Gaara - Proving Grounds Play
Enumeration
Nmap
Initial nmap scan revealed HTTP and SSH ports were open.
Web Enumeration
Website only showed a PNG file.
I applied directory brute forcing and only one endpoint was available.
That endpoint showed 3 additional endpoints inside it.
Then visited those endpoints. It was useless, some story about character I do not even know named Gaara.
Exploitation
However, the name gaara is mentioned too much even machine’s name is gaara. So I brute forced SSH login using gaara as username. And I found a valid password. Logged in and got the user flag.
Privilege Escalation
There were 2 non-common SUID bit privileges: GDB and GIMP. I tried gimp at first but it did not work. Then tried gdb and it worked. I simply copied gtfobins SUID privilege escalation for gdb and got the root flag.