Getting root: Matrix
It was last year when I received the email saying I had passed the Penetration Testing with Kali Linux course and eventually became an OSCP guy.
Now, a year later, I have just finished the material for the Cracking the Perimeter course, and later this spring I will try to obtain the OSCE certification.
Today I played with the Matrix VulnHub machine, a very easy boot2root image you can start with if you are beginning to study offensive security techniques.
First stage: reconnaissance
Our boot2root machine is available on an internal host-only VirtualBox network, and its IP address is 192.168.56.104.
As in every takeover, the first step is to nmap the target to discover open ports and the services behind them.
As we can see, we have an SSH server on port 22 and two web servers, on ports 80 and 31337. We can use the dirb tool to enumerate website content and discover pages and other resources.
From the video below, you can see that the intended path was hidden in the HTML source. On the web server on port 80, the hint was a rabbit picture whose filename points to port 31337.
On port 31337 there is a base64-encoded hint.
Decoding the base64, we get this statement as a suggestion:
Let’s go and break the door
The hint suggests that a Cypher.matrix file is present on the second web server. Let's try to download it.
It is a brainfuck program; we can run it with the beef interpreter, which you can install on Kali Linux with apt install beef.
The program prints another hint, about the guest account SSH password.
We will use the crunch tool to generate every 8-character password starting with k1ll0r, with the last two characters replaced by all possible alphanumeric combinations (62 x 62 = 3844 candidates).
We will then feed the generated list to ncrack to find the password.
The guest account SSH password is k1ll0r7n.
Now we can log into the machine as the guest user. As you can see from the video, the guest account lands in a restricted shell: PATH is limited and we cannot even run ls to go deeper into our journey. Luckily the vi editor is in our PATH, so we can use the :!/bin/bash escape to have a shell spawned for us (if the direct escape is refused, :set shell=/bin/bash followed by :shell does the same).
This shell is not restricted, even though the PATH variable is still mangled (a plain export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin fixes that). Starting the post-exploitation steps, a look at the sudo configuration (sudo -l lists what the current user may run) reveals a misconfigured sudoers file: every account on the system can use sudo to run any command as root.
So we use the guest password with sudo to get a shell as root. Since we want a working environment, we ask sudo for a login shell (sudo bash -l) so that the profile files are read and everything, PATH included, is set up properly.
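An added example of the check behind this step, written for this post rather than taken from it: a small Python audit that parses a sudoers file and flags rules granting every account, or an unrestricted command set, root. The sudoers text inside is constructed for the example and is not the VM's real /etc/sudoers; the rule shape it flags is the one the post describes.

```python
"""Added example (not the post's own code): the check behind the last lesson.

audit_sudoers() parses a sudoers file and flags the rule shape found on the
VM (a user field of ALL, i.e. every account may sudo) plus the related
"someone gets an unrestricted command set" and "NOPASSWD on everything"
patterns. SAMPLE_SUDOERS is constructed for this example and is not the
machine's real /etc/sudoers. The parser ignores aliases and #includedir
drop-ins on purpose, so an empty report means "nothing obvious", not "safe".
"""
import re

# user specification:  who  host = (runas)  [TAG:...] command list
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"^([A-Z]+):\s*")             # NOPASSWD:, SETENV:, NOEXEC: ...
SKIP_RE = re.compile(r"^(Defaults|\w+_Alias)\b")  # settings and alias definitions

SAMPLE_SUDOERS = """\
# constructed sample for this example, not the VM's file
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
# the misconfiguration: every account may run every command as root
ALL     ALL=(ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
#includedir /etc/sudoers.d
"""


def parse_rules(text):
    """Return (who, host, runas_user, tags, commands) for each grant line."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or SKIP_RE.match(line):
            continue  # blank, comment, #include directive, Defaults or alias
        m = RULE_RE.match(line)
        if not m:
            continue
        rest, tags = m["cmds"].strip(), set()
        t = TAG_RE.match(rest)
        while t:
            tags.add(t.group(1))
            rest = rest[t.end():]
            t = TAG_RE.match(rest)
        commands = [c.strip() for c in rest.split(",") if c.strip()]
        runas = (m["runas"] or "root").split(":")[0]  # user half of (user:group)
        rules.append((m["who"], m["host"], runas, tags, commands))
    return rules


def audit_sudoers(text):
    """Return (severity, who, message) findings, most severe first."""
    findings = []
    for who, host, runas, tags, commands in parse_rules(text):
        unrestricted = "ALL" in commands
        if who == "ALL":
            # The Matrix case: the user field itself is ALL, so every local
            # account (guest included) may sudo; the only gate is its own password.
            findings.append(("high", who, "every account may run %s as %s"
                             % (", ".join(commands), runas)))
        elif unrestricted and who != "root":
            # Full root for a group is the Debian default (%sudo); for a single
            # user it usually deserves a closer look.
            sev = "medium" if who.startswith(("%", "+")) else "high"
            findings.append((sev, who, "unrestricted command set as %s" % runas))
        if "NOPASSWD" in tags and unrestricted:
            findings.append(("high", who, "NOPASSWD on an unrestricted command set"))
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: rank[f[0]])


if __name__ == "__main__":
    for sev, who, msg in audit_sudoers(SAMPLE_SUDOERS):
        print("%-6s %-8s %s" % (sev, who, msg))
```

On the constructed sample the audit reports the ALL rule as high and the %sudo group grant as medium, while the backup account's NOPASSWD rsync rule passes because its command list is specific. On a real box run it against /etc/sudoers and every file in /etc/sudoers.d, since the #includedir line pulls those in and a drop-in can be just as permissive as the main file.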
Off by one
This machine is very simple, but it can teach a few interesting lessons:
- look at the web page source code;
- brainfuck programs are not a problem with the beef interpreter;
- before looking for exploits, start post exploitation by reviewing the system configuration. Sometimes human error is the simplest path to root.