Sunday, November 18, 2018

A lazy night CTF party - Vulnhub - (box Matrix: 1)

Okay so, I had downloaded this (Matrix 1) box a week or so back, but due to some random busyness I just could not get started on it. Also, the thing is that I usually don't engage much in CTFs, but when I feel extremely bored - like super bored - I give myself a chance to get into something interesting and learn new techniques. Anyways, let the story begin.

It all started with booting up the recently downloaded virtual machine's OVA file.

As described in the release information for this box, it said "Matrix is a medium level boot2root challenge." Furthermore, "Difficulty: Intermediate" and "Your Goal is to get root and read /root/flag.txt". Intermediate level - sounds good to me, let's continue.

A quick SYN scan of my network with 'nmap -Pn -sS 192.168.1.0/24 -v' showed me a host with ports 22, 80 and 31337 open. Looking further into those ports with the '-sV' option gave me more detailed information on the services running on them. So it seemed like OpenSSH and Python SimpleHTTPServer were running.

Opening the host IP in the browser (HTTP, port 80) showed me a simple-looking web page with not much information, but with a fancy-looking Matrix message that said "Follow the White Rabbit" "Welcome to the real world, Neo. I'm glad you're here." I thought for a while: Okay! So, where's my White Rabbit? A quick CTRL + U and I got to see something like '<div class="service"><img src="assets/img/p0rt_31337.png"/ width="15">'
This information here seemed interesting! I already knew that port eleet (31337) was open, so it should be something related! For a couple of minutes I thought that this PNG could have some hidden information (maybe something to do with steganography?), but no, my hunch was wrong.

I followed the White Rabbit for now and jumped to port 31337 from my browser. Now I saw a new page with some other fancy-looking message. Just by looking at the heading 'Cypher' I had in mind that this could have something to do with deciphering a message or so. I then performed a quick CTRL + U and there it was! '<!--p class="service__text">ZWNobyAiVGhlbiB5b3UnbGwgc2VlLCB0aGF0IGl0IGlzIG5vdCB0aGUgc3Bvb24gdGhhdCBiZW5kcywgaXQgaXMgb25seSB5b3Vyc2VsZi4gIiA+IEN5cGhlci5tYXRyaXg=</p-->' My instincts were right! "A long fancy-looking text that ends in an equals (=) sign could be base64 encoded or so." - I said to myself. It was indeed base64. The message was "echo "Then you'll see, that it is not the spoon that bends, it is only yourself. " > Cypher.matrix"

This made me feel like "something is echoed into Cypher.matrix", so I sent a GET request to /Cypher.matrix and yes, something was there. I was indeed following down the rabbit hole.


Inside Cypher.matrix was complete chaos, a disaster: all the operators, operands, brackets and signs were floating around in front of my eyes. A quick search regarding the use of these characters "+, -, <, >, [, ], (, )" led me to information about Brainfuck. Sorry, did I say something inappropriate? No, let's continue.

So, it was basically an esoteric programming language. After getting an insight into this, I decoded the message, which said "You can enter into matrix as guest, with password k1ll0rXXNote: Actually, I forget last two characters so I have replaced with XX try your luck and find correct string of password." Okay so, it seems like we are now getting deeper inside the rabbit hole! But we still don't have the full password to the system.
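As an added example (not code from the original post), here is a small Python decoder for the two encodings met above: the base64 hint from the port-31337 page source and a minimal Brainfuck interpreter for a Cypher.matrix-style file. The base64 value is the one quoted above; since the post does not reproduce Cypher.matrix itself, the Brainfuck program below is a constructed stand-in that just prints "Hi".

```python
import base64
# Base64 comment from the port-31337 page source (value quoted in the write-up).
HINT_B64 = ("ZWNobyAiVGhlbiB5b3UnbGwgc2VlLCB0aGF0IGl0IGlzIG5vdCB0aGUgc3Bvb24gdGhhdCBiZW5kcywg"
            "aXQgaXMgb25seSB5b3Vyc2VsZi4gIiA+IEN5cGhlci5tYXRyaXg=")
# Constructed stand-in for Cypher.matrix (the real file is not reproduced here); prints "Hi".
SAMPLE_BF = "++++++++[>+++++++++<-]>.<+++[>+++++++++++<-]>."


def decode_hint(b64: str) -> str:
    """Decode the base64 hint; the trailing '=' padding is the giveaway the write-up spotted."""
    return base64.b64decode(b64).decode("utf-8")


def match_brackets(src: str) -> dict:
    """Pre-compute matching [ ] offsets so loops jump in O(1); rejects unbalanced input."""
    stack, pairs = [], {}
    for i, ch in enumerate(src):
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {i}")
            j = stack.pop()
            pairs[j], pairs[i] = i, j
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")
    return pairs


def run_brainfuck(src: str, max_steps: int = 1_000_000) -> str:
    """Interpret Brainfuck with 8-bit wrapping cells; non-command characters are ignored."""
    pairs = match_brackets(src)
    tape, ptr, pc, out, steps = [0] * 30000, 0, 0, [], 0
    while pc < len(src):
        steps += 1
        if steps > max_steps:  # a looping program must not hang the decoder
            raise RuntimeError("step limit exceeded")
        ch = src[pc]
        if ch == ">":
            ptr += 1
        elif ch == "<":
            ptr -= 1
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif ch == ".":
            out.append(chr(tape[ptr]))
        elif (ch == "[" and tape[ptr] == 0) or (ch == "]" and tape[ptr] != 0):
            pc = pairs[pc]
        pc += 1
    return "".join(out)
```

Feeding the real Cypher.matrix contents to run_brainfuck() is how the guest/k1ll0rXX hint quoted above would be recovered.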

So, I used the command "cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 2 > char-file", which generates random two-character alphanumeric strings and writes the list of them into char-file. From that file I created a dictionary file for my bruteforce, since we already knew that the SSH port was open.

"awk '{print "k1ll0r"$0}' char-file > password-list" would then create the password file to use for the bruteforce.

I knew that Metasploit would be helpful in this case, so I fired up a shell, started msfconsole and used the 'auxiliary/scanner/ssh/ssh_login' module. Username guest, my dictionary file, a wait of a couple of minutes and bang! We now had a matching password and a session opened for us. I interacted with the session we had just established with 'sessions -i 1'. A Python-spawned shell and we're in! We now had a working shell on the box!


I then listed the present working directory from the shell and saw that there was one unusual directory, prog. 'Prog is short for Programs; it probably has an executable program and maybe I can reverse that program and spawn a root shell. Or maybe the executable has misconfigured access permissions or something like that' is what I thought at the moment after noticing the Prog directory.


Excuse me, did I just see a vi? 'vi is a text editor; it has always helped people get down to a root shell. Am I getting luckier, or is the white rabbit calling me?' is what I thought again. I then opened a vi editor. ":/bin/bash -i" and bam! I then got a full-fledged guest shell on the box from my Python-spawned shell.


Our goal is to root the box, collect the flag and move on. So, looking for the allowed sudoers commands with 'sudo -l' showed something like "(ALL) ALL". How cool is that? "sudo /bin/bash" - enter the guest password that we previously found and bingo! We're now root and have officially pwned the box.


Cat the flag and we've got it!


Anyways, Matrix1 was interesting. I hope to follow the white rabbit deeper down the path in the upcoming days. Thanks unknowndevice64 for building the matrix!


'I know what you're thinking, 'cause right now I'm thinking the same thing. Actually, I've been thinking it ever since I got here: Why oh why didn't I take the BLUE pill?' or 'Perhaps we are asking the wrong questions.'