GAARA — Offensive Security PG Play

Neelesh Patel
2 min readJan 4, 2022

--

“Long time, No see…. NARUTO!!..”

We start the enumeration process with a simple Nmap scan:

nmap -p- -sC -sV — open -o nmap.txt $IP

We find port 80 is open and visit it in our browser as a first step and after brute forcing hidden directories we found /Cryoserver. Furthur after static analysis we found three more directories and after reconnaissance we found /iamGaara has some strange string which after decoding with Base58 gave us name and credentials.

It was unsuccessful login to ssh but we got one username. So we brute force ssh and found the credentials for a successful login with wordlist used rockyou.txt

During Post Enumeration I found SUID permission to gdb as shown. So what now?

If the binary has the SUID bit set, it does not drop the elevated privileges and may be abused to access the file system, escalate or maintain privileged access as a SUID backdoor.

Abusing SUIDs to become root:

./gdb -nx -ex 'python import os; os.execl("/bin/sh", "sh", "-p")' -ex quit

And we are root with the flag.

That’s all for now,

Until Next Time,

“Stay CHILL” Jutsu!

— — — — — — — — — — — — — — — — — — — — — — — — — —

To reach me out for any query or help:

https://www.linkedin.com/in/user-neeleshpatel/

--

--

Neelesh Patel

All I need is just my ten fingers and sometimes {coffee}, to talk to computers.