“The Matrix” Vulnerable Machine Walk-through
I recently beta tested a pwnable machine called “The Matrix” that is now available on GitHub. Check out my write-up of it below!
Requirements
This machine is a lightweight machine built on Alpine Linux. In order to solve this machine, you will need to install Kali Linux or another hacking operating system as a VM.
Walkthrough
The first thing that I did after installing the VM in VirtualBox was run an nmap scan on it from my Kali box:
nmap -Pn -p- PWN_ADDRESS

We see that two ports are open: 22 (ssh) and 1337 (waste). Further research reveals that waste is a l33t port, or a dummy port. So, I went to my web browser and navigated to PWN_ADDRESS:1337 to arrive in The Matrix:

Scroll down to the bottom left corner and you will find a text box that says “Follow the White Rabbit” that takes a URL for input:

I tried entering http://0 (a localhost URL) and got an error page:

I then decided to inspect the source code and found the first flag!

This error indicated to me that this website is vulnerable to Server-Side Request Forgery (SSRF). This allowed me to browse the file system. I had to figure out who the created user was so I could browse their system for secrets, so I consulted /etc/passwd:

I then found an interesting looking user, Neo. Further research showed that Neo is a character in the Matrix. Perfect!

Once I found that the user was Neo, I started looking to see if there was a metadata instance running on the machine:
http://169[.]254[.]169[.]254/latest/meta-data/iam/security-credential

I found the second flag, {flag2:enter the matrix}, later when looking through source code, but the URL for metadata worked and got me to the picture below!

I then decided to start browsing their home directory for secrets in the default directory and checked /home/neo/.ashrc and found the 3rd flag!


I then figured out that I needed to SSH into the machine. I found the SSH keys in file://home/neo/.ssh/id_rsa and viewed them with the protocol handler of view-source://PWN_ADDRESS:1337. I then downloaded the key and executed chmod 400 id_rsa on it so that I could SSH into the machine!
ssh -i id_rsa neo@PWN_ADDRESS
And congrats!
You’ve hacked the machine!
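From the defender's side, every input used in this walkthrough (http://0, file:// paths and the 169.254.169.254 metadata address) can be rejected before the server fetches anything. The check below is an added example, not code from the machine or its author; the names check_url, literal_ip and system_resolve and the sample URLs are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # rejects file://, view-source:, gopher://, ...

def literal_ip(host):
    """Parse an IP-literal host, including legacy forms such as '0' or '127.1'."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        # inet_aton accepts the short/hex/octal IPv4 forms that HTTP clients also accept
        return ipaddress.ip_address(socket.inet_aton(host))
    except (OSError, ValueError):
        return None  # not an IP literal: treat it as a DNS name

def system_resolve(host):
    """Default resolver: every address the name maps to (scope ids stripped)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [ipaddress.ip_address(i[4][0].split("%")[0]) for i in infos]

def check_url(url, resolve=system_resolve):
    """Return (allowed, reason) for a user-supplied URL the server is about to fetch."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    ip = literal_ip(host)
    try:
        addrs = [ip] if ip else resolve(host)
    except OSError:
        return False, "host does not resolve"
    for addr in addrs:
        addr = getattr(addr, "ipv4_mapped", None) or addr  # unwrap ::ffff:a.b.c.d
        if not addr.is_global:  # loopback, 0.0.0.0, link-local (metadata), RFC 1918
            return False, f"{addr} is not a public address"
    return (True, "ok") if addrs else (False, "host does not resolve")

# Constructed sample inputs mirroring the ones used in the walkthrough
if __name__ == "__main__":
    for u in ("http://0", "file:///etc/passwd", "http://169.254.169.254/latest/meta-data/"):
        print(u, check_url(u))
```

The fetch itself has to connect to the address that was checked and re-run the check on every redirect; otherwise a second DNS answer or a 302 to an internal address bypasses it.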
Special thanks to Ramnath Shenoy Kudpi for creating “The Matrix” and letting me beta-test it. Check his blog out at https://evilenigma.blog/ and follow him on LinkedIn.
You can download the machine at https://github.com/EvilEnigma/TheMatrixVM
Megan Howell (CyberQueenMeg) is a cybersecurity student at Grand Canyon University and an Offensive Security Intern at Cisco Systems. She is a bug bounty hunter who has been featured in Forbes Magazine for her work in AI bias hunting, an open source contributor to programs like BeEF and BlackArch Linux, a former DEF CON speaker, a SkillsUSA Cybersecurity national competitor, a National Cyber Scholar, and a CyberPatriot competitor. You can find her social media profiles at linktr.ee/cyberqueenmeg.