Link to the VirtualBox download: https://www.vulnhub.com/entry/rickdiculouslyeasy-1,207/
Goal: 130 points
Step 1: Loading my Kali and the CTF on VirtualBox.
I chose to put both on their own subnet.
Step 2: Fired up the CTF.
Step 3: Noting the Server IP: 192.168.56.101 and hitting the port displayed: 9090
https://192.168.56.101:9090/ on the browser shows-
And yes, the very first flag, right in our face!
Flag: THERE IS NO ZEUS, IN YOUR FACE
Score: 10 points
Remaining: 120 points
Step 4: Running an nmap scan to discover open ports: nmap -Pn -p- -sV 192.168.56.101
21, 22, 80, 9090, 13337, 22222, 60000
Step 5: Running netcat on the unknown ports
nc 192.168.56.101 13337 gives us our second flag
Score: 10 + 10 = 20 points
Remaining: 110 points
nc 192.168.56.101 60000 takes us to a shell-
An ls shows us FLAG.txt and a cat displays the flag-
Flag: Flip the pickle Morty!
Score: 20 + 10 = 30 points
Remaining: 100 points
Step 5: Running an aggressive nmap scan: nmap -A 192.168.56.101
And we see that Anonymous FTP login is allowed
Step 6: Logging in with the anonymous FTP login
Step 7: Working on the ftp console
A dir shows us a FLAG.txt
And a get downloads the FLAG.txt over FTP to the Kali box
FLAG.txt has our next flag-
Flag: Whoa this is unexpected
Score: 30+10 = 40 points
Remaining: 90 points
Step 8: Spidering the web server
Attempting to find all files on the web server with a dirb command
We see the cgi-bin directory, index.html, a passwords directory and robots.txt.
We’ll hit up each one in sequence in the following steps-
Step 9: Viewing /index.html in the web browser
A static HTML page with an image is displayed: not very helpful
Viewing the source doesn’t tell us much either.
Step 10: Viewing /passwords/ directory
What do we see?
A FLAG.txt and passwords.html
This is what FLAG.txt has-
Yes, our next flag!
Flag: Yeah d- just don’t do it.
Score: 40+10 = 50 points
Remaining: 80 points
And this is what passwords.html has-
And here’s the source of passwords.html-
There’s a password there: “winter”
I’m not sure what to do with it right now – I’ll just wait and watch to find a lock to fit this key in…
Step 11: Viewing /robots.txt
Step 12: Exploring /cgi-bin/root_shell.cgi
It’s a red herring! This is what the source shows-
Step 13: Exploring /cgi-bin/tracertool.cgi
This one is more promising!
On the face of it, it is a web interface for an IP address trace
However, an input textbox is a prime candidate for command injections.
And sure enough, a little trial and error shows that I can use the semi-colon to run more commands-
And as the CTF is a Fedora box, I thought to try loading the /etc/passwd file and I ran-
Oopsie! Looks like the “cat” command has been overridden to display ASCII art of a cat!
But there is more than one way to skin the “cat”, isn’t there? If you pardon the terrible pun…
So I then try
RickSanchez, Morty, and Summer, all look very interesting!
And “Summer” immediately reminded me of the “winter” password that was found earlier, so I jumped over to the console to SSH…
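For the defensive side of Step 13, here is an added example (not part of the original write-up, and not the CTF's actual CGI source) of how a trace tool can take the same textbox input without letting a semi-colon start a second command. The function names are hypothetical and the vulnerable builder is only an assumed shape of what the CGI does.

```python
import ipaddress
import subprocess


def build_trace_command_vulnerable(user_input: str) -> str:
    # Anti-pattern (assumed shape of the CGI): the form value is pasted into
    # a shell command line, so "127.0.0.1; id" is parsed as two commands.
    return "traceroute " + user_input


def validate_target(user_input: str) -> str:
    """Return the canonical address string, or raise ValueError."""
    addr = ipaddress.ip_address(user_input.strip())  # literal IPs only
    # Python 3.9+ accepts IPv6 zone IDs ("fe80::1%eth0") and barely checks
    # what follows the "%", so refuse them instead of passing them along.
    if getattr(addr, "scope_id", None):
        raise ValueError("IPv6 zone identifiers are not accepted")
    return str(addr)


def is_valid_target(user_input: str) -> bool:
    try:
        validate_target(user_input)
        return True
    except ValueError:
        return False


def build_trace_argv(user_input: str) -> list:
    # An argument vector never reaches a shell, so ";", "|" and "$()" have
    # no special meaning even if validation were somehow bypassed.
    return ["traceroute", "-n", validate_target(user_input)]


def run_trace(user_input: str, timeout: int = 30) -> str:
    # shell=False is the default when argv is a list; needs traceroute on PATH.
    result = subprocess.run(build_trace_argv(user_input), capture_output=True,
                            text=True, timeout=timeout, check=False)
    return result.stdout
```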
Step 14: SSH
The nmap results earlier had told us that 22222 is the SSH port for the server-
ssh Summer@192.168.56.101 -p 22222
and entering the password as “winter” displayed this-
Yes! winter was for Summer!
An ls brought up FLAG.txt–
Step 15: Inspecting FLAG.txt
Yes, a flag.
Flag: Get off the high road Summer!
Score: 50+10 = 60 points
Remaining: 70 points
Step 16: Inspecting Morty
Remember “Morty” whom we had found alongside Summer, in Step 13?
Step 17: Copying journal.txt.zip and Safe_Password.jpg to Kali
First, we copy the files from “Morty” to “Summer”
Next, we SCP the files from “Summer” to our Kali
Step 17: Inspecting Safe_Password.jpg
Opening the image brings up-
and a strings Safe_Password.jpg brought up-
The Safe Password: Meeseek
Step 18: Opening the Safe – journal.txt.zip
Trying to open journal.txt.zip prompted for a password-
and yes, feeding it “Meeseek” did the trick-
Yes, another flag (about time!)
Score: 60+20 = 80 points
Remaining: 50 points
And there also seems to be some interesting stuff about a safe…
Meanwhile, need to head back to follow up on “RickSanchez” whom we discovered in Step 13
Step 19: Inspecting RickSanchez
And probing further-
So, yes, ThisDoesntContainAnyFlags/NotAFlag.txt is really NOT a flag (can you tell I don’t believe everything I read?)
But RICKS_SAFE/safe looks interesting and we’ll download it to our Kali
Trying to open safe displayed-
So I guess it needs a password!
The previous step had something about 131333 being a safe password…
Yes, a flag-
Flag: And Awwwaaaaayyyy we Go!
Score: 80+20 = 100 points
Remaining: 30 points
And clues to get to the root password: 1 uppercase character, 1 digit, and one of the words in Rick’s old band’s name...
Step 20: Getting Root…
Now I don’t know Rick’s old band’s name, but Google tells me it is:
The Flesh Curtains
Ignoring “The”, the word in the password could be either “Flesh” or “Curtains”
Turning to crunch to generate wordlists for a targeted dictionary brute-force attack…
crunch 7 7 -t ,%Flesh -o ./flesh.list
crunch 10 10 -t ,%Curtains -o ./curtains.list
and merging them together-
cat flesh.list curtains.list > ./words.list
And now to call on hydra to work her magic!
hydra -l RickSanchez -P words.list ssh://192.168.56.101 -s 22222
And…we hit gold!
Logging in as RickSanchez-
and using sudo as that’s what the clues in Step 19 told us to do-
What’s in FLAG.txt…
Our last Flag!
Flag: And Awwwaaaaayyyy we Go!
Score: 100+30 = 130 points
Remaining: 0 points – All Done!
Well, that was fun!
Tools and Commands used:
- netcat (nc)
- ftp get