Vulnhub - HEMISPHERE: GEMINI
Prelude
Since my last post I did Brute It on THM and more or less finished TommyBoy from Vulnhub, although I had to consult a write-up for a hint or two on that one. I did most of it myself. I probably won’t write a post about it.
Introduction
Difficulty: Easy
Flag: 2 (user & root)
Enumeration | Web Application | Privilege Escalation
This works better with VirtualBox than with VMware.
This is HEMISPHERE: GEMINI from Vulnhub.
Ports
This one has FTP, SSH, HTTP and SMB, all on their standard ports. However, FTP doesn't allow anonymous login and nothing is obviously available via SMB, so both are distractions. We move forward with HTTP.
HTTP
robots.txt has three disallowed entries, and none of them exist lol.
Gobuster leads the way:
root@kali:/opt/vulnhub/gemini# gobuster dir -u http://192.168.1.132 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
This gets a directory called /Portal which has an index page like this:
http://192.168.1.132/Portal/index.php?view=about-us.html
The view parameter is presumably an intentional hint; my first thought was LFI, and it was correct:
http://192.168.1.132/Portal/index.php?view=../../../../../../../../../../etc/passwd
This works, and we have a user called william. Probably it’s not as simple as this, right?
http://192.168.1.132/Portal/index.php?view=../../../../../../../../../../../home/william/.ssh/id_rsa
Actually, it is.
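To show why the view parameter behaves this way and what the fix looks like, here is an added example (my own code, not the box's PHP): a Python stand-in for the index page's path handling, the vulnerable version next to an allowlisted one, plus a small detector that flags traversal attempts in access-log request lines. The web root, the page names in the allowlist and the log lines are all constructed for the example.

```python
import posixpath
from urllib.parse import parse_qs, unquote, urlparse

# Constructed stand-in for the Portal's document root (hypothetical path).
WEB_ROOT = "/var/www/html/Portal"

# Pages index.php is meant to render (constructed allowlist; the real box
# only shows about-us.html in the write-up).
ALLOWED_VIEWS = {"about-us.html", "contact.html", "services.html"}


def vulnerable_view_path(view: str) -> str:
    """Behaviour implied by the write-up: `view` is joined to the web root
    with no validation, so `../` sequences walk straight out of it."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, view))


def hardened_view_path(view: str):
    """Return the file to render, or None if the request is rejected.

    Two layers: an exact-match allowlist of page names, and a check that the
    normalised path is still under WEB_ROOT (catches a future mistake such as
    someone adding "../something" to the allowlist)."""
    if view not in ALLOWED_VIEWS:
        return None
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, view))
    if posixpath.commonpath([WEB_ROOT, candidate]) != WEB_ROOT:
        return None
    return candidate


def flags_traversal(request_line: str) -> bool:
    """Detection helper for access logs: True when a request's `view`
    parameter would resolve outside WEB_ROOT under the vulnerable handler.
    Expects a request line such as 'GET /Portal/index.php?view=x HTTP/1.1'."""
    target = request_line.split()[1]
    query = parse_qs(urlparse(target).query)
    for view in query.get("view", []):
        resolved = vulnerable_view_path(unquote(view))  # also catch double-encoding
        if posixpath.commonpath([WEB_ROOT, resolved]) != WEB_ROOT:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample request lines, one benign and two traversal attempts.
    SAMPLE_REQUESTS = [
        "GET /Portal/index.php?view=about-us.html HTTP/1.1",
        "GET /Portal/index.php?view=../../../../../../../../../../etc/passwd HTTP/1.1",
        "GET /Portal/index.php?view=..%2F..%2Fetc%2Fpasswd HTTP/1.1",
    ]
    for line in SAMPLE_REQUESTS:
        print(("TRAVERSAL " if flags_traversal(line) else "ok        ") + line)
```

The allowlist is the real fix; the commonpath check is defence in depth, and the log check is what you would run over the web server's access log to see whether anyone has already tried the parameter.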
Privesc
Linpeas says /etc/passwd is writable. We know what to do with that!
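For the defender's side of this finding, here is an added example (my own code, not linpeas or anything from the box) that audits /etc/passwd the way a hardening check would: it flags write permission for group or others on the file's mode bits, and it parses the entries to flag any account other than root with UID 0 or any entry carrying a password field instead of the usual "x". The sample file contents are constructed, including the hash placeholder.

```python
import os
import stat

# Constructed sample of a healthy /etc/passwd (entries are hypothetical).
CLEAN_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "william:x:1000:1000:william:/home/william:/bin/bash\n"
)

# Constructed sample of what an audit should catch on a world-writable
# /etc/passwd: an extra UID-0 entry with a hash in the password field
# (placeholder hash, not a real one).
TAMPERED_PASSWD = CLEAN_PASSWD + (
    "extra:$6$PLACEHOLDER$PLACEHOLDERHASH:0:0::/root:/bin/bash\n"
)


def audit_passwd_mode(mode: int) -> list:
    """Findings for an st_mode value; the expected mode is 0644 owned by root."""
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("/etc/passwd is world-writable")
    if mode & stat.S_IWGRP:
        findings.append("/etc/passwd is group-writable")
    return findings


def audit_passwd_text(text: str) -> list:
    """Findings for the file contents: malformed lines, password fields that
    bypass /etc/shadow, and UID-0 accounts other than root."""
    findings = []
    uid0_names = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"line {lineno}: malformed entry ({len(fields)} fields)")
            continue
        name, passwd, uid, _gid, _gecos, _home, _shell = fields
        # Anything other than the shadow marker is either a hash or an empty
        # (passwordless) field, both of which login honours directly.
        if passwd not in ("x", "*", "!"):
            findings.append(f"line {lineno}: {name} has a password field in /etc/passwd")
        if uid == "0":
            uid0_names.append(name)
    for name in uid0_names:
        if name != "root":
            findings.append(f"{name} has UID 0")
    return findings


def audit_passwd_file(path: str = "/etc/passwd") -> list:
    """Run both checks against a real file on the host."""
    findings = audit_passwd_mode(os.stat(path).st_mode)
    with open(path, encoding="utf-8") as fh:
        findings.extend(audit_passwd_text(fh.read()))
    return findings


if __name__ == "__main__":
    # Exercise the checks on the constructed samples first, then the host.
    print("clean sample:", audit_passwd_text(CLEAN_PASSWD) or "no findings")
    print("tampered sample:", audit_passwd_text(TAMPERED_PASSWD))
    print("world-writable mode:", audit_passwd_mode(0o100666))
    print("this host:", audit_passwd_file() or "no findings")
```

Run it on the host as any user (the file is world-readable); an empty list from audit_passwd_file means the mode is sane and no one has slipped an extra root into the file.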
Short, sweet, and done.