Matrix 1: A walkthrough

I came across the Matrix:1 VM hosted on VulnHub by Ajay Verma and decided to give it a whirl. With a difficulty level of Intermediate, one flag to find and content inspired by the Matrix trilogy, this was a fun machine to root. You can download this VM from here and stop reading if you want to complete the challenge yourself!

Host Discovery

I started off with a network scan to find the target with netdiscover.

netdiscover -r


There it is:

Information Gathering

My next step was to scan the machine with Nmap and discover the open ports. Nmap found 22/tcp, 80/tcp and 31337/tcp open.

On accessing port 80, at first glance, it seemed like there was nothing except a message asking us to “Follow the White Rabbit”. On closer inspection, I noticed a tiny rabbit on the bottom of that page and I decided to inspect it. I then saw that the name of that image was “p0rt_31337”.

Taking the hint, I decided to move on and take a look at the webpage on port 31337. Nothing caught my attention on the Cypher webpage. However, on inspecting the page source, I found a string that looked like it was Base64 encoded. Passing it through a decoder gave me:

echo “Then you’ll see, that it is not the spoon that bends, it is only yourself.” > Cypher.matrix

This looked like a command in bash to save the string “Then you’ll see, that it is not the spoon that bends, it is only yourself.” into the file “Cypher.matrix”.

On accessing the URL, I downloaded a file containing some junk (or what I thought was junk) characters.


This is where I got stuck for a while and I was not really sure of what to make of that file or its contents. Finally, after some Google-Fu, I found Brainfuck, a programming language known for its minimalism. I used an online interpreter and deciphered the file.

So the file said that the password of the user “guest” starts with k1ll0r and we need to figure out the last two characters. I decided to use Crunch and create a wordlist, with all possible combinations, that I can use as a password list for bruteforcing the SSH service.

After the wordlist was created I proceeded to bruteforce the SSH service using Medusa. Success! The password is k1ll0r7n.

Restricted Shell

After accessing the server via SSH, I found myself in a frustrating restricted shell - rbash.


I logged out and logged back in using the following command, making use of the fact that SSH executes appended commands upon login, and broke out of rbash.

ssh guest@ -t "bash --noprofile"
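
The breakout above works because sshd passes a client-supplied command to the account's login shell instead of starting the interactive restricted session; the ForceCommand directive in sshd_config removes that choice. As an added example (not part of the original walkthrough), this Python check lists restricted-shell accounts with no effective ForceCommand. The passwd and sshd_config samples and the guest-session command name are constructed, and only "Match User" and "Match all" blocks are evaluated.

```python
import fnmatch

# Constructed sample input (not taken from the VM).
PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
          "guest:x:1000:1000::/home/guest:/bin/rbash\n"
          "kiosk:x:1001:1001::/home/kiosk:/bin/rbash\n")
SSHD_WEAK = "PasswordAuthentication yes\n"
# guest-session is a hypothetical wrapper name used only for illustration.
SSHD_FIXED = SSHD_WEAK + "Match User guest,kiosk\n    ForceCommand guest-session\n"

def restricted_users(passwd_text, shells=("rbash",)):
    """Accounts whose login shell (passwd field 7) is a restricted shell."""
    rows = [l.strip().split(":") for l in passwd_text.splitlines()]
    return [f[0] for f in rows if len(f) == 7 and f[6].rsplit("/", 1)[-1] in shells]

def _user_matches(user, pattern_list):
    """ssh pattern-list: comma separated, '!' negates, a negated hit wins."""
    pats = pattern_list.split(",")
    if any(p.startswith("!") and fnmatch.fnmatchcase(user, p[1:]) for p in pats):
        return False
    return any(not p.startswith("!") and fnmatch.fnmatchcase(user, p) for p in pats)

def forced_command(user, sshd_config_text):
    """Effective ForceCommand for user, or None. Simplification: only
    'Match User <list>' and 'Match all' are evaluated; other criteria
    (Group, Address, ...) are treated as not matching."""
    first, in_match, applies = {}, False, True
    for raw in sshd_config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key, arg = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            in_match, crit = True, arg.split()
            applies = (len(crit) == 1 and crit[0].lower() == "all") or (
                len(crit) == 2 and crit[0].lower() == "user"
                and _user_matches(user, crit[1]))
        elif key == "forcecommand" and applies:
            first.setdefault(in_match, arg)  # first value per scope wins
    cmd = first.get(True, first.get(False))  # a Match block overrides global
    return None if cmd is None or cmd.lower() == "none" else cmd

def audit(passwd_text, sshd_config_text):
    """Restricted-shell users whose SSH client can still choose the command."""
    return [u for u in restricted_users(passwd_text)
            if forced_command(u, sshd_config_text) is None]
```

Run audit() against copies of /etc/passwd and sshd_config; any name it returns can still replace its restricted session with a command chosen at login.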



On enumerating the machine, I checked the sudo configuration for the guest user and found that the user has permissions to execute all available commands. It was then a matter of just switching to the root user!


Well, here is the flag!