Been having fun solving vulnerable box on vulnhub really so today i will be working on Gaara which can easily be download here Download Gaara Of The Sand it pretty easy i know am a fanboy of Naruto lol let hit it.
We always start with an nmap scan…..
Nmap -sC -sV -oA nmap <Target-IP>
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-30 04:31 EDT Nmap scan report for 172.16.139.192 Host is up (0.00021s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) | ssh-hostkey: | 2048 3e:a3:6f:64:03:33:1e:76:f8:e4:98:fe:be:e9:8e:58 (RSA) | 256 6c:0e:b5:00:e7:42:44:48:65:ef:fe:d7:7c:e6:64:d5 (ECDSA) |_ 256 b7:51:f2:f9:85:57:66:a8:65:54:2e:05:f9:40:d2:f4 (ED25519) 80/tcp open http Apache httpd 2.4.38 ((Debian)) |_http-server-header: Apache/2.4.38 (Debian) |_http-title: Gaara Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 8.29 seconds
We have 2 open ports 22 and 80 we know we are going after the HTTP port first which is the 80.
Checking the web page just a simple one really with the gaara image having the name
gaara let try to brute force SSH with it maybe it the way in before burst for directory with gobuster.
Boom it our way in let SSH now.
We are i checking
sudo -l but no luck let check what we have in the user folder and we have the first flag.
Also a message for the kazekage encoded in base64 let decode it.
Checking it we have a secret txt file which just end up to be a rabbit hole now let check for SUID.
Boom we have
/usr/bin/gdb on SUID let hit Gtfobins.
let run it and we should be root.
Boom we are root and done.
Greeting From Muzec