
Vulnhub's EMPIRE BREAKOUT CTF Walk-through

By Unbound3d

Box Info

Name: Empire: Breakout

Release date: 21 Oct 2021

Enumeration

sudo netdiscover -r 10.0.2.0/24

Netdiscover found our target machine

Let's begin by enumerating our target, starting with an Nmap scan.

nmap -sC -sV 10.0.2.5 -v

Nmap found several open ports

Nmap results

Let's begin our investigation with port 80

The webpage that opens is an Apache default page

Webpage found on HTTP

I decided to look at the page's source code to see if there could be anything of interest hidden there.

Turns out my hunch was right! I found what looked like a brainfuck-encoded string at the bottom of the source code.

Hidden password encoded in brainfuck

I used https://www.splitbrain.org/_static/ook/ to decode the string. The decoded output looked like a password.

Decoded password string
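
The decoding step above can also be done offline, which avoids pasting a credential into a third-party site, and the same script doubles as a check for encoded strings left in the comments of pages you serve. This is an added example, not part of the original walkthrough: the function names, the sample page and the placeholder output `pw1` are constructed for illustration.

```python
import re
from html.parser import HTMLParser

class CommentCollector(HTMLParser):
    """Collect the text of every HTML comment in a page."""
    def __init__(self):
        super().__init__()
        self.comments = []
    def handle_comment(self, data):
        self.comments.append(data)

def run_brainfuck(code, max_steps=1_000_000):
    """Interpret brainfuck locally; ',' (input) is ignored and steps are capped."""
    stack, jump = [], {}
    for i, c in enumerate(code):              # pre-match the loop brackets
        if c == "[":
            stack.append(i)
        elif c == "]":
            if not stack: raise ValueError("unbalanced ']'")
            j = stack.pop()
            jump[i], jump[j] = j, i
    if stack: raise ValueError("unbalanced '['")
    tape, ptr, pc, out = [0] * 30000, 0, 0, []
    for _ in range(max_steps):
        if pc >= len(code):
            return "".join(out)
        c = code[pc]
        if c == ">": ptr += 1
        elif c == "<": ptr -= 1
        elif c == "+": tape[ptr] = (tape[ptr] + 1) % 256
        elif c == "-": tape[ptr] = (tape[ptr] - 1) % 256
        elif c == ".": out.append(chr(tape[ptr]))
        elif (c == "[" and tape[ptr] == 0) or (c == "]" and tape[ptr] != 0):
            pc = jump[pc]                     # jump to the matching bracket
        pc += 1
    raise RuntimeError("step limit reached")

def decode_comment_secrets(html, min_len=20):
    """Return the output of every brainfuck-looking run found in HTML comments."""
    parser = CommentCollector()
    parser.feed(html)
    runs = re.findall(r"[><+\-.,\[\]\s]{%d,}" % min_len, "\n#\n".join(parser.comments))
    codes = ("".join(r.split()) for r in runs)
    return [run_brainfuck(c) for c in codes if len(c) >= min_len and "." in c]

# Constructed sample: this program prints the placeholder string "pw1".
BF = "+"*10 + "[>" + "+"*11 + "<-]>++." + "+"*7 + ".<" + "+"*7 + "[>>" + "+"*7 + "<<-]>>."
SAMPLE_HTML = ("<html><body><!-- layout note --><h1>It works!</h1></body></html>\n"
               "<!--\nconstructed sample comment:\n" + BF + "\n-->")
```

Calling `decode_comment_secrets()` on a page's HTML returns a list of decoded strings, one per brainfuck-looking run found in its comments.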

Now we have a password for something. Let's try looking for a username we can use together with the password.

Enum4linux is quite a handy tool for that task. I proceeded to enumerate the box using Enum4linux to see whether I could get usernames.

enum4linux -a 10.0.2.5

Enum4linux found a user!

Found username

Now that we have a username and a password, I attempted to log into the box using the credentials, but was unsuccessful due to incorrect login information. It appears that the credentials are intended for a different service.

Failed login attempt

The hunt continues.

Next, I proceeded to investigate the other HTTP-related port. Our Nmap scan had revealed that port 20000 was open and hosting a mini-server.

Port 20000 opens a Usermin login page.

I attempted authenticating into the portal using the credentials we found and I was successful!

Inside the dashboard, I found a terminal and my eyes lit up!

Usermin Terminal
This is exactly how my eyes went!
Executing commands on the terminal
