Wednesday, December 26, 2018

MERCY


MERCY

- Layout for this exercise:






1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine MERCY.

- MERCY can be found here:

https://www.vulnhub.com/entry/digitalworldlocal-mercy,263/

- Once downloaded and extracted with VirtualBox:





2 - ENUMERATION

- Discovering MERCY's IP:







- Scanning with Nmap:




- Going deeper within port 8080 HTTP, it seems that Apache Tomcat/Coyote engine JSP 1.1 is being run:




- Dirbusting the web server at port 8080:




- So we have some interesting folders to explore, like robots.txt, /tryharder/tryharder and /manager.

- Connecting with the browser:



- Reading robots.txt:




- Checking folder /tryharder/tryharder we find a string encoded with Base64:




- Decoding:




- From the message we can write down that it might be a use with password password.


- Going to /manager:





- Also, port 445 is open, so why not enumerating with enum4linux taking advantage of the Samba server?









- So there are 4 Local Users: pleadformercy, qiu, thisisasuperduperlonguser, fluffy.

- Launching Hydra over the Samba server with the text file usernames and the wordlist rockyou.txt:






- Connecting to the Samba server with credentials qiu:password" (remembering the Base64 decoded string):




- Listing contents:




- Getting .bash_history:





 - Goint to folder .private:





- Getting readme.txt:





- Going to secrets there is nothing inside:





- Going to folder opensesame and getting configprint and config:




- Reading .bash_history




- Reading readme.txt:




- Reading configprint, there are a lot of references to config:




- Reading config we find information about filtered services HTTP at port 80 and SSH port 22:




- Actually both ports 22, 80 are filtered:





- Because several sequences are quoted we can imagine that knock command must be used to open filtered services, for instance HTTP port 80:




- Same thing for SSH port 22:





- Now, connection with the browser is available:





- Dirbusting port 80:





- Reading robots.txt we discover two additional folders: /mercy and /nomercy:




- Going to /mercy:










- Going to /nomercy the RIPS 0.53 application is running:





3 - EXPLOITATION

- Searching for RIPS exploits we find a Multiple LFI exploit:






- Reading 18660.txt:



- Applying the LFI to /etc/passwd:




- However it doesn't work with /etc/shadow:




- Remembering the existence of a tomcat-users.xml file:






- Extracting tomcat-users.xml:





- Last lines give unvaluable information about 2 users and correspondent usernames:





4 - GETTING A SHELL WITH METASPLOIT

- Launching Metasploit:



- Using this exploit for Tomcat:




- Setting options and running the exploit we get a Meterpreter session:





- Spawning and improving a shell:




5 - PRIVILEGE ESCALATION

- Using credentials fluffy:freakishfluffybunny:



- Unfortunately fluffy is not a sudoer:



- Improving the shell for fluffy:




- Walking around into home folders and files until finding something useful:













- Finally it seems that timeclok could be interesting, because it is a root owned script:




- Creating an exploit with Msfvenom:





- Setting a Netcat listener:







- Appending the exploit to timeclock:







- After some minutes we've got a root shell:







6 - CAPTURING THE FLAG

- Reading proof.txt: