
Thursday, January 6, 2022

Mercy v2


- Layout for this exercise:


- The goal of this exercise is to develop a hacking process for the vulnerable machine Mercy v2, from the VulnHub pentesting platform.

Mercy v2 can be downloaded from here:,263/

- Once Mercy v2 is downloaded and extracted with VirtualBox:


- netdiscover helps to identify Mercy v2's IP:

- Scanning with Nmap:

- Scanning port 8080 more deeply, we notice the existence of robots.txt and /tryharder/tryharder:

- Going to robots.txt:

- Going to /tryharder/tryharder we find a Base64 encoded text:

- Decoding from Base64:

- Let's enumerate the SMB server running at port 445:

- So we have found 4 users.

- Remembering the text decoded with Base64:

- Trying the credentials qiu:password against the SMB server is successful:

- Examining content:

- After downloading the content and not finding anything of great interest, we go to the folder .private and download its content:

- Reading the 3 files:

- So we find references to the Port Knocking Daemon configuration and the sequences of numbers that open both port 80 and port 22:

- Using the command knock to open the HTTP and SSH services:

- Now port 80 is working normally:
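To make sense of the knockd configuration found in .private, here is an added example (not part of the original walkthrough) that parses a knockd-style config and reproduces the daemon's sequence matching: per source IP, a SYN to the expected next port advances the attempt, any other port resets it, and an attempt that stalls longer than seq_timeout is discarded. The config fragment, the ports 1000-6000 and the IP 10.0.0.5 are constructed placeholders, not the machine's real sequences, which only appear in the screenshots.

```python
import re
from dataclasses import dataclass, field

# Constructed knockd.conf-style fragment with placeholder ports (not the
# sequences from Mercy v2's .private files).
SAMPLE_KNOCKD_CONF = """
[options]
    logfile = /var/log/knockd.log

[openHTTP]
    sequence    = 1000,2000,3000
    seq_timeout = 5
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 80 -j ACCEPT
    tcpflags    = syn

[openSSH]
    sequence    = 4000,5000,6000
    seq_timeout = 5
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn
"""


def parse_knockd_conf(text):
    """Return {section: {key: value}} for a knockd-style INI file."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        key, sep, value = line.partition("=")
        if current is not None and sep:
            sections[current][key.strip()] = value.strip()
    return sections


def knock_sequences(conf):
    """Map each rule name to its ordered list of ports, skipping [options]."""
    out = {}
    for name, entries in conf.items():
        if name == "options" or "sequence" not in entries:
            continue
        out[name] = [int(p) for p in entries["sequence"].split(",")]
    return out


@dataclass
class KnockTracker:
    """Per-source-IP progress through each sequence, the way knockd tracks it."""
    sequences: dict
    seq_timeout: float = 5.0
    progress: dict = field(default_factory=dict)  # (ip, rule) -> (next index, last ts)

    def observe(self, ip, port, ts):
        """Feed one SYN (ip, port, timestamp); return the rule name if a sequence completes."""
        opened = None
        for rule, seq in self.sequences.items():
            idx, last = self.progress.get((ip, rule), (0, ts))
            if idx > 0 and ts - last > self.seq_timeout:
                idx = 0  # stale attempt: the daemon forgets it
            if port == seq[idx]:
                idx += 1
            else:
                idx = 1 if port == seq[0] else 0  # wrong port resets the attempt
            if idx == len(seq):
                opened = rule
                idx = 0
            self.progress[(ip, rule)] = (idx, ts)
        return opened


def simulate(sequences, events, seq_timeout=5.0):
    """Replay (ip, port, ts) events and return the rules that were opened, in order."""
    tracker = KnockTracker(sequences, seq_timeout)
    return [r for r in (tracker.observe(*e) for e in events) if r]


if __name__ == "__main__":
    seqs = knock_sequences(parse_knockd_conf(SAMPLE_KNOCKD_CONF))
    knocks = [("10.0.0.5", 1000, 0.0), ("10.0.0.5", 2000, 1.0), ("10.0.0.5", 3000, 2.0)]
    print(simulate(seqs, knocks))
```

The simulation also shows why a knock sequence is only an obscurity layer rather than authentication: anyone who can read the configuration, as happened here through the SMB share, can replay it, so the files that hold the sequences need the same protection as a password.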

- From Nmap we learn that there is robots.txt and two available directories: /mercy and /nomercy:

- Browsing /mercy:

- Browsing /nomercy we find RIPS, a popular static code analysis tool that automatically detects vulnerabilities in PHP applications:


- Looking for exploits related to RIPS, we find that it is vulnerable to Multiple Local File Inclusions:

- Taking advantage of the vulnerability to read /etc/passwd:

- From enumeration we know that there is a Tomcat server running:

- So let's try to access Tomcat's tomcat-users.xml, where we can find interesting credentials:
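The reason tomcat-users.xml is such a valuable read is that it pairs credentials with the roles that unlock the manager application. As an added example (not part of the original walkthrough), the following audit parses a tomcat-users.xml and reports every account holding a manager or admin role together with a password stored in the clear, which is what an administrator should be checking before a local file read turns into a deployment. The XML document, usernames and passwords below are constructed placeholders, not the contents of the file on Mercy v2.

```python
import xml.etree.ElementTree as ET

# Constructed tomcat-users.xml with placeholder accounts.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="tomcat"/>
  <user username="deployer" password="PLACEHOLDER_PASS" roles="manager-gui,manager-script"/>
  <user username="guest" password="PLACEHOLDER_GUEST" roles="tomcat"/>
  <user username="ops" password="" roles="manager-status"/>
</tomcat-users>
"""

# Roles that grant control over deployed applications or the server itself.
PRIVILEGED_ROLES = {
    "manager-gui", "manager-script", "manager-jmx", "manager-status",
    "admin-gui", "admin-script",
}


def _local(tag):
    """Strip the XML namespace so both namespaced and bare files parse alike."""
    return tag.split("}")[-1]


def parse_tomcat_users(xml_text):
    """Return a list of {username, password, roles} dicts from tomcat-users.xml."""
    users = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "user":
            continue
        roles = {r.strip() for r in (el.get("roles") or "").split(",") if r.strip()}
        users.append({
            # Tomcat accepts both 'username' and the older 'name' attribute.
            "username": el.get("username") or el.get("name"),
            "password": el.get("password") or "",
            "roles": roles,
        })
    return users


def audit_tomcat_users(xml_text):
    """Flag accounts that combine a privileged role with a readable, non-empty password."""
    findings = []
    for u in parse_tomcat_users(xml_text):
        privileged = sorted(u["roles"] & PRIVILEGED_ROLES)
        if privileged and u["password"]:
            findings.append({"username": u["username"], "roles": privileged})
    return findings


if __name__ == "__main__":
    for f in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{f['username']}: privileged roles {f['roles']} with a stored password")
```

Accounts such as "ops" above, which have a privileged role but no password, are a misconfiguration of a different kind and are left to a separate check; the finding that matters for this walkthrough is the deployer-style account, whose manager-script role is exactly what Metasploit's Tomcat modules rely on once the password is known.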

- Metasploit helps to get a shell using these Tomcat credentials:

- Improving the shell:

- Trying to switch to the first user is unsuccessful:

- However we can switch to user fluffy:


- Looking into the folder .private there are some interesting files:

- Reading .secrets:

- File timeclock is owned by root, and it seems to be a script that reads the time hosted at the web page /time:

- So one idea to get a remote root shell could be to add a bash command to timeclock:

- Now, setting up a Netcat listener on port 3333:

- After timeclock is run, we have a remote root shell:
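What makes timeclock exploitable is the combination of two properties: root runs it, and a lower-privileged user can change its contents. The following added example (not part of the original walkthrough) is the audit an administrator would run to find such files: it walks a directory and reports regular files owned by root whose group or world write bit is set. The demo builds a throwaway directory with one correctly permissioned script and one mode-0777 file named timeclock; the files, their contents and the use of the current uid in place of root are constructed so the check runs unprivileged.

```python
import os
import stat
import tempfile
from pathlib import Path


def writable_by_others(path):
    """True if the group or world write bit is set on the file itself."""
    mode = os.lstat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_root_scripts(directory, root_uid=0):
    """Return sorted paths of regular files under directory that are owned by
    root_uid yet writable by group or others. A scheduled task run by root that
    executes such a file inherits whatever a lower-privileged editor put in it."""
    findings = []
    for p in Path(directory).rglob("*"):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.stat()
        if st.st_uid == root_uid and writable_by_others(p):
            findings.append(str(p))
    return sorted(findings)


def build_demo_tree():
    """Create a constructed directory: one safe script and one misconfigured one.
    Returns (directory, path of the misconfigured file)."""
    d = tempfile.mkdtemp(prefix="timeclock-audit-")
    safe = Path(d, "safe.sh")
    safe.write_text("#!/bin/sh\ndate\n")
    safe.chmod(0o755)  # owner-writable only: fine even if root runs it
    bad = Path(d, "timeclock")
    bad.write_text("#!/bin/sh\n# constructed stand-in for the script that fetches /time\n")
    bad.chmod(0o777)  # anyone can edit what root will execute
    return d, str(bad)


def demo():
    """Run the audit over the constructed tree, treating the current uid as root
    because the files are owned by whoever runs this script."""
    d, bad = build_demo_tree()
    return audit_root_scripts(d, root_uid=os.getuid()), bad


if __name__ == "__main__":
    findings, _ = demo()
    print("root-owned files writable by others:", findings)
```

A complete review would also check that the parent directory is not writable by others (a file can be replaced rather than edited) and that the script does not call anything on a writable PATH; this block stops at the file's own mode bits, which is the defect the walkthrough exploits.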


- Reading proof.txt: