Hemisphere: Gemini Vulnhub Walkthrough
This is again a very easy level machine good for beginners and for people who want to keep in touch with your basic skills. Highly recommend it for oscp starters as a practice.
The download link is as given below:
As usual, we start with a full port nmap scan:
nmap shows these ports open. Usually I would a service scan and try to enumerate the other services and misconfigurations like if any share we can access through port 445 or if ftp allows anonymous before moving onto port 80. Having said that, I had tried it but nothing useful came from there. hence I switched to the http server we had. On opening it, we were greeted with this:
Then I checked the robots.txt and found there were three directories listed which were not found when tried to reach. Seems to me they were rabbit holes.
Anyway, time to go for dirbuster:
The Portal directory seems interesting. Let’s head over there
After clicking around , we land up here
Immediately, I thought of lfi, hence I tried it .And boy was I correct!
Hooray! We got a lfi.
Normally in lfi, I first try to look into log files to perform log cache poisoning . But sadly, in this case, we were unable to read any log files.
Then another thought struck to my mind. Could we read a user’s id_rsa file and ssh into a machine?If you observe carefully, you can see we have a user william and plus ssh port is also open
On putting my hypothesis to test , we get:
Great! We got the user’s rsa key. We can now login as william:
Now for privilege escalation, we observe that the etc passwd file has weak permissions and can be modified by anyone :
Now it’s very straight forward. We are going to add a user arnav with root permissions . To do it , lets first generate the salted pasword:
Add this line into the /etc/passwd file of the compromised machine:
Now switch to user arnav using su and read the root flag:
As stated, this machine is designed for extreme beginners and for seasoned people with less time to keep in touch with skills as hack the box takes up a lot of time . It is also very good for oscp practice as well. Happy hacking :)
