This article is a walkthrough for Empire LupinOne vulnerable machine. You can download this from vulnhub. The vulnerable machine is full of fuzzing and escalation of privileges by exploiting Python libraries with SUID being setup. Let’s look into exploiting this:
1. Vmware/Virtual Box < This is to run the vulnerable machine.
2. Download LupinOne : https://www.vulnhub.com/entry/empire-lupinone,750/
3. Kali or any other penetration testing OS you are comfortable with
1. To discover the IP of this machine through Kali, Use command netdiscover or if you know which network the machine could be in, you can use nmap as well.
The IP address of the vulnerable machine is 172.16.37.135
2. The front page comes up with a picture:
I checked robots.txt to see what else we can find and it gives out a directory : “/~myfiles”. You can use the tools like “nikto” to give you such informations but it purely depends on your choice. I usually do some manual checks of the source code of the site and check for any robots.txt.
~myfiles page looks like this :
3. Now after this, our next step would be to check for more directories and do more fuzzing. i have tried a lot of things before I found a ~secret directory. I used gobuster as a fuzzing tool here, you can use wfuzz and ffuf or any other tool:
command : gobuster fuzz -w wordlist -u http://<ip-of-the-vulnerable-machine/~FUZZ -b 404
When you will open ~secret directory you will find below information.
Now, we know the file must be hidden somewhere and we need to fuzz that hidden file:
There was a lot of time spent finding that file, from the message on ~secret, we knew that the file is hidden and so must start with “.”, then adding .txt was after several tries with different list of extensions and different directory lists.
You will find the .mysecret.txt file. This file contains some text which at first seemed like base64 but there were no non alphanumeric characters, I anyway tried to decode it with base64, base32 as well as all the other encodings using https://gchq.github.io/CyberChef/ and finally I found Base58 to be the correct encoding used.
We have got a private key which needs to be cracked. To do that we will first convert this private key into a hash so john can compare different ssh hashes with this one and give us the password.
After the above step, we will crack the password with the help of john:
Let’s do the SSH into the server now:
#ssh -i id_rsa firstname.lastname@example.org
You will be logged in as icex64 and in the user.txt, you will find the first flag.
4. The next step would be to take a look around what you can find in the server. You will find that icex64 can run a python program as arsene user:
Let’s focus on this piece of information and see what we can do with it. Now, if you take a look at the python code The above code is a very simple code which makes use of webbrowser library in python and open the link provided to it, however there is no parameter or argument we can provide to get any kind of reverse shell from this code. So somehow we need to find a way to change this code so we can get a reverse shell.
Let’s use nano editor to edit this file: heist.py, Couldn’t edit this file because of the permission issues.
Let’s see if we can edit library webbrowser :
- Use locate to command to find webbrowser directory:
- check permissions with command “#ls -la” and you will see the permission as rwx for users and other:
- Since we have the permission to edit , lets take payload from https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md and then add this to open function which is being called in arsene’s script:
- Before running heist script, run a listener with the help of nc and you will get the access to arsene’s account:
5. We still do not have root and to get there we will again check for SUID bits or privileged commands:
I did a quick check on google to see how I can escalate the privileges through pip and I found this amazing article : https://gtfobins.github.io/gtfobins/pip/ , they have showed a lot of ways to get that. You can choose any of them. I used the first one :
TF=$(mktemp -d) echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py pip install $TF