Matrix: 2

[ vulnhub  boot2root  walkthrough  ]

Goal

root flag

Download

https://www.vulnhub.com/entry/matrix-2,279/

Walkthrough

nmap
alt text

default 80, nothing special in source
alt text

went back to a detailed nmap, reveals robots.txt and file_view.php on port 12322
alt text alt text

robots just lists file_view.php

alt text

file view shows nothing
alt text

looking at response in burp we need to add more
alt text

pushing to repeater, changing to a post, and adding a file reveals /etc/passwd
alt text

from the nmap we know we’re dealing with nginx
google of nginx conf paths shows there are multiple, found one that revealed some info
alt text

we find some credentials and we know they’re for port 1337 from the nginx conf
alt text

we crack the hash quick with john
alt text

port 1337 in a browser does prompt for credentials
alt text

we get a default page with a username used on the system
alt text

looking at source there’s a hidden image
alt text alt text

downloading image and throwing it at steghide; guessed password of ‘n30’ worked

alt text

we now have a password and no ssh, however looking back at the nmap there’s shellinabox on port 12320
alt text

we can login as n30
alt text

with little enumeration we find a suid file named morpheus
alt text

looks to be gawk
alt text alt text

testing, we can read shadow
alt text

and finally root flag
alt text

Written on April 11, 2019
Share on: