THE PLANETS: MERCURY Walkthrough - VulnHub

Introduction

Getting back to CTF solving after a long break is a difficult task, so I decided to start with an EASY challenge, and VulnHub was the obvious place to find one. After a few searches, I found a perfect machine to start with: 'The Planets: Mercury'. This boot2root machine has 2 flags: USER & ROOT. The USER flag is obtained via SQLi ==> Creds ==> SSH ==> FLAG. The ROOT flag is where an interesting PrivEsc lies. Hope you find this writeup interesting & useful!

Information Gathering

Port Scan: Nmap

To begin reconnaissance, let's find the open ports with Nmap, including service version enumeration:

Port 8080

So this looks like a simple page with no secret or hint. Let's try accessing some common directories:

Visiting the 'admin' directory gives us an error page. This happens because the site is built on Django with DEBUG set to True. Luckily for us, the URL configuration is reflected on the error page. Let's visit 'mercuryfacts':

Again, this page has 2 URLs: a To Do List & a Facts page. The Facts page has interesting facts about Mercury, and more interestingly, these facts are assigned IDs:

This is an SQL call: the fact changes along with the ID in the URL. Let's try to break the query and confirm the SQLi:

The debug information from the SQL error page shows that the URL string is accepted directly to build the SQL query for facts.

Let's further add the universal True condition to this statement to start with:


Worked as expected! Given the always-true condition, the database returned all the facts. Now let's exploit this further to dump the database.
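To show the defect behind this, here is an added example (not code from the original writeup or from the target's Django app): a minimal Python/sqlite3 stand-in for the facts view, with the string-spliced query beside a parameterized one. The table rows are constructed sample data, and SQLite stands in for the target's real database engine and schema, which are assumptions here.

```python
import sqlite3

FACTS = [  # constructed sample rows standing in for the target's facts table
    (1, "Mercury is the smallest planet in the Solar System."),
    (2, "A year on Mercury lasts 88 Earth days."),
    (3, "Mercury has no moons."),
]

def make_db():
    """Return an in-memory SQLite database seeded with FACTS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE facts (id INTEGER PRIMARY KEY, fact TEXT)")
    conn.executemany("INSERT INTO facts VALUES (?, ?)", FACTS)
    return conn

def get_fact_vulnerable(conn, fact_id):
    """Flawed pattern: the URL segment is spliced into the SQL text, so
    anything after the number is parsed as query syntax (this is what the
    Django debug page revealed on the target)."""
    sql = "SELECT fact FROM facts WHERE id = " + fact_id
    return [row[0] for row in conn.execute(sql)]

def get_fact_safe(conn, fact_id):
    """Hardened pattern: reject non-numeric input, then bind the value as a
    parameter so the DB only ever compares it as an integer."""
    if not fact_id.isdigit():
        raise ValueError("fact id must be an integer")
    sql = "SELECT fact FROM facts WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (int(fact_id),))]

def demo():
    """Run both handlers on a normal id, a syntax-breaking id and an
    always-true id, and return what each call produced."""
    conn = make_db()
    results = {
        "vuln_normal": get_fact_vulnerable(conn, "1"),
        "vuln_injected": get_fact_vulnerable(conn, "1 or 1=1"),
        "safe_normal": get_fact_safe(conn, "1"),
    }
    try:
        get_fact_vulnerable(conn, "1'")  # unbalanced quote -> DB error page
    except sqlite3.OperationalError as exc:
        results["vuln_broken"] = type(exc).__name__
    try:
        get_fact_safe(conn, "1 or 1=1")
    except ValueError:
        results["safe_injected"] = "rejected"
    return results
```

In Django the same split is between formatting values into the SQL string and passing them as the params argument of cursor.execute() (or using the ORM's get/filter), and the debug page stays off in production so query errors never reach the client.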

Exploitation

With 'order by', let's find out the no. of records:



As can be seen, it contains only one record, as we get an error at 2. Moving ahead with the 'UNION' statement, let's find the DB name:


Digging deeper, let's enumerate the table names from the database with reference to information_schema:


The USERS table seems interesting; let's enumerate its columns:


The obvious choice is to proceed with dumping data from the username and password columns:


Remember, there's an SSH service running! We shall use these dumped credentials to log in via SSH. Being too lazy to try each username & password combination by hand, the MSF auxiliary module is helpful here to brute-force the SSH login:


Success! We found a valid username:password combination:


Moving ahead, let's SSH in as webmaster and grab the user flag:



Awesome! This was an easy catch. But the really interesting technique lies in the Privilege Escalation part, so let's move ahead.

Privilege Escalation

Exploring all files & folders leads us to a secret note:


By decoding the base64 value, we get the password for the linuxmaster user. Let's su into it & look for the root flag:


Checking linuxmaster's privileges, we can see that the user is allowed to run /usr/bin/check_syslog.sh as root (sudo permissions), but with a preserved environment. As a first approach, let's read and understand the shell script:


As can be seen here, the user doesn't have write permission to modify the shell script. But since the user can execute it, and the script calls the tail command by name, we can take advantage of this by linking tail to another executable that can spawn a bash shell!

Being a Linux machine, this box has vim like most others, and vim can spawn a shell! Let's create a symlink named tail that points to vim, and add the current directory to the PATH environment variable:


Now we execute check_syslog.sh in preserved-environment mode so that the symlink works as expected. This resolves tail to vim and opens check_syslog.sh in the vim editor:



Spawning /bin/bash from vim lands us in a root shell:


Voila! Now let's move ahead and hunt for the root flag:



An awesome technique always gives an awesome result!

Comments

  1. Nicely explained. Thanks for sharing, hope to see more cool stuff from you.
