MERCY
- Layout for this exercise:

1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine MERCY.
- MERCY can be found here:
https://www.vulnhub.com/entry/digitalworldlocal-mercy,263/
- Once downloaded and imported into VirtualBox:

2 - ENUMERATION
- Discovering MERCY's IP:


- Scanning with Nmap:

- Looking more closely at port 8080 (HTTP), it appears that Apache Tomcat/Coyote JSP engine 1.1 is running:

- Dirbusting the web server at port 8080:

- So we have some interesting paths to explore: robots.txt, /tryharder/tryharder and /manager.
- Connecting with the browser:

- Reading robots.txt:

- Checking folder /tryharder/tryharder we find a string encoded with Base64:

- Decoding:

- From the message we can note that there may be a user whose password is "password".
- Going to /manager:

- Also, port 445 is open, so why not enumerate the Samba server with enum4linux?



- So there are 4 Local Users: pleadformercy, qiu, thisisasuperduperlonguser, fluffy.
- Launching Hydra against the Samba server with the usernames text file and the rockyou.txt wordlist:


- Connecting to the Samba server with the credentials qiu:password (recalling the Base64-decoded string):

- Listing contents:

- Getting .bash_history:

- Going to the .private folder:

- Getting readme.txt:

- Going to secrets, there is nothing inside:

- Going to the opensesame folder and getting configprint and config:

- Reading .bash_history:

- Reading readme.txt:

- Reading configprint, there are a lot of references to config:

- Reading config, we find information about the filtered services: HTTP on port 80 and SSH on port 22:

- Indeed, both ports 22 and 80 are filtered:

- Because several port sequences are quoted, we can infer that the knock command must be used to open the filtered services, for instance HTTP on port 80:

- The same for SSH on port 22:

- Now the browser can connect:

- Dirbusting port 80:

- Reading robots.txt, we discover two additional folders: /mercy and /nomercy:

- Going to /mercy:


- Going to /nomercy, we find the RIPS 0.53 application running:

3 - EXPLOITATION
- Searching for RIPS exploits, we find a "Multiple LFI" exploit:


- Reading 18660.txt:

- Applying the LFI to /etc/passwd:

- However, it doesn't work with /etc/shadow:

- Remembering the existence of a tomcat-users.xml file:

- Extracting tomcat-users.xml:

- The last lines give invaluable information: two users and their corresponding credentials:

4 - GETTING A SHELL WITH METASPLOIT
- Launching Metasploit:

- Using this exploit for Tomcat:

- Setting options and running the exploit we get a Meterpreter session:

- Spawning and improving a shell:

5 - PRIVILEGE ESCALATION
- Using credentials fluffy:freakishfluffybunny:

- Unfortunately, fluffy is not a sudoer:

- Improving the shell for fluffy:

- Walking through the home folders and files until we find something useful:




- Finally, timeclock seems interesting, because it is a root-owned script:

- Creating a payload with Msfvenom:

- Setting a Netcat listener:

- Appending the payload to timeclock:


- After a few minutes, we get a root shell:



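- A defender-side check for the misconfiguration abused at this step (a root-owned script that root runs on a schedule but that a low-privilege user can append to), added here as an example; it is not part of the original write-up. It assumes the scripts live in the standard cron directories or are passed on the command line, since the page does not say where timeclock sits or how root runs it.

```python
import os
import stat
import sys

# Directories whose files root executes periodically on a typical Linux host.
DEFAULT_DIRS = ("/etc/cron.d", "/etc/cron.hourly", "/etc/cron.daily", "/etc/cron.weekly")


def script_issues(mode, uid, gid):
    """Explain why a script that root executes is unsafe, from its st_mode / st_uid /
    st_gid (as returned by os.lstat). Returns a list of findings; an empty list means
    no non-root account can change what root will run."""
    if stat.S_ISLNK(mode):
        # A symlink is only as safe as the directory holding it; flag for manual review.
        return ["symlink: whoever can write the link's directory can repoint it"]
    issues = []
    if uid != 0:
        issues.append(f"owned by uid {uid}, not root: that account can rewrite the script")
    if mode & stat.S_IWGRP:
        issues.append(f"group-writable by gid {gid}: any group member can append commands")
    if mode & stat.S_IWOTH:
        issues.append("world-writable: any local account can append commands")
    return issues


def audit(paths=DEFAULT_DIRS):
    """Check each path (a script, or a directory whose files root runs on a schedule)
    and return {path: [findings]} for everything a non-root user could modify."""
    findings = {}
    for p in paths:
        candidates = [p]
        if os.path.isdir(p) and not os.path.islink(p):
            candidates = [os.path.join(r, f) for r, _, fs in os.walk(p) for f in fs]
        for path in candidates:
            try:
                st = os.lstat(path)
            except FileNotFoundError:
                continue  # a missing cron directory is not a finding
            issues = script_issues(st.st_mode, st.st_uid, st.st_gid)
            if issues:
                findings[path] = issues
    return findings


if __name__ == "__main__":
    # Extra paths (e.g. the full path of the timeclock script) can be given as arguments.
    for path, issues in audit(tuple(sys.argv[1:]) or DEFAULT_DIRS).items():
        print(path)
        for issue in issues:
            print("  -", issue)
```

Run it as root so every cron directory is readable; a script reported as group- or world-writable should be changed to mode 0755 (or stricter) and owned by root.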
6 - CAPTURING THE FLAG
- Reading proof.txt:
