Hello everyone, welcome to Pentestguy. In this post we walk through the Mercury Capture the Flag (CTF) challenge available on Vulnhub. This Mercury Vulnhub walkthrough covers the initial port scan, enumeration, SQL injection, dumping the credentials, and privilege escalation to the root user (this CTF contains two flags). Let’s dive into the process.
Download Mercury VM from vulnhub – link
Port Scanning
Start by performing a port scan with Nmap to identify open ports on the target machine. The command used is:
nmap 192.168.X.X -sV -oN nmap.txt
The above scan reveals two open ports: port 8080 (HTTP) and port 22 (SSH).
SQL Injection/Dump Credentials
Since port 8080 runs an HTTP service, proceed with directory enumeration. Running dirb with its default wordlist found only robots.txt.
dirb http://192.168.X.X
After some searching on Google about the service version, tried /data, which showed hints.
Checked mercuryfacts and found two links there. The Website Todo List gave a hint of SQL injection, and the Mercury Facts page is where the vulnerable parameter lives.
Tried a single quote to check whether the parameter was vulnerable to SQL injection, and bingo: got an SQL error, which means the input is being concatenated straight into the query.
Without wasting time, used sqlmap to dump the credentials.
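The single-quote probe above works because the fact id is spliced into the SQL text. The following added example (not code from the Mercury VM, whose schema is not shown here) models the Mercury Facts lookup with a constructed SQLite table and compares the concatenating version, which errors on a stray quote, with the parameterised version, which treats the same input as plain data:

```python
import sqlite3

# Constructed stand-in for the facts table behind the "Mercury Facts" page.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE facts (id INTEGER PRIMARY KEY, fact TEXT)")
    conn.executemany("INSERT INTO facts VALUES (?, ?)", [
        (1, "Mercury is the closest planet to the Sun."),
        (2, "Mercury has no moons."),
    ])
    return conn

def get_fact_vulnerable(conn, fact_id):
    # Builds the query by string concatenation: the user-supplied value is
    # parsed as SQL, so a stray single quote breaks the statement and the
    # database error surfaces, as seen in the walkthrough.
    query = "SELECT fact FROM facts WHERE id = '" + fact_id + "'"
    return [row[0] for row in conn.execute(query)]

def get_fact_safe(conn, fact_id):
    # Parameterised query: the value is bound as data and never parsed as SQL.
    # A quote in the input simply matches no row.
    query = "SELECT fact FROM facts WHERE id = ?"
    return [row[0] for row in conn.execute(query, (fact_id,))]

def probe(fetch, fact_id):
    # Runs one lookup against a fresh table and reports either
    # ("ok", rows) or ("sql_error", message).
    try:
        return ("ok", fetch(make_db(), fact_id))
    except sqlite3.Error as exc:
        return ("sql_error", str(exc))

if __name__ == "__main__":
    for fetch in (get_fact_vulnerable, get_fact_safe):
        for fact_id in ("1", "1'"):
            print(fetch.__name__, repr(fact_id), probe(fetch, fact_id))
```

Any SQL error returned to the client on a quote is the signal a code reviewer or WAF log should flag; the fix is binding parameters, not filtering quotes.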
User flag
Tried all of the dumped credentials; webmaster:mercuryisthesizeof0.056Earths worked over SSH.
In the webmaster home directory, found the user flag.
There was one more folder, mercury_proj, containing notes.txt, which held the password of the linuxmaster user.
As the password of linuxmaster was base64 encoded, decoded it with one of the online services – https://www.base64decode.org/
Root flag
After logging in as linuxmaster, checked for privilege escalation with sudo -l and found that linuxmaster can execute /usr/bin/check_syslog.sh, a bash script, as root.
Read the script with the cat command; it calls the tail program.
Symlinked vim under the name tail, changed the PATH environment variable so that copy is found first, and executed the script through sudo with the environment preserved using the command below. The weakness is the sudo rule itself: letting the caller keep their environment means the root-run script resolves tail through a PATH the caller controls.
As the script was running as root, ran the command below to get a shell.
After hitting enter, got the root shell and read the root flag.
That’s all about this post. Please share this post with your co-workers and friends if you found it helpful. Please provide valuable comments and let us know if you have any suggestions. Now, you can also collaborate with us. Please check our collaboration page. Thank you!