Matrix-Breakout:2 Morpheus
Vulnhub: Matrix-Breakout: 2 Morpheus
OS: Debian
Web-Technology:
IP: 192.168.1.9
=========================================================================
NMAP RESULTS:
22/tcp open ssh syn-ack ttl 64 OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 256 aa83c351786170e5b7469f07c4ba31e4 (ECDSA)
|_ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOWNDAE21hrPYFpJ4+PvruHbth1s+HHqXYEKk12tnsBQE90v34m4qITkv/TFumnzT24uw98ntLc2QnqC1lH3rVA=
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.51 ((Debian))
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-title: Morpheus:1
|_http-server-header: Apache/2.4.51 (Debian)
81/tcp open http syn-ack ttl 64 nginx 1.18.0
|_http-title: 401 Authorization Required
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=Meeting Place
|_http-server-header: nginx/1.18.0
Web Services Enumeration:
→ Visited http://192.168.1.9
=========================================================================
→ Gobuster
└─# gobuster dir -u http://192.168.1.9:80 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.9:80
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.4
[+] Extensions: txt,php,html
[+] Timeout: 10s
===============================================================
2023/02/01 15:58:02 Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 276]
/.php (Status: 403) [Size: 276]
/index.html (Status: 200) [Size: 348]
/javascript (Status: 301) [Size: 315] [--> http://192.168.1.9/javascript/]
/robots.txt (Status: 200) [Size: 47]
/graffiti.php (Status: 200) [Size: 451]
/graffiti.txt (Status: 200) [Size: 139]
/.html (Status: 403) [Size: 276]
/.php (Status: 403) [Size: 276]
===============================================================
2023/02/01 16:00:32 Finished
===============================================================
⇒ In the gobuster results, we've discovered the graffiti.php and graffiti.txt files. Let's enumerate those files.
⇒ Visited: http://192.168.1.9/graffiti.php
⇒ It just renders (echoes) the submitted message back on the same web page.
⇒ Let's intercept the request made by graffiti.php using Burp Suite.
⇒ Let's add the PHP reverse shell in the message section and write that to a file by adding the .php extension.
⇒ Let's send the request.
GETTING THE INITIAL SHELL:
⇒ Let's call the 1.php file that we created in the Burp request and start the netcat listener on port 9001.
⇒ Let's read the user-level flag.
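
⇒ Mitigation sketch (added example, not the machine's own graffiti.php, whose source is not shown here): as the steps above describe it, the page stores the submitted message in a file whose name and extension come from the request. The handler below fixes the storage target server-side and encodes on output; the field name "message" and the storage path are assumptions.

```php
<?php
// Added example: hardened message-board handler. The field name "message" and
// the storage path are assumptions; the original graffiti.php is not shown.
declare(strict_types=1);

// Fixed storage location outside the document root; never taken from the request.
const STORE = '/var/lib/graffiti/wall.txt';   // hypothetical path
const MAX_LEN = 500;

function add_message(string $raw, string $store = STORE): bool
{
    // Collapse control characters (including newlines) so one post is one line.
    $msg = trim(preg_replace('/[\x00-\x1F\x7F]+/', ' ', $raw) ?? '');
    if ($msg === '' || strlen($msg) > MAX_LEN) {
        return false;
    }
    // Append under an exclusive lock. The target is a constant, so the request
    // cannot choose the file name or its extension.
    return file_put_contents($store, $msg . "\n", FILE_APPEND | LOCK_EX) !== false;
}

function render_wall(string $store = STORE): string
{
    $lines = is_readable($store)
        ? file($store, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES)
        : [];
    $html = '';
    foreach ($lines ?: [] as $line) {
        // Encode on output so stored markup or script is displayed as text.
        $html .= '<li>' . htmlspecialchars($line, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "</li>\n";
    }
    return "<ul>\n" . $html . "</ul>\n";
}

if (PHP_SAPI !== 'cli') {
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $message = $_POST['message'] ?? '';
        // Reject arrays and empty or oversized input instead of writing them.
        if (!is_string($message) || !add_message($message)) {
            http_response_code(400);
        }
    }
    echo render_wall();
}
```

Because the stored file is plain text outside the web root, content submitted through the form is never parsed by the PHP interpreter, whatever it contains.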
========================================================================
PRIV-ESC:
⇒ Nothing more interesting was found in the manual enumeration of the machine, so I ran linpeas on the target.
⇒ Found that the machine is vulnerable to the Dirty Pipe exploit (CVE).
⇒ Transferred the exploit to the target machine and ran it...
⇒ Let's read the root flag.