GAARA — Offensive Security PG Play

“Long time, No see…. NARUTO!!..”

We start the enumeration process with a simple Nmap scan:

nmap -p- -sC -sV --open -oN nmap.txt $IP

We find port 80 open and visit it in the browser as a first step. After brute-forcing hidden directories we found /Cryoserver. Further static analysis turned up three more directories, and during reconnaissance we found that /iamGaara holds a strange string which, after decoding with Base58, gave us a name and credentials.
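For the decoding step above, here is a small Base58 decoder/encoder added for this write-up (it is not code from the original post). It assumes the Bitcoin Base58 alphabet, which is the variant most online decoders use; the post does not say which one the string used, so treat that as an assumption, and the sample string in the main block is constructed, not the one from the box.

```python
"""Base58 decode/encode with the Bitcoin alphabet (assumption: the variant
the string on /iamGaara used). Added example for this write-up."""

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
_INDEX = {c: i for i, c in enumerate(ALPHABET)}


def b58decode(text: str) -> bytes:
    """Decode a Base58 string to bytes; raises ValueError on bad characters."""
    text = text.strip()
    num = 0
    for ch in text:
        if ch not in _INDEX:
            raise ValueError(f"invalid Base58 character: {ch!r}")
        num = num * 58 + _INDEX[ch]
    # Each leading '1' encodes exactly one 0x00 byte that the integer loses.
    leading = len(text) - len(text.lstrip("1"))
    body = num.to_bytes((num.bit_length() + 7) // 8, "big") if num else b""
    return b"\x00" * leading + body


def b58encode(data: bytes) -> str:
    """Encode bytes to Base58 (inverse of b58decode, useful for round-trip checks)."""
    num = int.from_bytes(data, "big")
    out = []
    while num:
        num, rem = divmod(num, 58)
        out.append(ALPHABET[rem])
    leading = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading + "".join(reversed(out))


def decode_to_text(text: str) -> str:
    """Decode and render as UTF-8, replacing undecodable bytes, so a hunch
    about an odd string can be checked without crashing on binary data."""
    return b58decode(text).decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Constructed sample for demonstration only; not the string from the machine.
    sample = b58encode(b"someuser:S0mePassw0rd")
    print(sample, "->", decode_to_text(sample))
```

Leading zero bytes are the usual trap in hand-rolled Base58: the integer conversion drops them, so the number of leading '1' characters has to be counted separately, which the decoder above does.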

The SSH login with those credentials was unsuccessful, but we had obtained one username. So we brute-forced SSH with the rockyou.txt wordlist and found credentials for a successful login.

During post-enumeration I found the SUID permission set on gdb, as shown. So what now?

If a binary has the SUID bit set, it runs with the owner's privileges and does not drop them, so it may be abused to access the file system, escalate, or maintain privileged access as a SUID backdoor.

Abusing the SUID bit on gdb to become root:

./gdb -nx -ex 'python import os; os.execl("/bin/sh", "sh", "-p")' -ex quit

And we are root with the flag.
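The same finding from the other side of the fence: the audit script below (added for this write-up, not code from the original post) walks a filesystem, reports every regular file with the setuid bit, and flags those whose name is a general-purpose code runner such as gdb, because a SUID bit on one of those is a root shell for any local user. The RISKY set is an assumption drawn from the gdb case on this box plus common interpreters; extend it to match your own baseline, and the remediation line is a suggestion, not a command the post ran.

```python
"""SUID audit: find setuid files and flag code runners that should never carry
the bit. Added example for this write-up; the RISKY set is an assumption."""

import os
import stat
import sys
from typing import Iterator, Optional, Tuple

# Binaries that execute arbitrary code; a SUID bit on these is a root shell (assumption).
RISKY = {"gdb", "python", "python2", "python3", "perl", "ruby", "bash", "sh", "vim", "vi"}


def classify_suid(path: str, mode: int) -> Optional[str]:
    """None if no SUID bit on a regular file, 'suid' if set, 'risky-suid' if
    set on a code runner. Pure function of (path, mode) so it is testable
    without real files."""
    if not stat.S_ISREG(mode) or not (mode & stat.S_ISUID):
        return None
    name = os.path.basename(path)
    # Match exact names plus versioned/variant forms such as python3.10 or gdb-multiarch.
    if any(name == r or name.startswith(r + ".") or name.startswith(r + "-") for r in RISKY):
        return "risky-suid"
    return "suid"


def find_suid(root: str = "/") -> Iterator[Tuple[str, str]]:
    """Yield (path, classification) for SUID files under root.
    Uses lstat so symlinks are not followed, and skips pseudo-filesystems."""
    skip = {"/proc", "/sys", "/dev"}
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in skip]
        for fn in filenames:
            p = os.path.join(dirpath, fn)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            cls = classify_suid(p, st.st_mode)
            if cls:
                yield p, cls


def remediation(path: str, cls: str) -> str:
    """Suggested action per finding: clear the bit on code runners, review the rest."""
    if cls == "risky-suid":
        return f"chmod u-s {path}"
    return f"review {path} (SUID present; confirm it is expected for this binary)"


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/"
    for p, cls in find_suid(root):
        print(cls, p, "->", remediation(p, cls))
```

Run it as `python3 suid_audit.py /` on a box you administer; anything reported as risky-suid is the condition exploited above, and clearing the bit with the printed chmod line closes it.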

That’s all for now,

Until Next Time,

“Stay CHILL” Jutsu!


To reach me for any query or help:

https://www.linkedin.com/in/user-neeleshpatel/

Neelesh Patel

Cybersecurity | CTFs | Networking |