This is a write-up of Gemini Inc: 1, a VulnHub machine that is deliberately vulnerable. It walks through the steps of identifying the vulnerable services running on the server and exploiting them to gain unauthorised privileged access.
Disclaimer: this write-up is meant for security enthusiasts who set up and hack the machine locally, in a safe environment, to practise while still having fun. VulnHub provides many vulnerable machines for practice, similar to the ones in the OSCP course lab (read about my OSCP journey).
Word of Advice
As always, my advice is to get your hands dirty with the setup and try to hack the machine yourself before reading through this write-up. That way you will maximise your learning and sharpen your thought process for compromising a vulnerable machine.
Setting Up
- Download the Virtual Machine (VM) from VulnHub (link)
- Start the VM and select “I copied it”; it should boot without trouble. The machine is preconfigured to obtain an IP address automatically via DHCP, so no additional network configuration is required.
- Note that for this write-up I explicitly switched the VM's “Network Adapter” option to “NAT”. You may do the same or keep the default (Bridged); the steps below should not differ much either way, as long as your attacking machine and the target sit on the same network segment.
Host discovery
Use netdiscover to identify the hosts on my network (it runs an ARP scan, so it needs root and only finds hosts on the same layer-2 segment, which is exactly what we want here):
netdiscover -r 192.168.117.0/24

(screenshot: netdiscover output)
As shown in the screenshot, it was pretty straightforward: the target machine is located at the IP address 192.168.117.159.
Service discovery
Use nmap to identify the services running on the target machine. The -p- flag covers all 65535 TCP ports and -Pn skips host discovery, since we already know the host is up:
nmap -sS -Pn -T4 -p- 192.168.117.159

(screenshot: nmap on all ports)
As shown, only ports 22 and 80 were found open. Note that this is a TCP SYN scan, so UDP services are not covered.
Now, use the nmap scripts to perform further information gathering on just those two ports (-A enables version detection, default script scanning and traceroute; -O adds OS detection):
nmap -O -A -Pn -T4 -p22,80 192.168.117.159
The following information was obtained:
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u2 (protocol 2.0)
| ssh-hostkey:
|   2048 e9:e3:89:b6:3b:ea:e4:13:c8:ac:38:44:d6:ea:c0:e4 (RSA)
|   256 8c:19:77:fd:36:72:7e:34:46:c4:29:2d:2a:ac:15:98 (ECDSA)
|_  256 cc:2b:4c:ce:d7:61:73:d7:d8:7e:24:56:74:54:99:88 (EdDSA)
80/tcp open  http    Apache httpd 2.4.25
| http-ls: Volume /
| SIZE  TIME              FILENAME
| -     2018-01-07 08:35  test2/
|_
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Index of /
MAC Address: 00:0C:29:05:4A:83 (VMware)
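The two-phase scan above (full TCP port sweep first, then version and script scanning only on the ports found open) is worth scripting so it can be reused on every target. The script below is an added example and is not part of the original write-up. It assumes nmap is on PATH and that it runs as root, since -sS and -O need raw sockets; the grepable (-oG) nmap output embedded in SAMPLE_GNMAP is constructed by hand to mirror the ports found on this machine, so the parsing step can be exercised offline without a target.

```shell
#!/bin/sh
# Two-phase port scan: sweep all TCP ports, then run -A/-O only on the open ones.
# Added example for this write-up; not code from the original post.

# Extract a comma-separated, sorted list of open TCP ports from a grepable
# (nmap -oG) file given as $1, or from stdin when no file is given.
# The -oG "Ports:" field looks like: 22/open/tcp//ssh///, 80/open/tcp//http///
open_ports() {
    grep 'Ports:' "${1:--}" \
      | tr ',' '\n' \
      | grep -o '[0-9][0-9]*/open/tcp' \
      | cut -d/ -f1 \
      | sort -nu \
      | tr '\n' ',' \
      | sed 's/,$//'
    echo
}

# Phase 1 sweep, phase 2 targeted scan. Requires root for -sS and -O.
scan_target() {
    target="$1"
    sweep="full-$target.gnmap"
    nmap -sS -Pn -T4 -p- -oG "$sweep" "$target" >/dev/null
    ports=$(open_ports "$sweep")
    if [ -z "$ports" ]; then
        echo "no open TCP ports found on $target" >&2
        return 1
    fi
    echo "open TCP ports on $target: $ports" >&2
    nmap -O -A -Pn -T4 -p "$ports" "$target"
}

# Constructed sample of nmap -oG output (not a real capture), mirroring the
# write-up's result: 22 and 80 open, one closed port mixed in for the parser.
SAMPLE_GNMAP='Host: 192.168.117.159 ()  Status: Up
Host: 192.168.117.159 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 111/closed/tcp//rpcbind///  Ignored State: closed (65532)'

# Parse the constructed sample; used to check the parser without a live target.
demo_open_ports() {
    printf '%s\n' "$SAMPLE_GNMAP" | open_ports
}

# Usage: ./twophase.sh --demo          (parse the constructed sample, prints 22,80)
#        sudo ./twophase.sh 192.168.117.159   (scan a real target)
case "${1:-}" in
    --demo) demo_open_ports ;;
    "")     ;;
    *)      scan_target "$1" ;;
esac
```

The parser deliberately keys on the /open/tcp marker, so filtered and closed ports in the sweep are dropped and the second nmap run only spends time on ports that actually answered. If nothing is open the script exits non-zero instead of handing nmap an empty -p list.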
From this output it already looks very likely that port 80 is the entry point: Apache is serving a directory listing (Index of /) that exposes a test2/ directory, while SSH on port 22 needs credentials we do not yet have. But as security folks, we do not assume. Now, let's move on and see whether we can compromise the machine.