Earth is an easy Capture the Flag (CTF) box, though it sits on the harder side of easy depending on your experience. There are two flags on the box, a user flag and a root flag, each of which includes an MD5 hash. It has been tested on VirtualBox, so it may not work correctly on VMware.
Setting Up
1. Download the Earth image from VulnHub.
2. Open VirtualBox, click Import, and select the downloaded file.
3. Once the import succeeds, set the VM's network interface in VirtualBox so that the machine is reachable from your attacking host. This will help in the enumeration phase.
Enumeration
Our first step is to find the target IP address using Netdiscover.
- Note: we imported the virtual machine (OVA file) into VirtualBox earlier.
From the scan we discover the target IP address: 192.168.56.104.
Network Enumeration using Nmap
We have an IP address, so let's perform a network scan to detect which ports are open. This is an essential part of the enumeration process: it gives us a better understanding of the attack surface and lets us design targeted attacks. As in most cases, we use the well-known Nmap tool:
- -sC: Performs a script scan using the default set of scripts. It is equivalent to --script=default. Some of the scripts in this category are considered intrusive and should not be run against a target network without permission.
- -sV: Enables version detection, which will detect what versions are running on what port.
We spot three open ports: port 22 (OpenSSH 8.6 (protocol 2.0)), port 80 (Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)) and port 443 (the same Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)).
From the SSL service on port 443 we spotted two hostnames:
Add both hostnames to the /etc/hosts file.
Open a browser of your choice and visit the following link:
If you scroll down, you can spot a few encrypted messages, each signed with a message key:
Directory Busting using Gobuster
Next we look for hidden or hard-to-reach directories and pages through directory busting. Using Gobuster as our tool of choice, we use the following switches to get the fastest, most accurate results.
- dir : Uses directory/file enumeration mode.
- -u : The target URL.
- -w : Path to the wordlist.
We might get lucky and find an admin page that, combined with credentials, gives us leverage against the target.
Clicking Login redirects to a login page:
We don't have any credentials for the login, so we have to find some. After some research, I found that the second DNS name is a test site that may give us a clue:
Open the browser and visit this site:
- Remember: access this site over SSL (HTTPS).
Again, we have to find active directories using Gobuster.
After a successful directory bust, we spotted an interesting file: robots.txt.
In it we discover another interesting file: /testingnotes.*.
It seems some developer or admin left a note on the site.
From the note, we can confirm that the encryption algorithm is XOR and the key might be from testdata.txt. Likewise, the username for the admin portal is terra. Also, the admin portal is /admin on the other website.
It seems this is what was used to encrypt the first few messages we saw on the earth.local page. Let's try to decode those messages using this information.
Decrypting Encrypted Messages with CyberChef
Let's decrypt the messages using CyberChef.
- Learn more: CyberChef: The Cyber Swiss Army Knife, an article on CyberChef, the tool security professionals use for encoding, decoding, encryption and decryption when analyzing and manipulating data during assessments and forensic investigations.
Open CyberChef:
The messages are hex-encoded, so we have to decode from hex and then apply XOR. Drag and drop the From Hex and XOR operations into the recipe:
Input the encrypted messages one at a time, and paste in the key we found in testdata.txt.
- Remember: the key type is set to UTF-8.
We get earthclimatechangebad4humans as a repeating string. It may be the password of the user terra.
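The CyberChef recipe above (From Hex, then XOR with a UTF-8 key) is the same operation written out in code. The Python below is an added example for this writeup, not code from the original post or from the box: the key SampleKeyForDemo and the hex ciphertext are constructed here by encrypting the repeated phrase, because the page does not reproduce the actual key or messages. Since XOR is its own inverse, the last function also shows why a fixed key reused across messages is weak: any known plaintext segment gives back the key bytes that covered it.

```python
"""Repeating-key XOR decoding, mirroring the CyberChef 'From Hex' -> 'XOR' recipe.
Added example for this writeup; the sample key and ciphertext are constructed."""


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data with the key repeated as needed; the same call encrypts and decrypts."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_hex_message(hex_message: str, key: str) -> str:
    """Decode a hex-encoded ciphertext and XOR it with a UTF-8 key (CyberChef key type UTF-8)."""
    ciphertext = bytes.fromhex(hex_message.strip())
    return xor_with_key(ciphertext, key.encode("utf-8")).decode("utf-8", errors="replace")


def shortest_repeating_unit(text: str) -> str:
    """Return the shortest prefix whose repetition (possibly truncated) reproduces text.
    Used to spot a plaintext such as 'earthclimatechangebad4humans' repeated several times."""
    for n in range(1, len(text) + 1):
        unit = text[:n]
        if all(text[i] == unit[i % n] for i in range(len(text))):
            return unit
    return text


def recover_key_stream(hex_message: str, known_plaintext: str) -> bytes:
    """XOR is symmetric: ciphertext XOR plaintext returns the key bytes for that span.
    This is why a reused fixed XOR key offers no real confidentiality."""
    ciphertext = bytes.fromhex(hex_message.strip())
    plain = known_plaintext.encode("utf-8")
    return xor_with_key(ciphertext[: len(plain)], plain)


# Constructed sample data (not the key or the messages from the box).
SAMPLE_KEY = "SampleKeyForDemo"
SAMPLE_PLAINTEXT = "earthclimatechangebad4humans" * 3
SAMPLE_HEX = xor_with_key(SAMPLE_PLAINTEXT.encode("utf-8"), SAMPLE_KEY.encode("utf-8")).hex()

if __name__ == "__main__":
    recovered = decrypt_hex_message(SAMPLE_HEX, SAMPLE_KEY)
    print("plaintext:", recovered)
    print("repeating unit:", shortest_repeating_unit(recovered))
    print("key bytes from known plaintext:", recover_key_stream(SAMPLE_HEX, recovered[:16]))
```

Running the file decrypts the constructed message, reports the repeating unit, and shows the key falling out of the ciphertext once a 16-byte plaintext segment is known.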
Foothold
Let's try to log in as the user terra on the login panel we found earlier.
After a successful login we get a CLI (command line interface). Let's try a simple command:
Our assumption was right and we got command output. So let's try to get a remote command line interface:
We got a warning, which means we cannot get a remote connection using the simplest method:
We can bypass this by converting the command to its decimal notation, or by encoding the command in base64.
Open a terminal and enter the command below:
Now copy the output, switch back to the browser and paste it together with a base64 decode command. Before that, make sure Netcat is listening.
Copy the command below and paste it into the CLI:
Netcat, listening on port 4444, receives a connection from an UNKNOWN source.
We have successfully gained a foothold on The Planet: Earth, but we don't have administrator privileges yet.
Privilege Escalation
Let's check the SUID binaries and see if there's any way to escalate to root.
We found a reset_root binary that may help us gain root access. Let me run it:
When I ran the script, I got the error message RESET FAILED. Next we have to look into the script, so move reset_root to the local desktop using the command below:
Before executing the command above, open a new terminal and start another listener.
We have downloaded the reset_root file to local storage. Let's trace it using ltrace:
From the output we see that three files are missing at the shown locations, so we have to create those files on the target. With those files in place, running the binary changed the root password.
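From the defender's side, the weakness in this section is a setuid binary whose behaviour depends on files that a low-privileged user can create. A first control is simply knowing which setuid/setgid binaries exist on a host and being alerted when a new one appears. The POSIX shell functions below are an added example for this writeup, not part of the original post or of the box: they inventory setuid/setgid files under a directory, save a baseline, and report anything new since that baseline was taken. The baseline path /var/lib/suid.baseline in the usage comment is an assumption.

```shell
#!/bin/sh
# Inventory setuid/setgid binaries and compare against a saved baseline.
# Added example for this writeup; not code from the original post or the box.

# list_suid DIR: print regular files under DIR carrying the setuid or setgid
# bit, one per line, sorted (sorted output is required by comm below).
list_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# save_baseline DIR FILE: record the current inventory of DIR into FILE.
save_baseline() {
    list_suid "$1" > "$2"
}

# new_since_baseline DIR FILE: print entries present now but absent from FILE.
# comm -13 suppresses lines unique to the baseline and lines common to both,
# leaving only paths that appeared after the baseline was taken.
new_since_baseline() {
    list_suid "$1" | comm -13 "$2" -
}

# Usage on a live host (assumed paths):
#   save_baseline / /var/lib/suid.baseline        # once, on a known-good system
#   new_since_baseline / /var/lib/suid.baseline   # periodically, e.g. from cron
```

Any path printed by new_since_baseline is a binary that gained the setuid or setgid bit after the baseline and deserves a look, whether it came from a package update or from something like the reset_root binary on this box.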
Let's execute the reset_root file again:
The reset succeeds and the root password is set to Earth. Let's switch to the root user and find the flags:
Congratulations! We have successfully exploited the VulnHub VM.