medium.com

Os-Hax: 1 [VulnHub] — Walkthrough

Anu Shibin Joseph Raj

As always, I’m starting with the netdiscover tool to find the IP address of the remote machine:

root@kali:~# netdiscover


IMG: Finding the IP of the remote machine using the netdiscover tool

Now let’s see which services are running on the remote machine with the help of the nmap tool, scanning all 65535 TCP ports (-p-) with the aggressive option (-A: version detection, OS detection, default scripts and traceroute):

root@kali:~# nmap -p- -A 192.168.0.11


IMG: Finding exposed services on the remote machine using the nmap tool

As can be seen, there are only 2 services running: SSH(22) & HTTP(80). Let’s explore them one by one.

HTTP(80):

The HTTP landing page looked like this:

http://192.168.0.11


IMG: The HTTP landing page

I did a basic enumeration (robots.txt, the source code of the landing page, links from the landing page, etc.) and looked for low-hanging fruit.

The page source had links to an “/img” folder and I found an interesting image file inside the folder:

http://192.168.0.11/img
IMG: An image file of interest in the /img folder under HTTP

So I downloaded that file and enumerated it:

root@kali:~# wget http://192.168.0.11/img/flaghost.png
root@kali:~# exiftool flaghost.png


IMG: Downloading and enumerating the image file

Wow! A hint!
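Hints like this one usually sit in a PNG’s ancillary text chunks (tEXt, zTXt or iTXt), which is part of the metadata exiftool prints. When exiftool is not at hand, or you want to know exactly which chunk carried the string, the chunk table is simple enough to walk by hand. The script below is an added example and not part of the original walkthrough: it builds a constructed 1x1 PNG with one tEXt chunk (the keyword and hint text are made up, not the ones from the box), then parses the chunk table back, decoding all three text chunk types and flagging any chunk whose CRC does not match its contents.

```python
"""Pull text metadata out of a PNG by walking its chunk table.

Added example: the sample PNG and its hint are constructed here;
nothing in this file comes from flaghost.png on the box.
"""
import struct
import sys
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = (b"tEXt", b"zTXt", b"iTXt")


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one chunk: 4-byte length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png(keyword: bytes, text: bytes) -> bytes:
    """Constructed sample: a valid 1x1 RGB PNG carrying a single tEXt chunk."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit depth, RGB
    scanline = b"\x00" + b"\x00\x00\x00"                 # filter byte + one pixel
    return (PNG_SIGNATURE
            + _chunk(b"IHDR", ihdr)
            + _chunk(b"tEXt", keyword + b"\x00" + text)
            + _chunk(b"IDAT", zlib.compress(scanline))
            + _chunk(b"IEND", b""))


def iter_chunks(data: bytes):
    """Yield (type, body, crc_ok) per chunk; stop at IEND or on truncation."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_field = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc_field) < 4:
            break  # truncated file: stop instead of reading past the end
        crc_ok = (zlib.crc32(ctype + body) & 0xFFFFFFFF) == struct.unpack(">I", crc_field)[0]
        yield ctype, body, crc_ok
        pos += 12 + length
        if ctype == b"IEND":
            break


def extract_text(data: bytes) -> dict:
    """Return {keyword: text} for every tEXt/zTXt/iTXt chunk in the file."""
    found = {}
    for ctype, body, crc_ok in iter_chunks(data):
        if ctype not in TEXT_CHUNKS:
            continue
        keyword, _, rest = body.partition(b"\x00")
        key = keyword.decode("latin-1")
        if ctype == b"tEXt":
            text = rest.decode("latin-1")
        elif ctype == b"zTXt":
            # rest[0] is the compression method (0 = deflate), then the zlib stream
            text = zlib.decompress(rest[1:]).decode("latin-1")
        else:
            # iTXt: compression flag, method, language tag\0, translated keyword\0, UTF-8 text
            compressed = rest[0]
            rest = rest[2:]
            _lang, _, rest = rest.partition(b"\x00")
            _translated, _, raw = rest.partition(b"\x00")
            text = (zlib.decompress(raw) if compressed else raw).decode("utf-8")
        if not crc_ok:
            key += " (bad CRC)"  # tampered or damaged chunk; still show the text
        found[key] = text
    return found


if __name__ == "__main__":
    # Usage: python png_text.py flaghost.png   (no argument runs the constructed sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = build_sample_png(b"Comment", b"constructed hint: look for a hidden directory")
    for key, value in extract_text(blob).items():
        print(f"{key}: {value}")
```

Point it at the real file with `python png_text.py flaghost.png`; the CRC check matters because a hint that was appended by hand (or a chunk edited after the fact) often shows up as a chunk whose CRC no longer matches.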


There was a folder by the name “passw@45” on the HTTP Server with another flag inside it:

IMG: Second flag obtained from the HTTP Server

And the following was the content of “flag2.txt”:

IMG: Content of flag2.txt

Ahh! The infamous Brainf**k programming language 🤯!

There are many online interpreters for this language; I used the one from TutorialsPoint. This was the output of the program:


IMG: The output of the Brainf**k program after execution
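An online interpreter works, but running the program locally is the better habit: challenge data (or, on a real engagement, client data) never leaves your box, and you can cap the step count so a hostile or buggy program cannot hang the shell. The interpreter below is an added example and not part of the original walkthrough; it implements the eight Brainfuck instructions with 8-bit wrapping cells, a tape that grows to the right, a step budget, and a classic “Hello World!” program as a known-good check. The real contents of flag2.txt are not reproduced here.

```python
"""Offline Brainfuck interpreter (added example, not from the original post)."""
import sys

BF_OPS = "<>+-.,[]"


def bracket_map(code: str) -> dict:
    """Pair every '[' with its ']' up front so jumps are O(1) at run time."""
    jumps, stack = {}, []
    for i, op in enumerate(code):
        if op == "[":
            stack.append(i)
        elif op == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {i}")
            j = stack.pop()
            jumps[i], jumps[j] = j, i
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")
    return jumps


def run_brainfuck(program: str, stdin: bytes = b"", max_steps: int = 5_000_000) -> bytes:
    """Execute `program` and return the bytes it emits with '.'.

    Cells are 8-bit and wrap; the tape starts at 30,000 cells and grows to
    the right; ',' past the end of input stores 0; the step budget turns an
    infinite loop into an exception instead of a hung terminal.
    """
    code = "".join(ch for ch in program if ch in BF_OPS)  # everything else is a comment
    jumps = bracket_map(code)
    tape = bytearray(30_000)
    ptr = pc = inp = steps = 0
    out = bytearray()
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError(f"step budget of {max_steps} exceeded")
        op = code[pc]
        if op == ">":
            ptr += 1
            if ptr == len(tape):
                tape.extend(bytes(len(tape)))
        elif op == "<":
            if ptr == 0:
                raise IndexError("data pointer moved left of cell 0")
            ptr -= 1
        elif op == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif op == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif op == ".":
            out.append(tape[ptr])
        elif op == ",":
            tape[ptr] = stdin[inp] if inp < len(stdin) else 0
            inp += 1
        elif op == "[" and tape[ptr] == 0:
            pc = jumps[pc]   # skip the loop body
        elif op == "]" and tape[ptr] != 0:
            pc = jumps[pc]   # back to the matching '['
        pc += 1
    return bytes(out)


# Classic "Hello World!" program, kept as a known-good check of the interpreter.
HELLO = ("++++++++[>++++[>++>+++>+++>+<<<<-]>+>+>->>+[<]<-]"
         ">>.>---.+++++++..+++.>>.<-.<.+++.------.--------.>>+.>++.")

if __name__ == "__main__":
    # Usage: python bf.py flag2.txt   (no argument runs the built-in check)
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else HELLO
    sys.stdout.write(run_brainfuck(src).decode("latin-1", errors="replace"))
```

Decoding the output as latin-1 rather than UTF-8 is deliberate: a flag program may emit arbitrary bytes, and you want to see them rather than get a decoding error.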

We got a username and a password! Time to SSH 💪

SSH:

root@kali:~# ssh web@192.168.0.11


IMG: SSH login into the remote machine using the obtained credentials

We’re in! 😃 But we still need to escalate our privileges to get the final flag which should be under the root account.

Again, after some basic enumeration checks (SUID/SGID binaries, kernel exploits, etc.), I saw that the awk binary could be run through sudo without a password:

$ sudo -l


I did not exactly know what awk did. So I searched for it in GTFOBins and got this:


IMG: Instructions to abuse SUDO privileges and gain root access using awk

Super! And we have our final flag 😁 :

$ sudo awk 'BEGIN {system("/bin/sh")}'
# cd /root
# cat final.txt


IMG: The final flag 🏁

And that’s a wrap! 😉

Thanks for staying so far 😃

A clap 👏 would encourage me to write more like this 🤗. You may check my profile for my other walkthroughs. I write one every week.

You can follow me on Twitter 🐦 to get updates on all the machines that I pwn 😄.

Please mention your doubts, comments, and suggestions below or DM me on Twitter!

See you in the next write-up next week 😄

Khuda hafiz! 😃👋