Docs
Rickdiculously Easy

Rickdiculously Easy

I found the Rickdiculously Easy CTF on Vulnhub (opens in a new tab). It was a fun challenge based on the TV show Rick and Morty. The challenge includes a number of flags, which are worth up to 130 points total. To begin any virtual machine (VM) based CTF, the first step is to change the target and attacking machine to the network adapter. This ensures that I can attack the vulnerable system without disturbing anyone else and ensures that I am not opening myself up to vulnerabilities.

Information Gathering

After powering up the vulnerable VM, I was met with the following screen:

image4

The 'Admin Console' gives us the target IP straight away, but for practice sake I started with an nmap scan of the IP address range.

kali@kali:~$ nmap 192.168.56.1/24
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-24 00:54 EDT
Nmap scan report for 192.168.56.103
Host is up (0.000018s latency).
All 1000 scanned ports on 192.168.56.103 are closed
 
Nmap scan report for 192.168.56.104
Host is up (0.0032s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
9090/tcp open  zeus-admin
 
Nmap done: 256 IP addresses (2 hosts up) scanned in 37.70 seconds

No surprise, the only other IP on the network is the same one shown on the vulnerable machine.

Scanning

I did an nmap scan on the target IP:

kali@kali:~$ sudo nmap -Pn -sS -p- 192.168.56.104

This time I added some flags to ensure I did not miss anything.

  • The -Pn flag tells nmap to skip the ping test and scan every target host provided.
  • The -sS flag scans TCP ports and is stealthier than a connect scan.
  • The -p- flag will scan every possible port within a range, or simply all ports if no range is given.

This scan returned a slightly different result:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-24 01:03 EDT
Nmap scan report for 192.168.56.104
Host is up (0.0012s latency).
Not shown: 65528 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
80/tcp    open  http
9090/tcp  open  zeus-admin
13337/tcp open  unknown
22222/tcp open  easyengine
60000/tcp open  unknown
MAC Address: 08:00:27:8C:C5:94 (Oracle VirtualBox virtual NIC)
 
Nmap done: 1 IP address (1 host up) scanned in 19.84 seconds

Gaining Access

After some basic port scanning, I attempted to gain access to the server. Port 80 being opened caught my eye so I tried to access the IP via a browser. I found 'Morty's cool website':

image17

Nothing was really revealed on the webpage, so I tried a dictionary attack using Dirb. Dirb is a tool that checks for directories on a web server from a common wordlist.

kali@kali:~$ dirb http://192.168.56.104

The dirb attacked found a few useful directories:

DIRB v2.22     The Dark Raver
-----------------
 
START_TIME: Tue Oct 24 01:20:00 2023
URL_BASE: http://192.168.56.104/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
 
-----------------
 
GENERATED WORDS: 4612
 
---- Scanning URL: http://192.168.56.104/ ----
+ http://192.168.56.104/cgi-bin/ (CODE:403|SIZE:217)
+ http://192.168.56.104/index.html (CODE:200|SIZE:326)
==> DIRECTORY: http://192.168.56.104/passwords/
+ http://192.168.56.104/robots.txt (CODE:200|SIZE:126)
 
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Tue Oct 24 01:20:04 2023
DOWNLOADED: 4612 - FOUND: 3

I tried to access the directories via the browser, first was passwords:

image14

This revealed the first flag and a passwords.html file:

image10

The passwords.html file revealed a password 'winter' commented in the html code. This would be useful if I could work out which user it belonged to. Next I decided to check the rest of the ports. First I accessed port 9090:

image21

Second flag, 20/130 points. Next I checked port 13337, this couldn't be accessed via the browser so I used a netcat listener to connect to the port:

kali@kali:~$ nc 192.168.56.104 13337
FLAG:{TheyFoundMyBackDoorMorty}-10Points

Third flag, 30/130 points. I also tried to connect to port 22222 but it was an SSH service and didn't provide any new information:

kali@kali:~$ nc 192.168.56.104 22222
SSH-2.0-OpenSSH_7.5

The last unkown port was 60000. I when I connected with a netcat listener I found a reverse shell, although it was quite useless.

kali@kali:~$ nc 192.168.56.104 60000
Welcome to Ricks half baked reverse shell...
# ls
FLAG.txt 
# cat FLAG.txt                    
FLAG{Flip the pickle Morty!} - 10 Points

There was also the ftp port open, I attempted to access this one via the web browser and found another flag:

image18

After checking all the ports, I went back to the dictionary attack. I checked the robots.txt file via the browser:

image19

This revealed a tracer tool in which I could inject code. With some help from another walkthrough I was able to reveal that Summer, Morty and RickSanchez were the user profiles created on the server. At this point I could've used a bruteforce login tool like hydra to break the ssh connection, however it seemed likely that the user who's passowrd was 'winter' would be Summer...

Privlege Escalation

I was able to connect using Summer's login via SSH:

image8

I navigated through the directories on the target system looking for more information, finding a flag in the meantime. This puts us at 60/130 points.

image11

After looking around I found a password that I used to unzip a zipped txt file. This revealed another flag:

image1

There was one more directory called RICKS_SAFE that contained one final flag. This flag was encrypted but I used the previous flag to decrypt it.

image2

This put us at 100/130 points. However at this point I got stuck and was unable to find the final flag. With the help of a walkthrough I was able to get there using a hydra password cracking attack.

Deathnote