search

[VulnHub] digitalworld.local MERCY

VulnHub Linkarrow-up-right

hashtag
Port Scanning

We start with a simple port scan and we discover a bunch of open ports:

PORT     STATE SERVICE     VERSION
53/tcp   open  domain      ISC BIND 9.9.5-3ubuntu0.17 (Ubuntu Linux)
110/tcp  open  pop3        Dovecot pop3d
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp  open  imap        Dovecot imapd (Ubuntu)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
993/tcp  open  ssl/imap    Dovecot imapd (Ubuntu)
995/tcp  open  ssl/pop3    Dovecot pop3d
8080/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
| http-robots.txt: 1 disallowed entry 
|_/tryharder/tryharder
|_http-title: Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
| http-methods: 
|_  Potentially risky methods: PUT DELETE
Service Info: Host: MERCY; OS: Linux; CPE: cpe:/o:linux:linux_kernel

After enumerating http and dns we found nothing but we can still try finding useful info in smb. After a bit enumerating we found four users:

There was an http page which was telling us about a story of a weak password so we can try connect to smb with the password as same as the user: smbclient \\\\digitalworld.local\\qiu -U qiu We foud a entrance! After a bit enumerating we found that port knocking is activated.

Now we can use knockd for open the ports:

As we can see we opened the ports!

As soon as we open the http server on port 80 we discovery that there is nothing useful, after we tried /robots.txt we saw that 2 entries are disallowed:

One of the disallowed entries (/nomercy) is a "Rips 0.53" service where we found that there is a LFI vulnerability (https://www.exploit-db.com/papers/12886). After a bit of enumeration on the system i tried: http://digitalworld.local/nomercy/windows/code.php?file=../../../../../../etc/tomcat7/tomcat-users.xml because on the first page in the server on the port 8080 there was a string that i remembered: NOTE: For security reasons, using the manager webapp is restricted to users with role "manager-gui". The host-manager webapp is restricted to users with role "admin-gui". Users are defined in /etc/tomcat7/tomcat-users.xml.

Now we have 2 another users and passwords! thisisasuperduperlonguser:heartbreakisinevitable fluffy:freakishfluffybunny

With this combination we can access http://digitalworld.local:8080/manager/html and upload a malicious .war file, we now have a shell!

hashtag
Privesc

As soon as we enter we privesc on fluffy with the found credentials. In the "/home/fluffy/.private/secrets/" we have a "timeclock" shell file, maybe is a hidden cronjob. We can try because we can write into it:

As we said, we now have a root shell! uid=0(root) gid=0(root) groups=0(root)

hashtag
That's was a really cool box and thanks for the reading.

hashtag
Hope to see you soon!

Pedio Zaki

Previous[VulnHub] digitalworld.local DEVELOPMENT

Last updated