DIGITALWORLD.LOCAL: MERCY V2
MERCY is a machine dedicated to Offensive Security for the PWK course.
MERCY is a name-play on some aspects of the PWK course. It is NOT a hint for the box.
Enumeration
More Enumeration
- 53
- 139/445
S-1-22-1-1000 Unix User\pleadformercy (Local User)
S-1-22-1-1001 Unix User\qiu (Local User)
S-1-22-1-1002 Unix User\thisisasuperduperlonguser (Local User)
S-1-22-1-1003 Unix User\fluffy (Local User)
Users: pleadformercy, qiu, thisisasuperduperlonguser, fluffy
- 110/143 require a password
- 8080 HTTP
It gives a hint about weak passwords.
Password Cracking
- Tried brute-forcing the /manage/html → No luck
- Tried brute-forcing SMB → Found some credentials:
thisisasuperduperlonguser:123456
But could not access the share.
- So, tried brute-forcing creds for the share and found the credential:
qiu:password
Let’s log in:
Exploring the New ports
Let’s go to /etc/tomcat7/tomcat-users.xml:
thisisasuperduperlonguser:heartbreakisinevitable
Ref: https://www.hackingarticles.in/multiple-ways-to-exploit-tomcat-manager
Get into fluffy:
Privilege Escalation
timeclock:
chmod +s /bin/bash