<Introduction>
In this blog post, I documented my walkthrough of the OffSec Proving Grounds Gaara vulnerable host. I documented my steps taken pertaining to reconnaissance through post-exploitation. This will include performing port scanning, service enumeration, dictionary attack, and privilege escalation.
If you find this content informative and you are interested in cybersecurity, regularly check back on the Cyb3r-S3c website. Also for more free content please like and subscribe to the Cyb3r-0verwatch channel.
<OVERVIEW>
Gaara is a vulnerable host created by 0xJin to allow users to practice ethical hacking techniques. This virtual machine is accessible from the OffSec Proving Grounds virtual training lab and VulnHub owned by OffSec.
<Enumerating What is Running>
I began the process of the security assessment by starting the target host Gaara. As can be seen in the image above, I was provided the IP of the target host to begin with. Initially, the first thing I needed to do was information gathering, including port scans and service enumeration. This would allow me to get an idea of what is exposed on the target host.
nmap -sS -p- -A -T5 -vv 192.168.222.142 -oA /home/kali/Downloads/nmapscan
For active information gathering, I used Nmap because of its flexibility and the amount of information it returns. I ran the command shown in the CLI above. Since I am trying to figure out which ports are open, I first scan all 65,535 TCP ports using the -p- switch to look for services listening on non-standard ports.
<Analyzing the Results>
Reviewing the Nmap scan results, I could see that Nmap detected two open ports, port 22 (SSH) and port 80 (HTTP).
After analyzing the results of the Nmap scan, going off of previous experience all indications pointed to the target host Gaara being a Linux host. My assumption was also based on Nmap's OS detection reporting a generic Linux distribution and an SSH service running. Upon completing the analysis, the first service I chose to investigate was port 80.
<Active Reconnaissance of HTTP>
Reviewing the Nmap output, the scan detected that the web server was running Apache v2.4.38.
Browsing to the webpage on http://192.168.222.142, the image of the Naruto character for which the host is named after was visible.
Reviewing the page source, I did not find anything useful. It was at this point that I realized I needed to crawl the webserver.
ffuf -u http://192.168.222.142/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -fc 403
I used Ffuf to run the command shown in the CLI to crawl the webserver and detect hidden directories.
After Ffuf completed its crawl, I reviewed the results. I could see an interesting page called “cryoserver”.
Initially browsing to Cryoserver brought me to a page that didn't look to have anything useful, until I scrolled all the way down.
Listed at the bottom of the page were three (3) possible pages named after Naruto characters. I decided to investigate /Temari first.
Browsing to /Temari just brought me to a page that appears to provide Gaara’s backstory. I continued my reconnaissance by browsing to /Kazekage.
Browsing to /kazekage, it appears that the page just provided the same backstory.
The last page I browsed to was /iamGaara.
During the review of the page, it at first appeared to be the same information as the other pages. On a closer look, I was able to see what appeared to be a hash of some kind. Reviewing the text, it did not appear to be Base64 because it contained only numbers and uppercase and lowercase letters.
I ran the hash through CyberChef to see if it could detect the encoding. Unfortunately for me, CyberChef did not identify it. It did give me a good starting point: it had detected Base85, but Base85 uses special characters, which also ruled out Base64.
To verify my assumption, I tried decoding the assumed hash using the AppDevTools Base58 decoder. Sure enough, it decoded to "gaara:ismyname".
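The character-set reasoning above can be made mechanical. The following is an added example, not code from the original post or from any tool the post uses: it checks which common alphabets a token fits and implements a Bitcoin-style Base58 decoder and encoder (the alphabet drops 0, O, I and l and has no punctuation). The post does not reproduce the encoded string itself, so the sample token is constructed at runtime by encoding "gaara:ismyname". One caveat the alphabet check makes visible: an unpadded Base64 string can also be purely alphanumeric, so the alphabet narrows the candidates and the successful decode is what confirms the encoding.

```python
"""Base58 round-trip and encoding-alphabet check (added example, not from the post)."""
import string

# Bitcoin-style Base58 alphabet: digits and letters minus 0, O, I and l,
# and, unlike Base64/Base85, no '+', '/', '=' or other punctuation.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B64_ALPHABET = string.ascii_letters + string.digits + "+/="
# Ascii85 uses every printable character from '!' (0x21) to 'u' (0x75).
A85_ALPHABET = "".join(chr(c) for c in range(0x21, 0x76))


def candidate_alphabets(text: str) -> list[str]:
    """Return the names of the alphabets that every character of text fits."""
    hits = []
    for name, alphabet in (("base58", B58_ALPHABET),
                           ("base64", B64_ALPHABET),
                           ("ascii85", A85_ALPHABET)):
        if text and all(ch in alphabet for ch in text):
            hits.append(name)
    return hits


def b58decode(text: str) -> bytes:
    """Decode Base58 text; raises ValueError on characters outside the alphabet."""
    value = 0
    for ch in text:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"not a Base58 character: {ch!r}")
        value = value * 58 + idx
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    # Each leading '1' stands for one leading zero byte.
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def b58encode(data: bytes) -> str:
    """Encode bytes as Base58 (inverse of b58decode)."""
    value = int.from_bytes(data, "big")
    digits = ""
    while value:
        value, rem = divmod(value, 58)
        digits = B58_ALPHABET[rem] + digits
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + digits


if __name__ == "__main__":
    # Constructed input: the post's recovered credential string, re-encoded here.
    token = b58encode(b"gaara:ismyname")
    print(token, candidate_alphabets(token))
    print(b58decode(token))
```

From a defender's side, the lesson is that a credential left in public web content is not protected by an unusual encoding; the decode takes one line once the alphabet is recognised.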
hydra -l gaara -P /home/kali/Downloads/rockyou.txt ssh://192.168.250.142
Based on enumeration, it was highly likely that "gaara" was a username on the host. I decided to run Hydra against the host to dictionary-attack the SSH password using the command shown in the CLI.
I decided to use the rockyou password list. If you are using Kali you can find the wordlist using the following file path /usr/share/wordlists/.
Running a dictionary attack using Hydra, I was able to successfully get the password. Hydra detected the password as "iloveyou2".
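A dictionary attack like the one above is loud in the target's sshd log: every guess is a "Failed password" line from the same source within seconds. The following is an added example, not code from the original post, showing the detection logic a defender would run over auth.log: it flags any source IP that exceeds a threshold of failures inside a sliding window, and then reports the stronger signal, a successful login from a source that was already flagged. The log lines and the IPs in them are constructed (documentation ranges), not from the post.

```python
"""Flag SSH password-guessing bursts in auth.log (added example, not from the post)."""
import re
from collections import defaultdict
from datetime import datetime

# sshd lines as written on Debian-style syslog (no year in the timestamp).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2"
)
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted \w+ for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log: a five-guess burst followed by a success from 192.0.2.10,
# and two isolated failures from 198.51.100.7 that should not be flagged.
SAMPLE_LOG = """\
Apr 12 10:00:01 gaara sshd[1201]: Failed password for gaara from 192.0.2.10 port 51000 ssh2
Apr 12 10:00:02 gaara sshd[1202]: Failed password for gaara from 192.0.2.10 port 51001 ssh2
Apr 12 10:00:02 gaara sshd[1203]: Failed password for invalid user admin from 192.0.2.10 port 51002 ssh2
Apr 12 10:00:03 gaara sshd[1204]: Failed password for gaara from 192.0.2.10 port 51003 ssh2
Apr 12 10:00:04 gaara sshd[1205]: Failed password for gaara from 192.0.2.10 port 51004 ssh2
Apr 12 10:00:05 gaara sshd[1206]: Accepted password for gaara from 192.0.2.10 port 51005 ssh2
Apr 12 10:30:00 gaara sshd[1300]: Failed password for gaara from 198.51.100.7 port 40000 ssh2
Apr 12 10:45:00 gaara sshd[1301]: Failed password for gaara from 198.51.100.7 port 40001 ssh2
""".splitlines()


def parse_failures(lines):
    """Return a list of (timestamp, user, source_ip) for each failed-password line."""
    out = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            # Syslog omits the year; strptime fills in 1900, which is fine for ordering.
            out.append((datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["user"], m["ip"]))
    return out


def brute_force_sources(lines, threshold=5, window_seconds=60):
    """Return {source_ip: total_failures} for IPs with >= threshold failures in any window."""
    per_ip = defaultdict(list)
    for ts, _user, ip in parse_failures(lines):
        per_ip[ip].append(ts)
    offenders = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        lo = 0
        for hi in range(len(stamps)):
            # Slide the window start forward until it fits inside window_seconds.
            while (stamps[hi] - stamps[lo]).total_seconds() > window_seconds:
                lo += 1
            if hi - lo + 1 >= threshold:
                offenders[ip] = len(stamps)
                break
    return offenders


def compromised_logins(lines, **kwargs):
    """Return {source_ip: user} for successful logins from sources flagged as brute-forcing."""
    lines = list(lines)
    flagged = brute_force_sources(lines, **kwargs)
    result = {}
    for line in lines:
        m = ACCEPTED_RE.match(line)
        if m and m["ip"] in flagged:
            result[m["ip"]] = m["user"]
    return result


if __name__ == "__main__":
    print("brute-force sources:", brute_force_sources(SAMPLE_LOG))
    print("logins after a burst:", compromised_logins(SAMPLE_LOG))
```

The same threshold-in-window rule is what fail2ban applies to ban a source; the more durable fix is key-based authentication for SSH and no dictionary-word passwords for accounts whose names are exposed on a web page.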
Now that I have the password for the gaara account, I run the following command shown in the CLI to authenticate via SSH.
The credentials worked and I am able to authenticate as gaara.
The next thing I want to do is directory enumeration; I run ls -la to see what is in the gaara home directory. I can see the local.txt file.
I run cat on the local.txt file to get the hash.
I enter the hash into the Offsec PG console.
Now I need to find a method to escalate privileges. The easiest path to enumerating escalation paths is running Peas-ng (whether it's Linux or Windows). If for some reason I can't use Peas-ng, I have my escalation notes in my Joplin notebook, which is based on TJ Null's template but with more custom info added for my use.
There are plenty of free resources out there to use. Another source is the “Basic Linux Privilege Escalation” from g0tMi1k, it’s an old but trusted source. It's definitely worth searching for resources and making your own custom list.
I just need to upload Linpeas to the target host, since I already have it on Kali. First thing I'll do is start my http server using the following command shown in the CLI.
Now that my http server is running, I need to change directory to the /tmp folder, so that I can upload Linpeas.
I'll run the following command from the target host as shown in the CLI.
I successfully uploaded Linpeas to the target host.
If I upload a file, I always run ls -la to 1) verify that the file uploaded successfully, and 2) check whether I need to run chmod.
In this case, based on the ls output it looks like I need to run chmod as shown in the CLI to make Linpeas executable.
I run chmod, then run ls -la to verify Linpeas is executable, and as can be seen it shows Linpeas is now executable.
Now I’ll run Linpeas to find possible privesc paths.
The first thing that Linpeas finds is that /usr/local/games is in the writable paths. Linpeas also detects that /usr/local/games is writable by everyone.
Another interesting thing that Linpeas found is that gdb has the suid bit.
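Both findings above are things an administrator can audit without running an enumeration script on the box. The following is an added example, not code from the original post or from Linpeas: it takes an inventory of paths with their stat modes and owners, reports root-owned SUID files (flagging the ones GTFOBins lists as able to spawn a shell, gdb among them), and reports PATH directories that are world-writable without the sticky bit. The core functions work on a constructed inventory so they can be tested offline; `scan()` builds the same inventory from a real filesystem. The PATH value and file modes in the sample are constructed to mirror the findings, not copied from the post.

```python
"""Audit SUID binaries and writable PATH entries (added example, not from the post)."""
import os
import stat
from dataclasses import dataclass

# Binaries with a GTFOBins SUID entry that can spawn a shell or read/write files
# as the file owner; gdb is on this list, which is why the finding above matters.
SHELL_CAPABLE = {"gdb", "python", "python3", "perl", "bash", "find", "env", "awk", "vim", "less"}


@dataclass(frozen=True)
class Entry:
    path: str
    mode: int   # st_mode as returned by os.lstat
    uid: int    # owner uid


def suid_findings(entries):
    """Return [(path, shell_capable)] for root-owned regular files with the SUID bit."""
    out = []
    for e in entries:
        if stat.S_ISREG(e.mode) and e.mode & stat.S_ISUID and e.uid == 0:
            out.append((e.path, os.path.basename(e.path) in SHELL_CAPABLE))
    return out


def writable_path_dirs(path_env, entries):
    """Return PATH entries that are world-writable and not sticky (a binary can be planted)."""
    modes = {e.path: e.mode for e in entries if stat.S_ISDIR(e.mode)}
    hits = []
    for d in path_env.split(":"):
        m = modes.get(d)
        if m is not None and m & stat.S_IWOTH and not m & stat.S_ISVTX:
            hits.append(d)
    return hits


def scan(roots=("/usr/local/games", "/usr/bin")):
    """Build Entry records from a real filesystem (run on a host you administer)."""
    found = []
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root):
            paths = [dirpath] + [os.path.join(dirpath, n) for n in dirnames + filenames]
            for p in paths:
                try:
                    st = os.lstat(p)
                except OSError:
                    continue
                found.append(Entry(p, st.st_mode, st.st_uid))
    return found


# Constructed inventory mirroring the two Linpeas findings: a SUID gdb and a
# world-writable /usr/local/games. /tmp is sticky and must not be reported.
SAMPLE = [
    Entry("/usr/bin/gdb", stat.S_IFREG | stat.S_ISUID | 0o755, 0),
    Entry("/usr/bin/passwd", stat.S_IFREG | stat.S_ISUID | 0o755, 0),
    Entry("/usr/bin/ls", stat.S_IFREG | 0o755, 0),
    Entry("/usr/bin", stat.S_IFDIR | 0o755, 0),
    Entry("/usr/local/games", stat.S_IFDIR | 0o777, 0),
    Entry("/tmp", stat.S_IFDIR | stat.S_ISVTX | 0o777, 0),
]
PATH_ENV = "/usr/local/games:/usr/bin:/tmp"  # constructed, Debian-style user PATH

if __name__ == "__main__":
    for path, dangerous in suid_findings(SAMPLE):
        print(f"SUID {path}  shell-capable={dangerous}")
    for d in writable_path_dirs(PATH_ENV, SAMPLE):
        print(f"world-writable PATH dir: {d}")
```

Remediation for both findings is a permission change rather than a patch: `chmod u-s /usr/bin/gdb` (a debugger has no business being SUID root) and `chmod o-w /usr/local/games` so that nothing a root cron job or script resolves through PATH can be replaced by an unprivileged user.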
Let's check GTFOBins to see what, if anything, can be found for gdb.
GTFOBins has a command I can use. I think I will try this before I try to escalate using the /usr/local/games writable folder path.
First thing I’ll do is change directory to the /usr/bin folder. Then I will run the command shown in the CLI.
After running the command it looks like I get a root prompt. I verified by running whoami and it shows that I am root.
I change directory to /root and then run the ls -la command to see the folder contents. Right away I can see the proof.txt file. I cat the proof.txt file to get the hash.
I enter the hash into the OffSec PG console and I have completed this host.
<CONCLUSION>
To conclude this blog post, using a variety of techniques I was able to go from reconnaissance to gaining root privileges on the target host. Performing these steps allowed me to gather the information I needed in order to gain a foothold on the target host through a dictionary attack on SSH. Upon gaining access, further enumeration allowed me to find a workable escalation path to root by abusing the SUID bit, in order to gain the final flag.
Thank you for checking out my blog post demonstrating the exploitation of OffSec Proving Grounds Gaara vulnerable host. If you find this content informative and you are interested in cybersecurity, please regularly check back on the Cyb3r-S3c website. For more free content, please like and subscribe to the Cyb3r-0verwatch channel. Until next time keep learning, the only way to improve is to keep learning.
/Signing Off,
Pragmat1c_0n3