Today we are going to solve another boot2root Vulnhub CTF, named Hemisphere Gemini. It is an easy-level box, available on Vulnhub for improving penetration testing skills, and you can download the machine here.
Network Scanning
As you know, this is the initial phase, where we use netdiscover to scan the network and identify the target machine's IP address.

sudo netdiscover

Now we have the target machine's IP address; mine is 192.168.43.105. Our next step is scanning the target machine for open ports and running services.

nmap -A 192.168.43.105
Enumeration
We start with the enumeration stage. The first service we decided to look at was HTTP. Opening the IP address in a web browser shows a static HTML page; nothing special to see here.

http://192.168.43.105

After checking the landing page's source code and trying some basic techniques, we couldn't find anything useful, so we ran gobuster for directory brute-forcing with a custom wordlist.

wordlist="/opt/seclists/Discovery/Web-Content/directory-list-2.3-small.txt"
gobuster dir -u http://192.168.43.105/ -w "$wordlist" -t 40

We discovered some useful directories. Navigating to one of them, we found another PHP page with a message that the website is undergoing maintenance.

http://192.168.43.105/Portal/
After enumerating the page we found an LFI (Local File Inclusion) vulnerability in the About Us page URL; let's read the /etc/passwd file.
LFI is working, since we can see the target machine's /etc/passwd file, and among the users there is only one real user, william. Let's try to read his id_rsa SSH private key.

view-source:192.168.43.105/Portal/index.php?view=../../../../home/william/.ssh/id_rsa

We save the target machine's id_rsa key to our local machine, change its permissions so that only the owner can read and write the file, and then connect to the SSH server.

vi rsa.pub
chmod 600 rsa.pub
ssh -i rsa.pub william@192.168.43.105
Privilege Escalation
Now we are logged in as the william user. Let's check the permissions on the passwd file: all users have read, write and execute permission on it. First, we generate a password hash with the help of OpenSSL.
With the new user's password hash generated, our next step is adding a new user, with root privileges, to the target's passwd file.

ls -ls /etc/passwd
openssl passwd -1 -salt rahul password

Now for the final step: switch from the william user to the new user rahul with su (the switch-user command). After switching, we have root privileges, so we move to the /root directory to read the final flag.

su rahul
cd /root
ls
cat root.txt
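As an added defender-side check, not part of this walkthrough, the following Python script audits a passwd file for the two conditions the escalation above relied on: a world-writable /etc/passwd, and accounts that carry UID 0 or a password hash directly in passwd instead of shadow. The sample passwd content and the rahul hash value are constructed placeholders.

```python
import os
import stat
import tempfile

# Constructed sample modelled on the box after the final step: william is the
# only real user and a UID-0 "rahul" entry with an MD5-crypt hash was appended.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
william:x:1000:1000:William:/home/william:/bin/bash
rahul:$1$rahul$PLACEHOLDERHASH0000000:0:0::/root:/bin/bash
"""

def parse_passwd(text):
    """Parse passwd(5) records (name:pw:uid:gid:gecos:home:shell) into dicts."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # malformed record; a real audit should report it
        name, pw, uid, _gid, _gecos, home, shell = fields
        entries.append({"name": name, "pw": pw, "uid": int(uid), "home": home, "shell": shell})
    return entries

def audit_text(text):
    """Findings derived from the records alone."""
    entries = parse_passwd(text)
    return {
        # any UID-0 account besides root is a backdoor or a mistake
        "extra_uid0": [e["name"] for e in entries if e["uid"] == 0 and e["name"] != "root"],
        # a real hash in field 2 bypasses /etc/shadow: this is what an
        # "openssl passwd -1" hash pasted into passwd looks like
        "hash_in_passwd": [e["name"] for e in entries if e["pw"] not in ("x", "*", "!", "")],
    }

def audit_file(path):
    """Record findings plus the permission check (ls -l showing -rw-rw-rw-)."""
    with open(path, encoding="utf-8") as fh:
        findings = audit_text(fh.read())
    findings["world_writable"] = bool(os.stat(path).st_mode & stat.S_IWOTH)
    return findings

def demo():
    """Write the sample with the box's bad permissions, audit it, then clean up."""
    with tempfile.NamedTemporaryFile("w", delete=False) as fh:
        fh.write(SAMPLE_PASSWD)
    os.chmod(fh.name, 0o666)
    try:
        return audit_file(fh.name)
    finally:
        os.unlink(fh.name)
```

Run `audit_file("/etc/passwd")` on a real host; a clean system returns empty lists and `world_writable` False.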