The Blocky machine on Hack The Box has retired, which means write-ups are now allowed. It was a Linux VM that can be considered a beginner-level box. Getting the user flag was “Easy” and, unlike other HTB machines, privilege escalation was just a “Piece of cake”.

Note: In order to keep all my CTF write-ups crisp and concise, I only mention the steps that led to positive results. There was a lot of trial and error, and hours or in some cases even days of failed attempts, before reaching the correct solution. For this challenge, the IP address of my machine was and Blocky's was


I started with nmap to check for all open ports (-p-), the versions of the running services (-sV) and to run the default set of scripts (-sC).

Finding port 80 open with WordPress running on it, I started wpscan in the background to test for vulnerable plugins and to enumerate users. In the meantime I manually navigated the web application.

The wpscan result didn’t give anything exciting, but it identified one WordPress user, “notch”, which later turned out to be useful.

Running dirb against the web application found some hidden directories.


I navigated to all the directories. The plugins directory was the interesting one: it contained two jar files, one of which was “Blocky.jar”. I downloaded it and used an online Java decompiler to check its source code. Below is a screenshot of the decompiled result.

There was a hardcoded password in the jar file. Since the SSH port was open, I tried to log in as the user notch (found earlier with wpscan) with the password obtained from the jar, and it worked !!! 😀
This gave me a shell on the system and the user flag.
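The decompilation step above is the attacker's view of a hardcoded credential. The defender's counterpart is to scan every jar you ship or deploy for the same pattern before anyone else does. The following Python script is an added example and is not code from the original write-up or from Blocky.jar: it walks a jar, parses the constant pool of each class file, and reports classes in which credential-looking field or method names (such as a field called dbPassword) sit beside string literals, which is exactly the trace a hardcoded password leaves in compiled Java. The sample jar, the class name com/example/SampleCore and the CHANGEME placeholder are constructed here for the demonstration.

```python
import io
import re
import struct
import zipfile

# Constant-pool tags from the JVM class file format (JVMS section 4.4).
CONSTANT_Utf8, CONSTANT_Integer, CONSTANT_Long, CONSTANT_Double = 1, 3, 5, 6
CONSTANT_Class, CONSTANT_String = 7, 8
# Payload size in bytes of every fixed-width constant-pool entry (Utf8 is variable).
FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
              15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
# Field/method names that suggest a string literal nearby is a credential.
CRED_NAME = re.compile(r"pass|pwd|secret|token|api[_-]?key|credential", re.IGNORECASE)


def analyze_class(class_bytes):
    """Return (string_literals, credential_like_names) for one .class file.

    String literals are the Utf8 entries referenced by a CONSTANT_String entry;
    names are the other Utf8 entries (fields, methods, descriptors) whose text
    looks credential-related.
    """
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    (count,) = struct.unpack(">H", class_bytes[8:10])
    pos, index = 10, 1          # pool entries are numbered from 1
    utf8, string_refs = {}, []
    while index < count:
        tag = class_bytes[pos]
        pos += 1
        if tag == CONSTANT_Utf8:
            (length,) = struct.unpack(">H", class_bytes[pos:pos + 2])
            utf8[index] = class_bytes[pos + 2:pos + 2 + length].decode("utf-8", "replace")
            pos += 2 + length
        elif tag in FIXED_SIZE:
            if tag == CONSTANT_String:
                string_refs.append(struct.unpack(">H", class_bytes[pos:pos + 2])[0])
            pos += FIXED_SIZE[tag]
            if tag in (CONSTANT_Long, CONSTANT_Double):
                index += 1      # 8-byte constants occupy two pool slots
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {pos - 1}")
        index += 1
    literal_idx = set(string_refs)
    literals = [utf8[i] for i in string_refs if i in utf8]
    names = sorted(s for i, s in utf8.items() if i not in literal_idx and CRED_NAME.search(s))
    return literals, names


def scan_jar(jar_bytes):
    """Report every class in the jar with credential-like names next to string literals."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for member in jar.namelist():
            if not member.endswith(".class"):
                continue
            literals, names = analyze_class(jar.read(member))
            if names and literals:
                findings.append((member, names, literals))
    return findings


def build_sample_class():
    """Constructed class file (constant pool plus an empty body) for the demo; not a real class."""
    pool, slots = [], 0

    def add(entry, width=1):
        nonlocal slots
        pool.append(entry)
        slots += width
        return slots - width + 1    # 1-based index of the entry just added

    def utf8(s):
        data = s.encode("utf-8")
        return add(b"\x01" + struct.pack(">H", len(data)) + data)

    def string(idx):
        return add(b"\x08" + struct.pack(">H", idx))

    add(b"\x07" + struct.pack(">H", 2))           # Class -> Utf8 #2
    utf8("com/example/SampleCore")                # constructed class name
    utf8("dbUser")                                # field names, as a compiler emits them
    utf8("dbPassword")
    utf8("Ljava/lang/String;")
    string(utf8("root"))                          # string literals assigned to the fields
    string(utf8("CHANGEME-placeholder-password"))  # placeholder, not a real password
    string(utf8("jdbc:mysql://localhost/sample"))
    add(b"\x03" + struct.pack(">i", 3306))        # Integer, exercises fixed-size handling
    add(b"\x05" + struct.pack(">q", 1 << 40), 2)  # Long, exercises the two-slot rule
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, slots + 1)
    tail = struct.pack(">HHHHHHH", 0x0021, 1, 1, 0, 0, 0, 0)  # flags, this, super, 4 empty tables
    return header + b"".join(pool) + tail


def build_sample_jar():
    """Constructed jar wrapping the sample class (a jar is just a zip archive)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("com/example/SampleCore.class", build_sample_class())
    return buf.getvalue()


if __name__ == "__main__":
    for member, names, literals in scan_jar(build_sample_jar()):
        print(f"{member}: credential-like names {names}")
        for lit in literals:
            print(f"    literal: {lit!r}")
```

Pointing scan_jar at a real artifact is a matter of reading the file bytes instead of calling build_sample_jar. The heuristic is deliberately about proximity: a class that declares a password field and also carries string literals is worth a human look even when the literal itself does not look like a password, because that is precisely how a line such as `this.sqlPass = "..."` compiles.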

Privilege Escalation

The box didn’t have any security in place. The privilege escalation was indeed a “piece of cake”. I checked which commands the user can run with sudo.

The user can run any command with sudo, which means the user is effectively root. I just ran sudo cat /root/root.txt to read the root flag.

Final note

Unlike other HTB machines, Blocky was very easy both in terms of getting the user flag and the root flag. Proper enumeration of all the hidden web directories was the key takeaway from this machine.

I hope this write-up was helpful. Share it if you found it useful. If you have any questions or suggestions, please leave your comments. Subscribe to the mailing list to get updates on my future CTF write-ups and blogs.

Happy Learning 🙂

The author is a security enthusiast with interest in web application security, cloud-native application development and Kubernetes.
