Monday, August 27, 2018

RickdiculouslyEasy 1 Walkthrough


Author: Luke
Difficulty: Beginner

I'm a big fan of Rick and Morty (insert IQ joke here XD). When I saw this VM on VulnHub, I wanted to give it a go.


Let's start.

We fire up netdiscover to look up the address assigned to the VM.


Once we have the VM’s IP, we conduct a full TCP port scan to find all the open TCP ports.

-oG is used to save the output in grepable format. Alternatively, you can use -oA to save the output in three different formats (.gnmap, .nmap and .xml).

Let’s get more information about the open services.


It looks like anonymous FTP login is allowed, and we can also see a text file called FLAG.txt.

Open up Firefox to get FLAG.txt.

And we get our 1st flag (10/130 total points)!

Now let’s move on to SSH.
When we try to connect to the box using ssh, we get the following error.

So we move on to the next service, HTTP.


We check out the source code but we don’t find anything interesting.


We then run nikto to scan the web server for vulnerabilities and we find a directory called passwords. Let’s check it out.


We get our 2nd flag (20/130 total points)!

passwords.html might have something interesting, so let's check it out.

On examining the source code, we find a password.


We use dirb to check if the web server has additional hidden directories.


On examining robots.txt, we find additional directories.


Let’s first check root_shell.cgi.

The source code of root_shell.cgi doesn’t give us any information, so we move on to tracertool.cgi.

We find a limited shell to ping a machine.



Let’s see if we can read the passwd file.


It looks like we can’t use cat to read passwd. Let’s use head to read the passwd file.


Yes! We get the list of all the users in the system. You can also use more /etc/passwd or grep to read the passwd file.
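
The lesson from tracertool.cgi, as an added example that is not code from the VM or from this post: blocking a single command such as cat leaves head, more and grep available, so the fix is to validate the target and never pass it through a shell. The denylist model, function names and sample inputs are constructed; how the CGI is actually implemented is not shown on this page.

```python
import ipaddress
import re
import subprocess

# Constructed denylist modelled on the behaviour seen above (assumption):
# `cat` is refused, yet head, more and grep read the same file.
DENYLIST = ("cat",)

# One DNS label: letters, digits, inner hyphens, 63 characters at most.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def denylist_allows(user_input: str) -> bool:
    """Weak check: refuse only inputs that contain a listed command word."""
    return not any(word in user_input.split() for word in DENYLIST)


def validate_target(user_input: str) -> str:
    """Allowlist check: accept only an IP address or a plain hostname."""
    candidate = user_input.strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        pass  # not an IP literal, fall through to the hostname check
    if len(candidate) <= 253 and _HOSTNAME.fullmatch(candidate):
        return candidate
    raise ValueError("target must be an IP address or hostname")


def build_argv(user_input: str) -> list:
    """Argument vector for traceroute; the input is never a shell string."""
    # A validated target starts with a letter, digit or ':' (IPv6), so it
    # cannot be parsed as a command-line option either.
    return ["traceroute", validate_target(user_input)]


def run_trace(user_input: str) -> str:
    """Run traceroute with no shell involved (needs traceroute installed)."""
    result = subprocess.run(build_argv(user_input), capture_output=True,
                            text=True, timeout=30, check=False)
    return result.stdout
```
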

Let’s now check out port 9090.


And we find our 3rd flag (30/130 total points)!

On connecting to port 13337 using netcat, we find our 4th flag (40/130 total points)!

Let’s check port 60000 using netcat.

We find our 5th flag (50/130 total points)!

Now let’s connect to port 22222.
nc reveals that the service is actually SSH.

Let’s try to ssh into the system. We have obtained a bunch of usernames (RickSanchez, Morty, Summer) and a password (winter) during our enumeration.

Let’s try out the password winter for the username Summer.

And boom, we are in!


We also get our 6th flag (60/130 total points)!

Let’s go to Morty’s home directory and see what we can find.

Safe_Password.jpg seems interesting. I tried strings on Safe_Password.jpg, but it turns out that this box doesn’t have strings.

Let’s transfer journal.txt.zip and Safe_Password.jpg to our Kali box. We can use Python's SimpleHTTPServer module for this.



Now let’s examine Safe_Password.jpg using strings.


We find the password for the zip file.
Let’s extract the zip file.
We find our 7th flag (80/130 total points) and also information about a safe and a password.

Let’s now head to Rick’s home directory.

We find 2 directories. Let’s check out RICKS_SAFE, since the other directory was a dead end.


We find a file called safe, let’s examine it using ‘file’.


Turns out safe is an executable file.

Summer doesn’t have execute permissions.

So let’s copy the file to the tmp directory and execute it.


We use the last flag (7th flag) as the argument to safe.


We obtain our 8th flag (100/130 total points) and clues about Rick’s password.

A quick Google search will tell us that “The Flesh Curtains” is the name of Rick’s band.

Let’s use crunch to generate our wordlist.



Let’s combine both the wordlists.



We will use hydra and the generated wordlist to find Rick’s password.


Rick's password is P7Curtains. Now let’s ssh into Rick’s account.



We check Rick’s permissions using sudo -l.


Rick has sudo permissions, so we can pop a root shell using sudo -i.


And we find our 9th flag (130/130 total points)!



This was a really simple VM. I had a blast working on it! Thank you Luke for making this fun VM and thank you VulnHub for hosting these awesome VMs!





