GAARA — Offensive Security PG Play
“Long time, No see…. NARUTO!!..”
We start the enumeration process with a simple Nmap scan:
nmap -p- -sC -sV --open -oN nmap.txt $IP
We find port 80 open and visit it in the browser as a first step. After brute-forcing hidden directories we find /Cryoserver. Further static analysis turns up three more directories, and on /iamGaara we find a strange string which, decoded as Base58, gives us a name and credentials.
Those credentials did not log us in over SSH, but we now had a username. So we brute-forced SSH with the rockyou.txt wordlist and found credentials for a successful login.
During post-enumeration I found that gdb had the SUID bit set, as shown. So what now?
If the binary has the SUID bit set, it runs with its owner's privileges (here root) and does not drop them, so it may be abused to access the file system, escalate privileges, or maintain privileged access as a SUID backdoor.
Abusing SUIDs to become root:
./gdb -nx -ex 'python import os; os.execl("/bin/sh", "sh", "-p")' -ex quit
And we are root with the flag.
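The flip side of that privesc is the audit a defender should be running. The following POSIX shell script is an added example (not part of the original write-up): it lists SUID executables under a tree, flags the ones that are debuggers or interpreters such as gdb, and clears the bit as the fix. The RISKY_SUID list, the function names and the sample tree are my own constructions.

```shell
#!/bin/sh
# Added defensive example (not from the original write-up): audit a tree for
# SUID executables, flag debuggers/interpreters such as gdb (a SUID gdb is in
# effect a root shell, as this box showed) and clear the bit as the fix.

# Programs that should never carry the SUID bit (constructed list).
RISKY_SUID='gdb python python3 perl ruby vim vi nano find awk env bash sh'

# Print every SUID regular file under $1, one path per line.
list_suid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# Print only the SUID files under $1 whose basename is in RISKY_SUID.
flag_risky_suid() {
    list_suid "$1" | while IFS= read -r path; do
        name=$(basename "$path")
        for risky in $RISKY_SUID; do
            if [ "$name" = "$risky" ]; then printf '%s\n' "$path"; break; fi
        done
    done
}

# Remediation: clear the SUID bit on the given file(s).
strip_suid() {
    chmod u-s "$@"
}

# Constructed sample tree so the script runs offline and never touches the
# real system: SUID gdb (bad), SUID passwd (expected), two non-SUID files.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/usr/bin" "$dir/opt/tools"
    for f in usr/bin/gdb usr/bin/passwd usr/bin/ls opt/tools/gdb; do
        printf '#!/bin/sh\n' > "$dir/$f"
        chmod 0755 "$dir/$f"
    done
    chmod u+s "$dir/usr/bin/gdb" "$dir/usr/bin/passwd"
    printf '%s\n' "$dir"
}

SAMPLE=$(make_sample_tree)
echo "Risky SUID binaries before remediation:"
flag_risky_suid "$SAMPLE"                      # -> $SAMPLE/usr/bin/gdb
flag_risky_suid "$SAMPLE" | while IFS= read -r p; do strip_suid "$p"; done
echo "Risky SUID binaries after remediation:"
flag_risky_suid "$SAMPLE"                      # -> (nothing)
```

Point `list_suid` and `flag_risky_suid` at `/` on a real host to get the same view the attacker had, and diff the output against a known-good baseline on a schedule.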
That’s all for now,
Until Next Time,
“Stay CHILL” Jutsu!