https://download.vulnhub.com/deathnote/Deathnote.ova. Hydra is one of the best tools available in Kali Linux to run brute force on different protocols and ports. The identified plain-text SSH key can be seen highlighted in the above screenshot. BOOM! I am using Kali Linux as an attacker machine for solving this CTF. As per the description, this is a beginner-friendly challenge as the difficulty level is given as easy. We got one of the keys! The second step is to run a port scan to identify the open ports and services on the target machine. The online tool is given below. Please note: For all of these machines, I have used the VMware workstation to provision VMs. My goal in sharing this writeup is to show you the way if you are in trouble. Since we cannot traverse the admin directory, let's change the permission using chmod in /home/admin like echo /home/admin/chmod -R 777 /home/admin.. After executing the above command, we are able to browse the /home/admin, and I found a couple of interesting files like whoisyourgodnow.txt and cryptedpass.txt. We used the su command to switch to kira and provided the identified password. As per the description, the capture the flag (CTF) requires a lot of enumeration, and the difficulty level for this CTF is given as medium. EMPIRE BREAKOUT: VulnHub CTF walkthrough, April 11, 2022, by LetsPen Test. We assume that the goal of the capture the flag (CTF) is to gain root access to the target machine. The level is considered beginner-intermediate. Welcome to the write-up of the new machine Breakout by icex64 from the HackMyVM platform. I simply copy the public key from my .ssh/ directory to authorized_keys. So, we need to add the given host into our /etc/hosts file to run the website in the browser. Let's do that.
sudo nmap -v -T4 -A -p- -oN nmap.log 192.168.19.130 Nmap scan result sudo netdiscover -r 192.168.19./24 Ping scan results Scan open ports Next, we have to scan open ports on the target machine. We used the ping command to check whether the IP was active. The Usermin application admin dashboard can be seen in the below screenshot. So, let us open the URL in the browser, which can be seen below. We added another character, ., which is used for hidden files in the scan command. So, let us open the identified directory manual in the browser, which can be seen below. We are now logged into the target machine as user l. We ran the id command; the output shows that we are not the root user. Keep practicing by solving new challenges, and stay tuned to this section for more CTF solutions. The torrent downloadable URL is also available for this VM; it has been added in the reference section of this article. Unlike my other CTFs, this time, we do not require using the Netdiscover command to get the target IP address. Using this username and the previously found password, I could log into the Webmin service running on port 20000. sudo netdiscover -r 10.0.0.0/24 The IP address of the target is 10.0.0.26 Identify the open services Let's check the open ports on the target. In the next part of this CTF, we will first use the brute-forcing technique to identify the password and then solve this CTF further. This means that the HTTP service is enabled on the Apache server. Merely adding the .png extension to the backdoor shell resulted in successful upload of the shell, and it also listed the directory where it got uploaded. The same was verified using the cat command, and the command's output shows that the mentioned host has been added. WPScanner is one of the most popular vulnerability scanners to identify vulnerabilities in WordPress applications, and it is available in Kali Linux by default.
Then we again spent some time on enumeration and identified a password file in the backup folder as follows: We ran the ls -l command to list file permissions, which says only the root can read and write this file. Prerequisites would be having some knowledge of Linux commands and the ability to run some basic pentesting tools. The IP address was visible on the welcome screen of the virtual machine. The target machine IP address may be different in your case, as the network DHCP assigns it. We are going to exploit the driftingblues1 machine of Vulnhub. This gives us the shell access of the user. Quickly looking into the source code reveals a base-64 encoded string. Difficulty: Medium-Hard. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets. In the next step, we will be using automated tools for this very purpose. So, let's start the walkthrough. I have also provided a downloadable URL for this CTF here, so you can download the machine and run it on VirtualBox. Before executing the uploaded shell, I opened a connection to listen on the attacking box and as soon as the image is opened/executed, we got our low-priv shell back. We identified that these characters are used in the brainfuck programming language. The difficulty level is marked as easy. os.system . The hint message shows us some direction that could help us log into the target application. It tells Nmap to conduct the scan on all the 65535 ports on the target machine. Command used: << enum4linux -a 192.168.1.11 >>.
