Thursday, January 6, 2022

Mercy v2

MERCY v2 

- Layout for this exercise:

1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Mercy v2, from the VulnHub pentesting platform.

Mercy v2 can be downloaded from here:

https://www.vulnhub.com/entry/digitalworldlocal-mercy-v2,263/

- Once Mercy v2 has been downloaded and imported into VirtualBox:

2 - ENUMERATION

- netdiscover helps to identify Mercy v2's IP 192.168.1.25:

- Scanning with Nmap:

- Scanning port 8080 more deeply, we notice the existence of robots.txt and /tryharder/tryharder:

- Going to robots.txt:

- Going to /tryharder/tryharder we find a Base64 encoded text:

- Decoding from Base64:

- Let's enumerate the SMB server running at port 445:

- So we have found 4 users.

- Recalling the text decoded from Base64:

- Trying the credentials qiu:password to access the SMB server, we are successful:

- Examining content:

- After downloading the content and not finding anything of great interest, we go to the folder .private and download its content:

- Reading the 3 files:

- So we find references to the Port Knocking Daemon configuration, along with the sequences of numbers that open ports 80 and 22:

- Using the command knock to open the HTTP and SSH services:

- Now port 80 is working normally:

- From Nmap we learn that there is robots.txt and two available directories: /mercy and /nomercy:

- Browsing /mercy:

- Browsing /nomercy we find RIPS, a popular static code analysis tool that automatically detects vulnerabilities in PHP applications:

3 - EXPLOITATION

- Looking for exploits related to RIPS, we find that it is vulnerable to multiple Local File Inclusions:

- Taking advantage of the vulnerability and reading /etc/passwd:

- From enumeration we know that there is a Tomcat server running:

- So let's try to access Tomcat's tomcat-users.xml, where we can find interesting credentials:

- Metasploit helps to get a shell using these Tomcat credentials:

- Improving the shell:

- Trying to switch to the first user is unsuccessful:

- However we can switch to user fluffy:

4 - PRIVILEGE ESCALATION

- Looking into the folder .private there are some interesting files:

- Reading .secrets:

- The file timeclock is owned by root, and it seems to be a script that reads the time hosted at the web page /time:

- So one way to get a remote root shell could be to add a Bash command to timeclock:

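
The root cause of this escalation is a script executed by root that a lower-privileged user can modify. As an added defender's check (not part of the original post), the following Python audits a script that a privileged job runs and reports a group/world-writable mode, an unexpected owner, or a parent directory in which another user could replace the file; the timeclock stand-in it creates in a temporary directory is constructed for the demo, not the real file from the machine.

```python
import os
import shutil
import stat
import tempfile


def audit_privileged_script(path, expected_uid=0):
    """Return (path, reason) findings for a script that a root job executes:
    group/other-writable mode, unexpected owner, or a parent directory
    that is writable by others and not sticky (the file can be replaced)."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != expected_uid:
        findings.append((path, f"owned by uid {st.st_uid}, expected {expected_uid}"))
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append((path, f"writable by group/others (mode {mode:04o})"))
    # Walk up the directory chain: a writable, non-sticky directory lets any
    # user rename the script away and drop a replacement in its place.
    d = os.path.dirname(os.path.abspath(path))
    while True:
        dmode = stat.S_IMODE(os.stat(d).st_mode)
        if (dmode & (stat.S_IWGRP | stat.S_IWOTH)) and not (dmode & stat.S_ISVTX):
            findings.append((d, f"directory writable by others without sticky bit (mode {dmode:04o})"))
        parent = os.path.dirname(d)
        if parent == d:
            break
        d = parent
    return findings


def demo():
    """Constructed scenario: a 'timeclock' stand-in left mode 0777, then fixed to 0755."""
    workdir = tempfile.mkdtemp()
    script = os.path.join(workdir, "timeclock")
    with open(script, "w") as fh:
        fh.write("#!/bin/bash\n# constructed placeholder, not the real timeclock\n")
    me = os.getuid()  # the demo's owner stands in for root
    os.chmod(script, 0o777)
    before = audit_privileged_script(script, expected_uid=me)
    os.chmod(script, 0o755)
    after = audit_privileged_script(script, expected_uid=me)
    shutil.rmtree(workdir)
    return script, before, after


if __name__ == "__main__":
    script, before, after = demo()
    print("before fix:", before)
    print("after fix :", after)
```

Running the audit over every script referenced from root's crontab and /etc/cron.* would have flagged timeclock before it could be abused.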
- Now, setting a Netcat listener at port 3333:

- After timeclock is run, we have a remote root shell:

5 - CAPTURING THE FLAG

- Reading proof.txt: