Sat. Oct 24th, 2020

Pentesting Fun Stuff

following the cyber security path…

Matrix

It has been a long time since I did a boot-2-root box from vulnhub.com.
If you don’t know the site and you’re interested in learning or honing your pentesting skills, this is the right spot.
There are numerous VMs with different levels, and most of them have a theme, which can be great fun.
Before sites like hackthebox.eu existed, this was the place to be for learning the right skills.
I have chosen to do ‘Matrix:1’ (link), created by Ajay Verma.
The level should be medium and the goal is to get root and read /root/flag.txt.
As for hints…….follow your intuitions … and enumerate!
Let’s get cracking!

Enumeration

For my initial enumeration I use a tool called Red Team Kit (RTK), which has an automated recon scanner.
It does the port scanning and, based on the results, gives some suggestions.

It looks like there is a webserver listening on 2 ports and an SSH server on the default port.

Webserver

While starting DirSearch in the background, I open my browser to check out port 80 first.

Welcome in the Matrix!
When looking at the source code there is a picture to be found:

A white rabbit to be more precise.
The name of the picture is the hint, but that port I already got from the port scan.
Port 31337 is my next port to visit with my browser.

In the source code there is another hint…..this time in the form of a base64-encoded comment:

Let’s decode it.

It looks like a Linux command where a string is echoed and redirected into a file called Cypher.matrix.
When directing my browser to http://192.168.100.139:31337/Cypher.matrix I get to download a file.
Let’s check out what it is:

This can be confusing if you see it for the first time, but if you have seen it before it is quite simple.
It is an esoteric programming language called Brainfuck. Brainfuck was designed for extreme minimalism and leads to obfuscated code, with programs containing only eight distinct characters.
There are numerous online decoders; I use https://www.splitbrain.org/_static/ook/ for the decoding part.
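As an added example (not from the original post), here is a small offline Brainfuck interpreter in Python, so a file like Cypher.matrix can be decoded locally instead of pasting recovered data into a third-party site. The sample program embedded below is constructed for the example and is not the box’s real file.

```python
# Minimal Brainfuck interpreter: 8-bit wrapping cells, a 30,000-cell tape,
# non-command characters ignored, unbalanced brackets rejected, and a step
# limit so a looping program cannot hang the analyst's terminal.
TAPE_SIZE = 30000

# Constructed sample program (not the box's Cypher.matrix): prints "Hi".
SAMPLE_PROGRAM = "++++++++[>+++++++++<-]>.<+++[>+++++++++++<-]>."

def match_brackets(code):
    """Map every '[' to its ']' and back; raise on unbalanced brackets."""
    jump, stack = {}, []
    for i, c in enumerate(code):
        if c == "[":
            stack.append(i)
        elif c == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at command {i}")
            j = stack.pop()
            jump[i], jump[j] = j, i
    if stack:
        raise ValueError(f"unmatched '[' at command {stack[-1]}")
    return jump

def run_brainfuck(src, max_steps=1_000_000):
    """Execute src (',' input is a no-op) and return its output as a string."""
    code = [c for c in src if c in "<>+-.,[]"]  # drop filler and whitespace
    jump = match_brackets(code)
    tape, ptr, pc, out, steps = [0] * TAPE_SIZE, 0, 0, [], 0
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded; program may not terminate")
        c = code[pc]
        if c == ">":
            ptr = (ptr + 1) % TAPE_SIZE
        elif c == "<":
            ptr = (ptr - 1) % TAPE_SIZE
        elif c == "+":
            tape[ptr] = (tape[ptr] + 1) % 256
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) % 256
        elif c == ".":
            out.append(chr(tape[ptr]))
        elif c == "[" and tape[ptr] == 0:
            pc = jump[pc]  # cell is zero: skip past the matching ']'
        elif c == "]" and tape[ptr] != 0:
            pc = jump[pc]  # cell non-zero: jump back to the matching '['
        pc += 1
    return "".join(out)
```

Run it with `run_brainfuck(open("Cypher.matrix").read())` to decode the downloaded file.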

Nice…..but there is a catch. I need to figure out the last characters to get it to work.
As for options I can try to brute force it, but I mainly use brute force as a last resort.
On Kali there are some password lists, so maybe it’s inside one of the lists.

Not really what I’m looking for as it doesn’t have 2 chars after the r, but three.
Let’s just try it and then brute force it with a loop.

Nope…..let’s turn to crunch.

SSH

Crunch is a tool to create wordlists. It is quite handy and easy to use.
Because I already have part of the password and I know I’m missing two characters, the syntax will be like this:

There are different ways to use the list and brute force SSH. I go for the SSH scanner from Metasploit.

That one worked.

I’m in…now to do some recon on the system.

Dang…..looks like I landed in a restricted bash shell.
To get out of this restricted shell I need to know what I can work with.

To find out what commands I can use I hit tab twice.

I can try and find the thing I need to break free……..or I can hit up msfconsole again and do the ssh scanner again.

As you can see I’m not bothered with the restricted shell. Much better.
Now to get a proper TTY shell.

Much better.

Ok….so normally I would check out the (root) and the (trinity) parts of the sudo permissions.
But in this case I can do everything as root with sudo….no strings attached.

And there you have it. I don’t know if this was the way intended by the creator, but hey!….whatever gets it to work.
