Misdirection

 

MISDIRECTION

- Layout for this exercise:

1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Misdirection, from the VulnHub pentesting platform.

- Misdirection can be downloaded from here:

https://www.vulnhub.com/entry/misdirection-1,371/

- Once downloaded Misdirection and extracted with VmWare:

2 - ENUMERATION

- netdiscover helps to identify Misdirection's IP 192.168.1.28:

- Scanning with Nmap:

- Browsing ports 80 and 8080:

- Dirbusting  web server at port 8080:

- After browsing some webpages we find a management shell at webpage /debug:

3 - EXPLOITATION

- Setting a Netcat listener at port 5555:

- Sending a reverse shell command from Misdirection to Kali:

- Finally a remote shell is triggered:

- Improving the shell:

- Going to folder /home we discover the user brexit:

4 - CAPTURING 1st FLAG

- Trying to read user.txt the access is denied:

- Checking www-data's sudoer privileges we discover he can run /bin/bash as user brexit:

- Switching to user brexit:

- Now we can read user.txt:

5 - PRIVILEGE ESCALATION

- Finding that file /etc/passwd is writable:

- Creating an encrypted password for a new user:

- Adding this new line to /etc/passwd:

- Now switching to newuser we have a root shell:

6 - CAPTURING THE 2nd FLAG

- Reading root.txt:

Mercy v2

MERCY v2 

- Layout for this exercise:

1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Mercy v2, from the VulnHub pentesting platform.

- Mercy v2 can be downloaded from here:

https://www.vulnhub.com/entry/digitalworldlocal-mercy-v2,263/

- Once downloaded Mercy v2 and extracted with VirtualBox:

2 - ENUMERATION

- netdiscover helps to identify Mervy v2's IP 192.168.1.25:

- Scanning with Nmap:

- Scanning deeper port 8080 we notice the existence of robots.txt and /tryharder/tryharder:

- Going to robots.txt:

- Going to /tryharder/tryharder we find a Base64 encoded text:

- Decoding from Base64:

- Let's enumerate the SMB server running at port 445:

- So we have found 4 users.

- Remembering the text decoded with Base64:

- Trying credentials qiu:password to access the SMB server we are successful:

- Examining content:

- After downloading content and not finding anything of great interest, we go to folder .private and download its content:

- Reading the 3 files:

- So we can read references to Port Knocking Daemon Configuration and sequences of numbers to open ports both 80 and 22:

- Using command knock to open services HTTP and SSH:

- Now port 80 is working normally:

- From Nmap we learn that there is robots.txt and two available directories: /mercy and /nomercy:

- Browsing /mercy:

- Browsing /nomercy we find RIPS, a popular static code analysis tool to automatically detect vulnerabilities in PHP applications:

3 - EXPLOITATION

- Looking for exploits related to RIPS we find that it is vulnerable to Multiple Local File Inclusions:

- Taking advantage of the vulnerability and reading /etc/passwd:

- From enumeration we know that there is a Tomcat server running:

- So let's try to access Tomcat's tomcat-users.xml, where we can find interesting credentials:

- Metasploit helps to get a shell using these Tomcat credentials:

- Improving the shell:

- Trying to switch to the first user is unsuccessful:

- However we can switch to user fluffy:

4 - PRIVILEGE ESCALATION

- Looking into the folder .private there are some interesting files:

- Reading .secrets:

- File timeclock is owned by root, and it seems to be a script to read time hosted at web page /time:

- So one idea to get a remote root shell could be to add a bash command to timeclock:

- Now, setting a Netcat listener at port 3333:

- After timeclock is run, we have a remote root shell:

5 - CAPTURING THE FLAG

- Reading proof.txt: