Hemisphere Gemini Vulnhub Walkthrough

Today we are going to solve another boot2root Vulnhub CTF named Hemisphere Gemini. It is an easy-level box, available at Vulnhub for improving penetration testing skills, and you can download this machine here.

Network Scanning

As you know, this is the initial phase, where we use netdiscover to scan the network and identify the target machine's IP address.

sudo netdiscover

Now we have the target machine's IP address. My target IP is 192.168.43.105, and our next step is scanning the target machine for open ports and running services.

nmap -A 192.168.43.105

Enumeration

We start with the enumeration stage. The first service we decided to look at was HTTP. Opening the IP address in a web browser, we see a static HTML page. There is nothing special to look at here.

http://192.168.43.105

After checking the landing page source code and trying some basic techniques, we couldn't find anything useful, so we ran gobuster for directory brute-forcing using a custom wordlist.

wordlist="/opt/seclists/Discovery/Web-Content/directory-list-2.3-small.txt"

gobuster dir -u http://192.168.43.105/ -w "$wordlist" -t 40

We discover some useful directories. Navigating to one of them, we find another PHP page with a message that this website is undergoing maintenance.

http://192.168.43.105/Portal/

After enumerating the page, we found an LFI (Local File Inclusion) vulnerability in the About Us page URL. Let's read the /etc/passwd file.

LFI is working, since we can see the target machine's /etc/passwd file. Only one user exists, William, so let's try to read his id_rsa SSH private key.

view-source:192.168.43.105/Portal/index.php?view=../../../../home/william/.ssh/id_rsa

We save the target machine's id_rsa key to our local machine and change the permissions so that only the owner can read and write the file, and then we try to connect to the SSH server.

vi rsa.pub
chmod 600 rsa.pub
ssh -i rsa.pub william@192.168.43.105

Privilege Escalation

Now that we are logged in as the user William, let's check the permissions on the passwd file: we can see that all users have read-write-execute permission. First, we generate a password hash with the help of OpenSSL.

Our new user's password hash is generated; our next step is adding a new user to the target's passwd file as a root user.

ls -ls /etc/passwd
openssl passwd -1 -salt rahul password

Now, this is the final step: let's switch from the user William to the new user rahul by running the su (switch user) command. After changing user we have root privileges, and we move to the /root directory to read our final flag.

su rahul
cd /root
ls
cat root.txt
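
A defender-side check for the misconfiguration used in this step, as an added example that is not part of the original walkthrough: it flags a passwd file writable by group or others, extra UID 0 accounts, and entries that carry their own password field instead of deferring to /etc/shadow. The function names are this example's own, and the sample entries and hash string in demo() are constructed.

```python
import os
import stat
import tempfile

# Field-2 values meaning "no hash stored here" (shadowed or locked account).
NO_HASH = {"x", "*", "!", "!!"}

def audit_passwd(path="/etc/passwd"):
    """Return a list of findings for a passwd-format file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"mode {mode:04o}: writable by group or others (expected 0644)")
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            line = line.rstrip("\n")
            if not line or line.startswith("#"):
                continue
            fields = line.split(":")
            if len(fields) != 7:
                findings.append(f"line {lineno}: malformed entry")
                continue
            name, pw, uid = fields[0], fields[1], fields[2]
            if uid == "0" and name != "root":
                findings.append(f"line {lineno}: '{name}' has UID 0")
            if pw not in NO_HASH:
                findings.append(f"line {lineno}: '{name}' has a password field set in passwd")
    return findings

def demo():
    """Audit a constructed passwd file that reproduces the state described above."""
    sample = (
        "root:x:0:0:root:/root:/bin/bash\n"
        "william:x:1000:1000::/home/william:/bin/bash\n"
        "rahul:$1$rahul$CONSTRUCTEDHASH:0:0::/root:/bin/bash\n"  # constructed entry
    )
    with tempfile.NamedTemporaryFile("w", suffix=".passwd", delete=False) as tmp:
        tmp.write(sample)
    os.chmod(tmp.name, 0o777)  # the world-writable mode seen on the target
    try:
        return audit_passwd(tmp.name)
    finally:
        os.unlink(tmp.name)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Calling audit_passwd() with no argument checks the live /etc/passwd; an empty list means none of the three conditions was found.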

By Rahul Gehlaut

Cyber Security Researcher, CTF Player. Tech Blog Writer.