Today we are working on Geisha: 1 from Vulnhub.com. This box is rated as an Beginner/Intermediate level.
Enumeration
We start with our nmap scans.
There are quite a few ports open, pretty much all of them purporting to be web servers. Let’s just say I Dirbusted the hell out of all of these ports, including tcp/7125, which was also a web server although nmap didn’t identify it as so, and hit a dead end. I also investigated an exploit in Open LiteSpeed Server with no success.
Late in my Dirbusting, knowing this box creator, I kicked off a Hydra session to brute force ssh. I should have started with this.
Hydra pretty quickly found the password of “letmein” to go with the user “geisha”. This is the same ssh password as the box in my previous walkthrough. OK, SunCSR Team, while I appreciate you making these CTF’s, maybe it is time to branch out from the same ssh brute force solution for every box.
Privilege Escalation
At any rate, we can ssh into the box with our new-found creds and proceed with our privesc. After some initial privesc checks, I ran linpeas.sh and quickly noticed that /usr/bin/base32 has SUID permissions
As you should always do with SUID binaries, check GTFOBins and we find that base32 can execute privileged file reads. Using the technique on GTFOBins, you can read the root flag and call it a day, however I’m always attempting to get a root shell. I first used the exploit to read /etc/shadow.
Once we have /etc/shadow, we can also read /etc/passwd and save both to our attacker box. Then we combine the files and try to crack the root password with hashcat.
Unfortunately, the root password isn’t in rockyou.txt. What else might we be able to read that will help us get a root shell? How about root’s private ssh key?
Save the key to a file on our attacker box, do a ‘chmod 600’ and then try to ssh as root.
We got our root shell! Personally, I found this box a bit frustrating with all the rabbit-holes, although I will admit the box creator warned us on the download page. What did you think of this box? Drop me a comment.
