CTF Write-Up – RickdiculouslyEasy 1

It's time for another vulnhub.com CTF challenge: RickdiculouslyEasy 1 by Luke.

For this CTF I'll be using a Kali Linux VM and connecting to the target through a virtual network set up with VirtualBox. As always, let's start with a network scan to identify the target:

nmap 10.0.2.1-20

Here we see that our target is 10.0.2.15, with ftp, ssh, http, and the Fedora admin interface exposed. Let's go for a full service identification scan on all ports:

nmap -sV -p1-65535 10.0.2.15

Well, that's interesting... Among the non-standard ports we have a second SSH service, a flag, and "Rick's half baked reverse shell". Here is the first flag, on port 13337:

FLAG:{TheyFoundMyBackDoorMorty}-10Points

I poked at 13337 with telnet and there were no further interactions available. Since I'm extra curious about the custom shell on port 60000, I hit that next:

telnet 10.0.2.15 60000

It yields a very limited shell that gives us another flag:

FLAG{Flip the pickle Morty!} - 10 Points

Now let's take a look at the web interfaces. Port 80 returns a simple "under construction" page with no apparent user interaction. I ran dirb to see if there are any common directories or files available:

dirb http://10.0.2.15:80/

The cgi-bin directory returns 403 Forbidden. Navigating to the passwords directory gives us access to two files, FLAG.txt and passwords.html. The flag:

FLAG{Yeah d- just don't do it.} - 10 Points

And the html file:

Now we know Morty's password. Let's see where we can use it, but first let's check the final dirb find, robots.txt:

Sure enough, it lists some CGI scripts, which I confirmed are accessible. Let's come back to those later, since I want to see where Morty's credentials can be put to use. Port 9090 is, as expected, the Fedora web admin console:

Here we have a new flag:

FLAG{THERE IS NO ZEUS, IN YOUR FACE!} - 10 POINTS

The form has only a username field, so I spent a while editing the HTML to restore the password field and submit button, but I wasn't able to call the login JavaScript code. Maybe it will require further work later on, but for now let's look at ssh and ftp. I tried morty:winter on ssh and failed. Here was my ftp attempt:

The Morty credentials did not work, but anonymous access was enabled and yielded a new flag:

FLAG{Whoa this is unexpected} - 10 Points

Next, I tried a set of character names from the show as usernames on both ssh and ftp, to no avail. I guess we won't get to use the discovered password just yet. Let's look at the CGI scripts on port 80 again. Here is the disappointing root_shell.cgi:

And the tracertool appears to run a traceroute command on the target:

A quick attempt at command injection is immediately successful:

I spent a long time trying to wget various reverse shells onto the web server but could not get it to work. However, /etc/passwd was readable, and once exfiltrated it showed me the mistake I had made earlier:
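The tracertool injection works because the CGI hands the user-supplied host straight to a shell. As an added illustration (not the CTF author's CGI script, whose language and exact code this write-up does not show), here is that pattern in Python beside a hardened version that validates the target and runs traceroute with an argv list and no shell:

```python
import ipaddress
import re
import subprocess

# Vulnerable pattern: the user-controlled target is concatenated into a
# shell command line, so ';', '|', '$(...)' etc. become extra commands.
def build_vulnerable_command(target: str) -> str:
    return "traceroute " + target  # would be run via shell=True

# RFC 1123-style hostname: alphanumeric labels, optional inner hyphens,
# dot separated, 253 chars max. No whitespace or shell metacharacters.
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)

def is_valid_target(target: str) -> bool:
    """Accept only a literal IPv4/IPv6 address or a well-formed hostname."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return HOSTNAME_RE.fullmatch(target) is not None

def build_safe_argv(target: str) -> list:
    """Validate first, then build an argv list: no shell ever parses it.
    The allow-list also blocks a leading '-', so the target cannot be
    mistaken for a traceroute option."""
    if not is_valid_target(target):
        raise ValueError("rejected traceroute target: %r" % target)
    return ["traceroute", target]

def run_traceroute(target: str, timeout: int = 60) -> str:
    """Hardened CGI handler body: argv list, shell=False, bounded runtime."""
    argv = build_safe_argv(target)
    result = subprocess.run(argv, capture_output=True, text=True,
                            timeout=timeout, check=False)
    return result.stdout

if __name__ == "__main__":
    # Constructed sample input of the kind the vulnerable script would accept.
    injected = "10.0.2.15; id"
    print("vulnerable builds:", build_vulnerable_command(injected))
    print("hardened accepts 10.0.2.15:", is_valid_target("10.0.2.15"))
    print("hardened accepts injected:", is_valid_target(injected))
```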

I had not capitalized any of the usernames I attempted on ssh and ftp. I tried them all again with the winter password and succeeded on ssh as Summer:winter:

Here I was trolled once again by the modified cat binary before finding a new flag:

FLAG{Get off the high road Summer!} - 10 Points

Summer conveniently had access to both Rick's and Morty's home directories, and I started investigating Rick's. It contained an executable binary named "safe" and a file called "NotAFlag.txt" that, after thorough inspection, turned out to be... not a flag. Copying the "safe" binary to Summer's home directory gave us permission to run it:

It would appear to take a password as an argument. I checked out Morty's home directory next. It simply contained a journal.txt.zip file and a Safe_Password.jpg. I ran strings on the jpg and unzipped journal.txt with the password:

With some more flag points:

FLAG{131333} - 20 Points

Let's run that password as an argument to Rick's safe binary:

Another 20 point flag:

FLAG{And Awwwaaaaayyyy we Go!} - 20 Points

Now we have enough information to brute force Rick's password. A quick Google search for Rick's band yields this image:

So I wrote a quick python script:

And unleashed hydra on the target:

hydra -l RickSanchez -P '/root/wordlist.txt' 10.0.2.15 -s 22222 ssh

After logging in as Rick:

sudo find / -name "FLAG.txt"

The only one we have not yet seen is /root/FLAG.txt which reads:

FLAG{Ionic Defibrillator} - 30 Points

According to the author, this is the final flag and we have our total 130 points. Time to find another boot2root challenge...
