Hi everyone
Today we are going to look for a Box called Gaara which is rated as easy in terms of difficulty. This machine has various phases: Recon, Enumeration, Exploitation and Privilege Escalation.
Box Type: Linux
Recon & Enumeration
Enumeration plays a very significant role in pen testing. The more properly you enumerate the more it will be easy to get a foothold on the target.
First, we will check whether target is reachable or not with ping command:
ping Target_IP
With ping command output we found that the target is reachable.
Now let’s move ahead and run the port scan for which we will be using Nmap a popular tool for port scanning and it will provide details of the various ports which are in Open state. The command for that will be:
nmap -sC -sV -O -oA nmap/initial 192.168.206.142
nmap -sC -sV -O -p- -oA nmap/full 192.168.206.142 -T4
I discovered these ports are open:
- 22/tcp – SSH Service running OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
- 80/tcp – HTTP Service running Apache httpd 2.4.38 ((Debian))
- OS: Linux
Then I went ahead and checked the IP in the web browser and I found a wallpaper running:
I got the creds but no luck
Exploitation
I found the password from Hydra and used it log in to SSH
I found the local.txt flag
Privilege Escalation
Now it was a time for escalating the privileges.
The above image shows the proof.txt file.
Key Takeaways
- Full port and service enumeration first — even simple services can reveal the entry point.
- Hidden directories can expose useful clues — web enumeration should never be skipped.
- Encoded strings or unusual data often hide credentials — always try decoding them.
- Weak credentials remain a common foothold — once a username is known, access may follow quickly.
- Always enumerate SUID binaries after gaining a shell — misconfigured ones can lead straight to root.
- Privilege escalation is often about trusted binaries — if a powerful tool runs with SUID, it may give full control.
If you enjoyed this post, share it with your friends and colleagues!