
VulNyx Matrix Box Walkthrough

Difficulty: Medium

Network scan

└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:df:e2:a7, IPv4: 192.168.26.128
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.26.2    00:50:56:e8:d4:e1       (Unknown)
192.168.26.1    00:50:56:c0:00:08       (Unknown)
192.168.26.202  00:0c:29:28:0a:0b       (Unknown)
192.168.26.254  00:50:56:ec:c0:9f       (Unknown)

5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.908 seconds (134.17 hosts/sec). 4 responded

Port scan

└─# nmap -p- -sC -sV 192.168.26.202
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-30 21:28 EST
Nmap scan report for 192.168.26.202 (192.168.26.202)
Host is up (0.0015s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u4 (protocol 2.0)
| ssh-hostkey: 
|   256 67:78:c9:d2:e3:ff:be:fc:9e:13:9a:af:9d:59:17:66 (ECDSA)
|_  256 1a:78:b1:e6:f1:f0:d1:b3:ab:c8:3f:95:fd:46:52:67 (ED25519)
80/tcp open  http    Apache httpd 2.4.62 ((Debian))
|_http-title: Enter The Matrix
|_http-server-header: Apache/2.4.62 (Debian)
MAC Address: 00:0C:29:28:0A:0B (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 64.11 seconds

Getting a webshell

[Figures 2, 0, 1, 6, 3, 4, 5]

At this point I had a good feeling about it, but it seemed like a port was missing.

[Figure 7]

I checked all the domain names and found nothing.

[Figure 8]

Not this one either. I was a bit lost and out of leads, so I went straight to scanning directories; otherwise it would have come down to brute-forcing. At this point the username is known but the password isn't.

[Figure 9]

There is another domain name here.

[Figure 10]

Now there is something to go on.

[Figures 11, 12]

// Chat logic with AJAX
const messages = document.getElementById('messages');
const sendButton = document.getElementById('sendButton');
const spinner = document.getElementById('spinner');

/**
 * Serializes an object to PHP format (similar to serialize() in PHP)
 * @param {string} message - The string message to serialize
 */
function phpSerialize(message) {
    // Note: message.length counts UTF-16 code units, while PHP's s:N counts bytes,
    // so the declared length is only correct for ASCII input.
    return 'O:7:"Message":1:{s:7:"message";s:' + message.length + ':"' + message + '";}';
}

function sendMessage() {
    const input = document.getElementById('input');
    const text = input.value.trim();

    if (text) {
        addMessage(text, 'user');
        input.value = '';

        // Disable button and show spinner
        sendButton.disabled = true;
        spinner.style.visibility = 'visible';

        // Serialize the data to PHP format
        const serializedData = phpSerialize(text);

        // Send the message to the server using AJAX (POST to the current URL)
        const xhr = new XMLHttpRequest();
        xhr.open('POST', '', true);
        xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
        xhr.onreadystatechange = function () {
            if (xhr.readyState === 4) {
                // Enable button and hide spinner
                sendButton.disabled = false;
                spinner.style.visibility = 'hidden';

                if (xhr.status === 200) {
                    addMessage(xhr.responseText, 'bot');
                } else {
                    addMessage('Error: Unable to reach the server.', 'bot');
                }
            }
        };
        xhr.send(`data=${encodeURIComponent(serializedData)}`);
    }
}

function addMessage(text, sender) {
    const message = document.createElement('div');
    message.className = `message ${sender}`;
    message.textContent = text;
    messages.appendChild(message);
    messages.scrollTop = messages.scrollHeight;
}
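The client above builds the PHP-serialized `Message` object itself, so the server receives attacker-controlled bytes in a format meant for unserialize(). As an added example (not code from the Matrix box or from this post), here is how a receiving side would validate exactly that one shape at the byte level instead of deserializing it, together with a byte-correct builder; the names phpSerializeBytes, parseMessageObject and MAX_MESSAGE_BYTES are my own.

```javascript
// Added example, not code from the Matrix box: a strict, byte-level validator
// for the one serialized shape the page's client builds, as a receiving side
// would use instead of calling unserialize() on client-supplied data.
const enc = new TextEncoder();
const dec = new TextDecoder('utf-8', { fatal: true });
const MAX_MESSAGE_BYTES = 4096; // hypothetical cap on echoed message size

// Byte-correct builder: PHP's s:N counts bytes, JavaScript's String.length
// counts UTF-16 code units, so the page's phpSerialize() breaks on non-ASCII.
function phpSerializeBytes(message) {
    const n = enc.encode(message).length;
    return `O:7:"Message":1:{s:7:"message";s:${n}:"${message}";}`;
}

function startsWithBytes(bytes, offset, expected) {
    for (let i = 0; i < expected.length; i++) {
        if (bytes[offset + i] !== expected[i]) return false;
    }
    return true;
}

// Accept only O:7:"Message":1:{s:7:"message";s:N:"<N bytes>";} and return the
// message string; any other class, property, length or trailer yields null.
function parseMessageObject(serialized) {
    const bytes = enc.encode(serialized);
    const head = enc.encode('O:7:"Message":1:{s:7:"message";s:');
    const tail = enc.encode('";}');
    if (!startsWithBytes(bytes, 0, head)) return null;
    let pos = head.length;
    let lenStr = '';
    while (pos < bytes.length && bytes[pos] >= 0x30 && bytes[pos] <= 0x39) {
        lenStr += String.fromCharCode(bytes[pos++]);
    }
    // Decimal length with no leading zeros, followed by :"
    if (lenStr === '' || (lenStr.length > 1 && lenStr[0] === '0')) return null;
    if (bytes[pos] !== 0x3a || bytes[pos + 1] !== 0x22) return null;
    pos += 2;
    const n = Number(lenStr);
    if (n > MAX_MESSAGE_BYTES) return null;
    // The declared length binds the payload: exactly N bytes, then the trailer
    // and nothing after it, so quotes or ";} inside the message cannot escape.
    const payload = bytes.slice(pos, pos + n);
    if (payload.length !== n) return null;
    pos += n;
    if (bytes.length !== pos + tail.length || !startsWithBytes(bytes, pos, tail)) return null;
    try { return dec.decode(payload); } catch { return null; }
}
```

A payload built with the page's phpSerialize() for a non-ASCII message (declared length 2 for "你好", which is 6 bytes) fails this check, as does any serialized object of another class.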

[Figure 13]

[Figures 14, 17]

[Figure 15]

[Figure 16]

This thing echoes the message back to some degree; if you enter enough input, you can get it to echo back what you want.

[Figures 18, 19, 20, 21]

This part was annoying: the host machine couldn't reach it, so I had to go to Kali, and Kali kept freezing.

[Figure 22]

Extremely laggy; I figured I could use HackBar to do it.

[Figure 24]

[Figures 23, 25, 26]

Privilege escalation

www-data@matrix:/var/www/M47r1X.matrix.nyx$ stty rows 43 columns 208
www-data@matrix:/var/www/M47r1X.matrix.nyx$ ls -al
total 40
drwxr-xr-x 2 www-data www-data 4096 Jan 31 12:59 .
drwxr-xr-x 4 root     root     4096 Jan 28 21:00 ..
-rw-r--r-- 1 www-data www-data   31 Jan 31 12:59 cmd.php
-rw-r--r-- 1 root     root      361 Jan 27 02:47 filtrate-backend-matrix.php.txt
-rw-r--r-- 1 root     root     1765 Jan 27 01:04 hoja.css
-rw-r--r-- 1 root     root     4782 Jan 28 23:55 index.php
-rw-r--r-- 1 root     root      806 Jan 27 00:48 matrix.js
-rw-r--r-- 1 www-data www-data  173 Jan 31 12:55 messages.txt
-rw-r--r-- 1 www-data www-data    2 Jan 31 12:49 shell.php
www-data@matrix:/var/www/M47r1X.matrix.nyx$ 

[Figures 27, 28]

This password works for su inside the box, but it can't be used for SSH.

smith@matrix:~$ sudo -l
[sudo] contraseña para smith: 
Matching Defaults entries for smith on matrix:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User smith may run the following commands on matrix:
    (ALL) PASSWD: /usr/bin/rsync

OK, that wraps it up.

[Figure 29]

userflag:13fd11421e33199c2029bc8e5ed94626

rootflag:5f3cae74fbcf1919cc7db7604317187a

This post is licensed under CC BY 4.0 by the author.