THE PLANETS: EARTH
Challenge source: THE PLANETS: EARTH
Gathering information about the target
arp-scan -l
nmap -sP 192.168.7.0/24
Note
-sP selects the ping-scan mode, which only sends TCP SYN packets and waits for the host to respond; it is used for host discovery (live-host detection) and does not scan ports.
The target's IP address is 192.168.7.135
Port scanning
nmap 192.168.7.135
Ports 22, 80 and 443 are open. Browsing to the web page returns Bad Request (400).
Use nmap for a detailed scan
nmap -A 192.168.7.135
DNS names are found:
DNS:earth.local, DNS:terratest.earth.local
Try binding the host names in /etc/hosts and accessing them by domain
sudo vim /etc/hosts
# Add the following entries
192.168.7.135 earth.local
192.168.7.135 terratest.earth.local
# Restart the network service
sudo systemctl restart networking
Access the site again
Use dirsearch or dirb to scan for directories
dirsearch -u "earth.local"
dirb http://earth.local /usr/share/wordlists/dirb/big.txt
dirsearch -u "terratest.earth.local"
dirb http://terratest.earth.local /usr/share/wordlists/dirb/big.txt
dirb command parameters
dirb <url_base> [<wordlist_file(s)>] [options]
-a set the User-Agent
-p <proxy[:port]> set a proxy
-c set a cookie
-z add a delay in milliseconds, to avoid flooding the server
-o write the results to a file
-X append a suffix to every entry in the wordlist
-H add a request header
-i case-insensitive search
On the domain earth.local, the directories /admin and /admin/login were found
[12:10:15] 200 - 306B - /admin/
[12:10:15] 200 - 746B - /admin/login
On the domain terratest.earth.local, /robots.txt was found
Visiting the /admin page shows nothing useful
Visiting /robots.txt reveals a suspicious file, /testingnotes.*
Trying the txt suffix makes the file accessible
Information obtained
- testdata.txt was once used to test the encryption
- terra is the admin username
The file testdata.txt
A weak-password brute-force attempt did not succeed
Going only by the note "XOR encryption is used as the algorithm; it should be safe, since it is used in RSA" and the contents of testdata.txt, attempt decryption
import binascii
import base64

# The given hex-string data
data1 = "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"
data2 = "3714171e0b0a550a1859101d064b160a191a4b0908140d0e0d441c0d4b1611074318160814114b0a1d06170e1444010b0a0d441c104b150106104b1d011b100e59101d0205591314170e0b4a552a1f59071a16071d44130f041810550a05590555010a0d0c011609590d13430a171d170c0f0044160c1e150055011e100811430a59061417030d1117430910035506051611120b45"
data3 = "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"

# Read testdata.txt and convert its contents to a hex string
with open('testdata.txt', 'rb') as fh:
    f = binascii.b2a_hex(fh.read()).decode()

def xor_hex(data, key_hex):
    # XOR the hex string with the key as big integers and turn the result back
    # into bytes; hex() drops leading zeros, so pad to an even number of digits
    # or b16decode will raise on an odd-length string
    s = hex(int(data, 16) ^ int(key_hex, 16))[2:]
    if len(s) % 2:
        s = '0' + s
    return base64.b16decode(s.upper())

# XOR each data string with f and decode the result to bytes
t1 = xor_hex(data1, f)
t2 = xor_hex(data2, f)
t3 = xor_hex(data3, f)

# Print the decoded bytes
print(t1)
print(t2)
print(t3)
Output
b'According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth\'s hisCfy //}omo;/ppeare\'2~d;\x7ff$\'x,\x7fjj=*alf3,oq|y$w6&|%Qjvw+U <@f;y/j\x7fkr0~h<Pj1s.=\x06i\x97\xf3\xdcs-q,<j${ugn$u6&\x7f*+o\'erlj|mnn/?;-\'\x7f1%,f{kx8.`\x7fb)"\x8c\xe5\x99np`ust*yzd1}xbi:o{)~sh},^6#Tjcy7aj,yn>Hhu-\x17skl)$In*\'y/dybj7pt4~u"t=5jgh&#yx*+fwi=/eapyrncanxky\x7f8/k<\x0b6=+1\x80\xe8\xdaq*Ir8xo"P|7wfbn'
b"According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's history, life appeared in the oceans and began to affect Earth's atmosphere and surface, leading to the prol^rrlj~<evy\x7f{&*xk|h$kaw-oc 0-'web146iqc$hte7af#`ec~)o>kFnkukzdt|a>y~ciyvb~jn$6O?0i~\x7fd|0v|$lx4~%5l3d*`mx6a8{vcketdia %e,{tr9x>q{1w$h&v~oaxx-)if4tv6pudk"
b'earthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimat'
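What the script above does by hand is a known-plaintext attack on a repeating-key XOR scheme. The following is an added example, not code from the original writeup: it recovers the key stream from a ciphertext and its known plaintext, reduces it to the shortest repeating unit, and shows that any other message under the same key is then readable. The key phrase is the one recovered on this page; the plaintext, ciphertexts and second message are constructed here and are not the box's real testdata.txt.

```python
from itertools import cycle

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key as needed (the scheme the note describes)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def recover_key_stream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext step: C XOR P yields the key stream over the overlapping bytes.
    Byte-wise XOR aligns from the left and keeps zero bytes, unlike XORing
    int(..., 16) values, which right-aligns the inputs and drops leading zeros."""
    n = min(len(ciphertext), len(known_plaintext))
    return bytes(c ^ p for c, p in zip(ciphertext[:n], known_plaintext[:n]))

def shortest_period(stream: bytes) -> bytes:
    """Return the shortest unit whose repetition reproduces the stream (the actual key).
    If the known plaintext is shorter than the key, only a key prefix is recovered
    and the stream itself is returned."""
    for p in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % p] for i in range(len(stream))):
            return stream[:p]
    return stream

# Constructed sample data: the key phrase from this page, a short plaintext,
# and the ciphertext that the repeating-key XOR would produce for it.
KEY = b"earthclimatechangebad4humans"
PLAINTEXT = b"According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago."
CIPHERTEXT = xor_bytes(PLAINTEXT, KEY)
# A second constructed message encrypted under the same key.
SECOND_MESSAGE = b"second message encrypted under the same reused key"
SECOND_CIPHERTEXT = xor_bytes(SECOND_MESSAGE, KEY)

def demo():
    """Recover the key from one known plaintext, then decrypt the second ciphertext with it."""
    key = shortest_period(recover_key_stream(CIPHERTEXT, PLAINTEXT))
    return key, xor_bytes(SECOND_CIPHERTEXT, key)

if __name__ == "__main__":
    key, message = demo()
    print(key)      # b'earthclimatechangebad4humans'
    print(message)  # b'second message encrypted under the same reused key'
```

Key reuse is the whole weakness: one known (or guessable) plaintext gives the key, and every other message under that key falls with it.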
The key string is earthclimatechangebad4humans; guessing that it is a password, try logging in at /admin/login
Login succeeded
Entering the ls command in the CLI gives access to the target's files
Use find to locate the flag
find / -name "*flag*" 2>/dev/null
Read it directly with cat
cat /var/earth_web/user_flag.txt
Flag
user_flag_3353b67d6437f07ba7d34afd7d2fc27d