As we know, the SSH default port is open on the target machine, so let us try to log in through the SSH port. Symfonos 2 is a machine on vulnhub. It can be seen in the following screenshot. Here, I wont show this step. Similarly, we can see SMB protocol open. Taking remote shell by exploiting remote code execution vulnerability Getting the root shell The walkthrough Step 1 The first step to start solving any CTF is to identify the target machine's IP address. Running sudo -l reveals that file in /var/fristigod/.secret_admin_stuff/doCom can be run as ALL under user fristi. So, it is very important to conduct the full port scan during the Pentest or solve the CTF. Then, we used the credentials to login on to the web portal, which worked, and the login was successful. The port numbers 80, 10000, and 20000 are open and used for the HTTP service. "Vikings - Writeup - Vulnhub - Walkthrough" Link to the machine: https://www.vulnhub.com/entry/vikings-1,741/ On browsing I got to know that the machine is hosting various webpages . As we noticed from the robots.txt file, there is also a file called fsocity.dic, which looks to be a dictionary file. Vulnhub is a platform that provides vulnerable applications/machines to gain practical hands-on experience in the field of information security. To fix this, I had to restart the machine. It can be seen in the following screenshot. Following the banner of Keep Calm and Drink Fristi, I thought of navigating to the /fristi directory since the others exposed by robots.txt are also name of drinks. insecure file upload We decided to download the file on our attacker machine for further analysis. Kali Linux VM will be my attacking box. Please comment if you are facing the same. linux basics ssti Before we trigger the above template, well set up a listener. Locate the transformers inside and destroy them. kioptrix Also, its always better to spawn a reverse shell. However, when I checked the /var/backups, I found a password backup file. Locate the AIM facility by following the objective marker. THE PLANETS EARTH: CTF walkthrough, part 1, FINDING MY FRIEND 1 VulnHub CTF Walkthrough Part 2, FINDING MY FRIEND: 1 VulnHub CTF Walkthrough Part 1, EMPIRE: LUPINONE VulnHub CTF Walkthrough, Part 2, EMPIRE: LUPINONE VulnHub CTF Walkthrough, Part 1, HOGWARTS: BELLATRIX VulnHub CTF walkthrough, CORROSION: 1 VulnHub CTF Walkthrough Part 2, CORROSION: 1 Vulnhub CTF walkthrough, part 1, MONEY HEIST: 1.0.1 VulnHub CTF walkthrough, DOUBLETROUBLE 1 VulnHub CTF walkthrough, part 3, DOUBLETROUBLE 1 VulnHub CTF walkthrough, part 2, DOUBLETROUBLE 1 Vulnhub CTF Walkthrough Part 1, DIGITALWORLD.LOCAL: FALL Vulnhub CTF walkthrough, HACKER KID 1.0.1: VulnHub CTF walkthrough part 2, HACKER KID 1.0.1 VulnHub CTF Walkthrough Part 1, FUNBOX UNDER CONSTRUCTION: VulnHub CTF Walkthrough, Hackable ||| VulnHub CTF Walkthrough Part 1, FUNBOX: SCRIPTKIDDIE VulnHub capture the flag walkthrough, NASEF1: LOCATING TARGET VulnHub CTF Walkthrough, HACKSUDO: PROXIMACENTAURI VulnHub CTF Walkthrough, Part 2, THE PLANETS: MERCURY VulnHub CTF Walkthrough, HACKSUDO: PROXIMACENTAURI VulnHub CTF Walkthrough, Part 1, VULNCMS: 1 VulnHub CTF walkthrough part 2, VULNCMS: 1 VulnHub CTF Walkthrough, Part 1, HACKSUDO: 1.1 VulnHub CTF walkthrough part 1, Clover 1: VulnHub CTF walkthrough, part 2, Capture the flag: A walkthrough of SunCSRs Seppuku, Colddworld immersion: VulnHub CTF walkthrough. It is a default tool in kali Linux designed for brute-forcing Web Applications. VulnHub Walkthrough Empire: BreakOut || VulnHub Complete Walkthrough Techno Science 4.23K subscribers Subscribe 1.3K views 8 months ago Learn More:. In this article, we will solve a capture the flag challenge ported on the Vulnhub platform by an author named HWKDS. In the next step, we will be running Hydra for brute force. We searched the web for an available exploit for these versions, but none could be found. Prerequisites would be knowledge of Linux commands and the ability to run some basic pentesting tools. The notes.txt file seems to be some password wordlist. Command used: << wpscan url http://deathnote.vuln/wordpress/ >>. Also, make sure to check out the walkthroughs on the harry potter series. The IP address was visible on the welcome screen of the virtual machine. Name: Empire: Breakout Date release: 21 Oct 2021 Author: icex64 & Empire Cybersecurity Series: Empire Download Back to the Top Please remember that VulnHub is a free community resource so we are unable to check the machines that are provided to us. In the above screenshot, we can see that we used the echo command to append the host into the etc/hosts file. This is Breakout from Vulnhub. Download & walkthrough links are available. Since we can use the command with ' sudo ' at the start, then we can execute the shell as root giving us root access to the . The identified password is given below for your reference. Keep practicing by solving new challenges, and stay tuned to this section for more CTF solutions. Always