Gaara box from Offsec’s Proving Grounds.
As always, and as I frequently explain and document in my write-ups, every penetration testing engagement starts with information gathering.
First, let's ping the target to check that it is up, running and accepting connections:
Next, we scan the target with nmap, our handy information-gathering tool, to find open ports and possible vulnerabilities.
The next step on our list is to enumerate the web server for files and directories:
After enumerating a bit, I found a directory called Cryoserver that mentions another sub-directory.
From that I found a long, hard-to-read text:
In it I saw a small cipher: f1MgN9mTf9SNbzRygcU
Let's put it through CyberChef; maybe we can crack it!
After checking the encoding of this text, I found that it was Base58. Decoding it gave me a string that looked like the password!
After trying it a lot, the password was wrong!
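Base58 is the alphabet CyberChef detects here: 58 symbols, with 0, O, I and l dropped so that the digits cannot be misread, and each leading '1' standing for one leading zero byte. The decoder and encoder below are an added example written for this write-up, not code from the original post or from CyberChef; the only input taken from the page is the string found in the Cryoserver text, and the plausibility check is a heuristic of my own that flags decoded bytes which are not printable text (a quick way to see whether a decoded blob can even be a password before trying it against a login).

```python
import string

# Bitcoin-style Base58 alphabet (no 0, O, I, l); the one CyberChef uses by default.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B58_INDEX = {ch: i for i, ch in enumerate(B58_ALPHABET)}


def b58decode(text: str) -> bytes:
    """Decode a Base58 string to bytes, preserving leading zero bytes ('1' digits)."""
    num = 0
    for ch in text:
        if ch not in B58_INDEX:
            raise ValueError(f"invalid Base58 character: {ch!r}")
        num = num * 58 + B58_INDEX[ch]
    # Each leading '1' encodes one leading 0x00 byte that the big integer cannot carry.
    leading_zeros = len(text) - len(text.lstrip("1"))
    body = num.to_bytes((num.bit_length() + 7) // 8, "big") if num else b""
    return b"\x00" * leading_zeros + body


def b58encode(data: bytes) -> str:
    """Encode bytes to Base58 (inverse of b58decode)."""
    num = int.from_bytes(data, "big")
    digits = ""
    while num:
        num, rem = divmod(num, 58)
        digits = B58_ALPHABET[rem] + digits
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + digits


def looks_like_text(data: bytes) -> bool:
    """Heuristic: does the decoded payload look like a printable string (e.g. a password)?"""
    try:
        s = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return bool(s) and all(ch in string.printable and ch not in "\x0b\x0c" for ch in s)


def decode_candidate(text: str) -> tuple:
    """Decode a Base58 blob and report whether it is plausible as a text credential."""
    raw = b58decode(text)
    return raw, looks_like_text(raw)


if __name__ == "__main__":
    # The string found in the write-up (page value, not constructed).
    raw, plausible = decode_candidate("f1MgN9mTf9SNbzRygcU")
    print(raw, "plausible text:", plausible)
```

The round trip (encode then decode) is the check worth keeping: an off-by-one in the leading-'1' handling silently drops zero bytes, which is exactly the kind of defect that turns a correct decode into a "wrong password".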
The last resort is to brute-force the password. We can brute-force SSH with Hydra as follows:
hydra -l gaara -P /usr/share/wordlists/rockyou.txt -t 30 ssh://192.168.225.142
Through brute-force I got a matching credential and gained a foothold on the box!
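From the defender's side, the Hydra run above is very loud: with -t 30 it opens up to thirty parallel SSH sessions, so sshd writes a burst of "Failed password" lines for one user from one source within seconds, followed by an "Accepted password" line from the same source once the wordlist hits. The script below is an added example, not part of the original write-up, that detects that pattern in OpenSSH auth.log output. The log lines are constructed for the example (the 10.0.0.x addresses and PIDs are made up), and the threshold of five failures per source is an assumed tuning value, not a standard.

```python
import re
from collections import Counter, defaultdict

# OpenSSH failure/success lines as written to /var/log/auth.log (Debian-style syslog prefix).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+ ssh2$"
)
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted password for (?P<user>\S+) from (?P<src>[\d.]+) port \d+ ssh2$"
)

# Constructed sample log: a burst of failures from one source and then a success from it,
# plus a single mistyped password from another host that should NOT be flagged.
SAMPLE_LOG = """\
Mar  3 10:14:01 gaara sshd[1201]: Failed password for gaara from 10.0.0.5 port 40122 ssh2
Mar  3 10:14:01 gaara sshd[1202]: Failed password for gaara from 10.0.0.5 port 40124 ssh2
Mar  3 10:14:01 gaara sshd[1203]: Failed password for gaara from 10.0.0.5 port 40126 ssh2
Mar  3 10:14:02 gaara sshd[1204]: Failed password for gaara from 10.0.0.5 port 40128 ssh2
Mar  3 10:14:02 gaara sshd[1205]: Failed password for gaara from 10.0.0.5 port 40130 ssh2
Mar  3 10:14:02 gaara sshd[1206]: Failed password for gaara from 10.0.0.5 port 40132 ssh2
Mar  3 10:14:03 gaara sshd[1209]: Accepted password for gaara from 10.0.0.5 port 40140 ssh2
Mar  3 10:20:00 gaara sshd[1300]: Failed password for admin from 10.0.0.9 port 51000 ssh2
Mar  3 10:21:00 gaara sshd[1301]: Accepted password for admin from 10.0.0.9 port 51002 ssh2
"""


def analyze(log_text: str, threshold: int = 5) -> dict:
    """Count password failures per source; a success after >= threshold failures is the
    strongest signal, because it means the guessing worked."""
    failures = Counter()
    users_tried = defaultdict(set)
    compromised = []  # (source, user) pairs that logged in after a failure burst
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures[m["src"]] += 1
            users_tried[m["src"]].add(m["user"])
            continue
        m = ACCEPTED_RE.match(line)
        if m and failures[m["src"]] >= threshold:
            compromised.append((m["src"], m["user"]))
    return {
        "brute_force_sources": {src: n for src, n in failures.items() if n >= threshold},
        "users_tried": {src: sorted(u) for src, u in users_tried.items()},
        "likely_compromised": compromised,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

In production you would run the same logic over a sliding time window rather than the whole file, and the matching controls are the usual ones: key-based authentication instead of passwords, a low MaxAuthTries in sshd_config, and a lockout tool such as fail2ban that reacts to exactly these log lines.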
Let's head to the privilege escalation phase.
For privilege escalation we use our handy tool linpeas to look for ways to elevate privileges, as follows:
From the screenshot above we find that gdb has the SUID bit set, so we head to https://gtfobins.github.io/gtfobins/gdb/ and check for possible commands we can use with it.
Using this command: /bin/gdb -nx -ex 'python import os; os.execl("/bin/sh", "sh", "-p")' -ex quit
we gain root!
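The root cause here is a root-owned gdb with the SUID bit set: a debugger that can run arbitrary Python keeps the effective uid of root, and sh -p keeps it rather than dropping it. The audit below is an added example, not part of the write-up or of linpeas; it lists root-owned SUID files and separates those on a watchlist of binaries that can spawn a shell from the expected ones such as passwd. The watchlist is seeded only with gdb, the binary this box exposed, and is meant to be extended from GTFOBins; the sample entries in the test are constructed, and the filesystem scan runs against whatever host you execute it on.

```python
import os
import stat
from typing import Iterable, Tuple

# Watchlist of SUID-unsafe binaries; seeded with the one found on this box (gdb).
# Extend it from GTFOBins for your own baseline.
SHELL_CAPABLE = {"gdb"}

SCAN_ROOTS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin")


def classify_suid(entries: Iterable[Tuple[str, int, int]]) -> dict:
    """entries are (path, st_mode, st_uid). Returns root-owned SUID regular files split into
    'dangerous' (on the watchlist) and 'other' (expected, e.g. passwd). Non-root-owned SUID
    files are skipped: they do not grant root."""
    result = {"dangerous": [], "other": []}
    for path, mode, uid in entries:
        if not stat.S_ISREG(mode) or not (mode & stat.S_ISUID) or uid != 0:
            continue
        bucket = "dangerous" if os.path.basename(path) in SHELL_CAPABLE else "other"
        result[bucket].append(path)
    return result


def remediation_commands(result: dict) -> list:
    """Strip the SUID bit from each flagged binary (chmod u-s) and reinstall it only if a
    package genuinely needs it."""
    return [f"chmod u-s {path}" for path in result["dangerous"]]


def scan_filesystem(roots=SCAN_ROOTS) -> dict:
    """Walk the usual binary directories and classify what is actually on disk."""
    entries = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)  # lstat: do not follow symlinks
                except OSError:
                    continue
                entries.append((path, st.st_mode, st.st_uid))
    return classify_suid(entries)


if __name__ == "__main__":
    found = scan_filesystem()
    print("root-owned SUID binaries on the watchlist:", found["dangerous"])
    print("other root-owned SUID binaries:", found["other"])
    for cmd in remediation_commands(found):
        print("fix:", cmd)
```

A useful operational habit is to store the "other" list as a baseline per host and alert on any new root-owned SUID file, since a debugger or interpreter gaining the bit is almost never an intended change.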