Matrix-2 is a medium-level boot-to-root challenge based on Linux kernel 4.9.0-8-amd64 and Debian version 4.9.130-2. It has an intermediate level of difficulty.
Machine IP: 192.168.1.109
Portscan
Work on any machine starts with a port scan.
The Nmap scan shows five open ports: 80, 1337 and 12322 run the “Nginx 1.10.3” HTTP service, port 12320 runs ShellInABox, and port 12321 runs warehouse-sss.
Enumeration
While enumerating the web application running on port 12322, we found a directory traversal vulnerability, specifically in “https://192.168.1.109:12322/file_view.php”.
Using this vulnerability, we discovered a few files, such as:
- “/etc/nginx/sites-available/default”
- “/etc/passwd”, “/var/www/p4ss/.htpasswd”, etc
We also found the credentials for another web application, which runs on port 1337.
Username: Tr1n17y
Password (After Decryption): Admin
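A directory traversal like the one in file_view.php is closed by canonicalising the requested path and confirming it still sits inside the directory being served. The following is an added example, not code from the challenge or from this write-up: a Python containment check run against constructed files plus the paths listed above. The names `resolve_inside`, `PathEscape` and the `docs` directory are hypothetical.

```python
import os
import tempfile

class PathEscape(Exception):
    """Requested path resolves outside the directory being served."""

def resolve_inside(base_dir: str, requested: str) -> str:
    """Canonicalise `requested` under `base_dir`; raise if it escapes."""
    if "\x00" in requested:
        raise PathEscape("NUL byte in path")
    base = os.path.realpath(base_dir)
    # realpath() collapses ../ sequences and follows symlinks, so the
    # comparison below is made on the file that would really be opened.
    # An absolute `requested` makes join() discard `base`; that is caught too.
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        raise PathEscape(f"{requested!r} resolves to {candidate!r}")
    if not os.path.isfile(candidate):
        raise FileNotFoundError(requested)
    return candidate

def demo() -> dict:
    """Run the check over constructed inputs, including the paths from the write-up."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "docs")  # hypothetical served directory
        os.mkdir(docs)
        with open(os.path.join(docs, "readme.txt"), "w") as fh:
            fh.write("public\n")
        with open(os.path.join(root, "secret.txt"), "w") as fh:
            fh.write("outside docs\n")
        # Symlink that lives inside docs but points outside it.
        os.symlink(os.path.join(root, "secret.txt"), os.path.join(docs, "link.txt"))
        requests = ["readme.txt", "../secret.txt", "link.txt", "../../../../etc/passwd",
                    "/etc/nginx/sites-available/default", "/var/www/p4ss/.htpasswd"]
        for req in requests:
            try:
                resolve_inside(docs, req)
                results[req] = "served"
            except PathEscape:
                results[req] = "blocked"
            except FileNotFoundError:
                results[req] = "missing"
    return results

if __name__ == "__main__":
    for req, verdict in demo().items():
        print(f"{verdict:8} {req}")
```

The check compares resolved paths rather than filtering for `../` in the input, which is why the symlink case is blocked as well.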
Gaining User Shell
While enumerating the web application further, we found an image file at “https://192.168.1.109:1337/h1dd3n.jpg”.
The file contains data hidden with steganography; after cracking it with “n30”, we collected the file “n30.txt” and got the user’s password for the ShellInABox service running on port 12320.
We logged in using these credentials.
Username: n30
Password: P4$$w0rd
Privilege Escalation
In the “.bash_history” of the user “n30”, we found a script: morphous 'BEGIN {system("/bin/sh")}'
We ran this script and got a root shell.