CTF Solution: EMPIRE:LupinOne

Hello fellas, in this write-up we'll provide the solution to the CTF Empire:LupinOne. This is an easy-to-medium CTF, although a few hints from the Discord channel were needed to solve it. Let's dive straight into it.

As usual, after importing the CTF (target) machine and running it in VirtualBox, we use the netdiscover command on the attacking machine to find its IP address.

We then run an nmap scan against the IP address found (in our case, 10.0.10.6).

From our scan, we see that ports 22 (SSH) and 80 (HTTP) are open. We also see that a /robots.txt path was found. Let's open /robots.txt in the browser.

We see that there's another path, /~myfiles. Let's access that path in the browser.

The /~myfiles path just displays an error page, so let's view the page source to see if we can find any hints to getting remote access via SSH.

From the page source, not much help was gotten and I spent tons of hours figuring out what to do next. At this point, I had to get some hints as I had already done some directory busting using the rockyou.txt wordlist.

Using hints found on the Discord channel, we then do another round of directory busting with ffuf, using a SecLists wordlist:

ffuf -u "http://10.0.10.6:80/~FUZZ" -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt

From the image, we can now see that another path, /~secret, was found. Also, note the URL fuzzed and how it was fuzzed: the hint suggested fuzzing with the tilde symbol (~), just like the path /~myfiles. Let's head over to the /~secret path.

The page gives a couple of hints on the next step. First, it says that the private SSH key file is on the HTTP server (suggesting we fuzz further), states that we can use the fasttrack wordlist to crack its password, and that the key belongs to the user icex64. Also, since it's a private SSH key file, we should remember that SSH files are usually hidden with a leading period (.). Using the hints, let's fuzz with ffuf again, but this time also trying to catch files with .txt and .php extensions. We will fuzz the URL http://10.0.10.6:80/~secret/.FUZZ with the command:

ffuf -u "http://10.0.10.6:80/~secret/.FUZZ" -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -e .php,.txt -mc 200

Note that the period before the FUZZ keyword in the command is there because SSH key files are typically hidden and therefore preceded by a period.
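From the defender's side, fuzzing of this kind leaves an obvious trace in the web server's access log: one client producing a burst of distinct 404 responses in a short window. The following Python detector is an added example (not part of the original write-up) that parses Apache/nginx combined-format log lines and flags any source IP whose number of distinct not-found paths inside a sliding time window reaches a threshold. The log lines are constructed for the example, and the log-format regex, window length and threshold are assumptions to tune for a real server.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" access log format (assumption about the server's log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample: one client walking /~<name> guesses, one ordinary visitor.
SAMPLE_LOG = """\
10.0.10.5 - - [20/Nov/2021:10:00:00 +0000] "GET /~admin HTTP/1.1" 404 196
10.0.10.5 - - [20/Nov/2021:10:00:00 +0000] "GET /~backup HTTP/1.1" 404 196
10.0.10.5 - - [20/Nov/2021:10:00:01 +0000] "GET /~secret HTTP/1.1" 200 1024
10.0.10.5 - - [20/Nov/2021:10:00:01 +0000] "GET /~test HTTP/1.1" 404 196
10.0.10.5 - - [20/Nov/2021:10:00:02 +0000] "GET /~www HTTP/1.1" 404 196
10.0.10.5 - - [20/Nov/2021:10:00:02 +0000] "GET /~files HTTP/1.1" 404 196
10.0.10.7 - - [20/Nov/2021:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.10.7 - - [20/Nov/2021:10:00:04 +0000] "GET /robots.txt HTTP/1.1" 200 60
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def detect_fuzzing(log_text, window_seconds=60, threshold=5):
    """Return {ip: {"count": n, "sample_paths": [...]}} for every client whose number of
    distinct paths answered 404 within any window_seconds-long window reaches threshold."""
    misses = defaultdict(list)  # ip -> [(timestamp, path)] for 404 responses only
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            misses[rec["ip"]].append((rec["ts"], rec["path"]))

    flagged = {}
    window = timedelta(seconds=window_seconds)
    for ip, events in misses.items():
        events.sort(key=lambda e: e[0])
        best, best_paths, start = 0, [], 0
        # Two-pointer sliding window over the time-sorted 404 events.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            window_paths = {p for _, p in events[start:end + 1]}
            if len(window_paths) > best:
                best, best_paths = len(window_paths), sorted(window_paths)
        if best >= threshold:
            flagged[ip] = {"count": best, "sample_paths": best_paths[:5]}
    return flagged


if __name__ == "__main__":
    for ip, info in detect_fuzzing(SAMPLE_LOG).items():
        print(f"{ip}: {info['count']} distinct 404s in window, e.g. {info['sample_paths']}")
```

Counting distinct paths rather than raw 404s keeps a single broken link that is reloaded repeatedly from tripping the rule; a wordlist scan produces a new path on almost every request.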

We see that a mysecret.txt file is on the server and can be accessed at http://10.0.10.6:80/~secret/.mysecret.txt. Let's move over to the browser to access it.

The content of the file looks to be encoded (it actually is... lol). Base64 decoding did not give any meaningful output, so we tried identifying the string and many other things. The encoding was not found until we got the hint from the Discord channel, only to find out it was base58 (very, very strange... lol).

Since we've identified the encoding, let's head over to CyberChef to decode it.

After decoding the file, we copy the decoded key and save it to a file named private_key. You can save yours as anything.
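To make the base58 step reproducible without CyberChef, here is a small base58 codec in pure Python, added as an example and not taken from the original write-up. It uses the Bitcoin alphabet (digits and letters minus 0, O, I and l), preserves leading zero bytes as leading '1' characters, and includes a charset classifier that separates base58 from base64 text (base58 never contains 0, O, I, l, +, / or =), which is the quick check that would have pointed at base58 before reaching for the hint. The sample plaintext is constructed and is not a real key.

```python
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BASE64_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")


def b58encode(data: bytes) -> str:
    """Encode bytes as base58; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(data, "big")
    digits = []
    while n:
        n, rem = divmod(n, 58)
        digits.append(ALPHABET[rem])
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + "".join(reversed(digits))


def b58decode(text: str) -> bytes:
    """Decode base58 text; raises ValueError on a character outside the alphabet."""
    n = 0
    for ch in text:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character: {ch!r}")
        n = n * 58 + idx
    pad = len(text) - len(text.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * pad + body


def classify(text: str) -> str:
    """Charset-based guess for an unknown blob: 'base58', 'base64' or 'unknown'.
    The base58 alphabet is a subset of base64's, so base58 is tested first: a blob that
    never uses 0, O, I, l, +, / or = is a strong base58 candidate even though base64
    decoding would also 'succeed' on it (and produce garbage)."""
    compact = "".join(text.split())  # ignore line breaks from a pasted file
    if not compact:
        return "unknown"
    if all(ch in ALPHABET for ch in compact):
        return "base58"
    if all(ch in BASE64_CHARS for ch in compact):
        return "base64"
    return "unknown"


# Constructed sample (not a real key), encoded with the function above.
SAMPLE_PLAINTEXT = b"-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed sample, not a real key\n"
SAMPLE_ENCODED = b58encode(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print("guess:", classify(SAMPLE_ENCODED))
    print(b58decode(SAMPLE_ENCODED).decode())
```

On a real blob, run classify() first; if it says base58 and base64 decoding gave noise, b58decode() is the next thing to try.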

Next, let's try to use the key and gain remote access via ssh with the command

ssh -i private_key icex64@10.0.10.6

We notice that we were denied access: the permissions on the key file, private_key, are too open, and a password is required. To fix this, we first restrict the key permissions with chmod 600 private_key and then use John the Ripper to crack the password using the fasttrack wordlist.

After assigning strict permissions to the key file, we extract the hash of the key into a key_hash.txt file with ssh2john private_key > key_hash.txt. Then we crack the password with john --wordlist=/usr/share/wordlists/fasttrack.txt key_hash.txt. To view the cracked password, we use john key_hash.txt --show.

Now we see that the password is P@55w0rd! (the exclamation mark is part of it). Let's log in remotely as icex64 over SSH with the key and password.

We now have remote access as icex64 and proceed to look for things to exploit.

In the /home/icex64 directory, we see a user.txt file, which tells us we've found the first flag.

In the /home directory, we see that there's another user, arsene, and that we can view files in arsene's home directory. We notice a note.txt and a heist.py script that we can read.

The contents of the two files are shown in the image above. Let's run sudo -l to see if icex64 has any sudo privileges.

We see that icex64 can run /usr/bin/python3.9 /home/arsene/heist.py as arsene via sudo without a password. To exploit this, we are going to use one of the Python library hijacking techniques to escalate horizontally to arsene.

When we viewed the content of heist.py, we noticed that the webbrowser module was imported and that webbrowser.open() was called in the script. Using linpeas, we found where the webbrowser module is located: /usr/lib/python3.9/webbrowser.py.

Now we edit the module by adding os.system('/bin/bash') to the open() function.

Then, running sudo -u arsene /usr/bin/python3.9 /home/arsene/heist.py, we become arsene.
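Library hijacking of this kind only works because the interpreter loads a module file that a lower-privileged user can modify. The script below is an added example (not from the write-up) of the check a defender would run on a host with a sudo rule like this one: given the module names a script imports and the interpreter's search path, it resolves each module to a file the way a simplified import would and reports any module file or search directory that is group- or world-writable. It builds a throwaway directory holding a constructed, deliberately loose webbrowser.py (mode 0666) next to a correctly protected file to show one hit; on a real host you would pass the script's imports and sys.path instead. The resolution logic is a simplification and not Python's real import machinery.

```python
import os
import stat
import tempfile


def is_group_or_world_writable(mode: int) -> bool:
    """True if the st_mode value has the group-write or other-write bit set."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def locate_module(name, search_paths):
    """Simplified import resolution: first name.py or name/__init__.py on the search path.
    (The real machinery also consults sys.modules, .pth files, zip entries, etc.)"""
    for directory in search_paths:
        for candidate in (os.path.join(directory, name + ".py"),
                          os.path.join(directory, name, "__init__.py")):
            if os.path.isfile(candidate):
                return candidate
    return None


def audit_import_paths(module_names, search_paths):
    """Return [(path, reason)] for writable search directories and writable module files.
    Earlier directories shadow later ones, so a writable directory anywhere on the path
    lets a local user plant a look-alike module even if the real file is protected."""
    findings = []
    for directory in search_paths:
        if os.path.isdir(directory) and is_group_or_world_writable(os.stat(directory).st_mode):
            findings.append((directory, "search directory is group/world-writable"))
    for name in module_names:
        path = locate_module(name, search_paths)
        if path is None:
            findings.append((name, "module not found on search path"))
        elif is_group_or_world_writable(os.stat(path).st_mode):
            findings.append((path, f"module '{name}' is group/world-writable"))
    return findings


def demo():
    """Constructed scenario: a private search path holding a deliberately loose
    webbrowser.py (0666) next to a correctly protected helper module (0644)."""
    root = tempfile.mkdtemp()  # mkdtemp creates the directory mode 0700
    loose = os.path.join(root, "webbrowser.py")
    tight = os.path.join(root, "os_helper.py")
    for path, mode in ((loose, 0o666), (tight, 0o644)):
        with open(path, "w") as fh:
            fh.write("def open(url):\n    return url\n")
        os.chmod(path, mode)
    return audit_import_paths(["webbrowser", "os_helper"], [root])


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason}: {path}")
    # On a real host: audit_import_paths(<imports of the sudo-run script>, sys.path)
```

The fix on the host side is the usual one: interpreter library directories and their files owned by root and not writable by anyone else, and sudo rules that run a script as another user only when every module that script can import is protected the same way.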

Since we are now arsene, let's run sudo -l to see if arsene has sudo privileges of any sort.

Voilà, arsene has a privilege that can be escalated to root: we note that we can run /usr/bin/pip as root without a password (pip privilege escalation). After some research, we found the commands to escalate to root:

TF=$(mktemp -d) 
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py 
sudo /usr/bin/pip install $TF
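Both escalations on this box come from sudo rules that hand a user an interpreter or a package manager, programs that execute arbitrary code however they are invoked. The audit below is an added example (not from the write-up) that parses sudoers-style rules from a constructed sample modelled on the two rules seen here, flags commands whose binary is a known code-execution primitive (a short built-in list; GTFOBins is the fuller reference) or the literal ALL, and grades each hit by whether NOPASSWD is set and whether the run-as target is root. The sample rules and the severity scale are constructed for the example.

```python
import os
import re

# Binaries that execute arbitrary code when handed out via sudo (short list; GTFOBins is
# the fuller reference). Prefix entries catch versioned names such as python3.9 and pip3.
RISKY_PREFIXES = ("python", "pip", "perl", "ruby", "node", "php")
RISKY_NAMES = {"bash", "sh", "dash", "zsh", "vim", "vi", "nano", "less", "more",
               "find", "env", "awk", "gawk", "tee"}

# Constructed sample modelled on the two rules from this box, plus two control lines.
SAMPLE_SUDOERS = """\
# User privilege specification (constructed sample)
icex64 ALL=(arsene) NOPASSWD: /usr/bin/python3.9 /home/arsene/heist.py
arsene ALL=(ALL) NOPASSWD: /usr/bin/pip
bob ALL=(root) /bin/bash
alice ALL=(root) NOPASSWD: /usr/bin/uptime
"""

# user  host=(runas) [TAG: ...] cmd[, cmd]   -- the common sudoers rule shape
RULE_RE = re.compile(
    r"^(?P<user>[^\s#]+)\s+(?P<host>[^\s=]+)=(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$"
)


def parse_rules(text):
    """Expand sudoers lines into one dict per command; skips comments and Defaults."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        # Omitted run-as means root; "(user:group)" form keeps only the user part.
        runas = (m.group("runas") or "root").split(":")[0]
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if cmd:
                rules.append({"user": m.group("user"), "runas": runas,
                              "nopasswd": "NOPASSWD" in tags, "command": cmd})
    return rules


def is_risky_command(cmd):
    """ALL, or a binary whose basename is a known code-execution primitive."""
    if cmd == "ALL":
        return True
    base = os.path.basename(cmd.split()[0])
    return base in RISKY_NAMES or base.startswith(RISKY_PREFIXES)


def grade(rule):
    """critical: no password and runs as root; high: one of the two; medium: neither."""
    as_root = rule["runas"] in ("ALL", "root")
    if rule["nopasswd"] and as_root:
        return "critical"
    if rule["nopasswd"] or as_root:
        return "high"
    return "medium"


def audit_sudoers(text):
    """Return the risky rules, each with a severity attached."""
    return [{**rule, "severity": grade(rule)}
            for rule in parse_rules(text) if is_risky_command(rule["command"])]


if __name__ == "__main__":
    for hit in audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{hit['severity']}] {hit['user']} -> {hit['runas']}: {hit['command']}")
```

The python3.9 rule is graded high rather than critical because it runs as arsene, not root; the audit still flags it because an interpreter with a fixed script argument is only as safe as every module that script imports, which is exactly the gap used above.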

We are now root, but the shell is not interactive; we can spawn an interactive one with:

python3 -c 'import pty;pty.spawn("/bin/bash")'

After getting an interactive shell, we navigate to the /root directory and find a root.txt file with the content shown in the image below:

We have successfully rooted this machine and solved the CTF. In solving it, the following were covered: directory fuzzing, base58 decoding, Python library hijacking, pip privilege escalation and a whole lot of research.

Thus, we have come to the end. Until we meet again, felicia priteria.

Disclaimer: This content is provided solely for educational and informational purposes. It is intended to demonstrate the use of cybersecurity tools and techniques for ethical hacking and penetration testing within a controlled and authorized environment. Any unauthorized use of this information is strictly prohibited and may result in legal consequences.