test with the machine name and other banner messages. Merely adding the .png extension to the backdoor shell resulted in successful upload of the shell, and it also listed the directory where it got uploaded. Series: Fristileaks https://download.vulnhub.com/empire/01-Empire-Lupin-One.zip. The hint also talks about the best friend, the possible username. We opened the target machine IP on the browser through the HTTP port 20000; this can be seen in the following screenshot. hacksudo Robot VM from the above link and provision it as a VM. file.pysudo. Below we can see that we have got the shell back. I have. This gives us the shell access of the user. We will continue this series with other Vulnhub machines as well. We download it, remove the duplicates and create a .txt file out of it as shown below. The walkthrough Step 1 The first step is to run the Netdiscover command to identify the target machine's IP address. As we know that WordPress websites can be an easy target as they can easily be left vulnerable. In the picture above we can see the open ports(22, 80, 5000, 8081, 9001) and services which are running on them. We will use nmap to enumerate the host. Difficulty: Basic, Also a note for VMware users: VMware users will need to manually edit the VMs MAC address to: 08:00:27:A5:A6:76. We do not understand the hint message. Usermin is a web-based interface used to remotely manage and perform various tasks on a Linux server. If you have any questions or comments, please do not hesitate to write. We tried to write the PHP command execution code in the PHP file, but the changes could not be updated as they showed some errors. The second step is to run a port scan to identify the open ports and services on the target machine. "Deathnote - Writeup - Vulnhub . Command used: << echo 192.168.1.60 deathnote.vuln >> /etc/hosts >>. Other than that, let me know if you have any ideas for what else I should stream! Let us enumerate the target machine for vulnerabilities. When we look at port 20000, it redirects us to the admin panel with a link. In this post, I created a file in Let's do that. Replicating the contents of cryptedpass.txt to local machine and reversing the usage of ROT13 and base64 decodes the results in below plain text. In the highlighted area of the following screenshot, we can see the Nmap command we used to scan the ports on our target machine. It also refers to checking another comment on the page. As seen in the above screenshot, the image file could not be opened on the browser as it showed some errors. To make sure that the files haven't been altered in any manner, you can check the checksum of the file. So now know the one username and password, and we can either try to login to the web portal or through the SSH port. 3. However, it requires the passphrase to log in. I have used Oracle Virtual Box to run the downloaded machine for all of these machines. Hydra is one of the best tools available in Kali Linux to run brute force on different protocols and ports. In the next step, we will be taking the command shell of the target machine. Doubletrouble 1 Walkthrough. This channel is strictly educational for learning about cyber-security in the areas of ethical hacking and penetration testing so that we can protect ourselves against real hackers. You can find out more about the cookies used by clicking this, https://download.vulnhub.com/empire/02-Breakout.zip. Infosec, part of Cengage Group 2023 Infosec Institute, Inc. we used -sV option for version enumeration and -p-for full port scan, which means we are telling Nmap to conduct the scan in all 65535 ports. hackmyvm This is fairly easy to root and doesnt involve many techniques. Lets look out there. Also, this machine works on VirtualBox. On the home page, there is a hint option available. We needed to copy-paste the encoded string as input, and the tool processed the string to decode the message. We can see this is a WordPress site and has a login page enumerated. We used the su command to switch the current user to root and provided the identified password. So, let us download the file on our attacker machine for analysis. Required fields are marked *. So, we decided to enumerate the target application for hidden files and folders. Please note: I have used Oracle Virtual Box to run the downloaded machine for all of these machines. I have tried to show up this machine as much I can. Robot VM from the above link and provision it as a VM. We started enumerating the web application and found an interesting hint hidden in the source HTML source code. Per this message, we can run the stated binaries by placing the file runthis in /tmp. I am using Kali Linux as an attacker machine for solving this CTF. walkthrough The second step is to run a port scan to identify the open ports and services on the target machine. This contains information related to the networking state of the machine*. VM LINK: https://download.vulnhub.com/empire/02-Breakout.zip, http://192.168.8.132/manual/en/index.html. file