HackTheBox | Crafty

In this walkthrough, I demonstrate how I obtained complete ownership of Crafty on HackTheBox.

Initial Foothold Hint:

  • You're going to need a client application for this server
  • Find the version of the server. Which CVE is this server vulnerable to?
  • The CVE is quite old by now, but was first discovered in the application running on the server

Privilege Escalation Hint:

  • Decompile the file to find some interesting info
  • How might you be able to use this information to log in as a privileged user?
  • Are the ports needed to log in accessible from the outside?

Nmap Results

# Nmap 7.94SVN scan initiated Mon Feb 12 16:23:27 2024 as: nmap -Pn -p- -sT --min-rate 2000 -A -oN nmap.txt 10.10.11.249
Nmap scan report for 10.10.11.249
Host is up (0.011s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT      STATE SERVICE   VERSION
80/tcp    open  http      Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to http://crafty.htb
25565/tcp open  minecraft Minecraft 1.16.5 (Protocol: 127, Message: Crafty Server, Users: 0/100)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (89%)
Aggressive OS guesses: Microsoft Windows Server 2019 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using proto 1/icmp)
HOP RTT      ADDRESS
1   10.33 ms 10.10.14.1
2   10.52 ms 10.10.11.249

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Feb 12 16:24:48 2024 -- 1 IP address (1 host up) scanned in 81.07 seconds
Note the HTTP redirect to http://crafty.htb. Let's go ahead and add that to our /etc/hosts file.
echo '10.10.11.249        crafty.htb' | sudo tee -a /etc/hosts

This box is still active on HackTheBox. Once retired, this article will be published for public access as per HackTheBox's policy on publishing content from their platform.

0xBEN