A new Boot2Root came online on VulnHub and it looked like fun.  This one is themed around a cartoon show called “Rick and Morty”.

First order of business for me is to run an Nmap scan. I like to do a full TCP port scan with service enumeration.

Before hitting the well known ports, I will inspect the interesting ones.  Port 9090 is identified within the VM as being the management interface.  From there I connected via HTTPS and get the first flag:

FLAG {There is no Zeus, in your face!} – 10 points

Connecting to port 13337 with netcat reveals yet another flag:


Connecting to port 60000 gave me a sort of “fake” shell to play around with.  I saw there is a file named FLAG.txt so reading that file gave me the flag.

FLAG{Flip the pickle Morty!} – 10 Points

Running Nmap with scripts (-sC flag) shows that FTP is unauthenticated. I connected to it with within my web browser.

There was a flag file inside to download:

FLAG{Whoa this is unexpected} – 10 Points

Moving on now to the main web app, I reviewed the source code, but there isn’t much to look at. Running any spider application or just going to the common “robots.txt” file in the web root reveals this:

Root_shell.cgi is a troll, but tracertool.cgi is pretty interesting.  It is a web application that performs traceroute on a given IP.  As an obvious canidate for command injection, I inserted a semi-colon to run a seperate command.  I used netcat to send myself a reverse shell:

After getting a shell I started poking around.  Looking in the html directory I saw a passwords folder.

Hitting this in the web browser to reveals the FLAG.txt.

FLAG{Yeah d- just don’t do it.} – 10 Points

Also worth note is the passwords.html file.  Looking at it doesn’t tell much, but if when I viewed the source, I saw a password hidden in the HTML comments.

At this point I came to find that the “cat” command was aliased to some command that just printed a picture of a cat.  To read files still, I just used grep command that would pretty much match on anything:

Running this command I could see all the users on the system.

Knowing the password I found was “winter”, I figured this belonged to Summer.  Port 22222 was running OpenSSH so I used that to connect with the “Summer” user account.

Once logged in as Summer, I saw another FLAG.txt waiting for me.

FLAG{Get off the high road Summer!} – 10 Points

Summer also had read access on some other user’s home directories.

Morty had several interesting files in his home directory.  I exfiled them off with SCP.

Safe_Password.jpg was an image file, but viewing the EXIF data or simply running strings on the file shows that a password is contained inside.

I also pulled down the journal.txt.zip file.

Unzipping the file and supplying the password gave me the journal.txt file:

Reading this file gave me the next flag, and a password.

FLAG: {131333} – 20 Points

When looking in Rick’s home folder, I could see his safe.

Summer does not have execute permissions on the “safe” file and does not own it, but she does have read permissions.  I copied it to gain control.

Running the binary and supplying the password file gave me the next flag.

FLAG{And Awwwaaaaayyyy we Go!} – 20 Points

I was  also given a password hint for Rick’s password.  I don’t watch the TV show, but a quick Google search found that the band name was “The Flesh Curtains”.

I worte a simple python script to create all the different possible passwords given the constraints:

After running this script an saving the output to a file, I used THC Hydra to brute force SSH.

Once I found the valid password, I connected to Rick’s account.

I ran sudo -l to enumerate his permissions:

Rick had sudo permissions for ALL commands, so I just popped into an interactive root shell:

In the /root/ directory, there was another FLAG.txt.

FLAG: {Ionic Defibrillator} – 30 points

At this point I was root and had collected all 130 points.