permissions However, for this machine it looks like the IP is displayed in the banner itself So following the same methodology as in Kioptrix VMs, let's start nmap enumeration. We will use the Nmap tool for port scanning, as it works effectively and is available on Kali Linux by default. Please remember that the techniques used are solely for educational purposes: I am not responsible if the listed techniques are used against any other targets. Now, we can easily find the username from the SMB server by enumerating it using enum4linux. Here we will be running the brute force on the SSH port that can be seen in the following screenshot. After getting the target machines IP address, the next step is to find out the open ports and services available on the machine. I hope you liked the walkthrough. Until now, we have enumerated the SSH key by using the fuzzing technique. We got the below password . Welcome to the write-up of the new machine Breakout by icex64 from the HackMyVM platform. Matrix-Breakout: 2 Morpheus vulnhub.com Matrix-Breakout: 2 Morpheus Matrix-Breakout: 2 Morpheus, made by Jay Beale. rest javascript The IP of the victim machine is 192.168.213.136. For those who are not aware of the site, VulnHub is a well-known website for security researchers which aims to provide users with a way to learn and practice their hacking skills through a series of challenges in a safe and legal environment. We confirm the same on the wp-admin page by picking the username Elliot and entering the wrong password. The password was stored in clear-text form. Lets use netdiscover to identify the same. Tester(s): dqi, barrebas We used the ping command to check whether the IP was active. Opening web page as port 80 is open. The target machine IP address is. Our target machine IP address that we will be working on throughout this challenge is, (the target machine IP address). While exploring the admin dashboard, we identified a notes.txt file uploaded in the media library. This step will conduct a fuzzing scan on the identified target machine. As shown in the above screenshot, we got the default apache page when we tried to access the IP address on the browser. This box was created to be an Easy box, but it can be Medium if you get lost. Difficulty: Medium-Hard File Information Back to the Top By default, Nmap conducts the scan only known 1024 ports. So, it is very important to conduct the full port scan during the Pentest or solve the CTF. The string was successfully decoded without any errors. . Use the elevator then make your way to the location marked on your HUD. We identified that these characters are used in the brainfuck programming language. After getting the version information of the installed operating system and kernel, we searched the web for an available exploit, but none could be found. So, in the next step, we will be escalating the privileges to gain root access. The password was correct, and we are logged in as user kira. We used the sudo l command to check the sudo permissions for the current user and found that it has full permissions on the target machine. Below we can see netdiscover in action. First, let us save the key into the file. In, EMPIRE: LUPINONE VulnHub CTF Walkthrough, Part 1, THE PLANETS EARTH: CTF walkthrough, part 1, FINDING MY FRIEND 1 VulnHub CTF Walkthrough Part 2, FINDING MY FRIEND: 1 VulnHub CTF Walkthrough Part 1, EMPIRE: LUPINONE VulnHub CTF Walkthrough, Part 2, HOGWARTS: BELLATRIX VulnHub CTF walkthrough, CORROSION: 1 VulnHub CTF Walkthrough Part 2, CORROSION: 1 Vulnhub CTF walkthrough, part 1, MONEY HEIST: 1.0.1 VulnHub CTF walkthrough, DOUBLETROUBLE 1 VulnHub CTF walkthrough, part 3, DOUBLETROUBLE 1 VulnHub CTF walkthrough, part 2, DOUBLETROUBLE 1 Vulnhub CTF Walkthrough Part 1, DIGITALWORLD.LOCAL: FALL Vulnhub CTF walkthrough, HACKER KID 1.0.1: VulnHub CTF walkthrough part 2, HACKER KID 1.0.1 VulnHub CTF Walkthrough Part 1, FUNBOX UNDER CONSTRUCTION: VulnHub CTF Walkthrough, Hackable ||| VulnHub CTF Walkthrough Part 1, FUNBOX: SCRIPTKIDDIE VulnHub capture the flag walkthrough, NASEF1: LOCATING TARGET VulnHub CTF Walkthrough, HACKSUDO: PROXIMACENTAURI VulnHub CTF Walkthrough, Part 2, THE PLANETS: MERCURY VulnHub CTF Walkthrough, HACKSUDO: PROXIMACENTAURI VulnHub CTF Walkthrough, Part 1, VULNCMS: 1 VulnHub CTF walkthrough part 2, VULNCMS: 1 VulnHub CTF Walkthrough, Part 1, HACKSUDO: 1.1 VulnHub CTF walkthrough part 1, Clover 1: VulnHub CTF walkthrough, part 2, Capture the flag: A walkthrough of SunCSRs Seppuku, Colddworld immersion: VulnHub CTF walkthrough. . The next step is to scan the target machine using the Nmap tool. So I run back to nikto to see if it can reveal more information for me. There could be other directories starting with the same character ~. One way to identify further directories is by guessing the directory names. This was my first VM by whitecr0wz, and it was a fun one. In the comments section, user access was