CTF Solution: RickdiculouslyEasy: 1


Link to the VirtualBox download: https://www.vulnhub.com/entry/rickdiculouslyeasy-1,207/

Goal: 130 points

Step 1: Loading my Kali and the CTF on VirtualBox.
I chose to put both on their own subnet.

Step 2: Fired up the CTF.

Step 3: Noting the Server IP: 192.168.56.101 and hitting the port displayed: 9090

https://192.168.56.101:9090/ on the browser shows-

And yes, the very first flag, right in our face!

Flag: THERE IS NO ZEUS, IN YOUR FACE

Score: 10 points

Remaining: 120 points

Step 4: Running an nmap scan to discover open ports: nmap -Pn -p- -sV 192.168.56.101

Open ports: 

21, 22, 80, 9090, 13337, 22222, 60000

Step 5: Running netcat on the unknown ports

nc 192.168.56.101 13337 gives us our second flag

Flag: TheyFoundMyBackDoorMorty

Score: 10 + 10 = 20 points

Remaining: 110 points

nc 192.168.56.101 60000 takes us to a shell-

An ls shows us FLAG.txt and a cat displays the flag-

Flag: Flip the pickle Morty!

Score: 20 + 10 = 30 points

Remaining: 100 points

Step 5: Running an aggressive nmap scan: nmap -A 192.168.56.101

And we see that Anonymous FTP login is allowed

Step 6: Logging in with the anonymous FTP login

username: anonymous

password: <blank>

Step 7: Working on the ftp console

A dir shows us a FLAG.txt

And a get downloads the FLAG.txt over FTP to the Kali box

FLAG.txt has our next flag-

Flag: Whoa this is unexpected

Score: 30+10 = 40 points

Remaining: 90 points

Step 8: Spidering the web server

Attempting to find all files on the web server with a dirb command

We see the cgi-bin directory, index.html, a passwords directory and robots.txt.

We’ll hit up each one in sequence in the following steps-

Step 9: Viewing /index.html in the web browser

A static HTML page with an image is displayed: not very helpful

Viewing the source doesn’t tell us much either.

Step 10: Viewing /passwords/ directory

What do we see?

A FLAG.txt and passwords.html

This is what FLAG.txt has-

Yes, our next flag!

Flag: Yeah d- just don’t do it.

Score: 40+10 = 50 points

Remaining: 80 points

And this is what passwords.html has-

And here’s the source of passwords.html-

There’s a password there: “winter”

I’m not sure what to do with it right now – I’ll just wait and watch to find a lock to fit this key in…

Step 11: Viewing /robots.txt

Step 12: Exploring /cgi-bin/root_shell.cgi

It’s a red herring! This is what the source shows-

Step 13: Exploring /cgi-bin/tracertool.cgi

This one is more promising!

On the face of it, it is a web interface for an IP address trace

However, an input textbox is a prime candidate for command injections.

And sure enough, a little trial and error shows that I can use the semi-colon to run more commands-

And as the CTF is a Fedora box, I thought to try loading the /etc/passwd file and I ran-

;cat /etc/passwd

Oopsie! Looks like the “cat” command has been over-ridden to display ASCII art of a cat!

But there is more than one way to skin the “cat”, isn’t there? If you pardon the terrible pun…

So I then try

;more /etc/passwd

and voila!

RickSanchez, Morty, and Summer, all look very interesting!

And “Summer” immediately reminded me of the “winter” password that was found earlier, so I jumped over to the console to SSH…
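The semicolon trick in Step 13 works because the form value reaches a shell as part of a command line. The following is an added example, not the CTF's own tracertool.cgi source (which is not shown here): it puts that pattern beside a hardened version that validates the input as a literal IP address and executes without a shell. The function names are hypothetical, and `echo trace` stands in for the real traceroute binary so the block runs offline.

```python
import ipaddress
import subprocess

# Stand-in for the traceroute binary (assumption, keeps the example offline).
TOOL = ["echo", "trace"]


def run_vulnerable(user_input: str) -> list[str]:
    """Pattern behind the bug: user input concatenated into a shell command line."""
    cmd = " ".join(TOOL) + " " + user_input
    # shell=True hands the whole string to /bin/sh, which treats ';' as a separator
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout
    return out.splitlines()


def validate_target(user_input: str) -> str:
    """Accept only a literal IPv4/IPv6 address; anything else raises ValueError."""
    return str(ipaddress.ip_address(user_input.strip()))


def run_hardened(user_input: str) -> list[str]:
    """Validate first, then exec with an argv list so no shell parses the input."""
    target = validate_target(user_input)
    out = subprocess.run(TOOL + [target], capture_output=True,
                         text=True, timeout=10).stdout
    return out.splitlines()


if __name__ == "__main__":
    payload = "127.0.0.1; echo INJECTED"   # constructed, harmless input
    print("vulnerable:", run_vulnerable(payload))    # second command runs
    print("hardened:  ", run_hardened("127.0.0.1"))  # single command only
    try:
        run_hardened(payload)
    except ValueError as exc:
        print("rejected:  ", exc)
```

Validation and shell-free execution are independent layers: the allow-list rejects the input outright, and the argv form would still pass it as a single argument if validation were ever loosened.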

Step 14: SSH

The nmap results earlier had told us that 22222 is the SSH port for the server-

ssh Summer@192.168.56.101 -p 22222

and entering the password as “winter” displayed this-

Yes! winter was for Summer!

An ls brought up FLAG.txt

Step 15: Inspecting FLAG.txt

more FLAG.txt

Yes, a flag.

Flag: Get off the high road Summer!

Score: 50+10 = 60 points

Remaining: 70 points

Step 16: Inspecting Morty

Remember “Morty” whom we had found alongside Summer, in Step 13?

ls ../Morty/

Step 17: Copying journal.txt.zip and Safe_Password.jpg to Kali

First, we copy the files from “Morty” to “Summer”

Next, we SCP the files from “Summer” to our Kali

Step 17: Inspecting Safe_Password.jpg

Opening the image brings up-

and a strings Safe_Password.jpg brought up-

The Safe Password: Meeseek

Step 18: Opening the Safe – journal.txt.zip

Trying to open journal.txt.zip prompted for a password-

and yes, feeding it “Meeseek” did the trick-

Yes, another flag (about time!)

Flag: 131333

Score: 60+20 = 80 points

Remaining: 50 points

And there also seems to be some interesting stuff about a safe…

Meanwhile, need to head back to follow up on “RickSanchez” whom we discovered in Step 13

Step 19: Inspecting RickSanchez

And probing further-

So, yes, ThisDoesntContainAnyFlags/NotAFlag.txt is really NOT a flag (can you tell I don’t believe everything I read?)

But RICKS_SAFE/safe looks interesting and we’ll download it to our Kali

Trying to open safe displayed-

So I guess it needs a password!

The previous step had something about 131333 being a safe password…

And…!

Yes, a flag-

Flag: And Awwwaaaaayyyy we Go!

Score: 80+20 = 100 points

Remaining: 30 points

And clues to get to the root password: 1 uppercase character, 1 digit, and One of the words in Rick’s old band’s name...

Step 20: Getting Root…

Now I don’t know Rick’s old band’s name, but Google tells me it is:

The Flesh Curtains

Ignoring “The”, the word in the password could be either “Flesh” or “Curtains”

Turning to crunch to generate wordlists for a targeted brute dictionary attack…

crunch 7 7 -t ,%Flesh -o ./flesh.list

crunch 10 10 -t ,%Curtains -o ./curtains.list

and merging them together-

cat flesh.list curtains.list > ./words.list

And now to call on hydra to work her magic!

hydra -l RickSanchez -P words.list ssh://192.168.56.101 -s 22222

And…we hit gold!

password: P7Curtains

Logging in as RickSanchez-

and using sudo as that’s what the clues in Step 19 told us to do-

What’s in FLAG.txt…

more FLAG.txt

Our last Flag!

Flag: And Awwwaaaaayyyy we Go!

Score: 100+30 = 130 points

Remaining: 0 points – All Done!

Well, that was fun!

 

Tools and Commands used:

  • nmap
  • netcat (nc)
  • ls
  • ftp
  • ftp get
  • dirb
  • more
  • ssh
  • cp
  • scp
  • crunch
  • cat
  • hydra