Os-Hax: 1 [VulnHub] — Walkthrough

Anu Shibin Joseph Raj
3 min read · Nov 16, 2019

Hey there! Let’s look at how I pwned the Os-Hax: 1 CTF machine by Rahul Gehlaut on VulnHub.

This is a very beginner-friendly machine. I was actually able to pwn it in under 15 minutes 😁

As always, I’m starting with the netdiscover tool to find the IP address of the remote machine:

root@kali:~# netdiscover
IMG: Finding the IP of the remote machine using the netdiscover tool

Now let’s see the services running on the remote machine with the help of the nmap tool by performing an aggressive scan on all the ports of the remote machine:

root@kali:~# nmap -p- -A 192.168.0.11
IMG: Finding exposed services on the remote machine using the nmap tool

As can be seen, there are only 2 services running: SSH (22) & HTTP (80). Let’s explore them one by one.

HTTP(80):

The landing page on the HTTP server looked like this:

http://192.168.0.11
IMG: The HTTP landing page

I did a basic enumeration (robots.txt file, source code of the landing page, links from the landing page, etc.) and looked for low-hanging fruit.

The page source had links to an “/img” folder and I found an interesting image file inside the folder:

http://192.168.0.11/img
IMG: An image file of interest in the /img folder under HTTP

So I downloaded that file and enumerated it:

root@kali:~# wget http://192.168.0.11/img/flaghost.png
root@kali:~# exiftool flaghost.png
IMG: Downloading and enumerating the image file

Wow! A hint!

There was a folder by the name “passw@45” on the HTTP Server with another flag inside it:

IMG: Second flag obtained from the HTTP Server

And the following was the content of “flag2.txt”:

IMG: Content of flag2.txt

Ahh! The infamous Brainf**k programming language 🤯!

There are many online compilers to compile this language. I used this one from TutorialsPoint. This was the output of the program:

IMG: The output of the Brainf**k program after execution

We got a username and a password! Time to SSH 💪

SSH:

root@kali:~# ssh web@192.168.0.11
IMG: SSH login into the remote machine using the obtained credentials

We’re in! 😃 But we still need to escalate our privileges to get the final flag which should be under the root account.

Again, after some basic enumeration checks (SUID, GUID, Kernel exploits, etc.), I saw that the awk application had the permission to be executed as SUDO without the SUDO password:

$ sudo -l

I did not exactly know what awk did. So I searched for it in GTFOBins and got this:

IMG: Instructions to abuse SUDO privileges and gain root access using awk

Super! And we have our final flag 😁 :

$ sudo awk 'BEGIN {system("/bin/sh")}'
# cd /root
# cat final.txt
IMG: The final flag 🏁
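
From the admin's side, the sudo rule for awk is the finding to catch before anyone else does. The following is an added example, not part of the original walkthrough: a small Python audit of `sudo -l` output that flags rules for programs able to run other commands. The sample output, the host name "host", the function name audit_sudo_l and the program list are assumptions made for this example.

```python
import os
import re

# Illustrative subset (an assumption of this example, not a complete list) of
# programs that can run other commands, so a sudo rule for one equals a root shell.
SHELL_CAPABLE = {"awk", "gawk", "mawk", "nawk", "bash", "sh", "dash", "env", "find",
                 "less", "more", "man", "vi", "vim", "perl", "python", "python3", "ruby"}

RULE = re.compile(r"^\s+\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$")  # "(root) NOPASSWD: /bin/x"
TAG = re.compile(r"^(?P<tag>[A-Z_]+):\s*")                      # "NOPASSWD: ", "SETENV: "

def audit_sudo_l(output):
    """Return findings for risky rules in the text printed by `sudo -l`."""
    findings = []
    for line in output.splitlines():
        m = RULE.match(line)
        if not m:
            continue
        nopasswd = False  # a tag carries over to later commands on the same line
        for cmd in re.split(r"(?<!\\),\s*", m["cmds"]):
            while (t := TAG.match(cmd)):
                if t["tag"] in ("NOPASSWD", "PASSWD"):
                    nopasswd = t["tag"] == "NOPASSWD"
                cmd = cmd[t.end():]
            parts = cmd.split()
            if not parts:
                continue
            name = os.path.basename(parts[0])
            if parts[0] != "ALL" and name not in SHELL_CAPABLE:
                continue
            reason = ("any command allowed" if parts[0] == "ALL"
                      else f"{name} can run arbitrary commands")
            findings.append({"runas": m["runas"], "command": cmd.strip(),
                             "nopasswd": nopasswd, "reason": reason})
    return findings

# Constructed sample: the page states only that awk was allowed without a password.
SAMPLE = """\
Matching Defaults entries for web on host:
    env_reset, mail_badpass

User web may run the following commands on host:
    (root) NOPASSWD: /usr/bin/awk
    (root) /usr/bin/systemctl restart nginx, NOPASSWD: /usr/bin/less /var/log/syslog
"""

if __name__ == "__main__":
    for f in audit_sudo_l(SAMPLE):
        print(f"[!] ({f['runas']}) {f['command']} nopasswd={f['nopasswd']}: {f['reason']}")
```

A flagged rule is best removed, or replaced by a root-owned wrapper script that performs only the one task the user actually needs.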

And that’s a wrap! 😉

Thanks for staying so far 😃

See you in the next write-up next week 😄

Khuda hafiz! 😃👋
