# Blocky

## Blocky - 10.10.10.37

### Target Enumeration:

OS: Linux

IP: 10.10.10.37

User: 59fee0977fb60b8a0bc6e41e751f3cd5

Root: 0a9694a5b4d272c694679f7860f1cd5f

### Ports / Services / Software Versions Running

```
21/tcp   open   ftp     ProFTPD 1.3.5a
22/tcp   open   ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp   open   http    Apache httpd 2.4.18 ((Ubuntu))
8192/tcp closed sophos
```

### Vulnerability Exploited:

A password was stored in a .jar file, and that password was valid for both SSH and phpMyAdmin.

### Privilege escalation:

The user was in the sudoers group.

### Exploiting the host:

Nmap

![](https://lh5.googleusercontent.com/ahJr7EjkN_ePWJj095KPgc1fMIl-aGHHsmtwQwz91Y_zzK0ypm6LXaxDDgPJNw0CBdaYPJ6txx3Y0YQHq-UjIu4mkVIZ6ueJUthzoZy0TgMt00CD7EmoCP7wbHJ19DTjx-41Q_Jf)

Port 80 appears to be running WordPress.

<div align="left"><img src="https://lh5.googleusercontent.com/0ZvH2EYQGOS_UxGu147yGjsCFjTvGNXXP6EICOztLGe33fc48lj0mfGo8nFSaGe-I2qynkYKY8oYk1kuUlw6s3JDmQjUoxCLBqXDg6hU8weVUk6tX9JMVfkjOQQPb2opTbFJbOdj" alt=""></div>

WPScan reveals a username.

<div align="left"><img src="https://lh3.googleusercontent.com/JXsZReQ_MjhWyGPlcVp93Bi7AuVqGOGPpo85DXyDQjMm914GZ_8iObpezjGKI1BfrzB_UHppl_d582ruxSkDGr2_PdHVVGVCOc8JUnVWNZs_XgePnn-Aw5ulVTfbj8gSoxk_qFhq" alt=""></div>

We started brute-forcing the login with WPScan.

![](https://lh6.googleusercontent.com/WL-YBeHmLSiVdkvJiTnf0yxOoPCeX_HPg7sD2olHKbcP6NxajYIhZQSDJWJ0cqZklJG4TTkSU54DU0T1lDrdr_Y5XsKRP2eiPfNiD83mTVkXNwi7NDoCHnB_qgyGGwsa-z_rYS2l)

This returned no results.

Dirb found the following pages:

* /phpmyadmin
* /plugins

Under /plugins we found a blocky.jar file.

<div align="left"><img src="https://lh6.googleusercontent.com/OmcN4C96uddDjb_SnWAN_Xsi60cVunJ6KDk6Vncwf9a9fDkO7L_Li9qupHSWvIZYaWNOE9n3Tf6TVIY2269KCWJY4mnfAerHkLqgVfztHmn0p2j6tbgHwcr_6SRCT0HIhsKkTwhY" alt=""></div>

We downloaded the file and decompiled it with an online tool, which gave us some credentials.

<http://www.javadecompilers.com>

<div align="left"><img src="https://lh5.googleusercontent.com/g6xeEigBurxCqlZsFOxg3o_FwEy_gX3rB7Eg5L__pjSnQAzLxlgx8iO63XuaXPUqzn9Boipv4aZ38IHstl9HBEMHXyTw79DMw7DTk1bLaM9F4N-p9ue3s4FiaVdPfP6-rlMZ1b62" alt=""></div>

We found the password was valid for the phpMyAdmin login page:

`root:8YsqfCTnvxAUeduzjNSXe22`

We now had access to phpMyAdmin.

![](https://lh4.googleusercontent.com/AkgCHhvTgLRtvppD9E6lKuHkUKY0xlIXxUE3-cJx1UdqBjrjLJK7Gv1ZFAXi9rSHAG17egE_Qzb4eB4kC5zqDu4zsoWq9lr-MamO4ELshFD7ffjg_abeAkWp0CdLxAPOzKT4fM0i)

We created a new user and uploaded a shell to the 404.php page, but found we could not escalate privileges as the www-data user.

We then tried the same password with the username notch over SSH and were given a shell.

We checked what we could do as the user notch and found they were part of the sudoers group.

![](https://lh6.googleusercontent.com/uXCPfkBHnftM8jaVTKrD03-gXrs3U5trXqMf6n4BLtv8OYDJeN2HiQnurG2rZrnSY4vhGQOCykgYMOZeLXuE8WrhunpTQ0PuQWQgSv6KGzYSK-Zrn2KKOsaBnAVHRS9tncPxJzCA)

Issuing `sudo su` gave us root access.

<div align="left"><img src="https://lh3.googleusercontent.com/uFBbyLVeJGA4npkIv1ZyMx72GKFVQvMb1boeuPtkcKp1cI2Vg-MCHMYGL3SMZJJXRIpPNW_1PFKqkmCgJgcVI3UX2l9jsp4rXfh0t9eNZSf_q8edyeL3A_OV2r45mNkX8odkZBoB" alt=""></div>


