Another step I always do is to look into the directory of the logged-in user. "Vikings - Writeup - Vulnhub - Walkthrough" Link to the machine: https://www.vulnhub.com/entry/vikings-1,741/ Name: Empire: LupinOne; Date release: 21 Oct 2021; Author: icex64 & Empire Cybersecurity; Series: Empire. Please remember that VulnHub is a free community resource so we are unable to check the machines that are provided to us. Download the Fristileaks VM from the above link and provision it as a VM. Furthermore, this is quite a straightforward machine. Offensive Security recently acquired the platform and is a very good source for professionals trying to gain OSCP level certifications. Unlike my other CTFs, this time, we do not require using the Netdiscover command to get the target IP address. The hint message shows us some direction that could help us log in to the target application. Until now, we have enumerated the SSH key by using the fuzzing technique. The target machine's IP address can be seen in the following screenshot. The difficulty level is marked as easy. Empire: LupinOne Vulnhub Walkthrough, December 25, 2021, by Raj Chandel. Empire: LupinOne is a Vulnhub easy-medium machine designed by icex64 and Empire Cybersecurity. In the Nmap command, we used the -sV option for version enumeration and -p- for a full port scan, which means we are telling Nmap to conduct the scan on all 65535 ports. So, in the next step, we will start solving the CTF with Port 80. Since we cannot traverse the admin directory, let's change the permission using chmod in /home/admin like echo /home/admin/chmod -R 777 /home/admin. We are now logged into the target machine as user l. We ran the id command; the output shows that we are not the root user.
The identified open ports can also be seen in the screenshot given below: we used the -sV option for version enumeration and -p- for a full port scan, which means we are telling Nmap to conduct the scan on all 65535 ports. In the next step, we used the WPScan utility for this purpose. Locate the transformers inside and destroy them. We copy-pasted the string to recognize the encryption type and, after that, clicked on analyze. This is the second in the Matrix-Breakout series, subtitled Morpheus:1. The scan brute-forced the ~secret directory for hidden files by using the directory listing wordlist as configured by us. I'll get a reverse shell. However, in the current user directory we have a password-raw md5 file. Let's do that. Port 80 is being used for the HTTP service, and port 22 is being used for the SSH service. The torrent downloadable URL is also available for this VM; it has been added in the reference section of this article. Here, I won't show this step. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets. sudo nmap -v -T4 -A -p- -oN nmap.log 192.168.19.130 Nmap scan result. After some time, the tool identified the correct password for one user. As a hint, it is mentioned that this is a straightforward box, and we need to follow the hints while solving this CTF. The scan command and results can be seen in the following screenshot. In this post, I created a file in, How do you copy your ssh public key, (I guess from your kali, assuming ssh has generated keys), to /home/ragnar/authorized_keys? Download the Fristileaks VM from the above link and provision it as a VM. The flag file named user.txt is given in the previous image. The walkthrough. Step 1: After running the downloaded virtual machine file in the virtual box, the machine will automatically be assigned an IP address from the network DHCP, and it will be visible on the login screen.
As per the description, this is a beginner-friendly challenge as the difficulty level is given as easy. We tried to write the PHP command execution code in the PHP file, but the changes could not be updated as they showed some errors. By default, Nmap conducts the scan on only known 1024 ports. So, let us start the fuzzing scan, which can be seen below. Nmap also suggested that port 80 is also opened. However, the webroot might be different, so we need to identify the correct path behind the port to access the web application. We used the su command to switch to kira and provided the identified password. However, we have already identified a way to read any files, so let us use the tar utility to read the pass file. command we used to scan the ports on our target machine. Download the Mr. Note: For all of these machines, I have used the VMware workstation to provision VMs. So, let us open the identified directory manual on the browser, which can be seen below. By default, Nmap conducts the scan on only known 1024 ports. This completes the challenge! We found another hint in the robots.txt file. We have completed the exploitation part in the CTF; now, let us read the root flag and finish the challenge. Robot. Style: Enumeration/Follow the breadcrumbs. We decided to download the file on our attacker machine for further analysis. Please note: I have used Oracle Virtual Box to run the downloaded machine for all of these machines. It is categorized as Easy level of difficulty. Please leave a comment.
The output of the Nmap shows that two open ports have been identified as open in the full port scan. Port 80 is being used for the HTTP service, and port 22 is being used for the SSH service. Please comment if you are facing the same. I simply copy the public key from my .ssh/ directory to authorized_keys. The target machine's IP address can be seen in the following screenshot.