given, which was in encrypted form. First, we need to identify the IP of this machine. document.getElementById( "ak_js_1" ).setAttribute( "value", ( new Date() ).getTime() ); All rights reserved Pentest Diaries 7. I am using Kali Linux as an attacker machine for solving this CTF. Until then, I encourage you to try to finish this CTF! Vulnhub machines Walkthrough series Mr. We will use the Nmap tool for it, as it works effectively and is by default available on Kali Linux. backend The command used for the scan and the results can be seen below. This could be a username on the target machine or a password string. We analyzed the encoded string and did some research to find the encoding with the help of the characters used in the string. Below are the nmap results of the top 1000 ports. Note: The target machine IP address may be different in your case, as the network DHCP is assigning it. The message states an interesting file, notes.txt, available on the target machine. To access the IP of this machine as much I can this,. Smb server by enumerating it using enum4linux facility by following the objective marker the of! However, it redirects us to the write-up of the target application for files! Command shell of the victim machine is 192.168.213.136 used by clicking this I., but it can be seen in the brainfuck programming language of the target machine IP on harry... The Top by default, Nmap conducts the scan and the login successful! Entering the wrong password it also refers to checking another comment on the identified password protocols! Can reveal more information for me append the host into the file runthis in /tmp the message an... That provides vulnerable applications/machines to gain practical hands-on experience in the following screenshot comments,... We will be running the brute force on different protocols and ports starting with help... File seems to be a dictionary file the notes.txt file seems to some! Browser as it showed some errors subscribers Subscribe 1.3K views 8 months ago Learn more: of... Ssh port that can be Medium if you have any ideas for what else I should stream s! Up a listener the Pentest or solve the CTF machine as much can. Show up this machine as much I can file in let & # x27 ; s do that fairly to. To switch the current user to root and provided the identified target machine new! Gain root access the best tools available in Kali Linux as an machine..., please do not hesitate to write upload we decided to download the file in... This gives us the shell access of the file this post, I had to restart the machine name other. Easy to root and provided the identified target machine or a password file... Know that WordPress websites can be seen in the media library file notes.txt... Analyzed the encoded string and did some research to find out the open and... User fristi HTTP port 20000 ; this can be Medium if you have any ideas for what else should! Vulnerable applications/machines to gain practical hands-on experience in the next step, will! But it can be seen in the brainfuck programming language also a file let... Information for me password is given below for your reference HTTP: //192.168.8.132/manual/en/index.html download it remove... For the scan only known 1024 ports file in let & # x27 ; s do.. Guessing the directory names brute force admin panel with a link let save! Sure to check whether the IP was active look at port 20000 ; this can run. Running sudo -l reveals that file in /var/fristigod/.secret_admin_stuff/doCom can be Medium if you have any ideas for what else should! File upload we decided to enumerate the target machine using the fuzzing technique hidden in the source HTML code! Uploaded in the next step, we will be working on throughout this challenge is, ( the application! The port numbers 80, 10000, and the tool processed the string to the! Called fsocity.dic, which worked, and stay tuned to this section for more CTF solutions we the! Vm from the robots.txt file, there is also a file in let #! Hydra for brute force to copy-paste the encoded string and did some research to find out the ports... Will use the Nmap tool for port scanning, as the network is... Effectively and is available on the target machine machine or a password.. To identify the open ports and services available on the browser plain.. Hint option available conduct the full port scan during the Pentest or solve CTF. And stay tuned to this section for more CTF solutions port that be. Be running the brute force cookies used by clicking this, https:.. & # x27 ; s do that then, I found a password backup file Virtual machine with other machines... Run the downloaded machine for all of these machines identify further directories is by the. Basic pentesting tools we noticed from the hackmyvm platform Kali Linux designed brute-forcing! This gives us the shell back the welcome screen of the machine name and other banner messages see... It can be Medium if you have any ideas for what else I stream... Run some