and Minecraft was not necessarily clear, so I pursued the web app route. To kick this off, I ran gobuster on the page:

It quickly became clear that this was a WordPress site, so I ran wp-admin against it, but got nothing of interest. I decided to poke around in the directories I found. In doing so, I found a few plugins:

I found this both interesting and unusual, so I downloaded them and tried to get some more information.

BlockyCore seemed quite interesting upon inspection, especially looking at its class file:

Decompiling it yielded some (not perfectly deconstructed but still helpful) comments:

These credentials allowed me to log in to a number of services.
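For whoever runs a server like this, the takeaway is that compiled plugins keep their string literals in plain sight. The following is an added example, not part of the original walkthrough: a Python check that reads the constant pool of every class in a JAR and reports the string literals of classes that also contain credential-like names. The sample class, its field names and its values are constructed for illustration, and the name pattern is an assumption to tune.

```python
import io, re, struct, zipfile

# Payload size per constant-pool tag (JVM spec); tag 1 (Utf8) is variable-length.
CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
            12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
SUSPECT = re.compile(r"pass|pwd|secret|token|user", re.I)  # heuristic, tune it

def class_strings(data):
    """Return (identifier names, string literals) from a class constant pool."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    count = struct.unpack(">H", data[8:10])[0]
    utf8, literal_refs, pos, idx = {}, [], 10, 1
    while idx < count:
        tag, pos = data[pos], pos + 1
        if tag == 1:
            n = struct.unpack(">H", data[pos:pos + 2])[0]
            utf8[idx] = data[pos + 2:pos + 2 + n].decode("utf-8", "replace")
            pos += 2 + n
        else:
            if tag == 8:  # CONSTANT_String points at the Utf8 holding a literal
                literal_refs.append(struct.unpack(">H", data[pos:pos + 2])[0])
            pos += CP_SIZES[tag]  # KeyError on a tag the JVM spec does not define
        idx += 2 if tag in (5, 6) else 1  # long/double occupy two slots
    literals = [utf8[i] for i in literal_refs if i in utf8]
    return [s for i, s in utf8.items() if i not in literal_refs], literals

def audit_jar(jar_bytes):
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for entry in (e for e in jar.namelist() if e.endswith(".class")):
            names, literals = class_strings(jar.read(entry))
            hits = sorted(n for n in names if SUSPECT.search(n))
            if hits and literals:  # credential-like name next to string literals
                findings.append((entry, hits, literals))
    return findings

def u8(s):
    return b"\x01" + struct.pack(">H", len(s.encode())) + s.encode()

# Constructed sample: class header plus constant pool only; all names invented.
SAMPLE_CLASS = (b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, 7) + u8("dbUser")
                + u8("dbPassword") + u8("svc_account") + b"\x08\x00\x03"
                + u8("not-a-real-password") + b"\x08\x00\x05")

def sample_jar():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("com/example/Core.class", SAMPLE_CLASS)
    return buf.getvalue()
```

Run over every JAR that sits under a web-served directory, `audit_jar` gives a short list of classes to review by hand; a hit means the secret belongs in configuration outside the web root and needs rotating.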

Exploitation

My first inclination was to log in to the phpMyAdmin panel using the found credentials:

The password for the WordPress login was hashed, so I chose to explore other alternatives before attempting to crack it. Seeing that there was a user named ‘Notch’, I tried logging in to the server via SSH using that username along with the password found in the .class file:

It worked! Ran ‘id’ and…

Notch was a sudoer!

All in all, this was an easy box. Wish there was more to say, but I’ll take it anyways.

Matt Johnson

Freelance cybersecurity consultant based in Düsseldorf, Germany.