Vulnhub Matrix: 1 Walkthrough
A service scan reveals 3 open ports
A Base64-encoded string can be found in the page source of the web root on port 31337
Decoding this string reveals a command that redirects a quote to a file named 'Cypher.matrix'
The server's response to http://matrix:31337/Cypher.matrix is a Brainfuck program
I then used https://copy.sh/brainfuck to interpret the code
This reveals a set of credentials, where the last 2 characters of the password are unknown
I then used crunch to create a list of suffixes to use in combination with 'k1ll0r'
Awk was then used to prepend 'k1ll0r' to the wordlist
The list is now ready to be used in a dictionary attack against SSH using ncrack
ncrack found the credentials to be 'guest:k1ll0r7n'
We are now able to log in over SSH using these credentials!
Attempts to execute commands reveal that we are stuck in a restricted shell
Trying to escape the shell by passing '/bin/bash' as the command option to ssh fails because '/' is disallowed
Doing the same with 'bash' instead succeeds in breaking out of the restricted shell
python -c 'import pty;pty.spawn("/bin/bash")' was then used to spawn a shell prompt
Running 'sudo -l' as guest on matrix reveals some very loose permissions
'sudo su root' was then used to gain root access on matrix!
We are now able to grab the flag
Thank you to Ajay Verma and Vulnhub for this fun boot2root!
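
The restricted-shell escape above worked because 'bash' was still reachable by bare name even though '/' was blocked. As an added example (not part of the original walkthrough), this script audits the PATH given to a restricted account for shells and interpreters; the name list, function names and stub directories are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Names that hand a restricted user an unrestricted shell or interpreter.
# Colon-separated so one IFS serves both loops. The list is an assumption;
# extend it for your environment.
ESCAPE_NAMES="sh:bash:dash:zsh:ksh:python:python3:perl:ruby"

# audit_restricted_path PATH_STRING
# Prints one "dir/name" line for every listed executable that a restricted
# shell could still start by bare name from the given PATH.
audit_restricted_path() (
    set -f      # no globbing on the unquoted expansions below
    IFS=:       # split PATH and ESCAPE_NAMES on colons (subshell only)
    for dir in $1; do
        [ -d "$dir" ] || continue   # skips empty and missing entries
        for name in $ESCAPE_NAMES; do
            [ -f "$dir/$name" ] && [ -x "$dir/$name" ] &&
                printf '%s/%s\n' "$dir" "$name"
        done
    done
    true
)

# make_demo_dir DIR NAME...  (hypothetical helper: builds constructed stubs)
make_demo_dir() {
    d=$1; shift
    mkdir -p "$d"
    for n in "$@"; do
        printf '#!/bin/sh\n' > "$d/$n"
        chmod +x "$d/$n"
    done
}

# Constructed sample input: one loose and one locked-down command directory.
demo=$(mktemp -d)
make_demo_dir "$demo/loose" ls clear bash python
make_demo_dir "$demo/locked" ls clear

echo "Findings for loose PATH:"
audit_restricted_path "$demo/loose"
echo "Findings for locked PATH (expect none):"
audit_restricted_path "$demo/locked"
```

Any line the audit prints is a binary to remove from the restricted account's command directory.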