From c3e51406e82fbe8357389c23748f4cea1384bc2b Mon Sep 17 00:00:00 2001
From: ARZ <60057481+AbdullahRizwan101@users.noreply.github.com>
Date: Wed, 12 May 2021 19:01:09 +0500
Subject: [PATCH] Add files via upload
---
VulnHub/Mercy.md | 183 +++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 183 insertions(+)
create mode 100644 VulnHub/Mercy.md
diff --git a/VulnHub/Mercy.md b/VulnHub/Mercy.md
new file mode 100644
index 0000000..baad792
--- /dev/null
+++ b/VulnHub/Mercy.md
@@ -0,0 +1,183 @@
+# Vulnhub-Mercy
+
+## Rustscan
+
+```bash
+
+PORT STATE SERVICE REASON VERSION
+53/tcp open domain syn-ack ttl 64 ISC BIND 9.9.5-3ubuntu0.17 (Ubuntu Linux)
+| dns-nsid:
+|_ bind.version: 9.9.5-3ubuntu0.17-Ubuntu
+110/tcp open pop3? syn-ack ttl 64
+|_ssl-date: TLS randomness does not represent time
+139/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
+143/tcp open imap syn-ack ttl 64 Dovecot imapd
+|_ssl-date: TLS randomness does not represent time
+445/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
+993/tcp open ssl/imaps? syn-ack ttl 64
+|_ssl-date: TLS randomness does not represent time
+995/tcp open ssl/pop3s? syn-ack ttl 64
+|_ssl-date: TLS randomness does not represent time
+8080/tcp open http syn-ack ttl 64 Apache Tomcat/Coyote JSP engine 1.1
+| http-methods:
+| Supported Methods: GET HEAD POST PUT DELETE OPTIONS
+|_ Potentially risky methods: PUT DELETE
+|_http-open-proxy: Proxy might be redirecting requests
+| http-robots.txt: 1 disallowed entry
+|_/tryharder/tryharder
+|_http-server-header: Apache-Coyote/1.1
+|_http-title: Apache Tomcat
+MAC Address: 80:00:0B:3C:4A:7E (Intel Corporate)
+Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
+Device type: general purpose
+Running: Linux 3.X|4.X
+OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
+```
+
+
+## PORT 139/445 (SMB)
+
+We can check for smb share and see if we have access or not
+
+
+
+So we cannot access any share , we can try to use `enum4linx` to enumerate for users on the machine
+
+
+
+
+
+## PORT 8080 (HTTP Apache Tomcat 7)
+
+
+
+From the nmap scan we can see an entry in `robots.txt`
+
+
+
+
+
+This looks like a base64 encoded text , so let's decode and see what it says
+
+
+
+```
+It's annoying, but we repeat this over and over again: cyber hygiene is extremely important. Please stop setting silly passwords that will get cracked with any decent password list.
+
+Once, we found the password "password", quite literally sticking on a post-it in front of an employee's desk! As silly as it may be, the employee pleaded for mercy when we threatened to fire her.
+
+No fluffy bunnies for those who set insecure passwords and endanger the enterprise.
+```
+
+This message tells us that user's password is set to `password` so we know there are 4 users and we saw a smb share named `qiu` which is a username so we can try if this password fits for that user
+
+
+
+And it is the password for this user so we can read the share
+
+
+
+
+Going to `.private/opensesame` folder we can see a config file
+
+
+
+This config file is for smb and we can see port knocking configuration in here
+
+
+
+So let's do port knocking for http
+
+
+
+
+
+## PORT 80 (HTTP)
+
+
+
+We can check `robost.txt` file
+
+
+
+Found nothing here
+
+
+
+We found RIPS and we have a version 0.53 so we look for exploits on `exploit-db`
+
+
+
+There's a LFI exploit in two files `code.php` and `function.php` , we can look at the source code for these two files since there's a repo on github
+
+https://github.com/bizonix/rips-scanner
+
+
+
+
+We confirmed that LFI exists now let's take a step back , we know there's apache tomcat so we could look `tomcat-users.xml` file which includes a username and password to login into `/manager` but we need to the installation path , so I did a little goolge search
+
+
+
+
+```
+http://192.168.1.9/nomercy/windows/code.php?file=../../../../../../var/lib/tomcat7/conf/tomcat-users.xml
+```
+
+
+
+We can login to `/manager` with user `thisisasuperduperlonguser:heartbreakisinevitable` since he as admin role
+
+
+
+
+
+Here we can upload a WAR reverse shell payload so let's generate a WAR payload
+
+
+
+
+
+And we got a shell so let's just stabilize it
+
+
+
+We had already found the password for fluffy so let's switch the user
+
+
+
+There's a timeclock file
+
+
+
+By reading it's content we can see it just stores time in a file
+
+
+
+But we can see it belongs to `root` user so we can check if it's running as a schedule task
+
+
+
+But we cannot see this file to be running as a `system-wide` cronjob so this would be running as root user cron job to verify it we can use `pspy` which is a unprivileged process monitor , since 64 bit version of pspy wasn't I uploaded 32 bit version and ran it
+
+
+
+
+
+We can see that this script runs as root so we could either include a reverse shell in there or make bash as SUID (which is a easy way) so let's modify the bash script
+
+
+
+`chmod +s /bin/bash` will make bash a SUID means it will be executed as root if we supply `-p` parameter when executing it
+
+After waiting for some time we can check if it's been made a SUID or not so to verify it run `ls -la` on bash
+
+
+
+And it looks like it's now a SUID
+
+
+
+We can add a password to get a `root` prompt (not really necessary to do this)
+
+
\ No newline at end of file
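Review bot: every evidence step in this hunk is followed only by blank lines, so the screenshots the text relies on were never added to the commit (for example "We can check for smb share and see if we have access or not" and "And it is the password for this user so we can read the share" have no command, output or image under them); either commit the images under VulnHub/ and reference them, or paste the command and trimmed output inline so the walkthrough stands on its own. Smaller points in the same file: the first fence is tagged ```bash but holds scan output rather than a script; "enum4linx", "robost.txt", "goolge" and "since he as admin role" are typos; "since 64 bit version of pspy wasn't I uploaded 32 bit version" is missing a word; and the file has no trailing newline.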