Solving VulnHub CTF - Mercury

Used a walkthrough for tips here. Here are the rough steps:

  1. Run a Kali Linux VM alongside the CTF VM (see Running Virtualbox VMs with networking)
  2. Run sudo netdiscover to find out the IP of the target
  3. Run nmap <ip> to discover open ports and find that 8080 is open
  4. Port 8080 hosts a web app that can be accessed through the browser
  5. Visit /robots.txt to find a new path, /mercuryfacts. (The dirb command in Kali can also be used to “discover” robots.txt if it is not already known.)
  6. mercuryfacts/<id> is vulnerable to SQL injection, as found by putting a backtick in place of the ID
  7. sqlmap can be used to further exploit this to eventually show passwords in the table users in the database mercury
  8. The password for webmaster can be used to ssh into the machine. cat user_flag.txt for user flag.
  9. Check the mercuryfacts/notes.txt file to see a base64 encoded password for linuxmaster. Log in as linuxmaster. Run sudo -l to see which commands are allowed. Discover the script at /usr/bin/check_syslog.sh, which uses the tail command
  10. Add current directory to PATH. Create a symlink to vim named tail
  11. Run sudo --preserve-env=PATH /usr/bin/check_syslog.sh to enter vim as superuser
  12. Run :!/bin/sh to enter root shell.
  13. cat /root/root_flag.txt for root flag
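
Steps 9 to 12 work because the sudo rule lets the caller keep their own PATH and the script calls tail without an absolute path. The following audit check is an added example, not part of the original walkthrough or the VM; the sudoers lines and script bodies are constructed samples that assume the rule carries the SETENV tag, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample data (assumed, not copied from the VM).
WEAK_RULE='linuxmaster ALL=(root : root) SETENV: /usr/bin/check_syslog.sh'
FIXED_RULE='linuxmaster ALL=(root : root) /usr/bin/check_syslog.sh'
WEAK_SCRIPT='#!/bin/bash
tail -n 10 /var/log/syslog'
FIXED_SCRIPT='#!/bin/bash
/usr/bin/tail -n 10 /var/log/syslog'

# Succeeds if the sudoers rule carries the SETENV tag, which lets the caller
# pass their own variables (e.g. --preserve-env=PATH). NOSETENV does not match.
rule_allows_env() {
    printf '%s\n' "$1" | grep -Eq '(^|[^A-Z])SETENV:'
}

# Prints each command a script starts a line with that is resolved through
# PATH (not an absolute path, assignment, or common shell keyword/builtin).
# Simplification: only the first word of each line is inspected.
bare_commands() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*(#|$)/ { next }      # comments, shebang, blank lines
        $1 ~ /^\// { next }          # absolute path: PATH is not consulted
        $1 ~ /=/   { next }          # variable assignment
        $1 ~ /^(if|then|else|elif|fi|for|do|done|while|case|esac|echo|exit|set|export|cd)$/ { next }
        { print $1 }' | sort -u
}

# Prints "HIJACKABLE: <commands>" when the caller controls PATH and the
# script relies on it; prints "ok" otherwise.
audit() {
    hits=$(bare_commands "$2")
    if rule_allows_env "$1" && [ -n "$hits" ]; then
        echo "HIJACKABLE:" $hits
    else
        echo "ok"
    fi
}

audit "$WEAK_RULE" "$WEAK_SCRIPT"     # HIJACKABLE: tail
audit "$FIXED_RULE" "$FIXED_SCRIPT"   # ok
```

Either fix alone closes the path: without SETENV, sudo refuses to preserve the caller's PATH, and with /usr/bin/tail spelled out the script no longer consults PATH.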
