Capture The Flag

Rickdiculously Easy Writeup

Welcome to another vulnhub box writeup. This time I’m trying ‘Rickdiculously Easy’ which is a Rick and Morty themed box. I love Rick and Morty, so how could I not give this one a go!

This is a CTF style box, so there’s a bunch of flags to collect as well as compromising the server.

There’s FTP, and nmap even shows that FTP is accessible anonymously and is showing us some files on the server. There’s also SSH, HTTP and port 9090 running possibly another web application.

I’ll start directory scanning the website, and at the same time I’m going to use FTP and try to grab that flag.

Dirb found a few interesting things. There’s a robots.txt file and a directory called passwords.

The passwords directory is interesting. There’s another CTF flag and an HTML file appropriately named passwords.html.

The passwords.html file has a message from Rick but there’s no password… Or is there 😉

I’ll grab the password and the flag and move on. The robots.txt had some entries I want to look at. The first entry just lands on an under construction page but the tracertool looks like something we can interact with.

This little application is intended to show a traceroute when you enter an IP address, but lucky for us we can also abuse it with a command injection vulnerability, meaning the application will execute other system commands for us. I’ll grab the /etc/passwd file while I’m here.
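The flaw class described above, as an added example that is not from the original writeup or the box’s own code: a handler that pastes the form value into a shell command string, beside a hardened version that accepts only an IP literal and runs traceroute without a shell. The function names, the constructed sample inputs and the Linux `traceroute` flags `-n`, `-4` and `-6` are assumptions.

```python
import ipaddress
import subprocess


def vulnerable_command(user_input: str) -> str:
    """Flawed pattern: the form value is concatenated into a shell string."""
    # Passed to a shell, characters such as ';', '|', '&&' and '$()' are
    # shell syntax, so text after the address runs as a separate command.
    return "traceroute " + user_input


def safe_argv(user_input: str) -> list[str]:
    """Accept only a single IPv4/IPv6 literal and build an argv list."""
    candidate = user_input.strip()
    try:
        addr = ipaddress.ip_address(candidate)
    except ValueError:
        # Covers metacharacters, option-like values ('-h'), hostnames,
        # embedded newlines and empty input: none parse as an IP literal.
        raise ValueError("input is not an IP address") from None
    family = "-4" if addr.version == 4 else "-6"
    # Use the normalised form of the parsed address, never the raw string.
    return ["traceroute", "-n", family, str(addr)]


def run_trace(user_input: str, timeout: int = 30) -> str:
    """Run traceroute with no shell involved; argv items are passed verbatim."""
    result = subprocess.run(
        safe_argv(user_input),
        capture_output=True,
        text=True,
        timeout=timeout,
        check=False,
    )
    return result.stdout


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the box.
    for value in ["192.168.56.101", "::1", "127.0.0.1; id", "$(id)", "-h"]:
        try:
            print(repr(value), "->", safe_argv(value))
        except ValueError as exc:
            print(repr(value), "-> rejected:", exc)
```
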

I’m going to quickly check the web application running on port 9090. There’s a flag there, but not much else from what I can see. I’ll move on for now, but I might come back.

Now that I have a list of the users on the system, I’m going to try FTP again, noting also that I found a password hidden in the passwords.html file earlier. RickSanchez doesn’t work, and Morty doesn’t either. I remembered what the password actually was, so the user account it’s attached to now seemed obvious: I can log into Summer’s account, and there’s another flag.

I wasn’t finding much else after this, so I did another nmap scan, this time scanning all ports and found some things that I’d missed before.

Using telnet, I tried connecting to the other ports. The first one revealed another flag.

The second seemed to be another SSH daemon running, which is interesting because when I tried to SSH to port 22, the connection was closed.

Using telnet to connect to the newly discovered port, the connection was dropped, so I tried again with SSH and was able to connect. I don’t have anyone else’s password yet, so I’ll log in with Summer and hope she used the same password as her FTP login.

Seemingly the Linux command ‘cat’ doesn’t do what it’s supposed to, and I’ve found the same flag from Summer’s FTP session, but at least I’m in now.

Summer doesn’t seem to have higher privileges than a standard Linux user and can’t sudo to anything, so I’ll need to try and access another account or elevate my privileges somehow.

I still have one more unusual port to try. Let’s give it a go and see what it is.

That’ll do it 🙂

As the banner says, this IS a half-baked shell. I’m root apparently, but I can’t do much. I’m in a blackhole. There’s a flag though, so that’s nice.

Back to Summer’s account, seems like I can access the files in both Rick and Morty’s home directories. I’ll copy them over and download them to Kali for investigation.

The requires a password, which I don’t have.

The Safe_Password.jpg is just an image, but if I run it through ‘strings’, I find some hidden information, which reveals the password to the file. Bingo.

I also downloaded Rick’s ‘safe’ binary from his RICKS_SAFE folder. I can execute it, but it gives some cryptic nonsense about using command line arguments. OK, that’s probably a clue.

I’ll unzip the journal using the password I found in the image. It reveals a text file with another note from Morty about Rick’s safe password, it’s also another flag.

I’m going to try giving the password in the flag as an argument to the safe program.

Another puzzle about the password being a combination of an uppercase letter, a number and Rick’s old band’s name. 😀

I’ll admit I had to do a bit of research here. For starters, what the hell was Rick’s old band’s name?

I also needed to make a wordlist made up of combinations of an uppercase letter, a number and a word from Rick’s band’s name. With a bit of Googling I found a tool called ‘MaskProcessor’ that did the job, so I generated the wordlist and tried to crack Rick’s SSH account with Hydra.

Hydra took a few minutes to crack the password, but eventually I was able to get it and SSH into Rick’s account.

Rick has sudo privileges to be able to do everything on the system.

I used sudo -i to log into the root account and grab the last Flag.

This box is pwned.