Muzec's Cyber Security Blog

Hack. Sleep. Repeat

View on GitHub

Been having fun solving vulnerable box on vulnhub really so today i will be working on Gaara which can easily be download here Download Gaara Of The Sand it pretty easy i know am a fanboy of Naruto lol let hit it.

image

We always start with an nmap scan…..

Nmap -sC -sV -oA nmap <Target-IP>

Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-30 04:31 EDT
Nmap scan report for 172.16.139.192
Host is up (0.00021s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 3e:a3:6f:64:03:33:1e:76:f8:e4:98:fe:be:e9:8e:58 (RSA)
|   256 6c:0e:b5:00:e7:42:44:48:65:ef:fe:d7:7c:e6:64:d5 (ECDSA)
|_  256 b7:51:f2:f9:85:57:66:a8:65:54:2e:05:f9:40:d2:f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Gaara
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.29 seconds

We have 2 open ports 22 and 80 we know we are going after the HTTP port first which is the 80.

image

Checking the web page just a simple one really with the gaara image having the name gaara let try to brute force SSH with it maybe it the way in before burst for directory with gobuster.

image

Boom it our way in let SSH now.

image

We are i checking sudo -l but no luck let check what we have in the user folder and we have the first flag.

image

Also a message for the kazekage encoded in base64 let decode it.

image

Checking it we have a secret txt file which just end up to be a rabbit hole now let check for SUID.

image

Boom we have /usr/bin/gdb on SUID let hit Gtfobins.

image

let run it and we should be root.

image

Boom we are root and done.

Greeting From Muzec



Back To Home