OS-Bytesec walkthrough

OS-Bytesec download here OS-Bytesec walkthrough

In this Blog, we slove OS-Bytesec walkthrough This lab is designed by Rahul Gehlaut

Network Scanning: I use Netdiscover is simple ARP Scanner to scan for live hosts in a network.

As you can see from the image our VM IP is Now we can be scanning our VM IP with Nmap.

Now let’s see the services running on the remote machine with the help of the Nmap tool by performing an aggressive scan on all the ports of the remote machine

As can be seen, there are only three port is open port: 80,139,445,2525

As port 80 is open, let us try and open the IP in the browser as shown in the image below

I did a basic enumeration with I see Web page source code and we see the bottom page ####GET####SMB####Fee

Now enumeration SMB with enum4linux

And I found after enumerate 3 SMB user Sagar, blackjax, smb, after trying login attempt I see smb user without password login.

login with SMB smbclient // -U smb -p and Enter twice I login into SMB

And we see after login smb found 2 file main.txt, safe.zip now download the file our local system with get command

And after download all files we see safe.zip file is locked now cracking safe file with fcrackzip toll Dictionary Attack with file rockyou.txt

And I found safe.zip file password

Now unzip our safe file with password hacker1

After unzipping safe file we 2 file secret.jpg, user.cap

Cracking user.cap file with aircrack-ng

After crack cap file found an ssh username: blackjax and password: snowflake

Login with ssh username blackjax and password snowflake

And Found a our first flag blackjax user home directory

Privilege Escalation

Again, after some basic enumeration checks(SUID, GUID, Kernel exploits, etc), I saw that the /usr/bin/netscan application had the permission to be executed as SUDO without the SUDO password:

and I run the script

after running the script I see the script working background netstat command

Privilege Escalation netscan PATH Variable I go to /tmp directory and run the command

and run the script Again

and I got root shell check with id command

and I go to root folder and run cat root.txt

We got the final root flag.

Author: Rahul Gehlaut