os-hackNos-2 Walkthrough

In this article, we will learn to solve a Capture the Flag challenge which was posted on VulnHub by Rahul Gehlaut. According to the information given in the description by the author of the challenge, this CTF is a medium-level boot-to-root challenge in which you need to capture two flags. The first flag needs to be captured as a user and the second flag needs to be captured as a root user.


Network Scanning

I’m starting with the netdiscover tool to find the IP address of the remote machine:

Now let’s see the services running on the remote machine with the help of the Nmap tool by performing an aggressive scan on all the ports of the remote machine.

We see that two ports are open on the target system: 22 and 80. Now we enumerate the open ports.


dirb is a Kali Linux tool for enumerating and brute-forcing web directories.

After enumerating the directories, we see that the target has many web directories. I now open the tsweb directory in our browser.

We find a WordPress blog on the target system. Next, I enumerate WordPress with the powerful wpscan tool, using -e ap to find all plugins.

wpscan lists all the plugins on the target system, including a vulnerable GraceMedia Player 1.0 plugin. I searched Exploit-DB for an exploit and found a local file inclusion.

CTF – Local File Inclusion POC:

I test the local file inclusion against our target WordPress website. I see the user flag and its password, but the password is hashed with md5crypt.

Our next step is password cracking with John, a powerful Kali Linux password hash cracking tool. I brute-force the hashes with the rockyou.txt wordlist and the md5crypt format.

The --show option displays the cracked hashes.

Login with flag user

We now have a username and password for the target machine. I try logging in over SSH with the flag credentials:

  • username: flag
  • password: topsecret

I log in successfully over SSH, but the flag user's shell is -rbash. The restricted shell is a Linux shell that restricts some of the features of the bash shell.

After some time, I found a backup password hashed in MD5 format.

Cracking password with John

Again, I crack the backup hashes with the John hash cracker.

After a minute or two, the hashes are cracked. We saw two user entries in the passwd file, rohit and flag. I change user with the su (switch user) command.
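Both the file inclusion and the backup file worked because password hashes in md5crypt format sat in readable passwd-style files. The following audit is an added example, not part of the original walkthrough: it flags hashes stored outside the shadow file and weak hash schemes. The names `SCHEMES`, `classify` and `audit`, the `svc` user and the sample hash strings are constructed for illustration.

```python
# Added example: audit passwd-format text for exposed or weak password hashes.
# SAMPLE_PASSWD is constructed; its hash strings are placeholders, not real hashes.

# crypt(3) identifier prefix -> (scheme name, acceptable for new hashes)
SCHEMES = {
    "$1$": ("md5crypt", False),
    "$2a$": ("bcrypt", True), "$2b$": ("bcrypt", True), "$2y$": ("bcrypt", True),
    "$5$": ("sha256crypt", True), "$6$": ("sha512crypt", True), "$y$": ("yescrypt", True),
}

def classify(field):
    """Return (scheme, acceptable) for a password field, or None if it holds no hash."""
    hash_part = field.lstrip("!")  # a leading "!" only marks the account as locked
    if hash_part in ("x", "*", ""):  # shadowed, login disabled, or lock marker only
        return None
    for prefix, info in SCHEMES.items():
        if hash_part.startswith(prefix):
            return info
    return ("unrecognised or legacy format", False)

def audit(text, world_readable):
    """Return (user, problem) findings for passwd-format text."""
    findings = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        user, field = parts[0], parts[1]
        if field == "":  # an empty field means no password is required
            findings.append((user, "empty password field"))
            continue
        result = classify(field)
        if result is None:
            continue
        scheme, acceptable = result
        if world_readable:
            findings.append((user, f"{scheme} hash stored in a world-readable file"))
        if not acceptable:
            findings.append((user, f"weak or unknown scheme: {scheme}"))
    return findings

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
flag:$1$CONSTRUCTED$placeholderplaceholder00:1001:1001::/home/flag:/bin/rbash
svc:$6$CONSTRUCTED$placeholderplaceholder00:1002:1002::/home/svc:/bin/bash
"""

if __name__ == "__main__":
    for user, problem in audit(SAMPLE_PASSWD, world_readable=True):
        print(f"{user}: {problem}")
```

Run it against /etc/passwd and any backup copies found under web roots or home directories; every finding is a hash that should move to the shadow file, be rehashed with a modern scheme, or be deleted.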

Switch user flag to rohit

  • username: rohit
  • password: !%hack41

cd /rohit

We got our first user flag in the rohit directory; I read the flag file with the cat command.

After logging in as rohit, I switch from rohit to root with the sudo su command (sudo means "superuser do").

cd /root

And I got the final root flag.

Author: Rahul Gehlaut

3 thoughts on “os-hackNos-2 Walkthrough”

  1. I have a question, what does the “MD5-HASH : bae11ce4f67af91fa58576c1da2aad4b” in root.txt mean? I tried online decryptors and it couldn't decrypt it.
