Hello friends! Today we are going to take
another boot2root challenge known as Matrix. The credit for making this vm
machine goes to “Ajay Verma” and it is another boot2root challenge in which our
goal is to get root access to complete the challenge. You can download this VM here.
Security Level: Intermediate
Flags: There
is one flag (flag.txt).
Table of contents:
·
Port scanning and IP discovery.
·
Hitting on port 80
·
Hitting on port 31337 and
finding base64 encoded string
·
Decode base64 encoded string
·
Finding and downloading Bin
file
·
Decoding brainfuck encoded
string
·
Creating dictionary using
crunch
·
SSH login brute force using
hydra
·
Finding rbash
·
Escaping restricted shell
environment
·
Exporting environment variables
·
Getting root access.
·
Reading the flags.
Walkthrough
Let’s start off with scanning the network
to find our target.
netdiscover
We found our target –> 192.168.1.18
Our next step is to scan our target with
nmap.
The NMAP output shows us that there are 4
ports open: 22(SSH), 80(HTTP), 31337(HTTP)
We find that port 80 is running http, so we
open the IP in our browser.
We don’t find anything on the web service running
on port 80. So we start enumerating the web service running on port 31337.
We take a look at the source code of the
web service running on port 31337 and find a base64 encoded string.
We decode the base64 encoded string and
find a hint to that is related “Cypher.matrix”.
We open “Cypher.matrix” on the web service
running on port 31337 and find that it starts downloading a BIN file.
We take a look at the content of the file
and find “brainfuck” encoded string.
We decode the brainfuck encoded string using
this site here and find an
incomplete password for the user “guest”.
As the last 2 characters are missing we
create a wordlist using crunch so that we can brute force SSH login.
crunch 8 8 -t k1ll0r%@ -o dict.txt
We use hydra to brute force ssh login using
the dictionary we created earlier and find the password to be “k1ll0r7n”.
hydra -l guest -P dict.txt 192.168.1.18
ssh
Now that we know the password we login
through SSH using credentials “guest:k1ll0r7n”
After logging in we try to run “ls”
command but are unable to run it as we have an rbash shell.
ls
We check the PATH environment variable
and find that the path to be “/home/guest/prog”.
$PATH
Now as we cannot run “ls” command we
try to find commands that can run. After trying a few commands we find that we
can run “echo” command. We use “echo” command to find the
executables inside “/home/guest/prog” and find “vi” is available.
echo “/home/guest/prog/*”
Now we check SHELL environment
variable and find we have only rbash shell.
echo $SHELL
We run vi so that we can spawn /bin/bash
and escape the restricted shell environment.
!/bin/bash
After escaping the restricted shell
environment, we export /bin/bash to SHELL environment variable
and “/usr/bin” directory to PATH environment variable so that we
can run linux command properly.
export SHELL=/bin/bash:$SHELL
export PATH=/usr/bin:$PATH
After exporting into the environment
variables, we check sudoers list and find we can directly get root shell as we
have all the rights.
sudo -l
sudo su
We are unable to execute “su”
command as we haven’t exported “/bin” directory into PATH environment.
We exported “/bin” directory into PATH environment variable and
again ran the command to login as root using the password we find earlier.
export PATH=/bin:$PATH
sudo su
After logging in we go to root directory
and find a file called flag.txt. We take a look at the content of the file and
find the congratulatory message.
cd /root
ls
cat flag.txt
0 comments:
Post a Comment