HTB : Blocky


  • Directory enumeration leads to a folder that contains valid credentials
  • phpadmin page lists users available
  • Password is reusable


Run nmap scan to find for open ports.

Unable to login via FTP anonymously.

Run a gobuster scan

There is a phpadmin page.

Wpscan shows no results.

The plugins directory have 2 files inside.

Use a java decompiler like jdi-gui to open up the file.

Found some mysql credentials.

The 2nd file has a whole bunch of functions, let’s put this aside for now.

Let’s login with the credentials via the phpmyadmin page.

Access gained.

In the wordpress section page there is a credential found.


SSH login via the user notch and the password found in the jar file.

First flag is found

Privilege escalation

Check sudo -l

We are able to sudo everything.

Change to root user and get the final flag.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s