EMPIRE: LUPINONE VulnHub CTF Walkthrough, Part 1
As per the description, the capture the flag (CTF) requires a lot of enumeration, and the difficulty level for this CTF is given as medium. Prerequisites would be having some knowledge of Linux commands and the ability to run some basic pentesting tools.
The torrent downloadable URL is also available for this VM; it has been added in the reference section of this article.
Please Note: I have used Oracle Virtual Box to run the downloaded machine for all of these machines. I am using Kali Linux as an attacker machine for solving this CTF. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets.
- Getting the target machine IP Address by DHCP
- Getting open port details by using the Nmap Tool
- Enumerating HTTP Service with Dirb Utility
- Fuzzing the Hidden files with FFUF
- Decoding the SSH Key with Base58 Cypher
After running the downloaded virtual machine file in the virtual box, the machine will automatically be assigned an IP address from the network DHCP, and it will be visible on the login screen. The target machine’s IP address can be seen in the following screenshot.
The target machine IP address is 192.168.1.15, and I will be using 192.168.1.30 as the attacker’s IP address.
Note: The target machine IP address may be different in your case, as the network DHCP assigns it.
Unlike my other CTFs, this time, we do not require using the Netdiscover command to get the target IP address. The next step is to scan the target machine using the Nmap tool.
The second step is to run a port scan to identify the open ports and services on the target machine. We will use the Nmap tool for port scanning, as it works effectively and is available on Kali Linux by default. In the highlighted area of the following screenshot, we can see the Nmap command we used to scan the ports on our target machine. The identified open ports can also be seen in the screenshot given below.
Command used: << nmap 192.168.1.15 -p- -sV >>
In the Nmap Command, we used ‘-sV’ option for version enumeration and ‘-p-‘for full port scan, which means we are telling Nmap to conduct the scan in all 65535 ports. By default, Nmap conducts the scan on only known 1024 ports. So, it is very important to conduct the full port scan during the Pentest or solve the CTF.
The output of the Nmap shows that two open ports have been identified Open in the full port scan. Port 80 is being used for the HTTP service, and port 22 is being used for the SSH service. So, in the next step, we will start the CTF with Port 80.
Let us start the CTF by exploring the HTTP port. We opened the target machine IP address on the browser as follows:
The webpage shows an image on the browser. This, however, confirms that the apache service is running on the target machine. There could be hidden files and folders in the root directory. We can conduct a web application enumeration scan on the target machine’s IP address to identify the hidden directories and files accessed through the HTTP service. We used the Dirb tool; it is a default utility in Kali Linux. The Dirb command and scan results can be seen below.
Command used: << dirb http://192.168.1.15/ >>
The Drib scan generated some useful results. We identified a few files and directories with the help of the scan. Let us open each file one by one on the browser.
When we checked the robots.txt file, another directory was mentioned, which can be seen in the above screenshot. So, let us open the directory on the browser.
The identified directory could not be opened on the browser. There could be other directories starting with the same character ‘~.’ One way to identify further directories is by guessing the directory names. This is a method known as fuzzing. In the next step, we will be using automated tools for this very purpose.
This step will conduct a fuzzing scan on the identified target machine. We will use the FFUF tool for fuzzing the target machine. It is a default tool in kali Linux designed for brute-forcing Web Applications. It can be used for finding resources not linked directories, servlets, scripts, etc. So, let us start the fuzzing scan, which can be seen below.
<< ffuf -u ‘http://192.168.1.15/~FUZZ’ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -e .php,.txt >>
In the command, we entered the special character ‘~’ and after that used the fuzzing parameter, which should help us identify any directories or filenames starting with this character. The scan results identified ‘secret’ as a valid directory name from the server. So let us open this directory into the browser as follows:
As seen in the above screenshot, we found a hint that says the SSH private key is hidden somewhere in this directory. So, we will have to do some more fuzzing to identify the SSH key. Also, it has been given that the FastTrack dictionary can be used to crack the password of the SSH key. The hint also talks about the best friend, the possible username. So, let us rerun the FFUF tool to identify the SSH Key.
<< ffuf -u ‘http://192.168.1.15/~secret/.FUZZ’ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -e .php,.txt -fc 403 >>
We changed the URL after adding the ‘~secret’ directory in the above scan command. We added another character, ‘.’, which is used for hidden files in the scan command. The scan brute-forced the ‘~secret’ directory for hidden files by using the directory listing wordlist as configured by us. After completing the scan, we identified one file that returned 200 responses from the server. So, let us open the file on the browser.
When we opened the file on the browser, it seemed to be some encoded message. We need to figure out the type of encoding to view the actual SSH key. So, let us download the file on our attacker machine for analysis.
Command used: << wget http://192.168.1.15/~secret/.mysecret.txt >>
We downloaded the file on our attacker machine using the wget command. Next, we will identify the encryption type and decrypt the string.
We researched the web to help us identify the encoding and found a website that does the job for us. The website can be seen below. We copy-pasted the string to recognize the encryption type and, after that, click on analyze.
The web-based tool identified the encoding as ‘base 58 ciphers.’ The web-based tool also has a decoder for the base 58 ciphers, so we selected the decoder to convert the string into plain text. The base 58 decoders can be seen in the following screenshot.
The string was successfully decoded without any errors. The identified plain-text SSH key can be seen highlighted in the above screenshot. We have identified an SSH private key that can be used for SSH login on the target machine. First, let us save the key into the file.
Command used: << cat >> key >>
We used the cat command to save the SSH key as a file named ‘key’ on our attacker machine.
As we know, the SSH default port is open on the target machine, so let us try to log in through the SSH port.
Command used: < ssh –i pass firstname.lastname@example.org >>
We tried to login into the target machine as user’ icex64,’ but the login could not be successful as the key is password protected.
Until now, we have enumerated the SSH key by using the fuzzing technique. After that, we tried to log in through SSH. However, it requires the passphrase to log in. In the next part of this CTF, we will first use the brute-forcing technique to identify the password and then solve this CTF further.
Until then, I encourage you to try to finish this CTF! There are enough hints given in the above steps.