
Mercury Vulnhub CTF Walkthrough

Hello everyone, welcome to Pentestguy. In this post, we walk through the Mercury Capture the Flag (CTF) challenge available on Vulnhub. The walkthrough covers the initial port scanning, enumeration, SQL injection, dumping the credentials, and privilege escalation to the root user (this CTF contains two flags). Let’s dive into the process.

Download Mercury VM from vulnhub – link

Port Scanning

Start by performing a port scan using Nmap to identify open ports on the target machine. The command used is:

nmap 192.168.X.X -sV -oN nmap.txt

The above scan reveals two open ports: port 8080 (HTTP) and port 22 (SSH).

SQL Injection/Dump Credentials

Proceed with directory enumeration, since port 8080 is running an HTTP service. dirb with its default wordlist found only robots.txt.

dirb http://192.168.X.X:8080

After some Google searches about the service version, tried /data, which showed hints.

Checked mercuryfacts and found two links on it. The Website Todo List gave a hint of SQL injection, and the Mercury Facts page has the vulnerable parameter.

Tried a single quote to check whether it was vulnerable to SQL injection, and bingo! Got an SQL error.

Without wasting time, used sqlmap to dump the credentials.

User flag

Tried all of the credentials, and webmaster:mercuryisthesizeof0.056Earths works via SSH.

Found the user flag in the webmaster home directory.

There was one more folder named mercury_proj, in which notes.txt contained the password of the linuxmaster user.

As the password of linuxmaster was base64 encoded, decoded it with one of the online services – https://www.base64decode.org/

Root flag

After logging in as linuxmaster, checked for privilege escalation with sudo -l and found that linuxmaster can execute /usr/bin/check_syslog.sh, a bash script, as root.

Read the bash file using the cat command; the script calls the tail program.

Created a symlink so that vim is found under the name tail, then changed the environment variable and executed the bash file with the environment preserved.

As the script was running as root, ran a command to get the shell.

After hitting Enter, got the root shell and read the root flag.
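
The escalation above depends on two things together: the sudo rule lets the caller keep its environment, and the script finds tail by bare name. The following audit is an added example, not code from the original post; it assumes the environment variable changed is PATH, and the sudoers rule text and both script bodies are constructed, since the post does not show them.

```sh
#!/bin/sh
# Added example (not from the original post): flag sudo rules that hand a
# caller-controlled environment to a script that finds its tools through PATH.

# List commands a script invokes by bare name. Heuristic: looks only at the
# first word of each line, so pipelines and subshells are not covered.
bare_commands() {
    file=$1
    while IFS= read -r line || [ -n "$line" ]; do
        set -f; set -- $line; set +f          # split on whitespace, no globbing
        word=${1-}
        case $word in
            ''|'#'*|/*|*=*) continue ;;       # blank, comment, absolute path, assignment
        esac
        # `command -v` echoes builtins/keywords unchanged; anything else is
        # resolved through PATH at run time, which the caller may control.
        [ "$(command -v "$word" 2>/dev/null)" = "$word" ] || printf '%s\n' "$word"
    done < "$file"
}

# Succeeds when the sudoers rule carries the SETENV tag for this command.
rule_keeps_env() {    # $1 = rule line, $2 = command path
    case $1 in *SETENV:*"$2"*) return 0 ;; esac
    return 1
}

# Returns 1 and prints a finding when both conditions hold together.
audit() {             # $1 = rule, $2 = path named in rule, $3 = copy of the script
    found=$(bare_commands "$3" | tr '\n' ' ')
    if rule_keeps_env "$1" "$2" && [ -n "$found" ]; then
        printf 'RISK %s: environment preserved, bare commands: %s\n' "$2" "$found"
        return 1
    fi
    return 0
}

# Constructed sample data: the rule and script bodies are assumptions, the
# post only states that the script runs as root and calls tail.
RULE='(root : root) SETENV: /usr/bin/check_syslog.sh'
tmp=$(mktemp -d)
printf '#!/bin/bash\ntail -n 10 /var/log/syslog\n' > "$tmp/weak.sh"
printf '#!/bin/bash\n/usr/bin/tail -n 10 /var/log/syslog\n' > "$tmp/fixed.sh"
audit "$RULE" /usr/bin/check_syslog.sh "$tmp/weak.sh" || true
audit "$RULE" /usr/bin/check_syslog.sh "$tmp/fixed.sh" && echo "OK fixed.sh"
```

Either fix closes the path: call tools by absolute path inside the script, or drop SETENV from the rule so sudo resets the caller's environment.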

That’s all about this post. Please share this post with your co-workers and friends if you found it helpful. Please provide valuable comments and let us know if you have any suggestions. Now, you can also collaborate with us. Please check our collaboration page. Thank you!
