Gaara Vulnhub Write-Up

Hey there! Today I have an amazing beginner-friendly vulnhub box ‘gaara’ created by 0xJin. It took hardly 10 min to root this machine, but I like it.

1.) Target Discovery with Nmap

With the help of Nmap, I got the IP address which is 192.168.1.149

2.) Port Scanning with Nmap

Nmap shows that two ports are open one is ssh and another one is for the web.

3.) Web Enumeration

I got this wallpaper on the web page. Nothing else.

Now time to brute force the directories.

For directory brute-forcing I used gobuster, but you can use any tool out there.

‘/Cryoserver’. This looks interesting in the output. Let see on the web browser.

The page was blank but If you see in the source code their three entries for the web page.

These three pages have the same content. After enumerating the webserver and these three web pages. I got nothing.

4.) SSH Brute forcing

Then I tried to brute force the ssh login with the username ‘gaara’. I was not sure that gaara is a user, but then I thought let’s give it a try.

And Success I got the credential gaara:iloveyou2.

5.) Privilege Escalation

To escalate the privilege I fired the find command to find the suid bit binaries through which I can become root.

And I got one. GNU Debugger(GDB) has the suid bit and I can get the root shell with it.

To get the root shell I fired the command that I mentioned below

gdb -nx -ex 'python import os; os.execl("/bin/sh", "sh", "-p")' -ex quit

ROOTED ;)