thesp0nge OSCP guy. I break code and rebuild it with security in mind, taekwon-do, husband, dad. Chaotic good drow ranger. I blog @codiceinsicuro and @the_armoredcode.

Getting root: Matrix


It was last year when I received the email saying I passed the Penetration Testing with Kali Linux course and eventually I became an OSCP guy.

Now, a year later, I have just finished the material for the Cracking the Perimeter course, and later this spring I will try to obtain the OSCE certification.

Today I played with the Matrix Vulnhub machine, a very easy boot2root image you can start with if you are beginning to study offensive security techniques.

First stage: reconnaissance

Our boot2root machine is available on an internal host-only VirtualBox network, and its IP address is 192.168.56.104.

As in every takeover journey, the first step is to nmap the target to discover open ports and the associated services.

As we can see, we have an SSH server running on port 22 and two web servers on ports 80 and 31337. We can use the dirb tool to enumerate website content, discovering pages and other resources.

From the video below, you can see that the intended path was hidden in the HTML source. On the web server on port 80, the “service” hint was a rabbit picture, and its filename suggests looking at port 31337.

On port 31337, there is a base64 encoded hint.

Decoding the base64, we get this statement as a hint:

echo "Then you'll see, that it is not the spoon that bends, it is only yourself. " > Cypher.matrix#

Let’s go and break the door

This hint suggests a Cypher.matrix file is present on the second web server. Let’s try to download it.

It’s a brainfuck script; we can decode it with the beef tool. On Kali Linux you can install it with apt install beef.

The script’s output is another hint, about the guest account’s SSH password.

You can enter into matrix as guest, with password k1ll0rXX
Note: Actually, I forget last two characters so I have replaced with XX try your luck and find correct string of password.

We will use the crunch tool to generate a list of 8-character passwords starting with k1ll0r, with the last two characters replaced by all possible alphanumeric combinations.

We will then use ncrack with the generated list to find the password.

The guest account SSH password is k1ll0r7n.
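Every guess ncrack makes lands in the target's sshd log, so from the defender's side this stage is the easiest one to spot. The script below is an added example, not from the original post: it parses a constructed auth.log excerpt (standard OpenSSH "Failed password" / "Accepted password" lines, invented for this example), flags any source address with a burst of failures inside a sliding time window, and reports whether the same address then got an accepted login, which is the signal that a guessed password worked. Threshold and window size are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log excerpt (not taken from the Matrix VM): a burst of
# failed guest logins from one address, one success, and unrelated noise.
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 matrix sshd[1201]: Failed password for guest from 192.168.56.1 port 40210 ssh2
Mar  3 10:15:01 matrix sshd[1202]: Failed password for guest from 192.168.56.1 port 40211 ssh2
Mar  3 10:15:02 matrix sshd[1203]: Failed password for guest from 192.168.56.1 port 40212 ssh2
Mar  3 10:15:02 matrix sshd[1204]: Failed password for guest from 192.168.56.1 port 40213 ssh2
Mar  3 10:15:03 matrix sshd[1205]: Failed password for invalid user admin from 192.168.56.1 port 40214 ssh2
Mar  3 10:15:03 matrix sshd[1206]: Failed password for guest from 192.168.56.1 port 40215 ssh2
Mar  3 10:15:04 matrix sshd[1207]: Accepted password for guest from 192.168.56.1 port 40216 ssh2
Mar  3 10:20:00 matrix sshd[1300]: Failed password for root from 192.168.56.50 port 50000 ssh2
Mar  3 10:20:00 matrix CRON[1301]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Matches the OpenSSH password-auth result lines; "invalid user" is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_ssh_events(log_text: str) -> list:
    """Return the SSH auth events in a log as dicts; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # cron, sudo, pam lines are not SSH auth
        # syslog timestamps carry no year; strptime defaults to 1900, which is
        # fine because only differences between timestamps are used
        ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return events


def detect_bruteforce(log_text: str, threshold: int = 5, window_s: int = 60) -> list:
    """Flag source IPs with >= threshold failed logins inside window_s seconds.

    Each finding also records the user that later got an Accepted login from
    the same address (if any), since that is the password that was guessed."""
    by_ip = defaultdict(list)
    for ev in parse_ssh_events(log_text):
        by_ip[ev["ip"]].append(ev)

    findings = []
    for ip, evs in by_ip.items():
        fails = sorted((e for e in evs if e["result"] == "Failed"), key=lambda e: e["ts"])
        burst_start = None
        lo = 0
        for hi in range(len(fails)):          # sliding window over failure times
            while (fails[hi]["ts"] - fails[lo]["ts"]).total_seconds() > window_s:
                lo += 1
            if hi - lo + 1 >= threshold:
                burst_start = fails[lo]["ts"]
                break
        if burst_start is None:
            continue
        success = [e for e in evs if e["result"] == "Accepted" and e["ts"] >= burst_start]
        findings.append({
            "ip": ip,
            "failed": len(fails),
            "users": sorted({e["user"] for e in fails}),
            "compromised_user": success[0]["user"] if success else None,
        })
    return findings


if __name__ == "__main__":
    for f in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(f"{f['ip']}: {f['failed']} failures against {f['users']}, "
              f"then login as {f['compromised_user']}")
```

Run over a real /var/log/auth.log this is a few lines away from a fail2ban-style block; the "compromised_user" field is the part worth alerting on, because a burst that ends in an Accepted login is no longer just noise.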

Root dance

Now we can log into the machine as the guest user. As you can see from the video, the guest account lands in a restricted shell environment; the PATH is limited and we can’t even run ls to go deeper into our journey. Luckily, the vi editor is in our PATH, so we can use the !/bin/bash escape sequence to have a shell spawned for us.

This shell is not restricted, even though the PATH variable is still mangled. Starting the post-exploitation steps, a misconfiguration in the sudoers file reveals that every account on the system can use sudo to run any command as root.

So we will use the guest password to launch a shell as root. Since we want a working environment, we will ask sudo to launch a login shell (bash -l) so that the configuration files are read and everything is set up.
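The sudoers mistake that hands out root here is also trivial to catch before an attacker does. As an added example (not the post's code, and the sudoers fragment is constructed rather than copied from the VM), the script below parses the common single-line rule form and flags two patterns: a rule that lets every user (ALL, or a catch-all group such as %users, an assumption you can extend) run ALL commands, and a NOPASSWD rule on ALL commands. Aliases, Defaults lines and comments are skipped.

```python
import re

# Constructed sudoers fragment: one normal admin rule, the "everyone can do
# anything" rule like the misconfiguration in the post, two narrow
# service rules, and a passwordless catch-all rule.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample, not the Matrix VM's file)
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
ALL     ALL=(ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
%users  ALL=(ALL) NOPASSWD: ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app.service
"""

# who  hosts=(runas) [TAG: ...] commands   -- the basic sudoers rule shape
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_rules(text: str) -> list:
    """Return user-specification rules as dicts, ignoring everything else."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        first = line.split()[0]
        if first == "Defaults" or first.endswith("_Alias"):
            continue                               # not a permission rule
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = [t for t in re.split(r"[:\s]+", m["tags"]) if t]
        cmds = [c.strip() for c in m["cmds"].split(",")]
        rules.append({"who": m["who"], "hosts": m["hosts"], "runas": m["runas"],
                      "tags": tags, "cmds": cmds, "line": line})
    return rules


def audit_sudoers(text: str, broad_groups=("%users",)) -> list:
    """Flag rules that give unrestricted root to everyone or without a password.

    broad_groups lists group names that in practice mean "every login user";
    which groups qualify is an assumption to adjust for the host."""
    findings = []
    for r in parse_rules(text):
        issues = []
        everyone = r["who"] == "ALL" or r["who"] in broad_groups
        any_cmd = "ALL" in r["cmds"]
        if everyone and any_cmd:
            issues.append("any_user_any_command")
        if any_cmd and "NOPASSWD" in r["tags"] and r["who"] != "root":
            issues.append("passwordless_any_command")
        if issues:
            findings.append({"who": r["who"], "line": r["line"], "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f['line']!r}: {', '.join(f['issues'])}")
```

On a real host, feed it the output of `sudo cat /etc/sudoers /etc/sudoers.d/*` (or `visudo -c` first to be sure the file parses); a hit on any_user_any_command is exactly the situation the post exploits, where the guest account's own password is all sudo asks for.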

Off by one

This machine is very simple but it can teach a couple of interesting lessons:

  • look at the web page source code;
  • brainfuck programs are not a problem with the beef tool;
  • before looking for exploits, start post-exploitation by looking at the system configuration. Sometimes human error is the simplest path to root.

Enjoy it!
