GAARA — Offensive Security PG Play

“Long time, No see…. NARUTO!!..”

We start the enumeration process with a simple Nmap scan:

nmap -p- -sC -sV --open -oN nmap.txt $IP

We find port 80 open and visit it in the browser as a first step. After brute-forcing hidden directories we find /Cryoserver. Further static analysis of that page turns up three more directories, and on inspecting /iamGaara we find a strange-looking string which, once decoded from Base58, gives us a name and credentials.
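Since "decoding with Base58" is the step that turns the odd-looking string into a name and credentials, here is a small Base58 encoder/decoder, written for this walkthrough and not taken from the original post. It uses the common Bitcoin alphabet (which omits 0, O, I and l) and rejects characters outside it, so a wrong guess about the encoding fails loudly instead of producing garbage; `try_decode_credentials` is a helper of mine that only returns the result when it decodes to readable text.

```python
# Added example: minimal Base58 encode/decode (Bitcoin alphabet).
# Not from the original post; the helper names below are my own.
from typing import Optional

BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
_INDEX = {c: i for i, c in enumerate(BASE58_ALPHABET)}


def b58decode(text: str) -> bytes:
    """Decode a Base58 string to bytes; raises ValueError on an invalid character."""
    # Each leading '1' stands for one leading zero byte in the payload.
    leading_zeros = len(text) - len(text.lstrip("1"))
    value = 0
    for ch in text:
        if ch not in _INDEX:
            raise ValueError(f"invalid Base58 character {ch!r}")
        value = value * 58 + _INDEX[ch]
    # Turn the big integer back into bytes (empty when the value is zero).
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    return b"\x00" * leading_zeros + body


def b58encode(data: bytes) -> str:
    """Encode bytes as Base58 (the inverse of b58decode)."""
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    value = int.from_bytes(data, "big")
    digits = []
    while value:
        value, rem = divmod(value, 58)
        digits.append(BASE58_ALPHABET[rem])
    return "1" * leading_zeros + "".join(reversed(digits))


def try_decode_credentials(blob: str) -> Optional[str]:
    """Decode a suspected Base58 blob; return it as text only if it is readable,
    otherwise None so the caller knows Base58 was the wrong guess."""
    try:
        text = b58decode(blob.strip()).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if all(c.isprintable() or c.isspace() for c in text):
        return text
    return None


if __name__ == "__main__":
    # Constructed sample, not the string from the box.
    sample = b58encode(b"gaara:example-password")
    print(sample, "->", try_decode_credentials(sample))
```

The decoder is the part you actually need on the box; the encoder is included so the round trip can be checked. If `try_decode_credentials` returns None for the string you found, try the other encodings (Base64, Base62, hex) before assuming the string is noise.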

The decoded credentials do not log in over SSH, but they do give us one valid username. So we brute-force SSH for that user with the rockyou.txt wordlist and find the credentials for a successful login.
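A wordlist attack like this is very loud on the target: every guess is a "Failed password" line from sshd. As an added example that is not part of the original post, the script below shows what a defender watching the box's auth log would see. It parses constructed sshd log lines (not a real capture), counts failures per source IP in a sliding window, and reports whether a login from that source succeeded after the burst; the threshold and window are assumed values to be tuned per environment.

```python
# Added example (not from the original post): detect SSH password brute-forcing
# in sshd logs. Log lines, threshold and window are constructed/assumed.
import re
from collections import defaultdict
from datetime import datetime

# Typical sshd messages; the "invalid user" variant covers username guessing.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted password for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def _parse_ts(ts: str, year: int = 2022) -> datetime:
    # syslog timestamps carry no year; assume one so they can be compared.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(lines, threshold=5, window_seconds=300):
    """Return {ip: summary} for every source with >= threshold failed logins
    inside any window_seconds span, noting a later successful login (worst case)."""
    failures = defaultdict(list)   # ip -> [(timestamp, user), ...]
    successes = defaultdict(list)  # ip -> [(timestamp, user), ...]
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            failures[m["ip"]].append((_parse_ts(m["ts"]), m["user"]))
            continue
        m = ACCEPTED_RE.match(line)
        if m:
            successes[m["ip"]].append((_parse_ts(m["ts"]), m["user"]))

    alerts = {}
    for ip, events in failures.items():
        events.sort()
        times = [t for t, _ in events]
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits in window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                first_failure = times[start]
                later = [(t, u) for t, u in successes.get(ip, []) if t >= first_failure]
                alerts[ip] = {
                    "failures": len(events),
                    "users": sorted({u for _, u in events}),
                    "success_after_failures": later[0][1] if later else None,
                }
                break
    return alerts


# Constructed sample log, not a real capture (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Mar  1 10:00:01 gaara sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 50110 ssh2
Mar  1 10:00:03 gaara sshd[1203]: Failed password for gaara from 192.0.2.10 port 50112 ssh2
Mar  1 10:00:04 gaara sshd[1205]: Failed password for gaara from 192.0.2.10 port 50114 ssh2
Mar  1 10:00:06 gaara sshd[1207]: Failed password for gaara from 192.0.2.10 port 50116 ssh2
Mar  1 10:00:07 gaara sshd[1209]: Failed password for gaara from 192.0.2.10 port 50118 ssh2
Mar  1 10:00:09 gaara sshd[1211]: Accepted password for gaara from 192.0.2.10 port 50120 ssh2
Mar  1 10:05:00 gaara sshd[1300]: Failed password for gaara from 198.51.100.7 port 40001 ssh2
Mar  1 11:30:00 gaara sshd[1310]: Accepted password for gaara from 198.51.100.7 port 40002 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

The second source in the sample (one typo, then a successful login over an hour later) is the normal-user pattern and is not flagged; the first is the wordlist pattern and is, including the fact that it ended in an accepted password. The same logic is what tools like fail2ban apply before banning a source, which is the standard mitigation for this step of the walkthrough.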

During post-exploitation enumeration I found the SUID bit set on gdb, as shown. So what now?

When a binary has the SUID bit set, it runs with the privileges of its owner (here root) rather than those of the user who invoked it. If the program does not drop those elevated privileges, it can be abused to read or write the file system, escalate privileges, or be kept in place as a SUID backdoor for persistent privileged access.

Abusing SUIDs to become root:

./gdb -nx -ex 'python import os; os.execl("/bin/sh", "sh", "-p")' -ex quit

And we are root with the flag.
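The root cause here is a root-owned SUID bit on a program that can run arbitrary code, and the fix is to find such files before an attacker does. As an added example that is not part of the original post, the audit below walks a set of file entries, reports every SUID file, and marks those on a watchlist of shell-capable programs (a constructed, non-exhaustive list of my own that includes gdb) as critical when root-owned, together with the `chmod u-s` remediation. `audit_entries` takes `(path, mode, uid)` tuples so it can be tested offline; `scan_filesystem` feeds it a live directory tree.

```python
# Added example (not from the original post): audit SUID binaries and flag
# the ones that hand out a shell. Watchlist and sample entries are constructed.
import os
import stat

# Constructed, non-exhaustive watchlist: interpreters, debuggers and editors
# that can execute code, so a root SUID bit on them amounts to a root shell.
SHELL_CAPABLE = {
    "gdb", "python", "python2", "python3", "perl", "ruby", "bash", "sh",
    "vim", "vi", "nano", "find", "awk", "less", "more", "nmap",
}
_ORDER = {"critical": 0, "high": 1, "info": 2}


def audit_entries(entries):
    """entries: iterable of (path, st_mode, st_uid).
    Returns findings for every regular SUID file, sorted by severity then path."""
    findings = []
    for path, mode, uid in entries:
        if not (stat.S_ISREG(mode) and mode & stat.S_ISUID):
            continue
        name = os.path.basename(path)
        # Strip a version suffix such as python3.9 -> python3 before matching.
        on_watchlist = name in SHELL_CAPABLE or name.split(".")[0] in SHELL_CAPABLE
        if on_watchlist:
            severity = "critical" if uid == 0 else "high"
        else:
            severity = "info"  # e.g. passwd/sudo: expected SUID, still worth listing
        findings.append({
            "path": path,
            "owner_uid": uid,
            "severity": severity,
            "remediation": f"chmod u-s {path}" if on_watchlist else None,
        })
    return sorted(findings, key=lambda f: (_ORDER[f["severity"]], f["path"]))


def scan_filesystem(root="/"):
    """Walk a live tree and hand every file's mode and owner to audit_entries."""
    def walk():
        for dirpath, _, filenames in os.walk(root):
            for fn in filenames:
                p = os.path.join(dirpath, fn)
                try:
                    st = os.lstat(p)
                except OSError:
                    continue  # unreadable or vanished while walking; skip it
                yield p, st.st_mode, st.st_uid
    return audit_entries(walk())


# Constructed sample modelled on the box: a root-owned SUID gdb next to the
# SUID binaries a stock system normally carries, plus two non-SUID entries.
SAMPLE_ENTRIES = [
    ("/usr/bin/gdb",       stat.S_IFREG | stat.S_ISUID | 0o755, 0),
    ("/usr/bin/passwd",    stat.S_IFREG | stat.S_ISUID | 0o755, 0),
    ("/usr/bin/sudo",      stat.S_IFREG | stat.S_ISUID | 0o755, 0),
    ("/usr/bin/python3.9", stat.S_IFREG | stat.S_ISUID | 0o755, 1000),
    ("/usr/bin/ls",        stat.S_IFREG | 0o755, 0),
    ("/tmp",               stat.S_IFDIR | stat.S_ISVTX | 0o777, 0),
]

if __name__ == "__main__":
    for f in audit_entries(SAMPLE_ENTRIES):
        print(f"{f['severity']:8} {f['path']}  {f['remediation'] or ''}")
```

Run `scan_filesystem("/")` as root on a host to get the real list; anything marked critical is the same finding the walkthrough exploits and should lose its SUID bit (or be reinstalled from the package, which resets the mode). The "info" entries such as passwd and sudo are expected to be SUID and are listed only so the baseline can be diffed over time.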

That’s all for now,

Until Next Time,

“Stay CHILL” Jutsu!

— — — — — — — — — — — — — — — — — — — — — — — — — —

To reach out to me with any query or for help:

https://www.linkedin.com/in/user-neeleshpatel/

Neelesh Patel

Cybersecurity | CTFs | Networking |