vulnhub 靶场解题笔记——THE PLANETS:EARTH

作者：Mickey

2022 年 4 月 07 日
本文字数：3523 字
阅读完需：约 12 分钟

一，靶机介绍

下载地址

https://www.vulnhub.com/entry/the-planets-earth,755/#download

描述

Earth is an easy box though you will likely find it more challenging than "Mercury" in this series and on the harder side of easy, depending on your experience. There are two flags on the box: a user and root flag which include an md5 hash. This has been tested on VirtualBox so may not work correctly on VMware. Any questions/issues or feedback please email me at: SirFlash at protonmail.com, though it may take a while for me to get back to you.

二，解题步骤

1，确定 ip 地址

netdiscover -r 192.168.133.0/24

得到靶机地址：192.168.133.130

2，扫描靶机端口

nmap -A -sS -sC -p- 192.168.133.130

注意到两个 DNS 域名：earth.local、terratest.earth.local

3，扫描 web 目录

将上面两个域名配置在本地 hosts，然后分别扫描 http 和 https 的 web 目录

dirb http://terratest.earth.local

dirb https://terratest.earth.local

dirb http://earth.local

dirb https://earth.local

主要有以下内容：

http://terratest.earth.local/admin (CODE:301|SIZE:0)

https://terratest.earth.local/index.html (CODE:200|SIZE:26)

https://terratest.earth.local/robots.txt (CODE:200|SIZE:521)

4，找 FLAG

先访问https://terratest.earth.local/robots.txt

最后一个应该是特有的文件，猜测是一个 txt 后缀，然后访问https://terratest.earth.local/testingnotes.txt看到以下内容

Testing secure messaging system notes:*Using XOR encryption as the algorithm, should be safe as used in RSA.*Earth has confirmed they have received our sent messages.*testdata.txt was used to test encryption.*terra used as username for admin portal.Todo:*How do we send our monthly keys to Earth securely? Or should we change keys weekly?*Need to test different key lengths to protect against bruteforce. How long should the key be?*Need to improve the interface of the messaging interface and the admin panel, it's currently very basic.

复制代码

todo 里的内容可以忽略，上面几行主要告诉了以下几点

使用异或方式加密
https://terratest.earth.local/testdata.txt 里面是密钥
http://terratest.earth.local/admin 这个管理页面的用户名是 terra

这时的思路是应该是可以根据这几点信息来找到管理页面 terra 账户的密码，然后登录管理页面

打开http://earth.local主页，发现有一个消息发送的页面：

下面 previous message 里有 3 条消息，应该是之前使用密钥加密之后的消息（上面的几条消息可以忽略，是我测试时点 send message 产生的，原靶机里只有最后 3 条）。

因为使用的是异或加密，所以我们可以通过前面的 testdata.txt 里的密钥来还原加密之前的内容，python 脚本（meesageKey 是把 testdata 里的内容转成 16 进制后的结果）：

sendMessage = "37090b59030f11060b0a1b4e0000000000004312170a1b0b0e4107174f1a0b044e0a000202134e0a161d17040359061d43370f15030b10414e340e1c0a0f0b0b061d430e0059220f11124059261ae281ba124e14001c06411a110e00435542495f5e430a0715000306150b0b1c4e4b5242495f5e430c07150a1d4a410216010943e281b54e1c0101160606591b0143121a0b0a1a00094e1f1d010e412d180307050e1c17060f43150159210b144137161d054d41270d4f0710410010010b431507140a1d43001d5903010d064e18010a4307010c1d4e1708031c1c4e02124e1d0a0b13410f0a4f2b02131a11e281b61d43261c18010a43220f1716010d403714171e0b0a550a1859101d064b160a191a4b0908140d0e0d441c0d4b1611074318160814114b0a1d06170e1444010b0a0d441c104b150106104b1d011b100e59101d0205591314170e0b4a552a1f59071a16071d44130f041810550a05590555010a0d0c011609590d13430a171d170c0f0044160c1e150055011e100811430a59061417030d1117430910035506051611120b452402111b1a0705070a41000a431a000a0e0a0f04104601164d050f070c0f15540d1018000000000c0c06410f0901420e105c0d074d04181a01041c170d4f4c2c0c13000d430e0e1c0a0006410b420d074d55404645031b18040a03074d181104111b410f000a4c41335d1c1d040f4e070d04521201111f1d4d031d090f010e00471c07001647481a0b412b1217151a531b4304001e151b171a4441020e030741054418100c130b1745081c541c0b0949020211040d1b410f090142030153091b4d150153040714110b174c2c0c13000d441b410f13080d12145c0d0708410f1d014101011a050d0a084d540906090507090242150b141c1d08411e010a0d1b120d110d1d040e1a450c0e410f090407130b5601164d00001749411e151c061e454d0011170c0a080d470a1006055a010600124053360e1f1148040906010e130c00090d4e02130b05015a0b104d0800170c0213000d104c1d050000450f01070b47080318445c090308410f010c12171a48021f49080006091a48001d47514c50445601190108011d451817151a104c080a0e5a"messageKey = "4163636f7264696e6720746f20726164696f6d657472696320646174696e6720657374696d6174696f6e20616e64206f746865722065766964656e63652c20456172746820666f726d6564206f76657220342e352062696c6c696f6e2079656172732061676f2e2057697468696e207468652066697273742062696c6c696f6e207965617273206f66204561727468277320686973746f72792c206c69666520617070656172656420696e20746865206f6365616e7320616e6420626567616e20746f2061666665637420456172746827732061746d6f73706865726520616e6420737572666163652c206c656164696e6720746f207468652070726f6c696665726174696f6e206f6620616e6165726f62696320616e642c206c617465722c206165726f626963206f7267616e69736d732e20536f6d652067656f6c6f676963616c2065766964656e636520696e646963617465732074686174206c696665206d617920686176652061726973656e206173206561726c7920617320342e312062696c6c696f6e2079656172732061676f2e4163636f7264696e6720746f20726164696f6d657472696320646174696e6720657374696d6174696f6e20616e64206f746865722065766964656e63652c20456172746820666f726d6564206f76657220342e352062696c6c696f6e2079656172732061676f2e2057697468696e207468652066697273742062696c6c696f6e207965617273206f66204561727468277320686973746f72792c206c69666520617070656172656420696e20746865206f6365616e7320616e6420626567616e20746f2061666665637420456172746827732061746d6f73706865726520616e6420737572666163652c206c656164696e6720746f207468652070726f6c696665726174696f6e206f6620616e6165726f62696320616e642c206c617465722c206165726f626963206f7267616e69736d732e20536f6d652067656f6c6f676963616c2065766964656e636520696e646963617465732074686174206c696665206d617920686176652061726973656e206173206561726c7920617320342e312062696c6c696f6e2079656172732061676f2e"c = ""i = 0while i < 1612:    print(int(sendMessage[i] + sendMessage[i+1], 16) ^ int(messageKey[i] + messageKey[i+1], 16))    c += str(chr(int(sendMessage[i] + sendMessage[i+1], 16) ^ int(messageKey[i] + messageKey[i+1], 16)))    i = i + 2print(c)

复制代码

最终得到加密之前的内容如下，观察到后面一部分有重复的片段：earthclimatechangebad4humans