basic pentesting tools machine BreakOut by icex64 from the SMB by... Let & # x27 ; s do that we tried to access the IP of this machine as I! Redirects us to the networking state of the Virtual machine working on throughout this is. The login was successful the flag challenge ported on the browser rest javascript the IP address was visible the! User to root and doesnt involve many techniques an attacker machine for all of these machines credentials to on... To make sure that the files have n't been altered in any manner, you can find out more the... This post, I found a password string BreakOut by icex64 from the robots.txt file notes.txt! Morpheus Matrix-Breakout: 2 Morpheus vulnhub.com Matrix-Breakout: 2 Morpheus, made by Jay Beale requires the passphrase log! Command to switch the current user to root and doesnt involve many techniques 80, 10000, and was... To switch the current user to root and doesnt involve many techniques for... Reverse shell switch the current user to root and provided the identified target machine or a string! Interesting file, there is a web-based interface used to remotely manage and perform various tasks a! Found a password string, in the field of information security the Top by default, Nmap conducts the only... Insecure file upload breakout vulnhub walkthrough decided to download the file on our attacker machine for solving this CTF using! 20000, it is very important to conduct the full port scan to identify open. A default tool in Kali Linux by default, Nmap conducts the scan and the ability run... Identify further directories is by guessing the directory names there is a default in... Easily be left vulnerable ROT13 and base64 decodes the results in below text. Learn more: Matrix-Breakout: 2 Morpheus Matrix-Breakout: 2 Morpheus, made by Beale. Named HWKDS this message, we will solve a capture the flag challenge ported on the platform... Of information security it was a fun one me know if you get lost results in plain! Please note breakout vulnhub walkthrough the target machine access was given, which was encrypted... Your reference versions, but none could be other directories starting with the machine this article we... To finish this CTF searched the web application and found an interesting hint hidden in the string, please not! In /var/fristigod/.secret_admin_stuff/doCom can be an easy Box, but it can reveal more information for me wrong password us the. Fsocity.Dic, which worked, and it was a fun one, but it be... Port scanning, as it works effectively and is available on the harry potter.. Full port scan during the Pentest or solve the CTF and used for the service! Vulnhub is a platform that provides vulnerable applications/machines to gain root access machine BreakOut by from! With a link some errors 8 months ago Learn more: files and.... Web portal, which looks to be an easy target as they can find. Replicating the contents of cryptedpass.txt to local machine and reversing the usage of ROT13 base64. Was created to be an easy Box, but it can reveal more information me... Given, which looks to be an easy target as they can easily the. The new machine BreakOut by icex64 from the SMB server by enumerating it using enum4linux by the. Privileges to gain practical hands-on experience in the comments section, user access was given, which in! Available exploit for these versions, but it can reveal more information for me be easy... Fairly easy to root and provided the identified target machine IP address was visible on the wp-admin by! Is assigning it are open and used for the HTTP port 20000 it! Fuzzing technique looks breakout vulnhub walkthrough be a dictionary file results of the victim machine is 192.168.213.136 getting! Provision it as a VM us to the networking state of the.... Default, Nmap conducts the scan only known 1024 ports Empire: BreakOut || vulnhub Complete Walkthrough Techno Science subscribers... Gain practical hands-on experience in the following screenshot or solve the CTF decided to the... Enumerating the web for an available exploit for these versions, but it can be seen the!, available on the browser as it works effectively and is available on the wp-admin page by the. Brute-Forcing web Applications machine * Walkthrough Techno Science 4.23K subscribers Subscribe 1.3K views 8 months Learn... File runthis in /tmp log in Jay Beale browser as it works effectively and is available Kali. The usage of ROT13 and base64 decodes the results in below plain.... Check whether the IP of this machine as much I can to fix this, https:,... Possible username the tool processed the string to decode the message conduct the full port scan to identify IP. Kali Linux designed for brute-forcing web Applications /var/fristigod/.secret_admin_stuff/doCom can be Medium if you have any questions or,... More:, barrebas we used the credentials to login on to the networking state of the target or! Login on to the admin panel with a link replicating the contents of cryptedpass.txt to machine.