Os-Hax: 1 [VulnHub] — Walkthrough
Hey there! Let’s look at how I pwned the Os-Hax: 1 CTF machine by Rahul Gehlaut on VulnHub.
This is a very beginner-friendly machine. I was actually able to pwn it in under 15 minutes 😁
As always, I’m starting with the netdiscover tool to find the IP address of the remote machine:
root@kali:~# netdiscover
Now let’s see the services running on the remote machine with the help of the nmap tool by performing an aggressive scan on all the ports of the remote machine:
root@kali:~# nmap -p- -A 192.168.0.11
As can be seen, only two services are running: SSH (22) and HTTP (80). Let’s explore them one by one.
HTTP(80):
The landing page of the HTTP server looked like this:
http://192.168.0.11
I did a basic enumeration (robots.txt file, source code of the landing page, links from the landing page, etc.) and looked for low-hanging fruits.
The page source had a link to an “/img” folder, and I found an interesting image file inside that folder:
http://192.168.0.11/img
So I downloaded that file and enumerated it:
root@kali:~# wget http://192.168.0.11/img/flaghost.png
root@kali:~# exiftool flaghost.png
Wow! A hint!
There was a folder named “passw@45” on the HTTP server with another flag inside it:
And the following was the content of “flag2.txt”:
Ahh! The infamous Brainf**k programming language 🤯!
There are many online compilers to compile this language. I used this one from TutorialsPoint. This was the output of the program:
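If you would rather not paste a flag into a third-party website, a few lines of Python are enough to run Brainf**k offline. This is an added example, not code from the walkthrough; the program it runs is a constructed sample that prints “Hi”, not the real contents of flag2.txt.

```python
# Minimal Brainf**k interpreter so a flag such as flag2.txt can be decoded
# offline instead of through an online compiler. 8-bit wrapping cells and a
# 30000-cell tape match the behaviour of the common online interpreters.

def build_jump_table(code: str) -> dict:
    """Pre-match every '[' with its ']' so loops can jump in O(1)."""
    stack, jumps = [], {}
    for pos, ch in enumerate(code):
        if ch == '[':
            stack.append(pos)
        elif ch == ']':
            if not stack:
                raise ValueError(f"unmatched ']' at {pos}")
            start = stack.pop()
            jumps[start], jumps[pos] = pos, start
    if stack:
        raise ValueError(f"unmatched '[' at {stack[-1]}")
    return jumps

def run_bf(code: str, tape_size: int = 30000) -> str:
    """Execute a Brainf**k program and return everything it would print."""
    code = ''.join(c for c in code if c in '<>+-.,[]')  # drop comments/whitespace
    jumps = build_jump_table(code)
    tape = bytearray(tape_size)
    ptr = ip = 0
    out = []
    while ip < len(code):
        ch = code[ip]
        if ch == '>':
            ptr = (ptr + 1) % tape_size
        elif ch == '<':
            ptr = (ptr - 1) % tape_size
        elif ch == '+':
            tape[ptr] = (tape[ptr] + 1) & 0xFF   # 8-bit cells wrap around
        elif ch == '-':
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif ch == '.':
            out.append(chr(tape[ptr]))
        elif ch == ',':
            tape[ptr] = 0                        # no stdin here: EOF reads as 0
        elif ch == '[' and tape[ptr] == 0:
            ip = jumps[ip]                       # skip the loop body
        elif ch == ']' and tape[ptr] != 0:
            ip = jumps[ip]                       # jump back to the loop start
        ip += 1
    return ''.join(out)

# Constructed sample (not the machine's real flag2.txt): prints "Hi"
SAMPLE = "++++++++[>+++++++++<-]>.>+++++++++++[>++++++++++<-]>-----."

if __name__ == "__main__":
    print(run_bf(SAMPLE))
```

To decode the real flag, pass the file contents instead: `print(run_bf(open("flag2.txt").read()))`.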
We got a username and a password! Time to SSH 💪
SSH:
root@kali:~# ssh web@192.168.0.11
We’re in! 😃 But we still need to escalate our privileges to get the final flag which should be under the root account.
Again, after some basic enumeration checks (SUID, SGID, kernel exploits, etc.), I saw that the awk binary could be executed with sudo without the sudo password:
$ sudo -l
I did not exactly know what awk did. So I searched for it in GTFOBins and got this:
Super! And we have our final flag 😁 :
$ sudo awk 'BEGIN {system("/bin/sh")}'
# cd /root
# cat final.txt
And that’s a wrap! 😉
Thanks for staying so far 😃
A clap 👏 would encourage me to write more like this 🤗. You may check my profile for my other walkthroughs. I write one every week.
You can follow me on Twitter 🐦 to get updates on all the machines that I pwn 😄.
Please mention your doubts, comments, and suggestions below or DM me on Twitter!
See you in the next write-up next week 😄
Khuda hafiz! 😃👋