Vulnhub:RickdiculouslyEasy: 1

Back again with another vulnhub challenge, this time with a rick and morty themed one. The description of the challenge states that there are 130 points worth of flags and that you should also get root, so I presume you’ll need root to get the last flag.Being a fan of the show, I felt that I had to beat this one, so lets get started.

As per usual, lets fire up nmap and scan the VM.

Nmap scan

# Nmap 7.60 scan initiated Tue Nov 7 02:28:55 2017 as: nmap -p- -sSVC -O -oA nmap 192.168.1.36

Nmap scan report for 192.168.1.36

Host is up (0.00032s latency).

Not shown: 65528 closed ports

PORT STATE SERVICE VERSION

21/tcp open ftp vsftpd 3.0.3

| ftp-anon: Anonymous FTP login allowed (FTP code 230)

| -rw-r–r– 1 0 0 42 Aug 22 05:10 FLAG.txt

|_drwxr-xr-x 2 0 0 6 Feb 12 2017 pub

| ftp-syst:

| STAT:

| FTP server status:

| Connected to ::ffff:192.168.1.35

| Logged in as ftp

| TYPE: ASCII

| No session bandwidth limit

| Session timeout in seconds is 300

| Control connection is plain text

| Data connections will be plain text

| At session startup, client count was 3

| vsFTPd 3.0.3 – secure, fast, stable

|_End of status

22/tcp open ssh?

| fingerprint-strings:

| NULL:

|_ Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic x86_64)

80/tcp open http Apache httpd 2.4.27 ((Fedora))

| http-methods:

|_ Potentially risky methods: TRACE

|_http-server-header: Apache/2.4.27 (Fedora)

|_http-title: Morty’s Website

9090/tcp open http Cockpit web service

|_http-title: Did not follow redirect to https://192.168.1.36:9090/

13337/tcp open unknown

| fingerprint-strings:

| NULL:

|_ FLAG:{TheyFoundMyBackDoorMorty}-10Points

22222/tcp open ssh OpenSSH 7.5 (protocol 2.0)

| ssh-hostkey:

| 2048 b4:11:56:7f:c0:36:96:7c:d0:99:dd:53:95:22:97:4f (RSA)

| 256 20:67:ed:d9:39:88:f9:ed:0d:af:8c:8e:8a:45:6e:0e (ECDSA)

|_ 256 a6:84:fa:0f:df:e0:dc:e2:9a:2d:e7:13:3c:e7:50:a9 (EdDSA)

60000/tcp open unknown

| fingerprint-strings:

| NULL, ibm-db2:

|_ Welcome to Ricks half baked reverse shell…

3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :

==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============

SF-Port22-TCP:V=7.60%I=7%D=11/7%Time=5A0178AF%P=x86_64-pc-linux-gnu%r(NULL

SF:,42,”Welcome\x20to\x20Ubuntu\x2014\.04\.5\x20LTS\x20\(GNU/Linux\x204\.4

SF:\.0-31-generic\x20x86_64\)\n”);

==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============

SF-Port13337-TCP:V=7.60%I=7%D=11/7%Time=5A0178AF%P=x86_64-pc-linux-gnu%r(N

SF:ULL,29,”FLAG:{TheyFoundMyBackDoorMorty}-10Points\n”);

==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============

SF-Port60000-TCP:V=7.60%I=7%D=11/7%Time=5A0178B5%P=x86_64-pc-linux-gnu%r(N

SF:ULL,2F,”Welcome\x20to\x20Ricks\x20half\x20baked\x20reverse\x20shell\.\.

SF:\.\n#\x20″)%r(ibm-db2,2F,”Welcome\x20to\x20Ricks\x20half\x20baked\x20re

SF:verse\x20shell\.\.\.\n#\x20″);

MAC Address: 08:00:27:BF:52:95 (Oracle VirtualBox virtual NIC)

Device type: general purpose

Running: Linux 3.X|4.X

OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4

OS details: Linux 3.2 – 4.8

Network Distance: 1 hop

Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

# Nmap done at Tue Nov 7 04:11:54 2017 — 1 IP address (1 host up) scanned in 6180.25 seconds

Looking through the output, the first flag is right there for you.

