In this post, I would like to share a walkthrough of the Crafty Machine from Hack the Box

This room will be considered an Easy machine on Hack the Box

What will you gain from the Crafty machine?

For the user flag, you must exploit a Minecraft server, which is particularly vulnerable to the Log4Shell exploit due to its use of the Java Log4J package, I will connect using a free Minecraft command-line client. By sending a Log4Shell payload, I will gain shell access to the system.

As for the root flag, you need to locate and analyze a plugin for the Minecraft server to uncover the administrator password.

Information Gathering on Crafty Machine

Once we have started the VPN connection which requires a download from Hackthebox, we can start

└──╼ $nmap -sV -sC -oA initial
Starting Nmap 7.93 ( ) at 2024-06-14 17:00 EDT
Nmap scan report for
Host is up (0.28s latency).
Not shown: 999 filtered tcp ports (no-response)
80/tcp open  http    Microsoft IIS httpd 10.0
|_http-title: Did not follow redirect to http://crafty.htb
|_http-server-header: Microsoft-IIS/10.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 34.57 seconds
└──╼ $

Let’s access the website interface

It looks like a website that hosts a game online

At the bottom of the website, it provides one subdomain that doesn’t show any valid interface.

At this point, I was stuck on the machine for almost 3 hours, and I didn’t receive any useful information

CVE-2021-44228 vulnerability on Crafty machine

After thinking hard, I did remember that Minecraft system is been vulnerable to log4j and that’s thanks for John Hammond’s video a long time ago

Therefore, let’s exploit that vulnerability from John Hammond’s video and apply it here. To use the exploit, you can download the exploit here to proceed further

Therefore, let’s install the exploit payload into our attacker’s machine

The screenshot above show the content of the file inside the github

As a result, we need to modify the content on “String cmd” with cmd.exe because the victim’s machine is based on the Windows Operating System.

We need to fulfil the required which need to install jdk1.8.0 181 on our attacker’s machine

However, we need to rename the directory from jdk1.8.0.1_181 into jdk1.8.0.1_20

Next, we need to start our listener on the attacker’s machine

A computer screen with green and blue text

Description automatically generated

Aside from that, we also need to run the log4j-shell payload as shown above

We also required to download pyCraft on our attacker’s machine

To be cautious of the tools, let’s run it within the docker environment

It will take a few minutes to fully configure the requirement

We can paste the command that we found earlier here which it will provide back the reverse shell connection to us

At last, we have successfully retrieved the reverse shell

A computer screen with green text

Description automatically generated

A computer screen with green text

Description automatically generated

We can read the user flag by typing the “type user.txt” command

Escalate to Root Privileges Access on Crafty machine

A black background with green text

Description automatically generated

We need to download one file from plugins directory into our attacker’s machine

Analysis using Java decompiler

For this purpose, we need to use jd-gui to read the content within the .jar file format

We can start the java decompiler with the command above

A screenshot of a computer

Description automatically generated
A screenshot of a computer

Description automatically generated

At last, we managed to obtain the password for the next step

Let’s upload the malicious exe file and RunasCs.exe into the victim’s machine

We can use the command above to retrieve administrator’s shell

We can read the root flag by typing the “type root.txt” command