DIGITALWORLD.LOCAL: MERCY V2

MERCY is a machine dedicated to Offensive Security for the PWK course.

MERCY is a name-play on some aspects of the PWK course. It is NOT a hint for the box.


Enumeration

More enumeration:

  • 53: nothing critical
  • 139/445:

S-1-22-1-1000 Unix User\pleadformercy (Local User)
S-1-22-1-1001 Unix User\qiu (Local User)
S-1-22-1-1002 Unix User\thisisasuperduperlonguser (Local User)
S-1-22-1-1003 Unix User\fluffy (Local User)

Users: pleadformercy, qiu, thisisasuperduperlonguser, fluffy

  • 110/143: require a password
  • 8080: HTTP
Looking into robots.txt:

It gives a hint about a weak password.


Password Cracking

  1. Tried brute-forcing /manage/html → no luck.
  2. Tried brute-forcing SMB → found some credentials:

thisisasuperduperlonguser:123456

but could not access the share.

  3. So, tried brute-forcing creds for the share and found the credential:

qiu:password

Let’s log in:

files inside the share
knockd
new ports opened after knocking

Exploring the New ports

We have an LFI for RIPS 0.53.

Let’s go to /etc/tomcat7/tomcat-users.xml:

thisisasuperduperlonguser:heartbreakisinevitable

Ref: https://www.hackingarticles.in/multiple-ways-to-exploit-tomcat-manager

Get into fluffy:


Privilege Escalation

timeclock:

chmod +s /bin/bash
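
The step above ends with the setuid bit set on /bin/bash. The following is an added example, not part of the original write-up: a defender-side audit that reports that end state and flags job scripts that non-owners can modify. The function names are hypothetical, and the writable-script check rests on the assumption that timeclock was editable by an unprivileged user.

```shell
#!/bin/sh
# Added example: audit for setuid/setgid shells and modifiable job scripts.
# Function names are hypothetical; paths to audit are supplied by the operator.

# Print "SUID <path>" / "SGID <path>" for each regular file carrying those bits.
check_setid() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        if [ -u "$f" ]; then printf 'SUID %s\n' "$f"; fi
        if [ -g "$f" ]; then printf 'SGID %s\n' "$f"; fi
    done
}

# Print "WRITABLE <path>" for each regular file that group or others can modify.
check_writable() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        if [ -n "$(find "$f" -prune \( -perm -020 -o -perm -002 \))" ]; then
            printf 'WRITABLE %s\n' "$f"
        fi
    done
}

# Audit the login shells on this host plus any scripts passed as arguments
# (for example, scripts executed by root-owned scheduled jobs).
audit() {
    shells=$(grep -s '^/' /etc/shells || true)
    # $shells is intentionally unquoted: one path per word.
    check_setid /bin/sh /bin/bash /bin/dash $shells | sort -u
    check_writable "$@"
}

# Any output line is a finding; a clean host prints nothing.
audit "$@"
```

Pass the scripts run by privileged jobs as arguments; a shell interpreter should never appear in the SUID/SGID output.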