FLAG:{TheyFoundMyBackDoorMorty}-10Points (10/130).

There’s also a backdoor on port 60000 and a proxy on port 9090, I’ll save these for later.

A visit to the website hosted on the VM gave a simple webpage. Downloaded the image and checked the source code for some clues but found nothing.home-page

So lets take a look at the proxy site.

flag2 Sweet that makes it flag 2 (20/130). Poked around a bit more, but found nothing.

Moving on, I fired up enum4linux which gave me nothing but nikto found some interesting directories and files.

– Nikto v2.1.6/2.1.5

+ Target Host: 192.168.1.36

+ Target Port: 80

+ GET Server leaks inodes via ETags, header found with file /, fields: 0x146 0x557458caf66e2

+ GET The anti-clickjacking X-Frame-Options header is not present.

+ GET The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS

+ GET The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type

+ OPTIONS Allowed HTTP Methods: GET, POST, OPTIONS, HEAD, TRACE

+ OSVDB-877: TRACE HTTP TRACE method is active, suggesting the host is vulnerable to XST

+ OSVDB-3268: GET /passwords/: Directory indexing found.

+ OSVDB-3092: GET /passwords/: This might be interesting…

+ OSVDB-3268: GET /icons/: Directory indexing found.

+ OSVDB-3233: GET /icons/README: Apache default file found.

Hhhhmmmm, I wonder whats’ in the password directory?
password

Diving into the FLAG.txt file gives us:

flag3

That makes 30/130 points. Going back and looking at the password.html source produced my next clue. Hidden in the source was the password winter, possibly a login for morty?

winter

Searched around a bit more, then decided to go over my nmap scan again to see what else is open. FTP, SSH and the reverse shell. Lets go with FTP first as anonymous login is enabled.

ftp

Downloading the FLAG.txt file to my machine gave me the flag:

flag4

making it 40/130 points.

Before attacking the ssh file I decided to go after the reverse shell.

netcat

That another flag, 50/130 points.

Tried to ssh as morty into the server and kept getting denied, so decided to look around for some usernames and came across the robots.txt file.

robots

Looked at root_sheel.cgi page gave me nothing.

However the tracertool.cgi page definitely gave me something. Since it takes in an ip address and executes a traceroute. This means the page could be vulnerable to command injection and

tracer-tool

boom, passwd file. Here we have a couple of users to try and ssh with now, Morty, Summer and RickSanchez.

summer

Logged in as Summer, tried using cat on the flag, but the creator decided to troll us and give us ascii art instead (not that I’m mad).

cat

So back to using the head command and flag 60/130.

flag6

Searching around, found some interesting files in the directories for Morty and RickSanchez. Ended up downloading them to my pc to inspect them and do what I need to do.

Started off with mortys’ directory. The Safe_Password.jpg file seems interesting, exiftool found nothing but strings came through with.

safe-password

Extracting the journal with the password, gave me a text file.

journal

Flag points 80/130. The journal mentions something about a safe and that the password is 131333. Checking out ricks directory and I find two other folders, RICKS_SAFE and ThisDoesntContainAnyFlags. Naturally, I go after the ThisDoesntContainAnyFlags directory and behold, he was right:

notaflag

Basically got trolled.

Now on to the safe, I couldn’t execute it on my computer, so ssh back in and copied it into Summers directory. Run the file and I get rolled again. Run the file for the second time with the password as an argument:

safe

Now on 100/130 points. The file states something about ricks password being 1 upper case and 1 number plus one of the words from his old band. Turns out rick was in a band, Flesh Curtains. Using crunch to generate the password files and hydra to bruteforce ssh with the username RickSanchez.

hydra

Password: P7Curtains.

Now ssh into the machine as RickSanchez. Lets see what rights rick has:

rick-sudo

He has all the rights. Switch to root user and boom, final flag 130/130 points.

Overall, really liked this CTF and actually learnt something (this person must really like rick and morty to know rick was in a band). Hope we get more in the future which are more challenging.

 

<span>%d</span> bloggers like this:
search previous next tag category expand menu location phone mail time cart zoom edit close