Previously, we have completed a few single and series vulnerable boxes. If you have not yet read them,
Click Here:
Vulhub - Vulnerable By Design
Vulhub is a platform designed to host intentionally vulnerable web applications for educational and testing purposes. It provides a hands-on learning environment for security enthusiasts to practice identifying and exploiting various vulnerabilities in web applications.
Table of Contents
Empire LupinOne is a vulnerable machine with difficulty level medium machine designed by icex64 and Empire Cybersecurity.
Settings Up
Firstly, we have to download the zip file from VulnHub.
Empire: Lupin One
Empire: Lupin One is a virtual machine (VM) hosted on Vulnhub designed for penetration testing and ethical hacking practice. It contains multiple security vulnerabilities that testers can exploit to gain unauthorized access and escalate privileges. Lupin One offers a hands-on learning experience for security enthusiasts to enhance their skills in identifying and mitigating security flaws.
On completion, we have to extract the file.
Open Virtual Box, and then click on new. Fill in the name, type, and version
Click Next to customize the memory size and then browse the existing virtual disk file.
Once you are done with the settings, let’s start the instance VMs.
Now, the instance is ready, and we have got a terminal screen that prompts us to input the password.
Enumeration
Our First step is to find out the target IP address using NetDiscover.
From the Scanning result, we have discovered our
target IP address i.e., 192.168.56.112.
We have discovered the IP address, so
let's perform a network scan to detect what ports are open is already known as
an essential part of the enumeration process. This offers us the opportunity to
better understand the attacking surface and design targeted attacks. As in most
cases, we are going to use the famous Nmap tool:
Conducting Network Scans with Nmap
- -sC: perform a script scan using the default set of scripts,
- -sV: enables version detection, which will detect what versions are running on what port.
From the Nmap output, we have spotted two
open ports.
- Port 22/TCP running an SSH service, which means, that if we have a valid username, and password then will be easily accessed the server.
- Port 80/TCP runs an HTTP service, which indicates that there might be a website running.
Web Enumeration
If you take a look at the below script, you will find out, that there is a robots.txt file disallowing a directory called /~my files on the webserver.
Let’s look at the contents ourselves, we can open a web browser of our choice,
and navigate to the target's IP address in the URL bar at the top of the
window.
If you take a look at the robots.txt file, you can spot a file that disallows from being crawled. Let’s visit this file.
We began the enumeration procedure by inspecting the (/~myfiles) HTTP page. From the output, we have discovered an Error 404, which seemed suspicious.
In the older version of the Apache server, the “~” tilde symbol was used to refer to the home directory of a user.
However, this is not the case for newer versions. So, we can try to find similar paths to start with the same symbol (~).
Let’s take a look at the page source code to
find a clue to foothold the instance.
There is nothing else special from the page source, so move to further steps.
Foothold
Let’s find out the hidden directories and
files on the web server that can also be categorized under fuzzing. The tool we are going to use is FFUF (A fast web fuzzer). FFUF does not come pre-installed with Kali Linux, so we have to
install them separately.
Discovery of Hidden Directories and files with FFUF
Let’s perform Fuzzing to find out hidden files and directories.
- -c: colorize the output,
- -u: set the Target URL,
- -w: set the Wordlist file path.
The scan results identified ‘secret’ as a valid directory name from
the server. So let us open this directory in the browser.
The page contained three major hints for the machine.
- The First hint is that there is a hidden file for the SSH private key.
- Secondly, we have a wordlist that will help us to crack the SSH hashes.
- In the end, the hint also talks about the best friend, who is possibly a username.
So, our first task is to find out the hidden file which contains the SSH key. To find the secret private SSH key, we again use fuzzing with the help of FFUF once more.
Where we are going to use three new parameters.
- -ic: ignore wordlist comments.
- -fc: filter HTTP status codes from the response.
- -e: specify the list of extensions.
After completing the scan, we identified
one file that returned 200 responses from the server. So, let us open that file
on the browser.
When we open the file on the browser, it will redirect us to a new page that might contain some encoded message. We need to figure out the encryption type to decrypt the actual SSH key.
Decrypting Encrypted text with CyberChef
Visit Cyberchef. To Learn More:
CyberChef: The Cyber Swiss Army Knife
This article explores CyberChef, a versatile tool used by cybersecurity professionals for various tasks such as encoding, decoding, encryption, and decryption. It discusses the features of CyberChef and its significance in analyzing and manipulating data during security assessments and forensic investigations.
Paste the string in the input section and Drag and Drop each operation to the recipe to match the encryption Type. After analyzing I found out that the string is encrypted with base 58.
The string was successfully decoded without
any errors. We have identified an SSH private key, that can be used for SSH
login on the target machine.
Save the key into the file using the nano text editor.
Decrypting SSH Key Files with John The Ripper
Since the author has shared some hints related to the passphrase for the SSH Key, thus we are going to use SSH2john to obtain the hash value of the SSH key.
Now, run John the Ripper to crack the hash value.
From the output, we obtained a password.
Establishing SSH Connection with SSH Key Authentication
Now we have a username and password, let's perform a secure shell connection to enable secure remote connections using the usernames and the relevant passwords.
We successfully authenticated and got a secure shell. As it’s depicted now, we have accessed the user Icex64. Next, run the ls command to list the files and the directory's contents. As a result, we found the user.txt.
Since the running shell does not have root permission, So, let’s
identify further information about the target machine, which could be useful
for gaining root access.
Privilege Escalation
Let's identify the rights, and privileges of the current user by executing the sudo -l command.
After analyzing the output, we confirm that the running Python script may be vulnerable to the Python Library Hijacking approach. You find out more about this vulnerability by searching on Google.
Python Library Hijacking
Let’s take a look at the contents of the Python script.
Upon reviewing the code, we discovered crucial information. Running this Python script opens the web browser and shows the URL.
To elevate privileges, we can inject a bash shell script and rerun the program. We need to use the locate command to locate the library's location.
From the output, we have obtained the location of the Python library of “webbrowser.py”.
We will now begin our Python Library Hijacking procedure. You will list the details of the library if we have to change the read, and write permission.
Now open the Python script using the nano command to edit the script.
Now add the below script to call root shell.
Let’s execute the Python script to switch the user to Arsene.
We have switched to the user Arsene, but we don't have root privilege, so let's again identify the rights, and privileges of the current user Arsene.
After analyzing the output, we spotted a new vulnerability that will help us to escalate the privilege. This is known as PIP Privilege Escalation.
PIP Privilege Escalation
You will find detailed information by searching on Google.
GTFOBins: pip
GTFOBins is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions and escalate privileges on a compromised system. The GTFOBins page for pip provides information on how the pip package manager can be abused to gain unauthorized access or execute arbitrary commands with elevated privileges. It serves as a valuable resource for security professionals and penetration testers to understand and mitigate potential security risks associated with the pip utility.
Copy each of them, and paste them to the terminal one by one to get the root shell.
Finally, we have the root shell and verify using the whoami command. It has been proven that it is the root, simply change the directory to the /root path to obtain the root flag.
Congratulation! On completion of the CTF challenge.