In this post, I would like to share a walkthrough of the Crafty machine from Hack the Box.


This machine is considered an Easy machine on Hack the Box.

What will you gain from the Crafty machine?


For the user flag, you must exploit a Minecraft server that is vulnerable to the Log4Shell exploit because it uses the Java Log4j package. I will connect using a free Minecraft command-line client. By sending a Log4Shell payload, I will gain shell access to the system.


As for the root flag, you need to locate and analyze a plugin for the Minecraft server to uncover the administrator password.

Information Gathering on Crafty Machine


Once we have started the VPN connection, which requires a download from Hack the Box, we can start

┌─[darknite@parrot]─[~/Documents/htb/crafty]
└──╼ $nmap -sV -sC 10.10.11.249 -oA initial
Starting Nmap 7.93 ( https://nmap.org ) at 2024-06-14 17:00 EDT
Nmap scan report for 10.10.11.249
Host is up (0.28s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 10.0
|_http-title: Did not follow redirect to http://crafty.htb
|_http-server-header: Microsoft-IIS/10.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.57 seconds
┌─[darknite@parrot]─[~/Documents/htb/crafty]
└──╼ $

Let’s access the website interface.


It looks like a website that hosts a game online.


At the bottom of the website, it provides one subdomain that doesn’t show any valid interface.


At this point, I was stuck on the machine for almost 3 hours, and I didn’t receive any useful information.

CVE-2021-44228 vulnerability on Crafty machine


After thinking hard, I remembered that Minecraft had been vulnerable to Log4j, thanks to John Hammond’s video from a long time ago.
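From the defender's side, the same root cause can be checked offline: look inside the server's jar files for a bundled log4j-core that still ships the JndiLookup class in a version affected by CVE-2021-44228. The Python below is an added example, not part of the original walkthrough or of any tool it uses; the jar contents and names such as server.jar are constructed sample data.

```python
import io
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def is_affected(version):
    """True if in the CVE-2021-44228 range (2.12.2+ and 2.3.1+ are backported fixes)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        return True  # unknown or unparseable: fail closed for manual review
    v = tuple(int(g or 0) for g in m.groups())
    if v[0] != 2 or v >= (2, 15, 0):  # fixed in 2.15.0; later releases fix follow-up CVEs
        return False
    return not ((v[:2] == (2, 12) and v[2] >= 2) or (v[:2] == (2, 3) and v[2] >= 1))

def scan_jar(data, name):
    """Return (location, version) findings for one archive, recursing into nested jars."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # Deleting JndiLookup.class is a known mitigation, so only flag jars that still have it.
        if JNDI_CLASS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
            m = re.search(r"^version=(.+)$", props, re.M)
            version = m.group(1).strip() if m else "unknown"
            if is_affected(version):
                findings.append((name, version))
        for entry in names:
            if entry.lower().endswith((".jar", ".war")):
                try:
                    findings += scan_jar(zf.read(entry), f"{name}!{entry}")
                except zipfile.BadZipFile:
                    pass  # named like an archive but is not one
    return findings

def make_jar(files):  # build an in-memory jar from {path: bytes} (constructed data)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in files.items():
            zf.writestr(path, content)
    return buf.getvalue()

def demo():
    old = make_jar({JNDI_CLASS: b"", POM_PROPS: b"version=2.14.1\n"})
    new = make_jar({JNDI_CLASS: b"", POM_PROPS: b"version=2.17.1\n"})
    stripped = make_jar({POM_PROPS: b"version=2.14.1\n"})  # class removed as mitigation
    server = make_jar({"libs/log4j-core.jar": old, "libs/patched.jar": new})
    return scan_jar(server, "server.jar"), scan_jar(stripped, "stripped.jar")
```

To scan a real file, pass its bytes and path to scan_jar, for example scan_jar(open(path, "rb").read(), path).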


Therefore, let’s take the exploit from John Hammond’s video and apply it here. To use the exploit, you can download it here to proceed further.


Therefore, let’s install the exploit payload on our attacker’s machine.


The screenshot above shows the content of the file in the GitHub repository.


As a result, we need to change the value of “String cmd” to cmd.exe because the victim’s machine is based on the Windows operating system.


We need to fulfil the requirement of installing jdk1.8.0 181 on our attacker’s machine.


However, we need to rename the directory from jdk1.8.0.1_181 to jdk1.8.0.1_20.


Next, we need to start our listener on the attacker’s machine.


Aside from that, we also need to run the log4j-shell payload as shown above.


We are also required to download pyCraft on our attacker’s machine.


To be cautious with the tools, let’s run them within the Docker environment.



It will take a few minutes to fully configure the requirements.


We can paste the command that we found earlier here, which will give us the reverse shell connection.


At last, we have successfully retrieved the reverse shell.


We can read the user flag by typing the “type user.txt” command.

Escalate to Root Privileges Access on Crafty machine


We need to download one file from the plugins directory onto our attacker’s machine.

Analysis using Java decompiler


For this purpose, we need to use jd-gui to read the content of the .jar file.


We can start the Java decompiler with the command above.


At last, we managed to obtain the password for the next step.


Let’s upload the malicious exe file and RunasCs.exe onto the victim’s machine.


We can use the command above to retrieve the administrator’s shell.


We can read the root flag by typing the “type root.txt” command.