MERCY is a machine dedicated to Offensive Security for the PWK course, and to a great friend of mine who was there to share my sufferance with me. :-)
MERCY is a name-play on some aspects of the PWK course. It is NOT a hint for the box.
Note: Some report a kernel privilege escalation works on this machine. If it does, try harder! There is another vector that you should try!
So; SSH (filtered), DNS, HTTP (filtered), mail with SSL, SMB and another HTTP port. Whew!
8080
Port 8080 is running Apache Tomcat 7, but it’s just the front page - we have no creds. There is a robots.txt pointing to:
http://192.168.1.169:8080/tryharder/tryharder
Here we find some base64 encoded text that decodes to a message warning about weak passwords, and specifically mentioning “password”.
We’ll come back to Tomcat later.
SMB
I didn’t do this whole thing without hints. Maybe 50% of it. I’ve been taking the attitude if I’m not getting anywhere after some time then get a hint; hopefully it will produce some learning rather than making me lazy. I’m not doing this for imaginary internet points.
Anyway; SMB. I could see the shares with smbclient and smbmap:
But I couldn’t log in without any creds. While I had used it before, I didn’t think to try enum4linux. But that’s what we need to do:
I tried running my users against POP, SMB and the HTTP basic authentication on Tomcat with Hydra, but wasn't getting anywhere. I checked a hint: the SMB password for user qiu was literally "password", which should have been cracked almost immediately. And in fact this does work with other wordlists:
I have no idea why it didn’t work with rockyou.
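Before blaming the wordlist, the check I would run is whether the word is actually matchable as the tool reads it. This is an added example, not from the write-up: it scans raw wordlist bytes for the pitfalls that make a plain word fail to match (CRLF endings, a UTF-8 BOM, stray whitespace, undecodable lines). The sample bytes are constructed.

```python
"""Diagnose why a candidate word might be missed in a wordlist."""
import codecs


def diagnose_wordlist(data: bytes, candidate: str) -> dict:
    """Return a report for `candidate` against raw wordlist bytes.

    exact_line    - 1-based line whose raw text equals the candidate
    stripped_line - 1-based line that matches only after strip()
    """
    report = {
        "has_bom": data.startswith(codecs.BOM_UTF8),
        "crlf_lines": 0,
        "undecodable_lines": 0,
        "exact_line": None,
        "stripped_line": None,
    }
    if report["has_bom"]:
        data = data[len(codecs.BOM_UTF8):]
    for lineno, raw in enumerate(data.split(b"\n"), start=1):
        if raw.endswith(b"\r"):
            report["crlf_lines"] += 1  # CRLF file: "password\r" != "password"
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            report["undecodable_lines"] += 1  # rockyou-style files have these
            continue
        if report["exact_line"] is None and text == candidate:
            report["exact_line"] = lineno
        if report["stripped_line"] is None and text.strip() == candidate:
            report["stripped_line"] = lineno
    return report


if __name__ == "__main__":
    # Constructed sample: a CRLF wordlist, the classic way to miss a hit.
    sample = b"123456\r\npassword\r\nletmein\r\n"
    print(diagnose_wordlist(sample, "password"))
```

If `exact_line` is None but `stripped_line` is set, the word is there but every line carries a trailing `\r`; normalising line endings fixes that. A non-zero `undecodable_lines` count is worth knowing too, because some tools stop or skip on bad bytes.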
Anyway; we find a config file, partially reproduced here:
So we have port knocking enabled, and now we know the sequence.
Knock knock
I didn’t have knock installed on this box, so I installed it, ran it and then ran nmap again to see if we had an open HTTP port - success!
HTTP
On the website we can find robots.txt, which shows us /mercy and /nomercy. At /nomercy we find an install of RIPS 0.53, which searchsploit tells us has multiple local file inclusions.
It didn’t take me long to figure out this was the way to find out Tomcat credentials: