# Matrix-Breakout: 2 Morpheus BOOT2ROOT CTF VULNHUB WRITEUP

Hey everyone, welcome back to my write-up! Today’s a special day — it’s my birthday — and to celebrate, I’ve decided to share something equally exciting: my walkthrough of the *Matrix-Breakout: 2 – Morpheus* machine from VulnHub. This is a **Boot2Root challenge**, and in this post, I’ll walk you through how I approached, enumerated, exploited, and rooted the box. Let’s dive into the rabbit hole and see what Morpheus has in store for us!

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FHh04KvwRrwW9PjQt0HfR%2F6bfcbb252a151933a16fe101c77cc9fa.gif?alt=media&#x26;token=afc6963b-35bf-4ab9-b890-a76ec04ab02c" alt=""><figcaption></figcaption></figure>

**Reconnaissance**

Let's begin by scanning our target to discover open ports that could serve as potential entry points, using Nmap.

`nmap -A -sC -T5 -p- -oN nmap_result.log <target_ip>`

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2F3YelQc4Ntmedy5qrAG1W%2FScreenshot%20(1240).png?alt=media&#x26;token=3605092d-4b16-4c2a-8760-8c1d03f8d8e6" alt=""><figcaption><p>Port 22 (ssh), Port 80 (http), Port 81 (http/nginx)</p></figcaption></figure>

Let's visit the webpage!

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FwCTZ2KbgOSgDIp44yRfe%2FScreenshot%20(1241).png?alt=media&#x26;token=583be360-245e-4596-af6a-99c445d54b7e" alt=""><figcaption></figcaption></figure>

Next, I proceeded to enumerate all the subdirectories with **Gobuster**. I forgot to take a screenshot of the results, haha, but here’s the command I used.

`gobuster dir -u http://<target_ip>/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,php,txt -t 10`

During the scan, a file named `graffiti.php` appeared — let’s check it out.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FBZCwoqeKbAc7y1Vsuup5%2FScreenshot%20(1243).png?alt=media&#x26;token=3592fa0e-41c6-44de-93aa-cb12441241cf" alt=""><figcaption><p>Graffiti Wall = Freedom Wall??? XDD</p></figcaption></figure>

The next step was to post a message to observe how it responds.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2F2k3k8RJayVhhFgadBkLU%2FScreenshot%20(1246).png?alt=media&#x26;token=5a6f5239-3777-4d0c-b284-1cab14d5eeb3" alt=""><figcaption></figcaption></figure>

When I submitted a message (kuro), the webpage refreshed and displayed my post.

What’s next? Let’s take a closer look at how it functions and handles data — time to intercept the traffic using **BurpSuite**.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FRQ6SMdfVFXct2kbMUZCP%2FScreenshot%20(1248).png?alt=media&#x26;token=2f74b508-6eb2-40e0-bc33-71aaad77a626" alt=""><figcaption></figcaption></figure>

It seems that whatever we submit on `graffiti.php` gets saved into `graffiti.txt`. Here lies a vulnerability — what if I modify the filename? What do you think would happen?

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FZZR1HoK1kvOX054BjKvE%2FScreenshot%20(1249).png?alt=media&#x26;token=96cc2788-499e-4cdd-97d3-254be3a1aadb" alt=""><figcaption></figcaption></figure>

And it works!! As you can see, **kurokuro** is the only message posted in the response. To verify, let's visit `kurokiri.txt`.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FDRdgnvtXysJIyXZ06bz1%2FScreenshot%20(1250).png?alt=media&#x26;token=51e66c24-76f8-4627-b6f3-bd1b57f74c9d" alt=""><figcaption><p>It works!!</p></figcaption></figure>

Looks like the application allows full control over both the **filename** (`file` parameter) and the **content** (`message` parameter) when submitting data through `graffiti.php`. By intercepting and modifying these parameters using BurpSuite, I was able to create or overwrite arbitrary files on the server with custom content. This type of vulnerability is classified as **Arbitrary File Write** or sometimes **Unrestricted File Upload**. It’s particularly dangerous because an attacker can upload malicious files—like web shells—which may lead to **remote code execution (RCE)** if the server executes those files.
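The pattern described above, shown beside a hardened form, as an added example that is not the VM's actual `graffiti.php` source or code from this write-up. The parameter names `file` and `message` come from the page; the function names, the `WALL_FILE` path and the `MAX_LEN` limit are assumptions.

```php
<?php
// Constructed sketch of the pattern described above; NOT the VM's real graffiti.php.
// Only the parameter names `file` and `message` are from the write-up.

// BEFORE: the client picks the destination, so any path and extension is accepted.
function save_vulnerable(array $post): void
{
    $file = $post['file'] ?? 'graffiti.txt';
    file_put_contents($file, ($post['message'] ?? '') . "\n", FILE_APPEND);
}

// AFTER: the destination is a server-side constant and `file` is never read.
// Hypothetical location outside the web root, so nothing written here is served or executed.
const WALL_FILE = '/var/lib/graffiti/wall.txt';
const MAX_LEN   = 280; // assumed per-post size limit

function save_hardened(array $post, string $wall = WALL_FILE): bool
{
    $msg = $post['message'] ?? null;
    if (!is_string($msg) || $msg === '' || strlen($msg) > MAX_LEN) {
        return false; // reject arrays, empty posts and oversized input
    }
    $msg = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $msg); // keep one post on one line
    return file_put_contents($wall, $msg . "\n", FILE_APPEND | LOCK_EX) !== false;
}

// Stored posts are data: encode on output so markup in a post is displayed, not interpreted.
function render_wall(string $wall = WALL_FILE): string
{
    $lines = is_file($wall) ? file($wall, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) : [];
    return implode("<br>\n", array_map(
        fn($l) => htmlspecialchars($l, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
        $lines
    ));
}

// Demo against a temp file with a constructed request body.
$tmp = tempnam(sys_get_temp_dir(), 'wall');
$req = ['file' => 'anything.php', 'message' => '<b>kuro</b>']; // `file` is ignored
var_dump(save_hardened($req, $tmp));
echo render_wall($tmp), "\n";
unlink($tmp);
```

If a writable directory has to live under the web root, script execution for that directory should also be disabled in the web server configuration.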

Now it's time to abuse this vulnerability to gain a reverse shell!

Good thing I have my own collection of payloads on my [GitHub](https://github.com/kUrOSH1R0oo/reverse-shell-payloads). All we need to do is copy the PHP payload and use it as the message, modify the IP and port, then change the filename to a PHP file.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2F3Na6V30XWJ7Yfx2US1BS%2FScreenshot%20(1253).png?alt=media&#x26;token=e2ec2cfe-ac0e-490c-8cf4-df0d89d536a6" alt=""><figcaption></figcaption></figure>

Success! Now it’s time to execute the payload through the browser — but first, let’s set up our **Netcat** listener to catch the reverse shell.

`nc -lnvp 1234`

Trigger the payload in the browser, and we should receive a reverse shell connection!

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FGNEwaDLDGNrPpYevCIQ4%2FScreenshot%20(1254).png?alt=media&#x26;token=5236baaa-e12d-4ea0-b9e8-7cc8eb9c78e9" alt=""><figcaption></figcaption></figure>

Time to make our shell interactive!

`python3 -c 'import pty;pty.spawn("/bin/bash")'`

Then press ^Z (Ctrl+Z), followed by:

`stty raw -echo && fg`

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FQ1o0znLAGiajoDiXxVG9%2FScreenshot%20(1256).png?alt=media&#x26;token=a2689abb-2a86-4b85-b57e-e6ffa3740779" alt=""><figcaption></figcaption></figure>

After looking around and finding nothing of interest, I decided to run **linPEAS** to check for any potential privilege escalation opportunities.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2Fw7Xt3gE3ioA57AkkYXVT%2FScreenshot%20(1257).png?alt=media&#x26;token=d430c772-1f58-4c48-b9c1-816d6c3d565b" alt=""><figcaption></figcaption></figure>

The system appears to be vulnerable to **DirtyPipe** (CVE-2022-0847), a critical Linux privilege escalation vulnerability discovered in 2022. It affects kernel versions 5.8 and above, allowing an unprivileged user to overwrite read-only files by abusing flaws in the way the kernel handles pipe buffers. This can be leveraged to inject malicious content into sensitive files, potentially leading to full **root access**. Given the kernel version on the target, this vulnerability presents a clear path to privilege escalation.

I used **SearchSploit** to locate and retrieve the exploit script.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FKIaw6LWAF3CUOFBWytlv%2FScreenshot%20(1260).png?alt=media&#x26;token=461b2dc4-fe7b-4a67-bec4-96772125a215" alt=""><figcaption></figcaption></figure>

To retrieve the exploit:

`searchsploit -m <exploit_path>`

Next, we transferred the exploit to our target using **wget**.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FuBN97iEyIIGX3O9NcHsW%2FScreenshot%20(1262).png?alt=media&#x26;token=bd60fdbc-2a19-44bb-9d3c-57c7fc693303" alt=""><figcaption></figcaption></figure>

Let's compile it using **gcc**.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FWBGnbGZxTomYFLSDmUqS%2FScreenshot%20(1264).png?alt=media&#x26;token=bc988d52-faab-4ffc-9e7b-a5af6af0bbe8" alt=""><figcaption></figcaption></figure>

Now, let's execute our exploit!

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FKVxijEXuexzSNc0ZIhKX%2FScreenshot%20(1265).png?alt=media&#x26;token=decd3440-c3f4-451e-8cf5-b52f5d471053" alt=""><figcaption></figcaption></figure>

It seems we need to specify a SUID binary to hijack — in this case, since we're aiming for root access, we'll target `/usr/bin/su`.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2Fpv0XVDBqocJCrkZzrVNV%2FScreenshot%20(1267).png?alt=media&#x26;token=e204d3be-8a28-4d59-b567-00a8e9f4a060" alt=""><figcaption></figcaption></figure>

We are root!!!! We've successfully pwned Morpheus!!

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2F15KJFMBXM2XTS9Cn4hQU%2FScreenshot%20(1268).png?alt=media&#x26;token=6abcf2c7-eb2d-47f6-8e8d-41a523fb5c6b" alt=""><figcaption><p>Root Flag</p></figcaption></figure>

This CTF challenge showcased two impactful vulnerabilities that led to a full compromise of the target system. The first was an **Arbitrary File Write (AFW)** vulnerability, where I was able to manipulate both the filename and the file content via HTTP parameters. This flaw allowed me to write a reverse shell script directly to the server and execute it, establishing a foothold. With initial access obtained, I explored the system further and discovered that it was running a Linux kernel version vulnerable to **DirtyPipe** (CVE-2022-0847). This critical privilege escalation exploit allowed me to overwrite read-only files and hijack a SUID binary — in this case, `/usr/bin/su` — to escalate my privileges and gain full **root access**. By chaining AFW and DirtyPipe, I successfully completed the Boot2Root challenge.
