Proving Grounds: Geisha

Zeref_Sec
6 min read · Jul 6, 2021

Today we will be tackling Offensive Security’s Proving Grounds: Geisha box. It is a simple boot2root that uses SSH brute-forcing and an easy privilege escalation to capture the root flag.

First things first, an Nmap scan. You can run an all-ports scan if you wish, but for this walkthrough I ran a typical scan using the -sV -sC flags for version detection and the default scripts.

The full command reads “nmap -sV -sC -oN Geisha-Scan [box IP]”. After running the scan I found 4 open ports: 21, 22, 80 and 8088. Seeing this I investigated the FTP and web services. FTP didn’t allow anonymous login, so it was put aside in case we needed to come back to it later.

Ports 80 and 8088 came back as typical HTTP services, so the first step before enumerating the sites manually was to run gobuster with the SecLists common.txt wordlist to find any subdirectories that may be hidden from us.

The command for this can be written as “gobuster dir -u http://[box-ip]:80/ -w [directory/to/wordlist]”. With this running in the background we can start to manually enumerate the website.

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

After completing this box myself, it seemed I had done so in an unintended way, so first I will explain the intended method and then my own logic for this box.

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

Intended Method:

If during the Nmap stage you did a full port scan on the box, you will have discovered an Nginx server on port 7125. Running gobuster/dirb against this port looking for common file extensions (.html, .php, .txt, .zip) finds 2 files: /passwd and /shadow.

If you know your Linux file systems, you know that the passwd and shadow files store information about the users who have accounts on the machine.

With the passwd file discovered we can download it using curl:

“curl http://[box-ip]:7125/passwd -o passwd && cat passwd | grep home”

This reveals the username “Geisha”, which we can assume is the user with access to the SSH service on the box. With that in hand, you can use ncrack or hydra, whichever brute-forcing tool you prefer, with the rockyou.txt wordlist to get into the box through the SSH service.

My logic for the box:

As you can see, my initial port scan on the box did not find the service on port 7125, so without that how did I guess the correct username? A usual trope with CTFs is that they emulate a lazy system administrator, and if you play the more gamified CTFs, the name of the box is often the name of a user for the initial foothold; if not, it belongs to another user later down the line.

After poking around the services on ports 80 and 8088, I came up with nothing except the image you see when you open the service in the browser. Nothing hinted at a way into the FTP server, so a quick brute-force attempt against the SSH service with rockyou.txt, running while I carried on enumerating, didn’t seem like a bad idea.
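Both routes into this box rely on an online password brute force against SSH, which leaves a very recognisable trail in the server’s auth log. Here is an added example (mine, not part of the original write-up) of the detection logic a defender would run over sshd log lines: it flags a source address that racks up several password failures inside a short window and escalates the verdict when a password login from that address then succeeds. The log lines are constructed to match OpenSSH’s auth.log format; the hostname, addresses, threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log lines in auth.log format (not taken from the box).
SAMPLE_LOG = """\
Jul  6 10:00:01 geisha sshd[1201]: Failed password for geisha from 192.0.2.10 port 40001 ssh2
Jul  6 10:00:01 geisha sshd[1202]: Failed password for geisha from 192.0.2.10 port 40002 ssh2
Jul  6 10:00:02 geisha sshd[1203]: Failed password for invalid user admin from 192.0.2.10 port 40003 ssh2
Jul  6 10:00:02 geisha sshd[1204]: Failed password for geisha from 192.0.2.10 port 40004 ssh2
Jul  6 10:00:03 geisha sshd[1205]: Failed password for geisha from 192.0.2.10 port 40005 ssh2
Jul  6 10:00:04 geisha sshd[1206]: Accepted password for geisha from 192.0.2.10 port 40006 ssh2
Jul  6 10:05:00 geisha sshd[1300]: Failed password for geisha from 198.51.100.7 port 50001 ssh2
Jul  6 11:00:00 geisha sshd[1400]: Accepted publickey for geisha from 198.51.100.7 port 50002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse(line, year=2021):
    """Split one sshd line into (timestamp, result, method, user, ip); None if not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["method"], m["user"], m["ip"]

def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Map source IP -> verdict. 'bruteforce' once `threshold` password failures land within
    `window_s` seconds; upgraded to 'bruteforce+success' if that IP later logs in by password."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    verdicts = {}
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        ts, result, method, user, ip = parsed
        if result == "Failed" and method == "password":
            q = recent[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                verdicts.setdefault(ip, "bruteforce")
        elif result == "Accepted" and method == "password" and ip in verdicts:
            verdicts[ip] = "bruteforce+success"
    return verdicts
```

A key-based login from an address that never failed (the second source above) is deliberately left alone, so the rule does not fire on normal administration.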

With a foothold on the machine, let’s move on to the privesc, which is pretty interesting by all accounts and shows why the most innocent of programs can be used to exploit a machine.

Privilege Escalation:

First things first, let’s grab the flag from the local.txt file in the user’s home directory. Then we can move on to looking for anything on this box that we can use to gain more privileges.

The first thing I normally check on a box is what sudo privileges I have. In a CTF this can hint at what kind of privesc we’re looking at, but it seems there is nothing to use on this machine.

The next thing to check for is binaries with the SUID bit set; you can list them with the command “find / -perm -u=s -type f 2>/dev/null”.

Seeing these binaries, we can start looking for privesc techniques related to them. One of my favourite sites for anything privesc-related is GTFOBins, which has an interesting entry for base32.

To test this I tried something simple: reading /etc/shadow. This file contains an entry for every user along with the hash of their password, which can be extremely handy in a pentest.

What do you know? It works! We now have a way to read restricted files that we couldn’t normally read. I did try cracking the hash from /etc/shadow, but after 30 minutes it seemed like this isn’t the way to do it, or if it is, it’s taking too long. So instead of trying to crack a password, why not just steal a credential instead? We know an SSH service is running on the machine, so let’s see if an RSA key exists in root’s home directory. You can usually confirm whether root can log in over SSH by checking sshd_config for the PermitRootLogin setting: the commented default, #PermitRootLogin prohibit-password, still allows root to log in with a key.

Ayyy, we now have a copy of root’s RSA private key for the SSH service, which we can copy to our machine and give the correct permissions to log on as root. Just open your favourite text editor, create a new file called key or id_rsa, paste in the RSA key from the box, set the permissions to 600 using “chmod 600 key”, and log in to the machine.
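The sshd_config check mentioned above is easy to misread, because a commented “#PermitRootLogin prohibit-password” line only documents OpenSSH’s default rather than setting anything. As an added example (not from the original post), this parser reports the value sshd actually applies, following OpenSSH’s first-occurrence-wins rule, ignoring comments and Match blocks, and normalising the deprecated without-password alias; the config fragments are constructed, not the box’s real file.

```python
import re

# OpenSSH's compiled-in default since 7.0: root may log in with a key but not a password.
DEFAULT_PERMIT_ROOT_LOGIN = "prohibit-password"
ALIASES = {"without-password": "prohibit-password"}  # deprecated spelling still accepted by sshd

def effective_permit_root_login(config_text):
    """Return the PermitRootLogin value sshd applies to connections not covered by a Match block.
    Rules mirrored from sshd_config(5): the first occurrence of a keyword wins, keywords are
    case-insensitive and may be joined to their value by '=' or whitespace, '#' lines are
    comments (so '#PermitRootLogin prohibit-password' only documents the default), and
    settings after the first Match line are conditional, so parsing stops there."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        if keyword == "permitrootlogin" and len(parts) == 2 and parts[1]:
            value = parts[1].split()[0].lower()
            return ALIASES.get(value, value)
    return DEFAULT_PERMIT_ROOT_LOGIN

def root_key_login_allowed(config_text):
    """True when a copied root private key alone is enough to log in as root: every value
    except 'no' permits public-key root login ('forced-commands-only' limits it to keys
    carrying a command= option, which still runs code as root)."""
    return effective_permit_root_login(config_text) != "no"

# Constructed sshd_config fragments (assumptions for the demo, not the box's configuration).
DEFAULT_ONLY = "# Authentication:\n#PermitRootLogin prohibit-password\nPasswordAuthentication yes\n"
HARDENED = "Port 22\nPermitRootLogin no\nPermitRootLogin yes\n"  # first occurrence wins
MATCH_ONLY = "PubkeyAuthentication yes\nMatch Address 10.0.0.0/8\n    PermitRootLogin yes\n"
EQUALS_FORM = "permitrootlogin=without-password\n"
```

The hardening that would have blocked the finish of this box is an explicit, uncommented “PermitRootLogin no” in the global section, ahead of any Match block.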

Offensive Security were a little funny with how they rigged this one up: you need to get the flag from the proof.txt file and not the flag.txt file. But with that said, you have now owned this boot2root machine.

I hope you found this write-up as enjoyable as I did making it. It was a little disappointing to use blind brute-force methods on this box, but the privesc made it enjoyable overall, showing how a GTFOBins entry that can read files is enough to compromise a misconfigured box.
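The defender’s counterpart to that lesson is an audit of setuid binaries against a known-good baseline, so that a stray bit on something like base32 stands out instead of hiding among the legitimate entries. This is an added example (not from the write-up) that reimplements the find command used above in Python and diffs the result against an assumed baseline; the demo builds a throwaway tree with constructed files rather than scanning the real filesystem.

```python
import os
import stat
import tempfile

# Assumed baseline: setuid binaries expected on a stock Debian-like host (abridged, constructed).
EXPECTED_SUID = {"su", "sudo", "passwd", "chsh", "chfn", "newgrp", "gpasswd", "mount", "umount"}

def find_setuid_files(root):
    """Equivalent of `find ROOT -perm -u=s -type f`: regular files with the setuid bit set.
    Symlinks are not followed and unreadable directories are skipped instead of aborting."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda _e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)

def unexpected_setuid(root, expected=EXPECTED_SUID):
    """Setuid files whose basename is not in the baseline. Each one is a candidate for a
    GTFOBins-style file-read or shell primitive and should be justified or have the bit removed."""
    return [p for p in find_setuid_files(root) if os.path.basename(p) not in expected]

def demo():
    """Build a throwaway tree with constructed files and audit it.
    Returns (all setuid basenames, basenames outside the baseline)."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    # passwd is a legitimate setuid program; base32 should never carry the bit; cat is plain.
    for name, mode in (("passwd", 0o4755), ("base32", 0o4755), ("cat", 0o755)):
        path = os.path.join(bindir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    found = [os.path.basename(p) for p in find_setuid_files(root)]
    odd = [os.path.basename(p) for p in unexpected_setuid(root)]
    return found, odd
```

Against a live host, call unexpected_setuid("/") from a cron job or configuration-management check and alert on any non-empty result.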

If there was a method to this box that I didn’t mention or something I missed in this write-up, please let me know in the comments or on Twitter using #ZerefGeisha.
