Solving VulnHub CTF - Mercury
Used a walkthrough for tips here. Here are the rough steps:
- Run a Kali Linux VM alongside the CTF VM with Running Virtualbox VMs with networking
- Run `sudo netdiscover` to find out the IP of the target
- Run `nmap <ip>` to discover open ports and find that `8080` is open
- Port 8080 hosts a web app that can be accessed through the browser
- Visit `/robots.txt` to find a new path `/mercuryfacts`. (The `dirb` command in Kali can also be used to "discover" robots.txt if not known already)
- `mercuryfacts/<id>` is vulnerable to SQL injection, as found by putting a backtick in place of the ID
- `sqlmap` can be used to further exploit this to eventually show passwords in the table `users` in the database `mercury`
- The password for `webmaster` can be used to ssh into the machine. `cat user_flag.txt` for user flag.
- Check the `mercuryfacts/notes.txt` file to see a base64 encoded password for `linuxmaster`. Login as `linuxmaster`. Run `sudo -l` to figure out which commands are allowed. Discover the script at `/usr/bin/check_syslog.sh` that uses the `tail` command
- Add current directory to PATH. Create a symlink to `vim` named `tail`
- Run `sudo --preserve-env=PATH /usr/bin/check_syslog.sh` to enter vim as superuser
- Run `:!/bin/sh` to enter root shell. `cat /root/root_flag.txt` for root flag
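
A defender-side check for the weakness the last steps rely on, as an added example that is not part of the original post: a script that sudo runs as root calls `tail` by bare name while the caller controls PATH. The post does not show the body of `check_syslog.sh`, so the sample script contents and the function names below are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post: flag commands in a root-run
# script that are looked up through $PATH. Heuristic, not a shell parser.

# Keywords and builtins are never searched for in $PATH.
IGNORE='if then else elif fi for while until do done case esac echo printf read exit return export set unset cd test'

# Print each distinct command name the shell would resolve via $PATH.
bare_commands() {
  awk -v ignore="$IGNORE" '
    BEGIN { n = split(ignore, k, " "); for (i = 1; i <= n; i++) skip[k[i]] = 1 }
    /^[ \t]*(#|$)/ { next }                    # comments, shebang, blank lines
    {
      m = split($0, stage, /[|;&]+/)           # split on | ; && ||
      for (i = 1; i <= m; i++) {
        split(stage[i], w, " "); cmd = w[1]    # first word of the stage
        if (cmd == "" || (cmd in skip)) continue
        # Plain names only: skips /abs/paths, VAR=value and [ tests.
        if (cmd !~ /^[A-Za-z0-9_.+-]+$/) continue
        print cmd
      }
    }' "$1" | sort -u
}

# True if the script assigns PATH an absolute value itself.
pins_path() {
  grep -Eq '^[[:space:]]*(export[[:space:]]+)?PATH=/' "$1"
}

# Return 1 (and report) when a caller-controlled PATH could shadow a command.
audit_script() {
  found=$(bare_commands "$1" | tr '\n' ' ')
  if [ -n "$found" ] && ! pins_path "$1"; then
    printf 'RISK %s resolves via PATH: %s\n' "$1" "$found"
    return 1
  fi
  printf 'OK   %s\n' "$1"
}

# Constructed samples; the weak body is an assumed shape for check_syslog.sh.
demo() {
  d=$(mktemp -d)
  printf '#!/bin/bash\ntail -n 10 /var/log/syslog\n' > "$d/weak.sh"
  printf '#!/bin/bash\n/usr/bin/tail -n 10 /var/log/syslog\n' > "$d/fixed.sh"
  audit_script "$d/weak.sh" || true; audit_script "$d/fixed.sh"
  rm -rf "$d"
}
demo
```

The fix on the target side is to call `/usr/bin/tail` by absolute path in the script and to stop letting the caller carry PATH through sudo: keep `secure_path` set in sudoers and do not grant `SETENV` on the entry.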