Matrix-Breakout: 2 Morpheus BOOT2ROOT CTF VULNHUB WRITEUP

Hey everyone, welcome back to my write-up! Today’s a special day — it’s my birthday — and to celebrate, I’ve decided to share something equally exciting: my walkthrough of the Matrix-Breakout: 2 – Morpheus machine from VulnHub. This is a Boot2Root challenge, and in this post, I’ll walk you through how I approached, enumerated, exploited, and rooted the box. Let’s dive into the rabbit hole and see what Morpheus has in store for us!

Reconnaissance

Let's begin by scanning our target to discover open ports that could serve as potential entry points, using Nmap.

nmap -A -sC -T5 -p- -oN nmap_result.log <target_ip>

Port 22 (ssh), Port 80 (http), Port 81 (http/nginx)

Let's visit the webpage!

Next, I proceeded to enumerate all the subdirectories with Gobuster. I forgot to take a screenshot of the results, haha, but here’s the command I used.

gobuster dir -u http::<target_ip>/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,php,txt -t 10

During the scan, a file named graffiti.php appeared — let’s check it out.

Graffiti Wall = Freedom Wall??? XDD

The next step was to post a message to observe how it responds.

When I submitted a message(kuro), the webpage refreshed and displayed my post.

What’s next? Let’s take a closer look at how it functions and handles data — time to intercept the traffic using BurpSuite.

It seems that whatever we submit on graffiti.php gets saved into graffiti.txt. Here lies a vulnerability — what if I modify the filename? What do you think would happen?

And it works!! As you can see, kurokuro is the only message posted in the response. To verify, let's visit the kurokiri.txt

It works!!

Looks like the application allows full control over both the filename (file parameter) and the content (message parameter) when submitting data through graffiti.php. By intercepting and modifying these parameters using BurpSuite, I was able to create or overwrite arbitrary files on the server with custom content. This type of vulnerability is classified as Arbitrary File Write or sometimes Unrestricted File Upload. It’s particularly dangerous because an attacker can upload malicious files—like web shells—which may lead to remote code execution (RCE) if the server executes those files.

Now it's time to abuse this vulnerability to gain a reverse shell!

Good thing that I have my own collection of payloads in my Github, all we need to do is to copy the PHP payload and treat as the message, modify the IP and Port, then turn the filename to a PHP file.

Success! Now it’s time to execute the payload through the browser — but first, let’s set up our Netcat listener to catch the reverse shell.

nc -lnvp 1234

Trigger the payload in the browser, and we should receive a reverse shell connection!

Time to make our shell interactive!

python3 -c 'import pty;pty.spawn("/bin/bash")'

then ^Z

stty raw -echo && fg

After looking around and finding nothing of interest, I decided to run linPEAS to check for any potential privilege escalation opportunities.

The system appears to be vulnerable to DirtyPipe (CVE-2022-0847), a critical Linux privilege escalation exploit discovered in 2022. It affects kernel versions 5.8 and above, allowing an unprivileged user to overwrite read-only files by abusing flaws in the way the kernel handles pipe buffers. This can be leveraged to inject malicious content into sensitive files, potentially leading to full root access. Given the kernel version on the target, this vulnerability presents a clear path to privilege escalation.

I used SearchSploit to locate and retrieve the exploit script.

To retrieve the exploit

searchsploit -m <exploit_path>

Next thing we did is to transfer the exploit to our target using wget

Let's compile it using gcc

Now, let's execute our exploit!

It seems we need to specify a SUID binary to hijack — in this case, since we're aiming for root access, we'll target /usr/bin/su.

We are root!!!! We've successfully pwned Morpheus!!

Root Flag

This CTF challenge showcased two impactful vulnerabilities that led to a full compromise of the target system. The first was an Arbitrary File Write (AFW) vulnerability, where I was able to manipulate both the filename and the file content via HTTP parameters. This flaw allowed me to write a reverse shell script directly to the server and execute it, establishing a foothold. With initial access obtained, I explored the system further and discovered that it was running a Linux kernel version vulnerable to DirtyPipe (CVE-2022-0847). This critical privilege escalation exploit allowed me to overwrite read-only files and hijack a SUID binary — in this case, /usr/bin/su — to escalate my privileges and gain full root access. By chaining AFW and DirtyPipe, I successfully completed the Boot2Root challenge.