Used a walkthrough for tips here. Here are the rough steps:
- Run Kali Linux VM alongside the CTF VM with Running Virtualbox VMs with networking
- `sudo netdiscover` to find out the IP of target
- `nmap <ip>` to discover open ports and find that
- Port 8080 hosts a web app that can be accessed through the browser
- `/robots.txt` to find a new path
- (`dirb` command in Kali can also be used to “discover” robots.txt if not known already)
- `mercuryfacts/<id>` is vulnerable to SQL injection, as found by putting a backtick in place of the ID
- `sqlmap` can be used to further exploit this to eventually show passwords in the table `users` in the database
- The password for `webmaster` can be used to ssh into the machine.
- `cat user_flag.txt` for user flag.
- Check the `mercuryfacts/notes.txt` file to see a base64 encoded password for `linuxmaster`. Login as
- `sudo -l` to figure out what all commands are allowed. Discover the script at `/usr/bin/check_syslog.sh` that uses the
- Add current directory to PATH. Create a symlink to
- `sudo --preserve-env=PATH /usr/bin/check_syslog.sh` to enter vim as superuser
- `:!/bin/sh` to enter root shell.
- `cat /root/root_flag.txt` for root flag
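
Why the backtick in `mercuryfacts/<id>` is a tell, and what the fixed lookup looks like: this is an added example, not code from the CTF machine or the walkthrough. It assumes an in-memory SQLite database as a stand-in for the target's database, and the `facts` table, its rows and the function names are constructed for illustration.

```python
import re
import sqlite3


def make_db():
    """In-memory stand-in for the app's database (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE facts (id INTEGER PRIMARY KEY, fact TEXT);
        INSERT INTO facts VALUES (1, 'constructed fact one'),
                                 (2, 'constructed fact two');
    """)
    return db


def lookup_vulnerable(db, raw_id):
    """The URL path segment is pasted straight into the SQL text."""
    query = "SELECT fact FROM facts WHERE id = " + raw_id
    try:
        return [row[0] for row in db.execute(query)]
    except sqlite3.Error as exc:
        # The SQL parser choked on user-controlled text: this error is the
        # signal that input reaches the query unescaped.
        return "SQL error: " + str(exc)


def lookup_safe(db, raw_id):
    """Validate the ID, then bind it so it is never parsed as SQL."""
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        return "rejected: id must be an integer"
    rows = db.execute("SELECT fact FROM facts WHERE id = ?", (int(raw_id),))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: a normal ID, the backtick probe, a tautology.
    for raw in ["1", "`", "1 OR 1=1"]:
        print(repr(raw), "->", lookup_vulnerable(db, raw), "|", lookup_safe(db, raw))
```

On the defensive side, the same database error showing up in application logs for a request whose ID is not numeric is worth alerting on.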