# Vulnhub-Mercy ## Rustscan ```bash PORT STATE SERVICE REASON VERSION 53/tcp open domain syn-ack ttl 64 ISC BIND 9.9.5-3ubuntu0.17 (Ubuntu Linux) | dns-nsid: |_ bind.version: 9.9.5-3ubuntu0.17-Ubuntu 110/tcp open pop3? syn-ack ttl 64 |_ssl-date: TLS randomness does not represent time 139/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 143/tcp open imap syn-ack ttl 64 Dovecot imapd |_ssl-date: TLS randomness does not represent time 445/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP) 993/tcp open ssl/imaps? syn-ack ttl 64 |_ssl-date: TLS randomness does not represent time 995/tcp open ssl/pop3s? syn-ack ttl 64 |_ssl-date: TLS randomness does not represent time 8080/tcp open http syn-ack ttl 64 Apache Tomcat/Coyote JSP engine 1.1 | http-methods: | Supported Methods: GET HEAD POST PUT DELETE OPTIONS |_ Potentially risky methods: PUT DELETE |_http-open-proxy: Proxy might be redirecting requests | http-robots.txt: 1 disallowed entry |_/tryharder/tryharder |_http-server-header: Apache-Coyote/1.1 |_http-title: Apache Tomcat MAC Address: 80:00:0B:3C:4A:7E (Intel Corporate) Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose Running: Linux 3.X|4.X OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 ``` ## PORT 139/445 (SMB) We can check for smb share and see if we have access or not So we cannot access any share , we can try to use `enum4linx` to enumerate for users on the machine ## PORT 8080 (HTTP Apache Tomcat 7) From the nmap scan we can see an entry in `robots.txt` This looks like a base64 encoded text , so let's decode and see what it says ``` It's annoying, but we repeat this over and over again: cyber hygiene is extremely important. Please stop setting silly passwords that will get cracked with any decent password list. Once, we found the password "password", quite literally sticking on a post-it in front of an employee's desk! As silly as it may be, the employee pleaded for mercy when we threatened to fire her. No fluffy bunnies for those who set insecure passwords and endanger the enterprise. ``` This message tells us that user's password is set to `password` so we know there are 4 users and we saw a smb share named `qiu` which is a username so we can try if this password fits for that user And it is the password for this user so we can read the share Going to `.private/opensesame` folder we can see a config file This config file is for smb and we can see port knocking configuration in here So let's do port knocking for http ## PORT 80 (HTTP) We can check `robost.txt` file Found nothing here We found RIPS and we have a version 0.53 so we look for exploits on `exploit-db` There's a LFI exploit in two files `code.php` and `function.php` , we can look at the source code for these two files since there's a repo on github https://github.com/bizonix/rips-scanner We confirmed that LFI exists now let's take a step back , we know there's apache tomcat so we could look `tomcat-users.xml` file which includes a username and password to login into `/manager` but we need to the installation path , so I did a little goolge search ``` http://192.168.1.9/nomercy/windows/code.php?file=../../../../../../var/lib/tomcat7/conf/tomcat-users.xml ``` We can login to `/manager` with user `thisisasuperduperlonguser:heartbreakisinevitable` since he as admin role Here we can upload a WAR reverse shell payload so let's generate a WAR payload And we got a shell so let's just stabilize it We had already found the password for fluffy so let's switch the user There's a timeclock file By reading it's content we can see it just stores time in a file But we can see it belongs to `root` user so we can check if it's running as a schedule task But we cannot see this file to be running as a `system-wide` cronjob so this would be running as root user cron job to verify it we can use `pspy` which is a unprivileged process monitor , since 64 bit version of pspy wasn't I uploaded 32 bit version and ran it We can see that this script runs as root so we could either include a reverse shell in there or make bash as SUID (which is a easy way) so let's modify the bash script `chmod +s /bin/bash` will make bash a SUID means it will be executed as root if we supply `-p` parameter when executing it After waiting for some time we can check if it's been made a SUID or not so to verify it run `ls -la` on bash And it looks like it's now a SUID We can add a password to get a `root` prompt (not really necessary to do this)