WordPress then reveals that the username Elliot does exist. First, we need to identify the IP of this machine. EMPIRE: BREAKOUT Vulnhub Walkthrough In English - Pentest Diaries. The scan command and results can be seen in the following screenshot. Lastly, I logged into the root shell using the password. There could be hidden files and folders in the root directory. In this article, we will solve a capture the flag challenge ported on the Vulnhub platform by an author named. By default, Nmap conducts the scan only on known 1024 ports. The output of the Nmap shows that two open ports have been identified as open in the full port scan. Infosec, part of Cengage Group 2023 Infosec Institute, Inc. Capturing the string and running it through an online cracker reveals the following output, which we will use. The ping response confirmed that this is the target machine IP address. Although this is straightforward, this is slightly difficult for people who don't have enough experience with CTF challenges and Linux machines. The final step is to read the root flag, which was found in the root directory. We decided to enumerate the system for known usernames. As seen in the above screenshot, the image file could not be opened in the browser as it showed some errors. After that, we tried to log in through SSH. Testing the password for admin with thisisalsopw123, and it worked. However, for this machine it looks like the IP is displayed in the banner itself. I wish you a good days, cyber@breakout:~$ ./tar -cvf old_pass /var/backups/.old_pass.bak, cyber@breakout:~$ cat var/backups/.old_pass.bak. This is fairly easy to root and doesn't involve many techniques.
A large output has been generated by the tool. Let's look out there. Today we will take a look at Vulnhub: Breakout. Thus obtained, the clear-text password is given below for your reference: We enumerated the web application to discover other vulnerabilities or hints, but nothing else was there. It can be seen in the following screenshot. We do not understand the hint message. First off I got the VM from https: . Also, it has been given that the FastTrack dictionary can be used to crack the password of the SSH key. Let us start the CTF by exploring the HTTP port. Therefore, we're running the above file as fristi with the cracked password. << ffuf -u http://192.168.1.15/~FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -e .php,.txt >>. This is a method known as fuzzing. Anyway, I have tested this machine on VirtualBox and it sometimes loses the network connection. So I run back to nikto to see if it can reveal more information for me. Similarly, we can see SMB protocol open. Here, we don't have an SSH port open. The identified password is given below for your reference. VulnHub provides materials allowing anyone to gain practical hands-on experience with digital security, computer applications and network administration tasks. We used the -sV option for version enumeration and -p- for a full port scan, which means we are telling Nmap to conduct the scan on all 65535 ports.
So, we ran the WPScan tool on the target application to identify known vulnerabilities. For hints, Discord server ( https://discord.gg/7asvAhCEhe ). I have. The hint also talks about the best friend, the possible username. It is especially important to conduct a full port scan during the pentest or when solving the CTF for maximum results. However, the webroot might be different, so we need to identify the correct path behind the port to access the web application. If you understand the risks, please download! Note: The target machine IP address may be different in your case, as the network DHCP assigns it. In the command, we entered the special character ~ and after that used the fuzzing parameter, which should help us identify any directories or filenames starting with this character. We download it, remove the duplicates and create a .txt file out of it as shown below. However, upon opening the source of the page, we see a brainf#ck cypher. Locate the transformers inside and destroy them. First, we tried to read the shadow file that stores all users' passwords. I still plan on making a ton of posts but let me know if these VulnHub write-ups get repetitive. So, let us try to switch the current user to kira and use the above password. We have to use a shell script which can be used to break out from restricted environments by spawning . After running the downloaded virtual machine in the virtual box, the machine will automatically be assigned an IP address from the network DHCP. As we noticed from the robots.txt file, there is also a file called fsocity.dic, which looks to be a dictionary file. Also, it's always better to spawn a reverse shell.
To my surprise, it did resolve, and we landed on a login page. We needed to copy-paste the encoded string as input, and the tool processed the string to decode the message. The IP of the victim machine is 192.168.213.136. Note: The target machine IP address may be different in your case, as the network DHCP is assigning it. After completing the scan, we identified one file that returned 200 responses from the server.
File permissions. Taking remote shell by exploiting remote code execution vulnerability. Getting the root shell. The walkthrough. Step 1: The first step to start solving any CTF is to identify the target machine's IP address. Author: Ar0xA. "Writeup - Breakout - HackMyVM - Walkthrough". Link to the machine: https://hackmyvm.eu/machines/machine.php?vm=Breakout. Identify the target: As usual, I started the exploitation by identifying the IP address of the target.