Matrix: 3

[ vulnhub  boot2root  walkthrough  ]

Goal

root

Download

https://www.vulnhub.com/entry/matrix-3,326/

Walkthrough

nmap
alt text

default 80, follow the white rabbit
alt text

after some enumeration nothing found. pulled list of words using cewl
alt text

dirb using newly created list finds directory
alt text

matrix directory
alt text

after some time it becomes clear of what the directory should spell (neo64) and find secret file
alt text

gz file turns out to be txt file with credentials
alt text

hash in file is easily found on md5online
alt text

additional 7331 port requires authentication
alt text

default 7331
alt text

dirb using credentials find dir
alt text

data file for download
alt text

data file is .net
alt text

using dotpeek, credentials found
alt text

guest ssh works but restricted
alt text

vi is available and we can break out of jail
alt text
alt text

searching, find xxx file that is /bin/bash
alt text

checking sudo, /bin/cp can be used by trinity no password
alt text

create ssh keys
alt text

create authorized_keys file and using sudo copy it to .ssh under trinity profile
alt text

ssh as trinity using private key works
alt text

check sudo, file oracle can be run as root and is not yet created
alt text

echo /bin/sh to oracle file, make it executable and run with sudo…root
alt text

root flag
alt text

Written on July 14, 2019
Share on: