CTF - RickdiculouslyEasy



AUTHOR’S DESCRIPTION:

This is a Fedora server VM, created with Virtualbox.

It is a very simple Rick and Morty themed boot to root.

There are 130 points worth of flags available (each flag has its points recorded with it), you should also get root.

FLAG 1: (10 points)

Let’s get started. Instead of going the nmap route first, I decided to see what was on the Victim VM. From what I can gather, the Victim VM has given me an IP address already (192.168.56.3).

I opened up Firefox and browsed to the IP address.

Lol! It’s given me a picture of Morty (he’s my fav character!). Looks like it’s not finished yet. I love how there is a personal touch with this. On the Victim VM, I can see that port 9090 is open, so let’s browse to that location with the IP address: 192.168.56.3:9090

Easy! Managed to get the Flag! 10 Points for me!! (10/130 points)

DISCOVERY:

Since we don’t need to enter the command netdiscover, because we already obtained the IP address, let’s go straight to nmap.

nmap has given me a couple of results:

  • Port 21 — FTP seems to be open with Anonymous login. This will be my first step.
  • Port 22 — I can see that it has given me valuable information such as the Ubuntu 14.04.5 LTS version.
  • Port 80 — This is running Fedora Apache httpd 2.4.27
  • Port 9090 — This is running a Cockpit web service. May need to google what this is.

FLAG 2: FTP (10 points)

Let’s have a look at this avenue. I entered the command ftp 192.168.56.3. Entered in the username of Anonymous. I typed in ls to list the files in the directory. I can see that there is a flag called FLAG.txt. I downloaded this to my host computer by typing in get FLAG.txt. To exit the FTP session, I typed in exit.

From here, I cat FLAG.txt to see the contents. YAY!

So far, I have retrieved 20 points. Let’s go to the next enumeration. (20/130 points)

NIKTO:

Let’s scan the web server for known vulnerabilities. I do this by typing in the command nikto -h 192.168.56.3. Below are the results.

Something that caught my attention was the /password section of the results. Let’s browse to that with a web browser and see what we can find. It also states that the HTTP TRACE method is active, suggesting the host is vulnerable to XST.

FLAG 3: (10 points)

I opened up Firefox and typed in 192.168.56.3/passwords. I can see that there are two files located in this directory. Let’s see what is in the FLAG.txt

Earned another 10 points!! So now, I have (30/130 points) all together. YASS! I’m going to go back and click on the passwords.html file to see what it says. Below are the results.

I love how the creator of this VM has done this, making it sound like Rick talking.. It’s so much more fun!! Lol, Morty, clueless as always storing passwords in password.html (But I love him anyway). It states that Rick has hidden this, so I’m going to view the source code. Right click on the blank space and click on view source code.

Awesome! Gives me a password: winter. I will be saving this later as I think this password will be useful. I think this is all for the /password directory.

NMAP.. again!

I’m going to try another nmap, however this time I will try different options instead. I have restarted my Victim VM, and the IP address is now 192.168.56.4 instead. This will be the IP for the rest of this write-up.

nmap 192.168.56.4 -O -sV -p- -T4

I knew I was missing something — above there are a couple of ports that were missing from the first nmap scan.

FLAG 4: (10 points)

I can see that there is another flag from the results of the new nmap scan! Let’s see if we can probe port 13337.

New ports to investigate:

  • 13337 — unknown
  • 22222 — ssh
  • 60000 — unknown

Firstly, the port states it’s unknown — so I tried different protocols to see which one works. I managed to get it working by typing in netcat 192.168.56.4 13337. I secured the next flag! (40/130 points)

FLAG 5: (10 points)

I did the same with port 60000: netcat 192.168.56.4 60000. This has given me a shell. I typed in ls to list the files. I can see that there is a file called FLAG.txt. I typed in get FLAG.txt, which resulted in an error. I typed in cat FLAG.txt, which gave me the next flag! A total of 5 flags for me!! (50/130 points)

DIRB:

I’m going to try another webscanner called dirb. I type in dirb 192.168.56.4 -w /usr/share/wordlists/rockyou.txt

This targets the URL with the wordlist text file called rockyou.txt. The results are below:

As you can see from the results, we have identified a couple of directories which are interesting.

I opened up both of these webpages in Firefox and was able to see some interesting things.

Let’s have a look at the first one called root_shell.cgi

It’s given me an Under Construction in the body. From here I right-clicked and clicked on view source. Lol, I think Rick is trolling me.. I don’t know how I feel about this..


On to the next one which is /cgi-bin/tracertool.cgi. I opened up Firefox and typed in 192.168.56.4/cgi-bin/tracertool.cgi

Cool! So it’s given me a section where I can enter the IP address and click on Trace. Perhaps this is something like tracert? I enter the IP address of the Victim VM, 192.168.56.4, and receive the following

Funny thing is that it has given me the result of localhost.localdomain. Then it has given me the IP address and the hops that have occurred. Not sure what to do in this section, so I just typed in whatever I could to test what this tool does. Strange thing is that it has accepted the command localhost. Then I tried different commands such as localhost; id and localhost; pwd and localhost; ls

So what this tells me is that I can use localhost; (command) to basically have command execution on the Victim machine through this tracer tool! Pretty neat. From here, I ask myself, how can I find out some usernames or passwords on a Linux machine? Usually /etc/shadow and /etc/passwd can give me this. So my next step is to cat /etc/shadow and cat /etc/passwd.
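The tracer tool behaves like a CGI script that pastes the form field straight into a shell command line, which is why localhost; id runs a second command. As an added example (not the VM’s own CGI code, which the write-up never shows), this Python sketch contrasts that weak pattern with a version that validates the target and runs the program without a shell; the function names and the assumption that traceroute is the underlying command are mine.

```python
import ipaddress
import re
import subprocess

# Hostname labels: letters, digits and hyphens, no leading/trailing hyphen, dot-separated
_HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def unsafe_shell_line(target: str) -> str:
    """The weak pattern the tracer tool behaves like: the form field is glued into
    one shell command line. Nothing is executed here; it only shows the string the
    shell would parse. With 'localhost; id' the shell sees two commands."""
    return f"traceroute {target}"


def is_valid_target(target: str) -> bool:
    """Allow only a literal IP address or a plain hostname. Anything else
    (';', '|', '&', '$(', spaces, ...) is rejected outright rather than escaped."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return len(target) <= 253 and _HOSTNAME_RE.fullmatch(target) is not None


def hardened_argv(target: str) -> list:
    """Validate, then hand the target to the program as a single argv element,
    so no shell ever parses user input."""
    if not is_valid_target(target):
        raise ValueError(f"rejected target: {target!r}")
    return ["traceroute", target]


def run_trace(target: str) -> str:
    """Run the hardened command with shell=False and a timeout; returns stdout."""
    proc = subprocess.run(hardened_argv(target), capture_output=True, text=True,
                          timeout=60, check=False)
    return proc.stdout


if __name__ == "__main__":
    # Constructed inputs: the VM address, the harmless probe, and the injection from the write-up
    for candidate in ("192.168.56.4", "localhost", "localhost; id"):
        print(f"{candidate!r:20} shell line: {unsafe_shell_line(candidate)!r:28} "
              f"accepted: {is_valid_target(candidate)}")
```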

I tested this on my personal laptop to see if this is possible without root access.

I was pretty sure that you need admin access to access the shadow directory, but not the passwd (needed to test this to validate my thought process). What I’ll do now is I’ll cat /etc/passwd to see what users are on the Victim Machine through the tracertool.

Ok, it’s given me a picture of a cat lol. RICK!!

I’m going to use another command to print the last part of the passwd file. I type in tail /etc/passwd

YAS! Ok!! This is good. It’s given me a couple of usernames: RickSanchez, Morty and Summer. Summer is Morty’s sister by the way!

I love Summer’s quote in one of the episodes:

“If you think my top is cute, you cannot execute.”

With this information (not the cute top, but the usernames) I will try the password that I have gathered in the /password directory earlier.. The password is winter. My thought process is thinking, I will try Summer as the username. Summer and Winter = It just makes sense to me..

FLAG 6: (10 points)

I typed in ftp 192.168.56.4. I typed in Summer:winter for the user credentials and I’m in! I listed the contents by typing in ls. Then I downloaded the FLAG.txt by typing in get FLAG.txt.

cat FLAG.txt confirmed that this is the right flag 

I have now a total of 6 Flags = (60 points / 130 points)

SSH SUMMER@192.168.56.4 -P 22222

I’m going to try and ssh with the credentials that I just found as well. I type in ssh Summer@192.168.56.4 -p 22.

This didn’t work. I will now try on port 22222, as the new nmap results state that this is open. This worked!

I wanted to browse to see what kind of things I can find within this box. I typed in pwd, to see where I am located in the system. I typed ls to list the files that are currently in the directory. The FLAG.txt is there, which I have already captured through my FTP session with Summer. I cd to change directory back into home, then ls to list the files. I can see Morty and RickSanchez home folder.

I cd into Morty and ls the files again. I can see that there are two files called journal.txt.zip and Safe_Password.jpg

I used the cp command to copy the contents from this folder to /home/Summer. As I have the username and password for Summer, I will have read and write access on this folder.

I cd into RickSanchez. I ls to list the files in the directory. I can see that there are two folders called RICK_SAFE and ThisDoesntContainAnyFlags.

I cd into RICK_SAFE. I ls to list the files in this directory and can see that there is a file called safe. I used the cp command to copy the contents to /home/Summer.

After this, I cd into the folder called ThisDoesntContainAnyFlags. I used ls to list the files in the directory and can see a file called NotAFlag.txt

I used the tail command to list the contents of the NotAFlag.txt…..

ARGHHH RICKK!!!

Rick trolls me again! Love it!! Now that the contents are in the /home/Summer folder, I will go ahead and use the FTP protocol to download them to my Kali machine to investigate further.

FTP SUMMER@192.168.56.4 -P 22222

I typed in ftp 192.168.56.4 and used the username and password Summer:winter. I list the contents within the directory by using ls -ahl, and can see it is identical.

I typed in the command get to download the files from the FTP session to my Kali machine.

Now that the files are on my Kali machine, I will go ahead and see if I can unzip the journal.txt.zip. I used the unzip command to achieve this. It has given me a password prompt, so I typed in winter. Doesn’t work. This would be Rick’s password or something..

I gave up with this. I’ll have a look at what the other file does. I opened the Safe_Password.jpg file by typing in xdg-open Safe_Password.jpg

Its just Rick..

This took me a while to figure out as I used heaps of hints online. I learned that I can use the command called strings to print the characters within files. So that’s exactly what I did… What do you know? strings Safe_Password.jpg

This printed a bunch of gibberish and I couldn’t see much, so I piped it to less

The Password for the journal.txt.zip is Meeseek.

Let’s use that password to unzip the journal.txt.zip.

FLAG 7: (20 points)

I typed in unzip journal.txt.zip. Entered the password Meeseek. I typed in cat journal.txt to view the contents. I GOT THE FLAG!! 20 points!! (80/130)

Further to this, it gives a little comment about Rick’s secret. Also, the {131333} is interesting, as the other flags previously have given me little captions or quotes from the TV series. Is that another password?

SAFE FILE: (20 Points)

Now onto the last file that I have downloaded onto my Kali machine called safe. Firstly, I wanted to see what kind of file this is, so I used the command file.

I can see that this is an ELF 64-bit LSB executable. I have no idea what this means, so I used a lifeline: google (lul)

So it’s just an executable file. I typed in ./safe on my Kali box and it wouldn’t work, giving me a permission denied error. I’m going to ssh back into the box with Summer:winter and try and run it there.

So I’m back SSH’ing into the box and typed in ./safe and it’s given me an output.

Past Rick to present Rick, tell future Rick to use GOD DAMN COMMAND LINE AAAAHHAHAHGGGGRRGUMENTS!

I love the different episode quotes! I’m going to try the {131333} argument after the ./safe.

./safe {131333}

Ok this didn’t work. I’ll try ./safe 131333. Worked!! GOT THE FLAG!! 20 points!! (100/130 points)

It’s also given me Rick’s password hints. What this is telling me is that I need to write a script that looks for 1 upper case character, 1 digit, and one of the words in his old band name.

I’m not that much of a fan to know his band name by heart, so I’m going to google. Be right back!

Cool! His old band name is Flesh Curtains

So I assume I would have to write a script that meets these criteria. After this, I would use hydra to brute force against his username, which is RickSanchez, with the word list that I just created..

Great! Now how do I write a script?


CRUNCH:

Doing A LOT of research and googling, I found out that I can create a wordlist by using the tool called crunch. I pull up the man page by typing in man crunch.

Basically, what I need to do is to create two files, or maybe one file with the arguments that match the requirements. From the clues that were given, we need to have 1 upper case, 1 Number, and One of the words Flesh Curtains.

crunch 7 7 -t ,%Flesh > rickpassword.txt

What this means is:

  • 7 7 — Seven character minimum and maximum length
  • , — This will insert an upper case character
  • % — This will insert a number
  • Flesh — Flesh will also be used for the word list.
  • > — This redirects the output of crunch into a file called rickpassword.txt

crunch 10 10 -t ,%Curtains >> rickpassword.txt

The only thing that is different with this is:

  • 10 10 — Ten character minimum and maximum length
  • >> — This appends the output of crunch to the end of rickpassword.txt, so the file is not overwritten and ends up with the output of both commands.

WORD LIST FILE:

As you can see here, I cat the file rickpassword.txt. It’s just a bunch of jumbled words created by crunch with the parameters given. I did a word count and there are 520 lines. I will use Hydra against this word list to hopefully crack his password.

HYDRA BRUTE FORCE:

I typed in:

hydra -l RickSanchez -P rickpassword.txt ssh://192.168.56.4 -p 22222

Hydra will brute force against the username RickSanchez with the wordlist that I just created, called rickpassword.txt. This will be done against the Victim Machine, 192.168.56.4, on port 22222.

YASSS!! I managed to get his password!!! P7Curtains!!!

Lets try and ssh into the Victim machine with his username:password / RickSanchez:P7Curtains

SSH RICKSANCHEZ@192.168.56.4 -P 22222

I ssh as Rick and it works! I feel myself getting so close!!


From here I typed in id, and can see he is in the group called wheel. From my working experience, I know that a member of the wheel group will be able to sudo to root.

I immediately tried sudo -i, entering his password P7Curtains. I’m ROOT! I ls to list the directory and observed that there is a FLAG.txt. I cat FLAG.txt; obviously this doesn’t work and gives me a cat in ASCII format (I should have known).

So I tail FLAG.txt and get the last flag!! HOOORAYYYYYYYYYYYYYYYYYYYYYYYYY!!!! (130/130 points)

LESSONS LEARNED:

This was a massive one for me.. There were so many things that I didn’t know, but after doing a couple of CTFs, I am getting the hang of it. Some hurdles that occurred were:

  • Downloading files from SSH to my Kali machine. I couldn’t do it. I googled the scp command and tried it so many times, however it failed. Luckily the FTP port was open, so I used cp instead to the home directory, then used FTP to download it with the command get. However, if FTP was not enabled, then I would have been stuck.
  • Strings — This is a first for me, which I will keep in my tool box.
  • Crunch — Learning to create wordlists was challenging to say the least.. However, I’m happy that my basic Linux knowledge let me pipe things across. Reading the manual and a lot of trial and error (hours) helped me.
  • Tracertool — That tracertool took me a long time to figure out what it actually was. More or less a code execution platform. I have to remind myself that even the most basic things can arise in different forms. I just need to try harder.

SUMMARY:

This has been a real challenge for me. I’m super happy that I captured all the flags, and although there were many nights that I revisited this, I’m excited about my progress so far.