Hi, today I will share a walkthrough of the Mercury machine from The Planets series. You can find the series and the machine here : https://www.vulnhub.com/series/the-planets,362/

When it comes to how to set up your virtual lab, I strongly recommend using this guide made by NudeSystems. Super comprehensive, detailed guide, you can’t go wrong with that, what is more at the end it is shown on how to create intranet to make sure the vulnerable VMs are not exposed to the network.
The guide: https://nudesystems.com/how-to-setup-a-virtual-hacking-lab-virtual-box/ When you have the setup, you just need to download the machine you like and extract it, then readjust the Internet settings within Oracle VM App.

That’s it. Let’s start hacking

The main steps for this vulnerable box

Find the vulnerable machine IP
Scan the ports to see what is open
Use dirb to enumerate the HTTP Service
Find the SQL vulnerability and exploit it
Log into SSH and get the flags

Find the vulnerable machine IP

run the command :
netdiscover — this command will look for other active devices within your network. In this case the target machine is 192.168.10.12

netdiscover

Scan the ports to see what is open

run the command:
nmap -sV <ip_addr>

This will give you the open ports and the version of these.

As you can see we have 2 open ports : ssh and http services running on them.

Let’s open a browser and go to the http://<ip_addr>:8080

We got the main page and the information that this is under development.

Use dirb to enumerate the HTTP Service

In the Kali distribution we have dirb as well as the common wordlists that can be used with it.

In this case we will run the common list.

run the command:dirb http://<ip_addr>:8080/loaction_of_txt_file

The dirb did find one record that can be exploited more.

this is http://192.168.10.12:8080/robots.txt

Let’s explore that robots.txt page

As you can see, there is nothing interesting here. However in this case let’s explore different sites. What will be done is just simple fuzzing. Put some random directory to see if we can produce an error.

In this case I used /admin, so put in the address bar: http://<ip_addr>:8080/admin . This is what will appear:

Page not found but with some useful information. In this case the service have the DEBUG option turned on, that shows very detailed information that can be exploited.

There is another url worth looking at /mercuryfacts/

When you go to Mercury Facts, the facts will be displayed one by one.

The address bar will look like this for fact 1
htttp:<ip_addr>:8080/mercuryfacts/1

The address bar will look like this for fact 2
htttp:<ip_addr>:8080/mercuryfacts/2

But what if we fuzz the address bar next to the number? Let’s try with 1' to see what kind of error we can produce. This is the error page. This is SQL error that can be exploited more.

Once we know that there is a potential SQL Injection vulnerability, how to exploit it?

In this case we will use SQLMap tool to find vulnerabilities. To start the SQLMap you can either run command sqlmap or open it from the kali menu.

the -u is the parameter that we need to provide in order to supply the SQLMap with the target URL

Get WiktorDerda’s stories in your inbox

Join Medium for free to get updates from this writer.

Run the command :
sqlmap -u http://<ip_addr>:8080/mercuryfacts/1then if asked proceed with Y until the end of the tests run for /1 parameter.

From the output of the sqlmap terminal we can see that the site is vulnerable for SQL Injection. Now we can dump the whole Database on our system to look for more information. Below is the information, that /1 is injectable.

run command :
sqlmap -u http://<ip_addr>:8080/mercuryfacts/1 --dump-all

We can see that the mercury database with its own records is displayed and dumped by SQLMap.

Log into SSH and get the flags

Now we have the login credentials. We need to try one by one to see if you can log with these by ssh to the target machine.

run command:

ssh username@<ip_addr> and give the password.

the webmaster account is vulnerable and we can access the target with the leaked credentials.

Let’s explore the target machine.

The user_flag is in the main folder. However that is just the beginning of our exploration of the targeted system. Check if the user can run a command with sudo permissions
run command :sudo -i

User webmaster is not a sudoer and can not anything with root privileges.

We need to explore more to get some hints on what to do next. There is a folder mercury_proj and below are the contents of this folder :

In the notes.txt file we have two accounts with encrypted passwords, one is webmaster, the other is linuxmaster. We can decode the passwords with simple kali command

run:
echo 'encodedpw' | base64 --decode below is the decoded password for linuxmaster account.

We can then try to ssh into the machine with that credentials. It worked, now we are in the target system with linuxmaster credentials.

Now we can try if linuxmaster account is a root account. However after trying sudo su we can see that the /bin/su can not be executed by linuxmaster.

However there is a specific command that can show which command can be run by sudo for linuxmaster account

run command

sudo -l

Look — /usr/bin/check_syslog.sh can be run with root privileges. Let’s see what is within that file. The cat command shows that it is a bash script and the file permissions, which shows that it has executable permission to all user groups but no write permission.

We do not have permission to modify the file. Let’s try a different technique to execute the shell successfully and gain root access. Let us run the following commands to get root access.

Run these command :

ln -s /bin/vi tail export PATH=.:$PATH sudo --preserve-env=PATH /usr/bin/check_syslog.sh

What happened there?
1. Link tail command with another executable “vim”, which will spawn a bash script in the first command
2. Run the bash shell in preserved environment
3. This will open a vim editor and allow us to edit _syslog.sh file
4. Once file is edited and saved, the /bin/sh command is executed and you are a root!

When the file open, type :!/bin/sh

Once that file is edited, you have become a root user!

Now you have obtained the root_flag from the root directory

Congratulations and thanks for sticking up with me on this one. More to come, stay tuned!