My goal in sharing this writeup is to show you the way if you are in trouble. We used the Dirb tool; it is a default utility in Kali Linux. The CTF or Check the Flag problem is posted on vulnhub.com. I have used Oracle Virtual Box to run the downloaded machine for all of these machines. https://download.vulnhub.com/empire/01-Empire-Lupin-One.zip. It is a Linux-based machine. We tried to log in to the target machine as user icex64, but the login could not be successful as the key is password protected. Next, we will identify the encryption type and decrypt the string. Locate the AIM facility by following the objective marker. Next, I checked for the open ports on the target. Today we will take a look at Vulnhub: Breakout. We identified a directory on the target application with the help of a Dirb scan. We started enumerating the web application and found an interesting hint hidden in the HTML source code. The identified directory could not be opened on the browser. This machine works on VirtualBox. Until then, I encourage you to try to finish this CTF! This means that we do not need a password to root. Difficulty: Intermediate. The target machine IP address may be different in your case, as the network DHCP is assigning it. So, let's start the walkthrough. VM running on 192.168.2.4.
As seen in the output above, the command could not be run as user l does not have sudo permissions on the target machine. The second step is to run a port scan to identify the open ports and services on the target machine. The file was also mentioned in the hint message on the target machine. In the /opt/ folder, we found a file named case-file.txt that mentions another folder with some useful information. It can be seen in the following screenshot. Please remember that VulnHub is a free community resource so we are unable to check the machines that are provided to us. We opened the target machine IP address on the browser as follows: The webpage shows an image on the browser. Let us open each file one by one on the browser. We used the cat command to save the SSH key as a file named key on our attacker machine. After that, we used the file command to check the content type. It's themed as a throwback to the first Matrix movie. Scanning target for further enumeration. The scan results identified secret as a valid directory name from the server. To fix this, I had to restart the machine. First, we need to identify the IP of this machine. Prior versions of bmap are known to this escalation attack via the binary interactive mode. Similarly, we can see SMB protocol open. Please remember that the techniques used are solely for educational purposes: I am not responsible if the listed techniques are used against any other targets. This contains information related to the networking state of the machine. Opening web page as port 80 is open. Download the Mr. We downloaded the file on our attacker machine using the wget command. Then we again spent some time on enumeration and identified a password file in the backup folder as follows: We ran the ls -l command to list file permissions, which says only the root can read and write this file. Let us open the file on the browser to check the contents.
This worked in our case, and the message is successfully decrypted. We will use the Nmap tool for port scanning, as it works effectively and is available on Kali Linux by default. sudo netdiscover -r 192.168.19./24 Ping scan results. Scan open ports: Next, we have to scan open ports on the target machine. Let's start with enumeration. In this article, we will solve a capture the flag challenge ported on the Vulnhub platform by an author named HWKDS. The torrent downloadable URL is also available for this VM; it's been added in the reference section of this article. Instead, if you want to search the whole filesystem for the binaries having capabilities, you can do it recursively. Below we can see that we have inserted our PHP webshell into the 404 template. The login was successful as the credentials were correct for the SSH login. Let us use this wordlist to brute force into the target machine. Before executing the uploaded shell, I opened a connection to listen on the attacking box and as soon as the image is opened/executed, we got our low-priv shell back. Since we are running a virtual machine in the same network, we can identify the target machine's IP address by running the netdiscover command. Let us get started with the challenge. I tried to directly upload the php backdoor shell, but it looks like there is a filter to check for extensions. There are numerous tools available for web application enumeration. In the Nmap command, we used the -sV option for version enumeration and -p- for a full port scan, which means we are telling Nmap to conduct the scan on all 65535 ports. First, we need to identify the IP of this machine. After logging into the target machine, we started information gathering about the installed operating system and kernels, which can be seen below. We will use the FFUF tool for fuzzing the target machine. Let us start the CTF by exploring the HTTP port.
Please Note: I have used Oracle Virtual Box to run the downloaded machine for all of these machines. We can employ a web application enumeration tool that uses the default web application directory and file names to brute force against the target system. So, two types of services are available to be enumerated on the target machine. The target machine's IP address can be seen in the following screenshot. We do not know yet), but we do not know where to test these. WordPress then reveals that the username Elliot does exist. In the next step, we will be using automated tools for this very purpose. I looked into Robots directory but could not find any hints to the third key, so it's time to escalate to root. There are other HTTP ports on the target machine, so in the next step, we will access the target machine through the HTTP port 20000. Our target machine IP address that we will be working on throughout this challenge is, (the target machine IP address). After that, we tried to log in through SSH.
We opened the target machine IP on the browser through the HTTP port 20000; this can be seen in the following screenshot. Merely adding the .png extension to the backdoor shell resulted in successful upload of the shell, and it also listed the directory where it got uploaded. You play Trinity, trying to investigate a computer on the Nebuchadnezzar that Cypher has locked everyone else out from, which holds the key to a mystery. However, the scan could not provide any CMC-related vulnerabilities. Obviously, ls -al lists the permission.