I am going to share my walkthrough for Vulnhub machine called “Geisha: 1”. The machine difficulty was a beginner to intermediate, the goal is to get the root shell i.e.(root@localhost:~#) and then obtain flag under /root).
As usual, we are scanning and obtaining our vulnerable machine IP which I am skipping these steps. Then, using nmap gathering as much as possible information regarding Geisha machine.
As we see, from the screenshot there are a lots of ports open and services running but our scope will be 22 and 7125 because I already investigated services for you ;-).
First of all, I used nikto for scanning the web service and got interesting information related to OSVDB–3092: /passwd.
Immediately, I checked the URL http://192.168.85.133:7125/passwd in that case IP will be different according to your configuration. I was able to download passwd file which stores essential information, required during login. In other words, it stores user account information. The /etc/passwd is a plain text file. It contains a list of the system’s accounts, giving for each account some useful information like user ID, group ID, home directory, shell, and more. The /etc/passwd file should have general read permission as many command utilities use it to map user IDs to user names. Additionally, I have tried to download shadow file for cracking the passwords of users but was not successful.
Then, I have used one of my favourite tools named hydra for a brute-force attack to ssh service in order to crack the password of geisha user which found from passwd file. As you see, hydra was able to crack it.
I used these credentials and logged in the system via ssh. However, the user does not have administrative or special privileges. Therefore, we need some privilege escalation techniques.
I checked for setuid binaries and pulled out /usr/bin/base32 which can be run as root user. Lets summaries, binaries with the setuid bit enabled, are being executed as if they were running under the context of the root user. This enables normal (non-privileged) users to use special privileges, like opening sockets.
I am going to encode and decode /root/.ssh/id_rsa for logging in SSH via using private key of user. Generally, SSH uses public/private key pairs, so id_rsa is RSA private key of users (based on prime numbers).
Thus, I was able to see what was the private key of user and used for connecting to system via SSH.
Finally, I managed to read flag.txt file which was required as a goal by the task.
Today’s post finished 😉 lets see each other on other posts.
Sorry for my bad English 😉
