The Planets: Mercury Walkthrough
Mercury is a CTF challenge meant for entry-level users. To start with this machine, we first need to
download it from here: https://download.vulnhub.com/theplanets/Mercury.ova
After downloading the machine, we will import it into VMware or VirtualBox.
After that, we will configure the network setting of both the VMs to Host-only adapter so that both
VMs run on the same network.
Now we will first identify the IP address of the target machine. We will use the following command:
netdiscover -r 192.168.56.101/16
Here 192.168.56.101 is the IP address of the attacking machine, and from the results we can infer that
192.168.56.101 is the IP address of the target machine. The IP address of the machine is assigned
by DHCP, so it may vary.
The next step is to find the open ports and services on the target machine. We will use Nmap for this.
nmap -v -sV 192.168.56.101
Here, -sV attempts to determine the version of the service running on each open port,
and -v enables more verbose output.
Here we can see that the ‘ssh’ and ‘http’ ports are open, so we will now browse to the target IP at port 8080:
http://192.168.56.101:8080/
As can be seen above, there is certainly a web application running on the target machine, but we
only got a message displayed on the screen saying that it is under development. So, we will check internal files
and folders by running a file enumeration tool for web applications.
We will use the Gobuster tool as a web directory scanner, and we can see the results below.
From the robots.txt file, no further clues can be found. Thus, we will try a few random file names in the
browser, which will display some error messages. The errors can be seen displayed in the browser
below.
Let’s access the identified folder “mercuryfacts/” in the browser.
We have opened a ‘Todo List’, which gives us an idea of what we have to do.
We also got the idea that the target application is poorly configured and under development. So,
we will test the target application for common web application vulnerabilities, which will give us
some interesting responses.
Now test for SQL injection by adding a random URL parameter. The target application will respond with
a database error message, which hints that it could be vulnerable to SQL injection. So we will now use
SQLMap.
We will use the following command to exploit the vulnerability:
sqlmap -u http://192.168.56.101:8080/mercuryfacts/1
We can see that the target application is vulnerable to SQL injection and we can read the databases. So
let’s try:
sqlmap -u http://192.168.56.101:8080/mercuryfacts/1 -D mercury -T users --dump
Here, -D is the DBMS database to enumerate,
and -T is the DBMS database table(s) to enumerate.
This gives us the usernames and passwords. We did not find any application where
we could use these credentials, but we know that the SSH port is open, so let us try an SSH login with these
usernames and passwords.
Of all the credentials, only one will work, i.e. webmaster.
Log in as webmaster using:
ssh webmaster@192.168.56.101
By entering the corresponding password, we can log in as webmaster.
On listing the directory using the ‘ls’ command, we find the user flag:
ls
cat user_flag.txt
On enumerating the ‘mercury_proj’ directory, we found a text file ‘notes.txt’ which contains some
credentials that seem to be base64 encoded.
cd mercury_proj
ls
cat notes.txt
Let’s decode the string given for linuxmaster using the command:
echo "bWVyY3VyeW1lYW5kaWFtZXRlcmlzNDg4MGttCg==" | base64 --decode
We got the password for linuxmaster: mercurymeandiameteris4880km.
Now we will log in as ‘linuxmaster’:
su linuxmaster
sudo -l
We can check the current user’s privileges by running the “sudo -l” command, and we found that the current
user has sudo rights for the “check_syslog.sh” bash script. Let’s use this.
From the above image we can infer that we can read the file contents, which show that it is a bash
script, and by using the command ‘ls -l /usr/bin/check_syslog.sh’ we have identified that the file has
read and execute permission but doesn’t have write permission. So let us try to modify the file, using the
following commands:
ln -s /bin/vi tail
export PATH=.:$PATH
sudo --preserve-env=PATH /usr/bin/check_syslog.sh
:!/bin/sh
Here we create a symlink named tail in the current directory that points to the vi editor, and
add the current directory to the front of the PATH environment variable. Then we execute check_syslog.sh with
--preserve-env=PATH, which links the vi editor to the tail program, so the script opens in vi editor mode.
After executing ‘:!/bin/sh’ in the editor, we get the root shell.
ls
cat root_flag.txt
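The check_syslog.sh step above works because a root-run script looks up "tail" through a PATH the caller controls. The following is an added example, not part of the original walkthrough or the machine's own script: two checks a defender can use to audit such a PATH. The function names path_is_safe and resolve_cmd are hypothetical, and the pinned PATH and log path in the closing comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the walkthrough): checks a root-run wrapper could make
# before calling a bare command name such as "tail".

# path_is_safe PATHVALUE: succeed only if every entry is an absolute directory
# that is not world-writable. Runs in a subshell so IFS changes do not leak.
path_is_safe() (
    case ":$1:" in *::*) exit 1 ;; esac      # empty entry means current directory
    IFS=:; set -f
    for dir in $1; do
        case "$dir" in
            /*) ;;                            # absolute: keep checking
            *)  exit 1 ;;                     # "." or any other relative entry
        esac
        # -H follows a symlinked entry (e.g. /bin -> usr/bin) before testing mode.
        [ -z "$(find -H "$dir" -prune -perm -0002 2>/dev/null)" ] || exit 1
    done
    exit 0
)

# resolve_cmd NAME PATHVALUE: print the first executable file NAME found while
# walking PATHVALUE left to right, as the shell's own lookup would.
resolve_cmd() (
    IFS=:; set -f
    for dir in $2; do
        candidate="${dir:-.}/$1"
        if [ -f "$candidate" ] && [ -x "$candidate" ]; then
            printf '%s\n' "$candidate"
            exit 0
        fi
    done
    exit 1
)

# Constructed value mirroring the walkthrough's "export PATH=.:$PATH".
sample_path=".:/usr/bin:/bin"
if ! path_is_safe "$sample_path"; then
    echo "unsafe PATH for a privileged script: $sample_path"
    echo "tail would resolve to: $(resolve_cmd tail "$sample_path" || echo 'not found')"
fi
# Hardened wrapper pattern: pin PATH and call tools by absolute path, e.g.
#   PATH=/usr/sbin:/usr/bin:/sbin:/bin; export PATH
#   /usr/bin/tail -n 10 /var/log/syslog      # log path is an assumption
```

On the sudoers side, keeping env_reset and secure_path in effect and not granting the SETENV tag on the entry stops a caller-supplied PATH from reaching the script.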