Hemisphere Gemini vulnhub walkthrough

Today we are going to solve another boot2root VulnHub CTF named Hemisphere Gemini. It is an easy-level box available on VulnHub for improving penetration testing skills, and you can download this machine here.

Network Scanning

As you know, this is the initial phase, where we use netdiscover to scan the network and identify the target machine's IP address.


Now we have the target machine's IP address; my target IP is 192.168.43.105. Our next step is scanning the target machine for open ports and running services.


Enumeration

We start with the enumeration stage. The first service we decided to look at was HTTP. Opening the IP address in a web browser, we see a static HTML page. There is nothing special to look at here.

After checking the landing page source code and trying some basic techniques, we couldn't find anything useful, so we ran gobuster for directory brute-forcing using a custom wordlist.


We discover some useful directories. Navigating to one of them, we find another PHP page with a message that this website is undergoing maintenance.

After enumerating the page, we found an LFI (Local File Inclusion) vulnerability in the About Us page URL. Let's read the /etc/passwd file.

The LFI works, since we can see the target machine's /etc/passwd file. Only one user exists, William, so let's try to read the id_rsa SSH private key.


We save the target machine's id_rsa key to our local machine and change its permissions so that only the owner can read and write the file, and then we try to connect to the SSH server.

Privilege Escalation

Now we are logged in as the William user. Let's check the passwd file's permissions: we can see that all users have read-write-execute permission. First, we generate a password hash with the help of OpenSSL.

Our new user's password hash is generated. Our next step is adding a new user to the target's passwd file as a root user.

Now, this is the final step: let's switch from the William user to the new user Rahul by running su (the switch user command). After changing users we have root privileges, and we move to the /root directory to read our final flag.
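
To check a host for the misconfiguration this escalation depends on, here is an added example (not part of the original walkthrough) that audits a passwd-format file for group or world write permission, extra UID 0 accounts, and password hashes stored directly in the passwd field. The sample entries, including the william and rahul lines and the CONSTRUCTEDHASH placeholder, are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for the conditions behind the
# privilege escalation described above. Prints one finding per line.

audit_passwd() {
    file="${1:-/etc/passwd}"

    # A group- or world-writable passwd file lets any local user append accounts.
    perms=$(ls -ld "$file" | cut -c1-10)
    case "$perms" in
        ?????w*|????????w*)
            echo "PERMS $file is $perms, expected -rw-r--r-- (fix: chmod 644, chown root:root)" ;;
    esac

    awk -F: '
        $0 ~ /^#/ || NF < 3 { next }
        # Any extra UID 0 account is root under another name.
        $3 == 0 && $1 != "root" { print "UID0 " $1 " has UID 0" }
        # With shadow passwords field 2 is "x"; "*" or a leading "!" means locked.
        $2 != "x" && $2 != "*" && $2 !~ /^!/ {
            print "HASH " $1 (length($2) ? " carries a password hash in passwd" : " has an empty password field")
        }
    ' "$file"
}

# Constructed sample reproducing the end state of the walkthrough:
# a passwd file with mode 777 and an appended UID 0 account.
make_sample() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
william:x:1000:1000::/home/william:/bin/bash
rahul:CONSTRUCTEDHASH:0:0::/root:/bin/bash
EOF
    chmod 777 "$sample"
    echo "$sample"
}

# Usage: sh audit_passwd.sh /etc/passwd
if [ "$#" -gt 0 ]; then audit_passwd "$1"; fi
```

On a correctly configured system the function prints nothing; any PERMS, UID0 or HASH line deserves investigation.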
