Nmap Scanning
adjust_timeouts2: packet supposedly had rtt of -254727 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -254727 microseconds. Ignoring time.
Nmap scan report for morpheus.bbrouter (192.168.1.40)
Host is up, received arp-response (0.0043s latency).
Scanned at 2023-01-04 19:41:58 EST for 29s
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 256 aa83c351786170e5b7469f07c4ba31e4 (ECDSA)
|_ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOWNDAE21hrPYFpJ4+PvruHbth1s+HHqXYEKk12tnsBQE90v34m4qITkv/TFumnzT24uw98ntLc2QnqC1lH3rVA=
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.51 ((Debian))
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-title: Morpheus:1
|_http-server-header: Apache/2.4.51 (Debian)
81/tcp open http syn-ack ttl 64 nginx 1.18.0
|_http-title: 401 Authorization Required
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=Meeting Place
|_http-server-header: nginx/1.18.0
MAC Address: 08:00:27:4A:4D:7C (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5
OS details: Linux 5.0 - 5.4
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=1/4%OT=22%CT=1%CU=%PV=Y%DS=1%DC=D%G=N%M=080027%TM=63B6
OS:1CF3%P=x86_64-pc-linux-gnu)SEQ(SP=109%GCD=1%ISR=109%TI=Z%CI=Z%II=I%TS=A)
OS:OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4
OS:ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)
OS:ECN(R=Y%DF=Y%TG=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%TG=40%S=O%A=S
OS:+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q
OS:=)T5(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%TG=40%W=0%S
OS:=A%A=Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=N)IE(R=Y%DFI=N%TG=40%CD=S)
Uptime guess: 9.990 days (since Sun Dec 25 19:57:26 2022)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=265 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 4.32 ms morpheus.bbrouter (192.168.1.40)

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
The nmap scan shows three open ports: 22 (OpenSSH 8.4p1, Debian), 80 (Apache 2.4.51) and 81 (nginx 1.18.0, answering with HTTP basic auth for the realm "Meeting Place"). Note that the target's address differs between the scan (192.168.1.40, run on 4 January) and the web enumeration below (192.168.1.9, run on 1 February); the VM was simply addressed differently on the two days.
Let's enumerate port 80, the HTTP port, first.
Visited: http://192.168.1.9/

The first step on any web port is to brute-force directories and files with gobuster; the -x option also tries the php, html and txt extensions for every wordlist entry.
Gobuster results
# gobuster dir -u http://192.168.1.9:80 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.9:80
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.4
[+] Extensions: txt,php,html
[+] Timeout: 10s
===============================================================
2023/02/01 15:58:02 Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 276]
/.php (Status: 403) [Size: 276]
/index.html (Status: 200) [Size: 348]
/javascript (Status: 301) [Size: 315] [--> http://192.168.1.9/javascript/]
/robots.txt (Status: 200) [Size: 47]
/graffiti.php (Status: 200) [Size: 451]
/graffiti.txt (Status: 200) [Size: 139]
/.html (Status: 403) [Size: 276]
/.php (Status: 403) [Size: 276]
Progress: 188652 / 882244 (21.38%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2023/02/01 16:00:32 Finished
===============================================================
The gobuster output reveals graffiti.php and graffiti.txt (plus a 47-byte robots.txt).
Let's see what those files contain.
Visited : http://192.168.1.9/graffiti.php

This page just prints the posted message back on the page.

Let's intercept the graffiti.php request with Burp.

The POST carries both the message text and the name of the file the message is written to, and neither is validated. So we put a PHP reverse shell in the message field and change the target filename to one with a .php extension; the message is then written into a file that Apache will execute as PHP.

Then forward the request, with a listener already waiting on the attacking machine.

Requesting the written file at http://192.168.1.9/1.php executes the PHP, and we receive the initial shell as www-data.

Reading the user flag.

For privilege escalation, manual enumeration turned up nothing interesting, so I ran linpeas.sh on the target.

In the linpeas output, the kernel is flagged as vulnerable to Dirty Pipe (CVE-2022-0847), a flaw in the pipe buffer handling that lets an unprivileged user overwrite page-cache pages of files they can only read. linpeas decides this from the version string, so confirm it before running anything: Dirty Pipe affects kernels from 5.8 up to the fixes in 5.16.11, 5.15.25 and 5.10.102, and nmap's "Linux 5.0 - 5.4" guess above is a TCP/IP fingerprint, not the real kernel version. Check uname -r on the target, and on Debian also uname -v, which carries the package version that the backported fix is tracked in.

Reference: https://gitcode.net/mirrors/r1is/CVE-2022-0847/-/blob/main/Dirty-Pipe.sh
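Before firing the exploit it is worth checking the kernel version against the Dirty Pipe boundaries yourself, since linpeas only matches version strings. The checker below is an added example, not part of the write-up or of the linked exploit repository; the version boundaries are the public ones from the advisory (introduced in 5.8, fixed in 5.16.11, 5.15.25 and 5.10.102), and the sample uname strings in the main block are constructed for illustration. Distro kernels can backport the fix under an old uname -r, which is why it also looks at the Debian package version in uname -v.

```python
"""Decide whether a kernel release is in the Dirty Pipe (CVE-2022-0847) window.

Added example; not from the write-up or the exploit script it references.
"""
import platform
import re

INTRODUCED = (5, 8, 0)
# Stable branches that received the fix: branch -> first patched patch-level.
FIXED = {(5, 10): 102, (5, 15): 25, (5, 16): 11}
LAST_AFFECTED_MINOR = 16   # 5.17 and later shipped with the fix


def parse_kernel_version(release: str):
    """'5.10.0-21-amd64' -> (5, 10, 0); tolerates a missing patch level and any suffix."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unparseable kernel release: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def dirty_pipe_affected(release: str) -> bool:
    """True if the upstream version in `release` lies inside the vulnerable window."""
    major, minor, patch = parse_kernel_version(release)
    if (major, minor, patch) < INTRODUCED:
        return False                       # bug did not exist before 5.8
    if major > 5 or minor > LAST_AFFECTED_MINOR:
        return False                       # 5.17+ and 6.x were never vulnerable
    fix = FIXED.get((major, minor))
    if fix is not None:
        return patch < fix                 # maintained branch: vulnerable until its backport
    return True                            # 5.8-5.9, 5.11-5.14: EOL branches never got the fix


def effective_release(release: str, version_string: str) -> str:
    """Prefer the Debian package version embedded in uname -v (e.g. 'Debian 5.10.162-1'):
    Debian keeps uname -r at 5.10.0-NN-amd64 while the real upstream level moves."""
    m = re.search(r"Debian (\d+\.\d+\.\d+)", version_string)
    return m.group(1) if m else release


def check_running_kernel():
    """Inspect the kernel this script runs on; returns (release_used, affected)."""
    rel = effective_release(platform.release(), platform.version())
    return rel, dirty_pipe_affected(rel)


if __name__ == "__main__":
    # Constructed sample uname strings, not captured from the target.
    samples = [
        ("5.10.0-21-amd64", "#1 SMP Debian 5.10.162-1 (2023-01-21)"),   # Debian 11, patched
        ("5.10.0-11-amd64", "#1 SMP Debian 5.10.92-1 (2022-01-18)"),    # Debian 11, vulnerable
        ("5.4.0-137-generic", "#154-Ubuntu SMP"),                       # too old to be affected
        ("5.13.0-52-generic", "#58-Ubuntu SMP"),                        # EOL branch, vulnerable
    ]
    for r, v in samples:
        eff = effective_release(r, v)
        print(f"{r:22s} -> {eff:10s} affected={dirty_pipe_affected(eff)}")
    print("this host:", check_running_kernel())
```

Treat "affected" as "probably": vendors other than Debian also backport fixes under unchanged version strings, so the definitive test is still the exploit itself on a throwaway file, never on /etc/passwd first.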

Let's run the exploit script (saved as exploit.sh) to get root.

Boom, we are root.
Let's read the root flag.
