I'm sitting on an airplane reading:  "How to Hack Like a LEGEND: A hacker's tale breaking into a secretive offshore company" and I'm taking notes.  As I'm reading through the book realizing there are more real-world tools I should be exploring versus playing on HackTheBox and Vulnhub, I write myself a note stating:  "Less hack-y things, more real-world".  That lasted a day, maybe two, and then I could feel the challenges calling me back.  It's not that the CTF challenges don't hone your skills, it's that there are some recent tools that are worth exploring as well.  Perhaps some more useful for current work projects.  

I'm starting to like the CTF challenges as I learn more of the esoteric techniques used for those particular style boxes.  So as I'm perusing Vulnhub, I come across Mercy:  "MERCY is a machine dedicated to Offensive Security for the PWK course, and to a great friend of mine who was there to share my sufferance with me. :-)"

Mercy definitely has that PWK feel except that I think the Offsec folks would have made the privilege escalation more challenging.  

Knowing that Mercy won't be straight forward, I still follow my same path -- first we perform an nmap scan:





As I'm sitting here typing this, I realize the actual name of this server on Vulnhub is:  digitalworld.local MERCY

In my enumeration process, I attempted to retrieve information from DNS which is running on TCP but I was unsuccessful.  Thinking that perhaps I missed something because I didn't enumerate digitalworld.local, I went back and poked around a bit more but still nothing of value there.

Without a web port, I look at SMB:




I find a share but I can't mount it as guest.

Let's look at 8080:




I attempt to access the manager pages but I don't have credentials.  I try the various known creds but can't get in.  I do notice that tomcat-users.xml is in /etc.  I think it's typically under /usr/share/tomcat7/conf/ or maybe that's another version.  Anyway, I can't access that right now so I need to look for a way in.

Scanning port 8080 with Nikto:




Checking robots:




Accessing /tryharder/tryharder:




That looks like base64, let's try to decode it:




I'm able to decode the message and that second part feels like a clue so I'll circle back to the SMB share:




It was a clue!  Downloading everything and hunting through, I find this config file:




Ok.  We're getting somewhere.  I see two sets of port knocking sequences, one for HTTP and the other for SSH.  Let's do some knocking:





A little Bash to help us out:




One script for each, here's the second:




Now let's do another nmap scan to see if it worked:




Excellent!  Now we have more ports to enumerate:




Troll.  :)

Let's scan port 80 with Nikto:




Let's check out /mercy:




And let's check out /nomercy:




I don't know RIPS so let's look it up on Exploit-DB:





Cool!  I look through the exploit and I decide to write up something in Python to hit this LFI in a loop in order to enumerate quickly:


#!/usr/bin/python3
import requests as req
import re

host='http://192.168.90.104/nomercy/windows/code.php?file=../../../../../../../../..'

while True:
    command=raw_input("file: ")
    combined=host+command
    resp = req.get(combined)
    content = resp.text
    stripped = re.sub('<[^<]+?>', '', content)
    clean = re.sub('<?', '', stripped)
    print(clean)


As I'm writing the script, I'm thinking about what I'm going to go after.  I think about /etc/passwd, possibly some keys in .ssh directories, all the while forgetting about the Tomcat users file.  After a few minutes of not finding what I want, I clue in on Tomcat and I go after the tomcat-users.xml file:





Nice!  We have uids and passwords.  Prior to hitting Tomcat, I try to SSH, no joy.  Moving to the Tomcat UI:




Only the one user has rights, thisisasuperduperlonguser -- I login:




I've been down this road a time or two.  I generate a .war file with msfvenom:




Now it's time to deploy it:




With the file uploaded, let's execute it:




Our listener setup:




And we have a shell.  Some quick enumeration and I've got that DirtyCow kind of feeling:




So far so good.  I've already got another session opened with a low privilege shell and I attempt to su as firefart:




Success!  

#rootdance

Definitely a puzzle box along the lines of Offsec's PWK!