CTF-Writeups/VulnHub/Mercy.md
2021-05-12 19:01:09 +05:00

6.6 KiB

Vulnhub-Mercy

Rustscan


PORT     STATE SERVICE     REASON         VERSION              
53/tcp   open  domain      syn-ack ttl 64 ISC BIND 9.9.5-3ubuntu0.17 (Ubuntu Linux)
| dns-nsid:                  
|_  bind.version: 9.9.5-3ubuntu0.17-Ubuntu                        
110/tcp  open  pop3?       syn-ack ttl 64                
|_ssl-date: TLS randomness does not represent time          
139/tcp  open  netbios-ssn syn-ack ttl 64 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp  open  imap        syn-ack ttl 64 Dovecot imapd                
|_ssl-date: TLS randomness does not represent time                        
445/tcp  open  netbios-ssn syn-ack ttl 64 Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
993/tcp  open  ssl/imaps?  syn-ack ttl 64                             
|_ssl-date: TLS randomness does not represent time
995/tcp  open  ssl/pop3s?  syn-ack ttl 64                                 
|_ssl-date: TLS randomness does not represent time                        
8080/tcp open  http        syn-ack ttl 64 Apache Tomcat/Coyote JSP engine 1.1
| http-methods:                                                           
|   Supported Methods: GET HEAD POST PUT DELETE OPTIONS                   
|_  Potentially risky methods: PUT DELETE
|_http-open-proxy: Proxy might be redirecting requests                    
| http-robots.txt: 1 disallowed entry                                     
|_/tryharder/tryharder                                               
|_http-server-header: Apache-Coyote/1.1                                   
|_http-title: Apache Tomcat                                            
MAC Address: 80:00:0B:3C:4A:7E (Intel Corporate)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4

PORT 139/445 (SMB)

We can check for smb share and see if we have access or not

So we cannot access any share , we can try to use enum4linx to enumerate for users on the machine

PORT 8080 (HTTP Apache Tomcat 7)

From the nmap scan we can see an entry in robots.txt

This looks like a base64 encoded text , so let's decode and see what it says

It's annoying, but we repeat this over and over again: cyber hygiene is extremely important. Please stop setting silly passwords that will get cracked with any decent password list.

Once, we found the password "password", quite literally sticking on a post-it in front of an employee's desk! As silly as it may be, the employee pleaded for mercy when we threatened to fire her.

No fluffy bunnies for those who set insecure passwords and endanger the enterprise.

This message tells us that user's password is set to password so we know there are 4 users and we saw a smb share named qiu which is a username so we can try if this password fits for that user

And it is the password for this user so we can read the share

Going to .private/opensesame folder we can see a config file

This config file is for smb and we can see port knocking configuration in here

So let's do port knocking for http

PORT 80 (HTTP)

We can check robost.txt file

Found nothing here

We found RIPS and we have a version 0.53 so we look for exploits on exploit-db

There's a LFI exploit in two files code.php and function.php , we can look at the source code for these two files since there's a repo on github

https://github.com/bizonix/rips-scanner

We confirmed that LFI exists now let's take a step back , we know there's apache tomcat so we could look tomcat-users.xml file which includes a username and password to login into /manager but we need to the installation path , so I did a little goolge search

http://192.168.1.9/nomercy/windows/code.php?file=../../../../../../var/lib/tomcat7/conf/tomcat-users.xml

We can login to /manager with user thisisasuperduperlonguser:heartbreakisinevitable since he as admin role

Here we can upload a WAR reverse shell payload so let's generate a WAR payload

And we got a shell so let's just stabilize it

We had already found the password for fluffy so let's switch the user

There's a timeclock file

By reading it's content we can see it just stores time in a file

But we can see it belongs to root user so we can check if it's running as a schedule task

But we cannot see this file to be running as a system-wide cronjob so this would be running as root user cron job to verify it we can use pspy which is a unprivileged process monitor , since 64 bit version of pspy wasn't I uploaded 32 bit version and ran it

We can see that this script runs as root so we could either include a reverse shell in there or make bash as SUID (which is a easy way) so let's modify the bash script

chmod +s /bin/bash will make bash a SUID means it will be executed as root if we supply -p parameter when executing it

After waiting for some time we can check if it's been made a SUID or not so to verify it run ls -la on bash

And it looks like it's now a SUID

We can add a password to get a root prompt (not really necessary to do this)