Matrix 1: A Vulnhub VM Walkthrough

Nelson Colón
Nov 9, 2018

Hello again, this time I’m going to write about Matrix: not the movie, but a VM from Vulnhub whose main goal is to obtain the root flag. Let’s dive into it.


Summary

The Matrix VM is a virtual machine inspired by the Matrix trilogy. It has some easter eggs in it but nothing crazy, which is fine for me as I don’t remember too much about the trilogy. Anyway, the difficulty for this VM is Intermediate, as described here. One piece of advice: we don’t need much to work on this VM, and every tool used in this tutorial already comes with Kali Linux/Parrot. This time I’ll be using Parrot Security OS.

Discovery

First, we need to find the IP address the machine is using. I use arp-scan for the job, but you can also use netdiscover or nmap. With arp-scan it looks like this:

arp-scan -l

This prints a list of all the machines on the local network that answer ARP requests; the output looks like this:

The IP of the machine identified

With that, we can proceed to do some footprinting using our trusted nmap, the command used in this case was:

nmap command to do information gathering on the server.

The output for this command is equal to:

Okay, we get that 3 ports are open, port 22 for SSH and ports 80 and 31337 for HTTP.

Accessing port 80 doesn’t reveal much:

Except for the message that says follow the White Rabbit. The thing is, if you look at the page source of this site, you’ll find a clue for what to do next:

As you can see in the last picture, img gives you a hint to follow port 31337.

Accessing port 31337 gives us this page:

And if you check out the page source, you’ll get the first big finding:

Getting access

The string found in the page source is:

ZWNobyAiVGhlbiB5b3UnbGwgc2VlLCB0aGF0IGl0IGlzIG5vdCB0aGUgc3Bvb24gdGhhdCBiZW5kcywgaXQgaXMgb25seSB5b3Vyc2VsZi4gIiA+IEN5cGhlci5tYXRyaXg=

It’s encoded in Base64; passing it through a decoder gives you this:

echo "Then you'll see, that it is not the spoon that bends, it is only yourself. " > Cypher.matrix

This looks like a bash command: echo prints its argument and “>” redirects that output into a file, replacing whatever the file held before. So the command writes the message “Then you’ll see, that it is not the spoon that bends, it is only yourself.” to the file “Cypher.matrix”.
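To check your own pages for this kind of leak before they go live, the scan below pulls Base64-looking tokens out of page source and reports the ones that decode to readable text. It is an added example, not part of the original walkthrough; the HTML around the string is a constructed stand-in and the function name is hypothetical.

```python
import base64
import binascii
import re

# Constructed page source: the Base64 string is the one quoted in this
# walkthrough, the markup around it and the hex id are made up.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<div id="0123456789abcdef0123456789abcdef01234">
<!--p class="service">ZWNobyAiVGhlbiB5b3UnbGwgc2VlLCB0aGF0IGl0IGlzIG5vdCB0aGUgc3Bvb24gdGhhdCBiZW5kcywgaXQgaXMgb25seSB5b3Vyc2VsZi4gIiA+IEN5cGhlci5tYXRyaXg=</p-->
</div></body></html>"""

# A run of 24+ Base64 alphabet characters with optional padding, not glued
# to further Base64 characters on either side.
B64_TOKEN = re.compile(
    r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{24,}={0,2}(?![A-Za-z0-9+/=])")


def find_encoded_strings(page_source, min_printable=0.95):
    """Return the decoded text of every token that is valid Base64 and
    decodes to (almost) entirely printable ASCII."""
    hits = []
    for token in B64_TOKEN.findall(page_source):
        if len(token) % 4:          # padded Base64 is always a multiple of 4
            continue
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue
        printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in raw)
        if raw and printable / len(raw) >= min_printable:
            hits.append(raw.decode("ascii", errors="replace"))
    return hits


if __name__ == "__main__":
    for text in find_encoded_strings(SAMPLE_HTML):
        print("decoded string in page source:", text)
```
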

Why don’t we try to access this file?

When you go to the URL:

http://192.168.201.124:31337/Cypher.matrix

It automatically downloads a file which contains the following cipher:

You’re probably thinking “WTF”, don’t worry. I was thinking the same thing.

After some Google Fu, I found that this is code for Brainfuck, a programming language that just exists for, you guessed it, messing up your brain.

When you compile it, it prints out this:

You see, it’s telling me that there is a user called guest and that the password starts with k1ll0r and ends with two other characters. I guess it’s time to create our dictionary for brute forcing SSH. Luckily for us, there’s a tool that can do the trick, called mp64:

This command creates a wordlist from the prefix “k1ll0r”, generating all possible combinations for the last two characters with the ?a charset.

After the wordlist was created, I proceeded to brute force the SSH service using hydra:

And after a couple of minutes we find the password:

Which is k1ll0r7n.
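On the defending side, a run like this is loud in the SSH server's auth log. The sketch below is an added example, not part of the original walkthrough: it flags a burst of failed passwords per source and user, and separately flags a successful login that lands inside such a burst. The log lines, host name, addresses, year and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

# Constructed sshd log lines (host name, addresses and times are made up):
# a burst of failures for guest followed by a success, plus one ordinary typo.
SAMPLE_LOG = "\n".join(
    [f"Nov  9 10:00:{s:02d} matrix sshd[900]: Failed password for guest "
     f"from 192.168.201.50 port {40000 + s} ssh2" for s in range(1, 7)]
    + ["Nov  9 10:00:07 matrix sshd[900]: Accepted password for guest from 192.168.201.50 port 40007 ssh2",
       "Nov  9 10:05:10 matrix sshd[912]: Failed password for guest from 192.168.201.77 port 51000 ssh2",
       "Nov  9 10:05:20 matrix sshd[913]: Accepted password for guest from 192.168.201.77 port 51001 ssh2"])


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60),
                      year=2018):
    """Return alerts as (kind, source_ip, user, failures_in_window)."""
    recent = defaultdict(deque)   # (ip, user) -> times of recent failures
    alerted = set()               # keys that already raised a burst alert
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so one is assumed.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["ip"], m["user"])
        q = recent[key]
        while q and ts - q[0] > window:      # drop failures outside the window
            q.popleft()
        if m["result"] == "Failed":
            q.append(ts)
            if len(q) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append(("bruteforce", *key, len(q)))
        elif len(q) >= threshold:            # success in the middle of a burst
            alerts.append(("login_after_bruteforce", *key, len(q)))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The second alert kind is the one to page on: it means a guessed password was accepted, so the account should be treated as compromised.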

Now, let’s access the server through SSH using the recently obtained credentials.

Privilege escalation

Once here, if you try to do anything, you’ll find you aren’t allowed to use any command:

This is because you’re in a restricted shell, which is commonly used to restrict users to certain actions. In this case, I’ll need to find a way to break out of the shell jail. Using the export command gives us a better idea of what we can do inside the machine:

It shows that our PATH is “/home/guest/prog” and the SHELL is “/bin/rbash”, which is restricted bash.

If we look into the PATH directory we have for the user, we’ll find there is only one program we can access, which is vi:

This is perfect, as we can escape a restricted shell using vi; here is a better explanation about that. Luckily for us, typing :!/bin/bash was good enough to escape the restricted shell:

Opening vi as guest
Breaking out of restricted bash through vi

And we are free:

Let’s see if we can export a new path for bash with:

export PATH=/usr/bin:/bin/

And we are able to do it:

Now with that we are able to use most Linux commands.

After messing around and enumerating for a while inside the server, I found out that the user has permission to execute every command available:

That means that we can switch to the root user using the command sudo su:

With that, we just need to read the flag:

Rooted
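A defender's check for the two misconfigurations this section relies on, a shell-capable program on the restricted PATH and an unrestricted sudo rule, as an added example that is not part of the original walkthrough. The program denylist, the function names and the sample `sudo -l` output are assumptions constructed for illustration; /home/guest/prog is the PATH shown above.

```python
import os
import re

# Assumed, non-exhaustive denylist: editors and pagers that can start a shell
# or run commands from inside themselves. Extend it for your environment.
SHELL_CAPABLE = {"vi", "vim", "view", "ex", "ed", "less", "more", "man"}

# Constructed `sudo -l` output for the guest account (host name is made up).
SAMPLE_SUDO_L = """User guest may run the following commands on matrix:
    (ALL) ALL
"""


def audit_restricted_path(path_value):
    """Return sorted (entry, real_target) pairs for executables on a
    restricted user's PATH that would let the user leave rbash."""
    findings = []
    for directory in filter(None, path_value.split(":")):
        if not os.path.isdir(directory):
            continue
        for name in os.listdir(directory):
            full = os.path.join(directory, name)
            real = os.path.realpath(full)    # follow links such as edit -> vi
            if not os.access(full, os.X_OK) or os.path.isdir(real):
                continue
            # Check both the visible name and the name of the link target.
            if {name, os.path.basename(real)} & SHELL_CAPABLE:
                findings.append((full, real))
    return sorted(findings)


def sudo_allows_everything(sudo_l_output):
    """True if a rule line in `sudo -l` output grants ALL commands,
    with or without tags such as NOPASSWD:."""
    rule = re.compile(r"\s*\([^)]*\)\s+(?:[A-Z_]+:\s*)*ALL\s*$")
    return any(rule.match(line) for line in sudo_l_output.splitlines())


if __name__ == "__main__":
    for entry, real in audit_restricted_path("/home/guest/prog"):
        print(f"rbash escape risk: {entry} -> {real}")
    print("unrestricted sudo:", sudo_allows_everything(SAMPLE_SUDO_L))
```

Either finding on its own defeats the jail: a restricted shell only holds if every program on the PATH is itself unable to run other programs, and a full sudo rule makes the restriction irrelevant.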

Conclusion

The VM was really fun to root. It emphasizes breaking out of a restricted shell and Google searching. I give it a 4.8/10 in difficulty, and I can say that I learned something new with this VM.

Shout out to the creator of it, Ajay Verma.
