CTF – Rick and Morty

It is a very simple Rick and Morty themed CTF. There are 130 points worth of flags available (each flag has its points recorded with it), and you should also get root. This was my walkthrough…

My Setup

Image at https://www.vulnhub.com/entry/rickdiculouslyeasy-1,207/

My Hints

If you are currently trying to solve this CTF yourself and have stumbled upon this page, below are some hints you should try before giving in and looking at the solution.

  • did you nmap all TCP ports, or just the default?
  • try a nikto scan on TCP 80
  • is there a robots file on TCP 80? what's it hiding?
  • if you are getting permission denied trying to run something, maybe try copying it elsewhere?
  • for the last big flag look into crunch and hydra – both installed by default with Kali

My Solution

A quick nmap ping scan finds the target.

A more detailed scan shows what open ports we have. Only later on did I realise there were more ports open…

Flag 1

Let's start with FTP, as it looks like there is an easy flag there. Using the Kali built-in lftp client to connect anonymously. 10 / 130 points

Flag 2

Next let's check out the open HTTP port. Let's run Nikto (a basic web server vulnerability scanner). This finds 2 interesting directories we can explore later.

Next, open up Burp Suite and set the browser's proxy to the default port Burp Suite is listening on. In Burp Suite, turning off Intercept in the Proxy settings and then opening the page in Firefox doesn't reveal much.

Spidering the host in Burp Suite reveals a robots.txt file that shows a few paths we can explore.

/cgi-bin/tracertool.cgi – brings up Morty's tracert tool, which appears to have some room for command injection. Typing in the localhost IP gives the results below.

But if we append a pipe “|” symbol to the end of the IP address followed by another command such as whoami, we can get it to execute additional commands. This shows the web server is running as the user apache.

It appears the cat command is filtered, but we can use the tail command instead to see what other users are on this machine. These will come in handy later on.

Running an ls command in /var/www/html shows what files/folders are on the web server. Let's check out the passwords directory!

Located at /passwords/FLAG.txt we find the next flag. 20 / 130 points

Yeah Morty, real clever. We also find in the source code of /passwords/passwords.html a password of “winter”.

/cgi-bin/root_shell.cgi – sounds interesting, but I couldn't find anything here; I suspect it's a red herring. As a side note, if we try /cgi-bin/tracertool.cgi?ip=localhost|cat root_shell.cgi (or cat on any other file) we get a lovely picture of a cat. Running the tail command instead, we see that there is nothing interesting in this file.
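The tracertool bug above is the classic "parameter pasted into a shell string, guarded by a keyword blacklist" pattern. As an added example (not the CTF's own CGI code; function names are assumptions), here is that vulnerable shape next to a hardened handler that accepts only a literal address and never invokes a shell, so the pipe trick has nothing to act on:

```python
"""Added example: why the 'cat' blacklist in a tracert-style CGI fails, and a
hardened form. Not the VM's real script; names are assumptions."""
import ipaddress
import shlex
import subprocess

BLOCKED_WORDS = ("cat",)  # the kind of blacklist the walkthrough bypasses with tail


def build_vulnerable_command(ip_param: str) -> str:
    """Vulnerable pattern: the parameter is pasted into a shell command line.

    Stripping the word 'cat' leaves the pipe intact, so a value such as
    'localhost|tail /etc/passwd' still runs a second command.
    """
    cleaned = ip_param
    for word in BLOCKED_WORDS:
        cleaned = cleaned.replace(word, "")
    return f"traceroute {cleaned}"  # would be handed to a shell (do NOT do this)


def build_hardened_argv(ip_param: str) -> list:
    """Hardened pattern: allow-list the input (a literal IP or 'localhost') and
    build an argv list for subprocess.run(shell=False), so no shell
    metacharacter is ever interpreted. Raises ValueError on anything else."""
    value = ip_param.strip()
    if value != "localhost":
        try:
            value = str(ipaddress.ip_address(value))  # ValueError on '1.2.3.4|id'
        except ValueError:
            raise ValueError(f"rejected traceroute target: {value!r}") from None
    return ["traceroute", value]


def is_safe_target(ip_param: str) -> bool:
    """True if the hardened validator would accept this parameter value."""
    try:
        build_hardened_argv(ip_param)
        return True
    except ValueError:
        return False


def run_traceroute(ip_param: str) -> str:
    """Run the hardened form; argv is passed verbatim, no shell involved."""
    proc = subprocess.run(build_hardened_argv(ip_param),
                          capture_output=True, text=True, timeout=60)
    return proc.stdout


if __name__ == "__main__":
    print(build_vulnerable_command("localhost|tail /etc/passwd"))
    print(shlex.join(build_hardened_argv("127.0.0.1")))
    print(is_safe_target("127.0.0.1|whoami"))
```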

Flag 3

Moving onto the alternative HTTP login on 9090, we find another easy flag. I spent some more time here looking for SQLi and through the Burp Suite details but couldn't find anything interesting. 30 / 130 points

Flag 4

Moving onto SSH, I had a few user names and a password I wanted to try, particularly Summer/Winter. I spent a while here trying to figure this out, seeing if we had to modify files like /etc/hosts.allow via command injection on the tracertool.cgi page. I also tried rebooting hosts and confirming SSH was actually working with another host.

I eventually ran a full nmap scan of all TCP ports (-p- or -p1-65535), as the default only scans a select few – lesson learnt. (“The default is to scan all ports between 1 and 1024 as well as any ports listed in the services file which comes with nmap“). Note this took an hour and a half to run.

nmap -p- 192.168.56.102

Examining the open ports more with nmap -A -p13337,22222,60000 192.168.56.102 gives another easy flag, plus another port SSH is running on.

This looks better. Netcatting to 13337 confirms another flag. 40 / 130 points

Flag 5

Netcatting to 60000 gives another flag. While it showed I was root, there wasn’t really anything else in here I could access. 50 / 130 points

Flag 6

Let's try SSH again.

Another flag is found in Summer's home directory. 60 / 130 points

A quick fancy search to see if we can find any other flags under Summer's account. Unfortunately we have already found all of these; anything else we don't have access to yet.

Flag 7

Let's now try to elevate our privileges or move laterally into the Morty or RickSanchez accounts.

Starting with Morty we find 2 files in his home directory. When we try to unzip the journal file a password prompt appears. Assuming the image will help us unlock this.

As we can't open images in the terminal, let's copy this back to our Kali box with the secure copy command (scp) to investigate.

Opening it up visually, there is nothing in the picture itself.

I tried a few methods, all of which were unsuccessful: checking whether the image is really a zip file, the "cat text and image into a new image" method, looking at the image metadata, and checking with binwalk.

The solution I found to work was just opening the image in a text or hex editor (hexeditor Safe_Password.jpg), which showed the password “Meeseek”.

Trying to unzip the journal into Morty's home folder will give you an error, as summer does not have permissions there. But we can copy it back to her folder and then unzip it. This had me for a while as I thought the password may have been wrong.

This gives another flag (yay flags). 80 / 130 points

Flag 8

Moving onto Rick's home folder we find 2 directories.

The folder as stated has no flags in there. Well played Rick.

The other folder contains an ELF executable.

Again, no permission to execute in there, so we copy it back. Running it shows nothing useful. I also tried to tail the file, which shows nothing interesting.

I fiddled around with this for a while and eventually used the flag from Morty's journal file. Rick also hints at command line arguments. Also, when using ./safe --help it mentions decrypt, so I assumed it needed a key. 100 / 130 points


Flag 9

Assuming from the last hint, we need to break Rick's password with the details given below.

Rick's password hints: (This is in case I forget.. I just hope I don't forget how to write a script to generate potential passwords. Also, sudo is wheely good.)
Follow these clues, in order

  • 1 uppercase character
  • 1 digit
  • One of the words in my old band's name (assuming The Flesh Curtains?).

Let's use crunch to create the custom password list and hydra to brute force in via SSH.

#crunch <min> <max> -t <pattern> -o <output filename>

  • min = The minimum password length
  • max = The maximum password length
  • -t = The specific pattern we want, e.g. @@% would be a-z,a-z,0-9
    • @ represents lowercase letters
    • , represents uppercase letters
    • % represents numbers
    • ^ represents special characters
  • -o = the output file name

crunch 5 5 -t ,%The -o /root/Documents/rickList1.lst, which will generate passwords like A0The, A1The, A2The etc.

Repeating this for the other two words of the band name gives us 3 password lists, which we combine together to make 780 combinations: cat rickList1.lst rickList2.lst rickList3.lst > pwd.lst
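To see just how small a keyspace Rick's hint leaves, here is an added example (not from the original post) that reproduces the crunch -t placeholder rules listed above in Python and counts the candidates; the three band words follow the walkthrough's assumption of "The Flesh Curtains":

```python
"""Added example: expand crunch-style -t patterns and measure the keyspace
Rick's hint leaves. Not the page's own code; the band words are an assumption."""
import itertools
import string

# crunch -t placeholders as listed in the walkthrough; the '^' special-character
# class is omitted here because its exact default set is not given on the page.
CLASSES = {
    "@": string.ascii_lowercase,
    ",": string.ascii_uppercase,
    "%": string.digits,
}


def expand(pattern):
    """Yield every string matching a crunch-style -t pattern.

    Placeholder characters expand to their class; every other character is a
    literal, so ",%The" yields A0The, A1The, ... Z9The.
    """
    slots = [CLASSES.get(ch, ch) for ch in pattern]
    for combo in itertools.product(*slots):
        yield "".join(combo)


def keyspace(pattern):
    """Number of candidates a pattern produces (product of the class sizes)."""
    size = 1
    for ch in pattern:
        size *= len(CLASSES.get(ch, ch))
    return size


def rick_candidates(words=("The", "Flesh", "Curtains")):
    """Uppercase + digit + one band word: the three crunch runs in the walkthrough,
    equivalent to concatenating rickList1..3 into pwd.lst."""
    return [pw for word in words for pw in expand(",%" + word)]


if __name__ == "__main__":
    cands = rick_candidates()
    print(cands[:3], len(cands))  # ['A0The', 'A1The', 'A2The'] 780
```

780 guesses is well within what an online SSH guess rate allows, which is why hints like Rick's (a fixed structure plus a dictionary word) are a policy failure a defender should be looking for in password audits.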

Now onto hydra: hydra -l RickSanchez -P /root/Documents/pwd.lst 192.168.56.102 -s 22222 -t 4 ssh. Note the syntax in the hydra man page differs depending on the service you select.

  • -l = login username
  • -P = password file to use (one we created in crunch)
  • -s = Port
  • -t = number of connects in parallel (default is 16, but recommended is 4)

This took longer than expected as I had mistyped the user name (*face-palm*), so after trying variants of upper and lower case for the band name I eventually got it. Note all the failed login attempts.
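Those failed attempts are exactly the trail a defender looks for. As an added example (not from the original post), here is a small parser over constructed sshd log lines in the standard "Failed password for ..." format that counts failures per source, flags the mistyped-username guesses as "invalid user" entries, and reports a success that follows a run of failures (the 192.168.56.101 attacker address and the "rick" hostname are constructed):

```python
"""Added example: detect an SSH password-guessing run from sshd log lines.
The log sample is constructed; it mimics /var/log/secure (or auth.log) lines."""
import re
from collections import Counter, defaultdict

# Constructed sample: two guesses with a mistyped user, three against the real
# account, then a success from the same source, plus an unrelated key login.
SAMPLE_LOG = """\
Aug 12 20:01:10 rick sshd[2201]: Failed password for invalid user ricksanchez from 192.168.56.101 port 40110 ssh2
Aug 12 20:01:11 rick sshd[2202]: Failed password for invalid user ricksanchez from 192.168.56.101 port 40112 ssh2
Aug 12 20:03:40 rick sshd[2310]: Failed password for RickSanchez from 192.168.56.101 port 40300 ssh2
Aug 12 20:03:41 rick sshd[2311]: Failed password for RickSanchez from 192.168.56.101 port 40302 ssh2
Aug 12 20:03:41 rick sshd[2312]: Failed password for RickSanchez from 192.168.56.101 port 40304 ssh2
Aug 12 20:03:42 rick sshd[2313]: Accepted password for RickSanchez from 192.168.56.101 port 40306 ssh2
Aug 12 20:10:05 rick sshd[2400]: Accepted publickey for Summer from 192.168.56.50 port 51000 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+ ssh2")
ACCEPTED_RE = re.compile(r"Accepted (?:password|publickey) for (\S+) from (\S+) port")


def summarise(log_text, threshold=3):
    """Return (failures_per_source, suspicious_sources, success_after_failures).

    suspicious_sources: sources with >= threshold failed password attempts.
    success_after_failures: (user, source, prior_failures) for any login that
    succeeded from a source which had already failed, i.e. a guess that won.
    """
    failures = Counter()
    users_tried = defaultdict(set)
    success_after = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, src = m.groups()
            failures[src] += 1
            users_tried[src].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            user, src = m.groups()
            if failures[src]:  # Counter returns 0 for unseen sources
                success_after.append((user, src, failures[src]))
    suspicious = {src for src, n in failures.items() if n >= threshold}
    return dict(failures), suspicious, success_after


if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```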

Rick's last hint mentioned “sudo is wheely good”, so once in let's see if Rick has any sudo privileges. Excellent.

A quick search for any more obvious flags finds one in the /root directory, which is worth 30 points, and that's it: 130 / 130 points. We also get root.


Other Alternative Solutions

Be sure to check out the other solutions below for solving this.