THE PLANETS: VENUS

Get ready

attack : kali

Drone aircraft : THE PLANETS: VENUS NAT 192.168.91.0 Network segment

Download link :

https://www.vulnhub.com/entry/the-planets-venus,705/

Information collection and utilization

The host found

python3 ping.py -H 192.168.91.0/24

Get the target as shown in the figure IP Address ：192.168.91.173

Port scanning

nmap -sV -p- -sS -A 192.168.91.173 -oN venus_nmap.txt

As shown above, only 22,8080 port , among 8080 Like the previous two, it is made up of python Composed of web page .

HTTP

http://192.168.91.173:8080/

As shown in the figure above , Show Use guest:guest To log in to the guest account , After testing （ guess ） I found that when the user name and password are entered as ： venus:venus You can also log in when .

Directory scanning

python3 dirsearch.py -u http://192.168.91.173:8080/

Sweep out a lot 302 Redirect , It's not shown here .

Generally speaking python Page written by , Either Flask frame , Or Django frame , These two frameworks are common , Generally speaking, there are admin Background page , Only when you log in can you go further .

http://192.168.91.173:8080/admin/login/?next=/admin/

As shown in the figure , yes Django . That's right . Try to open it DEBUG Pattern , If the error message is displayed and all routes are displayed, it is proved that it is enabled , If only Not Found It proves that it is closed DEBUG Pattern . After testing, it is found that it is closed .

Try to log in to the background with a weak password , Failure ！

Return to the first landing page again , Now we know that there are two user names and passwords :

guest:guest

venus:venus( Guess from the name of the target )

Is there any other user name ？ So now we need to blast .

Enter the correct user name at the login, and the wrong password will be displayed : invalid password.

When you enter any user name, it will display : invalid username.

So by returning information ： invalid username To blast the user name .

But there is another problem , How to ensure that the correct user name is in our dictionary ？？？ The two known user names are useless , Can not ssh land .

I saw wp : https://medium.com/@mcl0x90/the-planets-venus-vulnhub-write-up-f6727d08bafb

Got a username and password :

magellan:venusiangeology1989 ( It was blasted by foreign leaders .)

flag 1

Raise the right

Method 1 ：

SUID Raise the right

find / -perm -u=s -type f 2>/dev/null

As shown in the figure, it is found that polkit-1/polkit-agent-helper-1 With the previous target : MECURY( mercury ) As like as two peas . We try the same method to exp Download to the target , Note that there is no git command . We use it wget download

then unzip cve-2021-4034 Decompression can be .

then make

Generated Executable file cve-2021-4034

function :

./cve-2021-4034

As shown in the figure, we get root jurisdiction .

flag 2

This method is similar to that of the previous target aircraft in this series The method of raising rights is the same . It should be said that the focus of this target plane is not this .

Method 2 ：

Refer to those of foreign leaders wp, Personally, I find it difficult . Gave up .

summary

1. It can be used as the previous mercury target cev-2021-4034 Right to come （ Simple , It suits my kind of chicken ！）
2. Blasting passwords require a powerful Dictionary , Here I looked directly at wp The answer .