Vulnhub-Mercy

ARZ101
May 12, 2021

Hello everyone, I hope you are doing well. In this post I will be sharing my walkthrough for Vulnhub Mercy, a machine for OSCP preparation. This was a fun box: you have to enumerate users from an SMB share and find a message on the website; afterwards you need to port knock to open the HTTP service, and on that port you exploit a vulnerability which grants you access to Apache Tomcat.

Rustscan

PORT     STATE SERVICE     REASON         VERSION              
53/tcp open domain syn-ack ttl 64 ISC BIND 9.9.5-3ubuntu0.17 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.9.5-3ubuntu0.17-Ubuntu
110/tcp open pop3? syn-ack ttl 64
|_ssl-date: TLS randomness does not represent time
139/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap syn-ack ttl 64 Dovecot imapd
|_ssl-date: TLS randomness does not represent time
445/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
993/tcp open ssl/imaps? syn-ack ttl 64
|_ssl-date: TLS randomness does not represent time
995/tcp open ssl/pop3s? syn-ack ttl 64
|_ssl-date: TLS randomness does not represent time
8080/tcp open http syn-ack ttl 64 Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
| Supported Methods: GET HEAD POST PUT DELETE OPTIONS
|_ Potentially risky methods: PUT DELETE
|_http-open-proxy: Proxy might be redirecting requests
| http-robots.txt: 1 disallowed entry
|_/tryharder/tryharder
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat
MAC Address: 80:00:0B:3C:4A:7E (Intel Corporate)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4

PORT 139/445 (SMB)

We can check for SMB shares and see whether we have access or not.

We cannot access any share, so we can try enum4linux to enumerate users on the machine.

PORT 8080 (HTTP Apache Tomcat 7)

From the nmap scan we can see an entry in robots.txt.

This looks like base64 encoded text, so let's decode it and see what it says:

It's annoying, but we repeat this over and over again: cyber hygiene is extremely important. Please stop setting silly passwords that will get cracked with any decent password list. Once, we found the password "password", quite literally sticking on a post-it in front of an employee's desk! As silly as it may be, the employee pleaded for mercy when we threatened to fire her. No fluffy bunnies for those who set insecure passwords and endanger the enterprise.

This message tells us that a user's password is set to "password". We know there are 4 users, and we saw an SMB share named qiu, which is also a username, so we can try whether this password works for that user.

And it is the password for this user, so we can read the share.

Going to the .private/opensesame folder we can see a config file.

This config file is for SMB, and we can see the port knocking configuration in it.

So let's do the port knocking sequence for HTTP.

PORT 80 (HTTP)

We can check the robots.txt file.

Found nothing here.

We found RIPS, version 0.53, so we look for exploits on exploit-db.

There's an LFI exploit in two files, code.php and function.php; we can look at the source code of these two files since there's a repo on GitHub:

https://github.com/bizonix/rips-scanner

We confirmed that the LFI exists. Now let's take a step back: we know there's Apache Tomcat, so we could look at the tomcat-users.xml file, which includes a username and password to log in to /manager, but we need the installation path, so I did a little Google search.

http://192.168.1.9/nomercy/windows/code.php?file=../../../../../../var/lib/tomcat7/conf/tomcat-users.xml
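The request above works because the ?file= value is joined to a path and read with no check that the result stays inside the web root. The following added example (not RIPS's code, nor from the original post) shows that vulnerable pattern beside a hardened version that resolves the path and rejects anything escaping the base directory; the directory layout and file contents are constructed in a temp dir.

```python
import os
import tempfile


def resolve_under_base(base_dir, requested):
    """Return the real path for a user-supplied file name, or None if it escapes base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    # realpath collapses every '..' segment and symlink; commonpath then tells us
    # whether the normalised result still sits inside the web root
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def vulnerable_read(base_dir, requested):
    # Illustrative pattern only (not RIPS's actual source): the ?file= value is
    # joined to the document path and read with no check, so '../' walks out of the root.
    with open(os.path.join(base_dir, requested)) as fh:
        return fh.read()


def hardened_read(base_dir, requested):
    path = resolve_under_base(base_dir, requested)
    if path is None:
        raise PermissionError("requested file escapes the web root")
    with open(path) as fh:
        return fh.read()


def demo():
    # Constructed filesystem under a temp dir: a fake web root five levels deep and a
    # fake tomcat-users.xml outside it, mirroring the layout the traversal URL relies on.
    root = tempfile.mkdtemp()
    webroot = os.path.join(root, "var", "www", "html", "nomercy", "windows")
    conf = os.path.join(root, "var", "lib", "tomcat7", "conf")
    os.makedirs(webroot)
    os.makedirs(conf)
    with open(os.path.join(webroot, "readme.txt"), "w") as fh:
        fh.write("public\n")
    with open(os.path.join(conf, "tomcat-users.xml"), "w") as fh:
        fh.write("<tomcat-users/>\n")  # constructed stand-in for the real file
    traversal = "../../../../../var/lib/tomcat7/conf/tomcat-users.xml"
    leaked = vulnerable_read(webroot, traversal)
    try:
        hardened_read(webroot, traversal)
        blocked = False
    except PermissionError:
        blocked = True
    return {"leaked": leaked, "blocked": blocked, "legit": hardened_read(webroot, "readme.txt")}
```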

We can log in to /manager with the user thisisasuperduperlonguser:heartbreakisinevitable since this user has the admin role.

Here we can upload a WAR reverse shell payload, so let's generate a WAR payload.

And we got a shell, so let's stabilize it.

We had already found the password for fluffy, so let's switch to that user.

There's a timeclock file.

By reading its content we can see it just stores the time in a file.

But we can see it belongs to the root user, so we can check if it's running as a scheduled task.

But we cannot see this file running as a system-wide cron job, so it would be running from the root user's own crontab. To verify it we can use pspy, which is an unprivileged process monitor; since the 64 bit version of pspy wasn't working, I uploaded the 32 bit version and ran it.

We can see that this script runs as root, so we could either include a reverse shell in it or make bash SUID (which is the easy way). Let's modify the bash script.

chmod +s /bin/bash will make bash SUID, meaning it will be executed as root if we supply the -p parameter when running it.

After waiting for some time we can check whether it's been made SUID or not; to verify, run ls -la on bash.

And it looks like it's now SUID.
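Both halves of this privilege escalation leave footprints a defender can audit: a root-run script that is writable by other users, and a binary such as bash that suddenly carries the setuid bit. The following added example (not from the original post) implements those two checks; the file names, modes and baseline are constructed in a temp dir so nothing under /bin is touched.

```python
import os
import stat
import tempfile


def _regular_file_mode(path):
    """Return st_mode for a regular file, or None for missing files, dirs and symlinks."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return None
    return st.st_mode if stat.S_ISREG(st.st_mode) else None


def find_unexpected_suid(paths, baseline):
    """Paths carrying setuid/setgid that are not in the known-good baseline (e.g. a bash that gained +s)."""
    flagged = []
    for p in paths:
        mode = _regular_file_mode(p)
        if mode is not None and mode & (stat.S_ISUID | stat.S_ISGID) and os.path.realpath(p) not in baseline:
            flagged.append(p)
    return flagged


def find_loosely_writable(paths):
    """Paths writable by group or others; a script root runs from cron must never be one of these."""
    return [p for p in paths if (m := _regular_file_mode(p)) is not None and m & (stat.S_IWGRP | stat.S_IWOTH)]


def demo():
    # Constructed samples in a temp dir: a baseline setuid binary, a bash copy that
    # quietly gained +s, a 'timeclock' script left world-writable, and a normal binary.
    d = tempfile.mkdtemp()
    files = {"sudo": 0o4755, "bash": 0o4755, "timeclock": 0o777, "ls": 0o755}
    for name, mode in files.items():
        path = os.path.join(d, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/bash\n")  # placeholder content, not a real binary
        os.chmod(path, mode)
    paths = [os.path.join(d, n) for n in files]
    baseline = frozenset({os.path.realpath(os.path.join(d, "sudo"))})  # known-good setuid set
    suid = [os.path.basename(p) for p in find_unexpected_suid(paths, baseline)]
    loose = [os.path.basename(p) for p in find_loosely_writable(paths)]
    return {"unexpected_suid": suid, "loosely_writable": loose}
```

On a real host the candidate list would come from `find / -perm /6000 -type f` for the setuid check and from the paths referenced in root's crontab for the writability check, with the baseline taken from a clean install.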

We can set a password to get a root prompt (not really necessary).
