Offensive Security Proving Grounds (Gaara)

Software Sinner
5 min read · Feb 2, 2024

Offensive Security offers free lab machines in their “Proving Grounds” library that I find super helpful for preparing for the OSCP. I will be walking you through my experience with an “Easy” level machine called Gaara, which in my opinion was super annoying 😒. This machine teaches you to enumerate as much as possible.

I started with an autorecon scan and discovered two open ports to work with.

Nmap scan report for 192.168.163.142
Host is up, received user-set (0.078s latency).
Scanned at 2024-01-31 13:11:33 PST for 98s
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 3e:a3:6f:64:03:33:1e:76:f8:e4:98:fe:be:e9:8e:58 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDS8evJ7ywX5kz396YcIuR+rucTJ/OAK1SSpQoyx6Avj3v1/ZeRvikDEBZRZE4KMV4/+LraxOvCIb0rkU98B5WME6IReWvGTbF99x6wc2sDCG5haD5/OI6At8xrEQPV6FL8NqipouEeYXU5lp/aR7vsdJAs/748uo6Xu4xwUWKFit3RvCHAdhuNfXj5bpiWESerc6mjRm1dPIwIUjJb2zBKTMFiVxpl8R3BXRLV7ISaKQwEo5zp8OzfxDF0YQ5WxMSaKu6fsBh/XDHr+m2A7TLPfIJPS2i2Y8EPxymUahuhSq63nNSaaWNdSZwpbL0qCBPdn1jtTjh26fGbmPeFVdw1
| 256 6c:0e:b5:00:e7:42:44:48:65:ef:fe:d7:7c:e6:64:d5 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPFPC21nXnF1t6XmiDOwcXTza1K6jFzzUhlI+zb878mxsPin/9KvLlW9up9ECWVVTKbiIieN8cD0rF7wb3EjkHA=
| 256 b7:51:f2:f9:85:57:66:a8:65:54:2e:05:f9:40:d2:f4 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBprcu3jXo9TbgN5tBKvrojw4OFUkQIH+dITgacg3BLV
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.38 ((Debian))
| http-methods:
|_ Supported Methods: POST OPTIONS HEAD GET
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Gaara
Aggressive OS guesses: Linux 2.6.32 (87%), Linux 2.6.39 (87%), Linux 3.10 - 3.12 (87%), Linux 3.4 (87%), Linux 3.5 (87%), Linux 4.2 (87%), Linux 4.4 (87%), Synology DiskStation Manager 5.1 (87%), WatchGuard Fireware 11.8 (87%), Linux 2.6.35 (87%)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=1/31%OT=22%CT=1%CU=43136%PV=Y%DS=4%DC=T%G=Y%TM=65BA
OS:B7E7%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=10A%TI=Z%TS=A)OPS(O1=M55
OS:1ST11NW7%O2=M551ST11NW7%O3=M551NNT11NW7%O4=M551ST11NW7%O5=M551ST11NW7%O6
OS:=M551ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF
OS:=Y%T=40%W=FAF0%O=M551NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%
OS:Q=)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6
OS:(R=N)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=AB43
OS:%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Uptime guess: 25.247 days (since Sat Jan 6 07:16:56 2024)
Network Distance: 4 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

I ignored port 22 because, as we all know, that’s not usually the way in unless you have a key or password. I copy-pasted the IP into Firefox and was presented with the legend Gaara himself.

http://192.168.163.142/

If you are an anime dork and have never watched Naruto, you need to stop reading this walkthrough right now and go watch it 😎.

The page didn’t have anything interesting that I could leverage, so I proceeded with more enumeration using directory-busting tools. After some trial and error I had to use a specific wordlist to pinpoint an exposed directory. I always step up to a medium-size directory wordlist if I don’t get any hits on the defaults with dirb, etc.

Sure enough, I got a hit for a cryoserver endpoint. Sweet!

Visiting the page, it looked blank, but after running around in circles for a while I decided to scroll down the page, and there were more endpoints.

There was an overwhelming amount of nonsense in these directories, but a base64-encoded line was embedded in a paragraph in the /iamGaara endpoint. In all seriousness, whoever created this box is a cruel human being: how dare you make me read all of that!

I plugged the discovered line into a multi-decoder and, looking through all the results, got a username and password.

Characters to decode: f1MgN9mTf9SNbzRygcU

https://www.cachesleuth.com/multidecoder/

gaara:ismyname
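The multi-decoder site used above tries many encodings at once and lets you eyeball which result is readable. The following is an added example, not code from the write-up or from cachesleuth, that does the same thing offline: it attempts base64, base32, hex and base58 on an input and keeps only the decodings that come out as printable ASCII. The base58 routines are written inline (Bitcoin alphabet) because the standard library has no base58 codec; the sample input is the string quoted on this page, and the decoding the function returns for it is whatever actually decodes, not something asserted here.

```python
import base64
import binascii
import string

# Sample input: the encoded line quoted in this write-up.
ENCODED_LINE = "f1MgN9mTf9SNbzRygcU"

# Bitcoin-style base58 alphabet (no 0, O, I, l).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(s: str) -> bytes:
    """Decode a base58 string; raises ValueError on characters outside the alphabet."""
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    # Each leading '1' stands for one leading zero byte.
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def b58encode(b: bytes) -> str:
    """Inverse of b58decode, used here to build test inputs and for round trips."""
    n = int.from_bytes(b, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58_ALPHABET[r] + out
    pad = len(b) - len(b.lstrip(b"\x00"))
    return "1" * pad + out


def _printable(b: bytes) -> bool:
    """True when the bytes are non-empty printable ASCII (the 'looks like text' filter)."""
    try:
        text = b.decode("ascii")
    except UnicodeDecodeError:
        return False
    return bool(text) and all(c in string.printable for c in text)


def multidecode(s: str) -> dict:
    """Try several common encodings and return {encoding: text} for the printable ones."""
    s = s.strip()
    attempts = {
        # Re-add missing '=' padding so unpadded base64/base32 still decodes.
        "base64": lambda: base64.b64decode(s + "=" * (-len(s) % 4), validate=True),
        "base32": lambda: base64.b32decode(s.upper() + "=" * (-len(s) % 8)),
        "hex": lambda: bytes.fromhex(s),
        "base58": lambda: b58decode(s),
    }
    results = {}
    for name, fn in attempts.items():
        try:
            decoded = fn()
        except (ValueError, binascii.Error):
            continue  # not valid in this encoding; move on
        if _printable(decoded):
            results[name] = decoded.decode("ascii")
    return results


if __name__ == "__main__":
    for enc, text in multidecode(ENCODED_LINE).items():
        print(f"{enc:7s} -> {text!r}")
```

Run it on any suspicious token you find in page source; the printable filter is what separates a real decoding from the line noise the other codecs produce on the same input.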

Remember when I said that ssh is not the way in usually? This scenario is different because I didn’t discover any login pages or other service ports that I could leverage with the discovered credentials.

Well, the password did not work, of course, because this box wants you to go mad. My next step was to do some brute-forcing against SSH with my favorite tool, Hydra.

hydra -l gaara -P /usr/share/wordlists/rockyou.txt ssh://192.168.163.142:22

Looking at my Hydra results, I was hoping that this time I had some working credentials, and sure enough I did.
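From the blue-team side, a Hydra run like the one above is loud: sshd writes one “Failed password” line per guess to auth.log, and a success right after a burst of failures is the signature of a guessed password. The following is an added example, not part of the original write-up, that parses a constructed auth.log excerpt (hostname and source addresses are made up) and flags any source that racks up a threshold of failures inside one sliding window, marking whether a login succeeded from that source afterwards.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log excerpt: one source hammering the gaara account,
# one unrelated failure from elsewhere. Not real log data from the lab box.
SAMPLE_AUTH_LOG = """\
Feb  2 13:20:01 gaara sshd[1201]: Failed password for gaara from 192.0.2.10 port 50110 ssh2
Feb  2 13:20:01 gaara sshd[1203]: Failed password for gaara from 192.0.2.10 port 50112 ssh2
Feb  2 13:20:02 gaara sshd[1205]: Failed password for gaara from 192.0.2.10 port 50114 ssh2
Feb  2 13:20:02 gaara sshd[1207]: Failed password for invalid user admin from 192.0.2.10 port 50116 ssh2
Feb  2 13:20:03 gaara sshd[1209]: Failed password for gaara from 192.0.2.10 port 50118 ssh2
Feb  2 13:20:03 gaara sshd[1211]: Failed password for gaara from 192.0.2.10 port 50120 ssh2
Feb  2 13:20:04 gaara sshd[1213]: Accepted password for gaara from 192.0.2.10 port 50122 ssh2
Feb  2 13:25:00 gaara sshd[1300]: Failed password for root from 198.51.100.7 port 40001 ssh2
"""

# Matches the standard OpenSSH password-auth lines; "invalid user" is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_auth_log(log_text):
    """Return (timestamp, result, user, ip) tuples for every sshd password event."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; relative ordering is all we need here.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag source IPs with at least `threshold` failures inside one `window`.

    Each alert records how many failures the source produced, which accounts it
    tried, and whether an Accepted login from it followed the burst.
    """
    by_ip = defaultdict(list)
    for ev in parse_auth_log(log_text):
        by_ip[ev[3]].append(ev)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        fails = [e[0] for e in evs if e[1] == "Failed"]
        burst_end = None
        # Sliding window over sorted failure times: failures i..i+threshold-1 within window?
        for i in range(len(fails)):
            j = i + threshold - 1
            if j < len(fails) and fails[j] - fails[i] <= window:
                burst_end = fails[j]
                break
        if burst_end is None:
            continue
        users = sorted({e[2] for e in evs if e[1] == "Failed"})
        success_after = any(e[1] == "Accepted" and e[0] >= burst_end for e in evs)
        alerts.append({
            "ip": ip,
            "failures": len(fails),
            "users": users,
            "success_after_burst": success_after,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

The `success_after_burst` flag is the one worth paging on: a burst alone may be a misconfigured client, but a burst followed by an accepted password is a credential that was just guessed. Rate-limiting tools such as fail2ban work from the same log lines.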

Root was pretty easy. I pushed the ever-so-famous linpeas script onto the target machine, and a SUID escalation was highlighted, so I went to GTFOBins for gdb.

GDB, the GNU Debugger, is a powerful and widely used open-source debugger for languages like C, C++ and others. It is commonly used on Linux but is also available on other platforms, including Windows and macOS.

I went with the file-read privesc: gdb reads data from files, so it may be used to do privileged reads or to disclose files outside a restricted file system.

Ran the following command to read the root flag:

gdb -nx -ex 'python print(open("/root/proof.txt").read())' -ex quit
yeahhhhh boyyyy!
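The lesson for anyone maintaining a box like this is that a setuid bit on a debugger or interpreter hands the file owner's privileges to whoever can run it, which is exactly what linpeas flagged. The following is an added example, not part of the write-up or of linpeas, that audits a directory tree for setuid files, reports anything not in a known-good baseline, and separately calls out basenames from a small hypothetical list of interpreters and debuggers that should never be setuid. The `demo()` function builds a throwaway tree with constructed files so the check can be exercised without touching a real system.

```python
import os
import stat
import tempfile

# Hypothetical, non-exhaustive list of programs that should never carry setuid:
# each can read or run arbitrary things as the file owner once it has that bit.
RISKY_NAMES = {"gdb", "python", "python3", "perl", "ruby", "vim", "find", "bash", "sh"}


def find_setuid(root):
    """Walk `root` and return sorted paths of regular files with the setuid bit.

    Uses lstat so symlinks are neither followed nor reported.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the audit
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def audit_setuid(root, baseline):
    """Compare setuid files under `root` with a baseline set of expected paths.

    Returns (unexpected, risky): paths missing from the baseline, and paths whose
    basename is in RISKY_NAMES regardless of baseline membership.
    """
    found = find_setuid(root)
    unexpected = [p for p in found if p not in baseline]
    risky = [p for p in found if os.path.basename(p) in RISKY_NAMES]
    return unexpected, risky


def demo():
    """Build a temp tree with a baseline 'passwd' and a stray setuid 'gdb', then audit it."""
    with tempfile.TemporaryDirectory() as root:
        ok_bin = os.path.join(root, "passwd")   # expected, in baseline
        bad_bin = os.path.join(root, "gdb")     # constructed offender
        for path in (ok_bin, bad_bin):
            with open(path, "w") as f:
                f.write("#!/bin/sh\n")
            os.chmod(path, 0o4755)  # set after writing, since writes clear setuid
        unexpected, risky = audit_setuid(root, {ok_bin})
        return ([os.path.basename(p) for p in unexpected],
                [os.path.basename(p) for p in risky])


if __name__ == "__main__":
    print(demo())
```

On a real host, seed the baseline from a freshly installed image (`find_setuid("/")` on the clean system) and run `audit_setuid("/", baseline)` on a schedule; any new entry, and any `risky` hit at all, is worth a ticket before someone finds it with linpeas.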
