Vulnhub: Rickdiculously Easy Boot2Root VM

Introduction

For my inaugural Boot 2 Root blog post I’m going to run through the process I followed to gain the flags on the super fun and reasonably straightforward “Rickdiculously Easy” VM created by Luke and hosted by the amazing vulnhub.

The aim of the RickdiculouslyEasy VM is to exploit various security flaws on the box to read the flag files which contain point values depending on the ease of exploitation. Complete pwnage of the box is achieved when the attacker has received 130 points from the flag files.

Basic Analysis

Initial step is to establish which IP address the VM resides on:

netdiscover -i eth0 -r 192.168.56.0/24

This informs me that the VM is listening on 192.168.56.104. Perfect.

Next step is to establish which ports are open. This is a reasonably straightforward VM so I’m not worried about doing anything clever or stealthy with my port scan; I just tell nmap to go for it as fast as it can, doing banner grabbing where possible to get some info about the running services, across the whole range of ports.

nmap -sV -p- 192.168.56.104 -T5

Running the port scan yields the following results:

Cool, so a very quick glance informs us that VSFTPD is running (so we’ll do a bit of sleuthing to see if version 3.0.3 is vulnerable to anything), SSH is running (as usual), and an Apache web server’s up on port 80.
Additionally, there are some services running on non-standard ports 9090, 13337 and 22222 (a second SSH service? Very interesting..!) and something running on port 60000.

Let’s go from the bottom up, because I do what I want.

Port 60000 and our first flag!

So port 60000 is unknown to nmap, and a quick Google search didn’t yield anything particularly interesting, so I use the Swiss Army Knife of network functionality, Netcat, to find out what’s going on on that port.

Huzzah! Our first flag, and with pretty much zero effort on our part.

Port 22222

Is a red herring. Basically the default port of 22 isn’t accepting connections, but port 22222 appears to be just a plain-jane SSH port. I’ll come back to this or port 22 later if I get stuck!

Port 13337, 10 points

Using Netcat on this port yields a simple message saying
FLAG:{TheyFoundMyBackDoorMorty}-10Points
Another nice, easy flag to add to the list!

Port 9090, and another 10 points!

Nmap’s description of “Cockpit Web Service” led me to try this particular port in the browser, and after a (non-interesting) SSL warning, another flag was handed to us on a plate!
I spent some time poking around here, but couldn’t find anything else interesting at a quick glance. There’s no login button or password field, so I feel like this is a dead end.

Port 80, HTTP

A quick glance at the website on port 80 completely blew my mind: giant tiled images of Morty’s face with a lurid yellow caption over the top.
There was nothing interesting on the page, and nothing forthcoming in the page source. Hmm.
At this point I went old-skool and searched for a robots.txt. Bingo:


They're Robots Morty! It's ok to shoot them! They're just Robots!
/cgi-bin/root_shell.cgi
/cgi-bin/tracertool.cgi
/cgi-bin/*

root_shell.cgi sounds like something that I’d be interested in, right? Tracertool.cgi immediately makes me think of tracert, which makes me think “command injection!”
We’ll investigate that in a second, but first let’s kick off a quick “dirb” run to see if there are any other interesting directories on the server.

Dirb

Dirb is a simple directory brute forcer which reads from a file of common directories found on webservers.
Upon running dirb on the URL, the following output is produced:
+ http://192.168.56.104/cgi-bin/ (CODE:403|SIZE:217)
+ http://192.168.56.104/index.html (CODE:200|SIZE:326)
==> DIRECTORY: http://192.168.56.104/passwords/
+ http://192.168.56.104/robots.txt (CODE:200|SIZE:126)
A directory named passwords, eh? Let’s have a look.
A mysterious page named passwords.html and another flag inside FLAG.txt! FLAG{Yeah d- just don’t do it.} – 10 Points
Passwords.html had an HTML comment inside containing “password: winter”. We’re not sure what this password unlocks yet, but presumably it’s for one of the files under cgi-bin, so let’s have a look.

root_shell.cgi

Yielded no results sadly; the page is under construction and there’s an HTML comment inside which is laughing at our misfortune. Bleh. Let’s move on to the tracertool and see if we have any better luck.

tracertool.cgi

So this is interesting. It’s running traceroute on the server host, probably passing the user’s input straight through to a shell. This kind of thing almost always offers a command injection vulnerability. Let’s have a look.
As expected: command injection. We’ve ended the first command, the traceroute, with a semicolon and started a new command immediately afterwards, to find out who the logged-in user is.
Let’s do some more poking about to see what else we can do. It’s pretty trivial to get a reverse shell on the box at this point, running as the Apache user.
Trying to ‘cat’ /etc/passwd, or indeed any file, yields the following..
Hur hur hur.. Let’s be smart and read the file without the ‘cat’ command then.
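To make the failure mode concrete, here is an added example of my own (not the VM’s tracertool.cgi source, which this post never shows, and not Luke’s code): a Python sketch of the two ways a CGI can hand a user-supplied traceroute target to the system. vulnerable_command_line builds the command the way the tool on the box evidently does, so a semicolon ends the traceroute and starts whatever follows; is_valid_target and safe_argv show the fix, which is to allow-list the input as an IP address or hostname and pass it as a single argv element with no shell involved. All function names and the sample inputs are my own assumptions.

```python
import ipaddress
import re
import subprocess

# Constructed sample inputs: one benign target and two carrying shell
# metacharacters (the second is the same semicolon trick used above).
BENIGN = "192.168.56.1"
INJECTED = "192.168.56.1; whoami"
INJECTED2 = "$(id)"

# Characters a POSIX shell treats specially; used only for logging/alerting.
SHELL_META = re.compile(r"[;&|`$<>(){}\\'\"\n]")
# One DNS label: alphanumerics and hyphens, no leading/trailing hyphen, <= 63 chars.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{LABEL}\.)*{LABEL}$")


def vulnerable_command_line(target: str) -> str:
    """How a naive CGI builds its command: string concatenation that is
    later handed to a shell (os.system / shell=True). Any ';' or '$(...)'
    in target becomes part of the command line."""
    return "traceroute " + target


def is_valid_target(target: str) -> bool:
    """Allow-list validation: the target must parse as an IP address or
    match a conservative hostname grammar. Everything else is rejected
    before it gets anywhere near a process."""
    if not target or len(target) > 253:
        return False
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return HOSTNAME_RE.match(target) is not None


def safe_argv(target: str) -> list:
    """Hardened form: validate, then return an argv list. Because the
    target is one argv element and no shell is used, metacharacters are
    just bytes in a string. Raises ValueError on bad input."""
    if not is_valid_target(target):
        raise ValueError("rejected traceroute target: %r" % target)
    return ["traceroute", target]


def looks_like_injection(target: str) -> bool:
    """Detection helper: true when the input carries shell metacharacters,
    so a rejected request can be logged with a useful reason."""
    return SHELL_META.search(target) is not None


def run_traceroute(target: str, timeout: float = 30.0) -> str:
    """Execute the hardened form with subprocess and shell=False."""
    result = subprocess.run(
        safe_argv(target), capture_output=True, text=True, timeout=timeout, check=False
    )
    return result.stdout


if __name__ == "__main__":
    print("vulnerable command line:", vulnerable_command_line(INJECTED))
    for t in (BENIGN, INJECTED, INJECTED2):
        print(f"{t!r:28} valid={is_valid_target(t)} injection={looks_like_injection(t)}")
```

Running it prints the injected command line alongside the validation verdicts for each sample. The design point is that the hardened path never needs to know which characters a shell treats specially, because no shell ever sees the string; looks_like_injection exists only so that rejected requests can be logged and alerted on.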

Better. We’ve now got a list of users which live on the box. Let’s try and SSH into them using the password “winter” which we retrieved earlier.

Port 22222, SSH

After attempting to log in as RickSanchez, Morty, apache and Summer with the password ‘winter’, I gained access as Summer and found a nice FLAG.txt in her home directory.
FLAG{Get off the high road Summer!} – 10 Points
There was nothing of interest anywhere else in Summer’s home directory, so I did a few of the usual checks to see if I could execute anything as root, and if I could read the shadow file (nope), and finally ran a find command over the / directory to look for any accessible flags using:
find / -iname FLAG.txt 2>&1 | grep -v 'Permission denied'
This yielded the following output –
/var/ftp/FLAG.txt
/var/www/html/passwords/FLAG.txt
/home/Summer/FLAG.txt
The one in Summer’s directory and the one in /var/www we already knew about, but the one in /var/ftp was new to us, so we open the file in less and record the contents.
FLAG{Whoa this is unexpected} – 10 Points
Cool! Next up let’s enumerate the other user’s home directories to see if there’s anything interesting.

Morty’s home directory

Morty’s home dir has two files. One password protected zip file named journal.txt.zip and one JPG file named Safe_Password.jpg. I copy both to Summer’s home directory where I have write permissions. On a whim I open the JPG in vi to look for strings (the box doesn’t have the strings command installed and I’m too lazy to SCP it out to my Kali VM.)
The following is uncovered in the JPG amongst the mess of binary –
The Safe Password: File: /home/Morty/journal.txt.zip. Password: Meeseek
Nice, let’s try “Meeseek” as the password for the journal.txt.zip. Bingo!
FLAG: {131333} – 20 Points
The above flag had an accompanying hint explaining that 131333 opens Rick’s safe. Let’s go and investigate Rick’s home directory.

RickSanchez’s home directory

Rick’s home directory yields an interesting binary named “safe” and a folder containing NotAFlag.txt.. Bleh.
I copy the safe binary to Summer’s home directory and run it with the command line argument of “131333”. Bingo again, another flag and a hint to get Rick’s password –
So, Rick’s band in the show is called “The Flesh Curtains”, so it’s time to dust off my Python skills and knock up a little password generator script to generate all combinations of “A0The”, “A1The”, ..., “Z9Curtains”.
Done –

bandName = ("The", "Flesh", "Curtains")
# Build a real list rather than a lazy map object: in Python 3 a map is an
# iterator that is exhausted after the first pass through the inner loop.
letters = [chr(c) for c in range(ord('A'), ord('Z') + 1)]
numbers = range(0, 10)

# One candidate per line: letter, then digit, then a word from the band name.
for name in bandName:
    for number in numbers:
        for letter in letters:
            print(letter + str(number) + name)

So let’s pipe that out to a file and use it to try and brute force SSH access to the box.
hydra -l RickSanchez -P passes.txt -t 4 ssh://192.168.56.104:22222
Yeah I know it’s a bit skiddy; if this fails then I’ll write a BASH script to get Summer to try and brute “su - RickSanchez” with the generated password file.
OK we got lucky with the brute forcing:
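As an added example from the defender’s side (my own code, not from this post or the VM, with constructed log lines): what a run like the hydra command above looks like in sshd’s auth log, and a small detector for it. sshd writes the same Failed password / Accepted password lines whether it listens on 22 or 22222, so moving the port, as this box does, is no cover; a burst of failures from one source followed by an Accepted from the same source is the signal worth alerting on. Host name, PIDs, addresses and timestamps in the sample are invented.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log excerpt in syslog format. Host name, PIDs, source
# addresses and timestamps are made up for this example.
SAMPLE_LOG = """\
Sep 13 20:14:01 rick sshd[1201]: Failed password for RickSanchez from 192.168.56.103 port 44310 ssh2
Sep 13 20:14:01 rick sshd[1202]: Failed password for RickSanchez from 192.168.56.103 port 44312 ssh2
Sep 13 20:14:02 rick sshd[1203]: Failed password for RickSanchez from 192.168.56.103 port 44314 ssh2
Sep 13 20:14:02 rick sshd[1204]: Failed password for RickSanchez from 192.168.56.103 port 44316 ssh2
Sep 13 20:14:03 rick sshd[1205]: Failed password for RickSanchez from 192.168.56.103 port 44318 ssh2
Sep 13 20:14:03 rick sshd[1206]: Failed password for RickSanchez from 192.168.56.103 port 44320 ssh2
Sep 13 20:14:04 rick sshd[1207]: Accepted password for RickSanchez from 192.168.56.103 port 44322 ssh2
Sep 13 20:31:40 rick sshd[1330]: Failed password for Summer from 192.168.56.50 port 51022 ssh2
Sep 13 20:31:47 rick sshd[1331]: Accepted password for Summer from 192.168.56.50 port 51024 ssh2
"""

# Matches the password-authentication result lines sshd logs at default verbosity.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2"
)


def parse_events(text):
    """Return (timestamp, result, user, src) tuples for every password
    authentication line; other sshd lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        # syslog timestamps carry no year; deltas within one log are all we need
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append((ts, m.group("result"), m.group("user"), m.group("src")))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag any source address with `threshold` or more failures inside a
    sliding `window`. Each alert records the users tried, the failure count
    and whether the same source later authenticated successfully."""
    recent = defaultdict(list)   # src -> [(ts, user), ...] still inside the window
    alerts = {}
    for ts, result, user, src in events:
        if result == "Failed":
            bucket = recent[src]
            bucket.append((ts, user))
            while bucket and ts - bucket[0][0] > window:
                bucket.pop(0)
            if len(bucket) >= threshold:
                alert = alerts.setdefault(src, {
                    "src": src, "first_seen": bucket[0][0], "users": set(),
                    "failures": 0, "success_after": False,
                })
                alert["failures"] = len(bucket)
                alert["users"].update(u for _, u in bucket)
        elif src in alerts:
            # An Accepted from a source already flagged: the guess succeeded.
            alerts[src]["success_after"] = True
    for alert in alerts.values():
        alert["users"] = sorted(alert["users"])
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_events(SAMPLE_LOG)):
        print(alert)
```

With the sample above the detector raises one alert for 192.168.56.103 with six failures and success_after set, and stays quiet about Summer’s single mistyped password. A threshold of five in sixty seconds is deliberately low for an internal lab host; on a real server the window and threshold are tuned against normal failure rates, and hydra’s -t 4 (four parallel connections) is exactly the kind of burst that makes a short window effective.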

End Game

So we SSH into the account as RickSanchez with the password identified above. There’s nothing new available to us in Rick’s home directory, but a speculative “sudo su -” lets us switch user to root.
Inside of root’s home directory there’s the final FLAG.txt –
FLAG: {Ionic Defibrillator} – 30 points
Which gives us a grand total of 130 points = 100% compromise of the box.

Conclusion

I really enjoyed this Boot2Root – it had a bit of everything; binary analysis, scripting, thinking outside of the box, brute forcing and command injection.
Thanks for creating such a great VM, Luke and thanks for hosting it Vulnhub!
