Empire: LupinOne Walkthrough – Privilege escalation through Python Libs

This article is a walkthrough for Empire LupinOne vulnerable machine. You can download this from vulnhub. The vulnerable machine is full of fuzzing and escalation of privileges by exploiting Python libraries with SUID being setup. Let’s look into exploiting this:

Requirements:
1. Vmware/Virtual Box < This is to run the vulnerable machine.
2. Download LupinOne : https://www.vulnhub.com/entry/empire-lupinone,750/
3. Kali or any other penetration testing OS you are comfortable with

1. To discover the IP of this machine through Kali, Use command netdiscover or if you know which network the machine could be in, you can use nmap as well.
netdiscover output

The IP address of the vulnerable machine is 172.16.37.135

2. The front page comes up with a picture:
LupinOne empire

I checked robots.txt to see what else we can find and it gives out a directory : “/~myfiles”. You can use the tools like “nikto” to give you such informations but it purely depends on your choice. I usually do some manual checks of the source code of the site and check for any robots.txt.

~myfiles page looks like this :
Error 404 lupinone3. Now after this, our next step would be to check for more directories and do more fuzzing. i have tried a lot of things before I found a ~secret directory. I used gobuster as a fuzzing tool here, you can use wfuzz and ffuf or any other tool:
command : gobuster fuzz -w wordlist -u http://<ip-of-the-vulnerable-machine/~FUZZ -b 404

gobuster

 

When you will open ~secret directory you will find below information.

secret directoryNow, we know the file must be hidden somewhere and we need to fuzz that hidden file:
fuzzing with gobuster
There was a lot of time spent finding that file, from the message on ~secret, we knew that the file is hidden and so must start with “.”, then adding .txt was after several tries with different list of extensions and different directory lists.
You will find the .mysecret.txt file. This file contains some text which at first seemed like base64 but there were no non alphanumeric characters, I anyway tried to decode it with base64, base32 as well as all the other encodings using https://gchq.github.io/CyberChef/ and finally I found Base58 to be the correct encoding used.

base58 decoded

We have got a private key which needs to be cracked. To do that we will first convert this private key into a hash so john can compare different ssh hashes with this one and give us the password.LupinOne empire ssh2john

After the above step, we will crack the password with the help of john:

john crack ssh private key

Let’s do the SSH into the server now:

#ssh -i id_rsa icex64@172.16.37.135

You will be logged in as icex64 and in the user.txt, you will find the first flag.

4. The next step would be to take a look around what you can find in the server. You will find that icex64 can run a python program as arsene user:
suid bits

Let’s focus on this piece of information and see what we can do with it. Now, if you take a look at the python code python privilege escalationThe above code is a very simple code which makes use of webbrowser library in python and open the link provided to it, however there is no parameter or argument we can provide to get any kind of reverse shell from this code. So somehow we need to find a way to change this code so we can get a reverse shell.

Let’s use nano editor to edit this file: heist.py, Couldn’t edit this file because of the permission issues.

Let’s see if we can edit library webbrowser :

 

5. We still do not have root and to get there we will again check for SUID bits or privileged commands:

I did a quick check on google to see how I can escalate the privileges through pip and I found this amazing article : https://gtfobins.github.io/gtfobins/pip/ , they have showed a lot of ways to get that. You can choose any of them. I used the first one :

TF=$(mktemp -d)
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
pip install $TF

pip priviliege escalation

 

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: