RICKDICULOUSLY EASY
- Layout for this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhe-Vz9QnPYffWPnE27RN905vk-WsmmpRAnEsMAGZhZFrqP55uK3ZdT9-rLlnlDBRegd23uU-wWp2gCmJn9R3m4GQnbYvjpYrdikCCgBZzaGbrPSbtfLqmI4ZVgbNTmUV7FskwXloHeJEX9/s16000/screenshot.88.jpg)
- The goal of this exercise is to develop a hacking process for the vulnerable machine RickdiculouslyEasy, from the VulnHub pentesting platform.
- RickdiculouslyEasy can be downloaded from here:
https://www.vulnhub.com/entry/rickdiculouslyeasy-1,207/
- Once RickdiculouslyEasy has been downloaded and extracted with VirtualBox:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjB8LAVaE_CP8pdeCqWnhDulRCw0IMph_mZ1ZIDb_O1ZRCnVQ-h4fw2Xk-bk5q3uB521Vckkm2PWMVpykImOenL7ZGaiAZMwU0xyz143YBK2EgSoKFq3LnQ-lnPWuwsD53L1OiNtWOgjNl2/s16000/screenshot.1.jpg)
- The description of the virtual machine says that there are 130 points' worth of FLAGs available:
- Searching for IP 192.168.1.29:
- Scanning with Nmap:
- Exploring the FTP server, we find that anonymous login is allowed:
- A 10-point FLAG (10/130) is available:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhl6iVF5CiFWBG-Si3pLWLpZeY_5JkBvbIWUS-tEeWyJCXf_PSG9uQGGDZnn6-JMncVIsCKyjcxn9fnx7ngsStUVbrjfj8iI0tVIUR_TWL6ZyiewL5GuNsqGgs-MMlfsoIMm-mI8Vg-MQ01/s16000/screenshot.10.jpg)
- Scanning port 22, we don't find anything special:
- Another 10-point FLAG (20/130) is available just by scanning port 13337:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfiB3cQtIA8gz824NaWRlzEqhCSa-QgrrAl3g5YoWUN8iQp1QwPlmQ0O-klPR66D-f4w9bCPcVhl0_swqaQhSnxo4fEXUkbxLgaXJ3-lmxxHGVrV7w0qQU9NNWpLeCAPtZ1VzctBNpAzy7/s16000/screenshot.21.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwfiOm16iDeMUEvgJbUCO-rQ86OMuZOfXCiHKJ1K4NtqhWqu0mkDxwMiltW_F6ZQkX8RteiTvzPnHXV3CDq9XYWay2fuUdlBgWhUroYXgaS0Gby-Xsig1P9Z1Gd_u5FXW90M7pkxcppIj8/s16000/screenshot.22.jpg)
- Scanning port 9090, we find a web server:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipRxRPxKa-Rha2ykp6QvjsstfBzji8CLMV3vgpR3Qda3kd9mdBnh2gPVNpdTTFZ-xGbay7uSSE8o1odf5T0SuJhbgQ85vnNyVWPEa2PPYM-_I1JnjBsrix-SZUcDfNQ-NXJX1MA98D3dBU/s16000/screenshot.8.jpg)
- Browsing the server at port 9090, we find a 10-point FLAG (30/130):
- Scanning port 60000 suggests the presence of a reverse shell:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYHXMNqG2LIJj-KmHGPhbKVZKEFiK9txxRdRV_EPxJ2WiJoQuaFO9gRjwtPI5wMoX2PleTlrYSaJgFDOc7jjLt4XUes3mWNSXKq89ShR0UsxQ2KVlwlZQVUYk7obeMGVQ5EwceBnsPaKJX/s16000/screenshot.23.jpg)
- Connecting to port 60000 with Netcat, we discover a 10-point FLAG (40/130):
- Scanning port 80:
- Dirbusting port 80, we find robots.txt and passwords:
- robots.txt points to two CGI scripts:
- Going to the passwords webpage:
- Reading a 10-point FLAG (50/130):
- Also, there are directions for a password that could be hidden:
- Just by viewing the source, we find the password winter:
- The first CGI script is under construction:
- The second CGI script leads to a tracer:
- Trying to run commands at the tracer, we find that it works with id:
- cat and more provide /etc/passwd, where we learn about the users RickSanchez, Morty and Summer:
- Scanning port 22222, we find that it is an SSH server:
- Trying the credentials morty:winter, access is denied:
- Trying the credentials Summer:winter, it works:
- Another 10-point FLAG (60/130) is available:
- Unfortunately, user Summer does not have sudoer privileges:
- Looking for files in /home:
- Morty has interesting files inside his home folder:
- Transferring Safe_Password.jpg and journal.txt.zip from RickdiculouslyEasy to Kali:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEtaF0uAIvn6APHhs2SUvohx0mPn7k7_FqdnGBA1Q920sEtUWdSKDQj55Z5DHkHvrbqfoEiFWdmTvBrKo43JzupYG-P89LA8_CDyawUT_sRHvLva3NDAr4uX-4eotW_tj2A9UhW6ayFlcA/s16000/screenshot.47.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIuOWsIRan37Ja1PvaHhzEGpjtDFUfgNTPz_E2rP-iPWdZn6tRKU-UofJDfC3hcWR1qbkw3jh6Mjbtk0eVDbin0f9APeG9Qp-5f47-wot3vGKmpr36_BnGOVZ2M1ObBJyUqEW0YbRhiztM/s16000/screenshot.48.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqVGBaZku8pl_tc36tEXVuzlILLqCL4_HZm-axx3kYauskELtvcy3WIrkrMLn-P3rqAz7717waCnVqgqeQwXEkrqzIaM482ciw4UbK8YFUu6DVIPxLbW7ifltqYJgr3loCrWdaqHOl_Zqr/s16000/screenshot.50.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjunS3drgORcTvFofkEzzk_8HrnylLMgl3ES5mrp4pdfH_SfgR5z-adP_nKfzN0r1N-ncbmB1eWz0Db1nL8A21OfJKwOpTUsd_CZ8p7NEd9VnueSumIWvORf4MaYDZRNxeLTl4Sg-qX_dgm/s16000/screenshot.51.jpg)
- The transfer is successful:
- Applying the strings command to the picture Safe_password.jpg, we discover the password Meeseek, needed for opening journal.txt.zip:
- Unzipping with the password Meeseek, we find a 20-point FLAG (80/130). It says that the flag 131333 could be a safe password, an interesting hint for later:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEix6HBiwCtvG_tLzxKiMc6Ieh9IAU3vmfqCBKNeaVS0cZGzvIjPwJrQkkHkPA81GcrurjlFkRXbvNlCkO4DhWw39WYYCgax_ilQQmkD_F3XpWKBl60w_DeHXYdeLM41i5bckZmTRq4R1jbi/s16000/screenshot.56.jpg)
- Now, let's explore user RickSanchez's home folder:
- There is the executable file safe:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjX1YzqrB0mu37_wfr88_CMIilQb4GLsjxYWHfId-gcY9D8m82-cyJgDuOxOh8f0QRm3S6P5oNg_BOi-sCNJVWVKfZO2-n03wbCk_WnU3KIuE2yFJrPWLeXzQ7e5_tZTXQLd5h9rjcpXL5C/s16000/screenshot.61.jpg)
- However, it's not possible to run it:
- Let's transfer safe to Kali:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwJNlsffshyxYLZAEZgnPAwf_90RVBeeKQVLnLrCUlAsQcA0emL1CHJJjpBZSlchl8myPqHsuaHhEzCSBDXdpS5NzQI_tPv9uAt-7PB6xqXMFjTAQEQEDLPwcXIb-CP2qH95VBUj0_bsYc/s16000/screenshot.66.jpg)
- Running ./safe, it seems that some argument is needed:
- Inputting flag 131333, we discover a 20-point FLAG (100/130 points), as well as some directions to find RickSanchez's password:
- The other folder does not contain flags:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOxO2ACiNbzJfw8Nlp5MtOR1jMGz3HMhfNOou2SCUXnUM0pb3SxA1oJRqMMGQCNud1mQ0-hqwalaSJYnrzS1aFG73jfwi3eymK1sF6DsgNvnkOKNWPUbyNU0vK42iIfuxzi8HAQLOIgH44/s16000/screenshot.71.jpg)
- So let's try to apply the hints found earlier for RickSanchez's password:
- First of all, we are able to find information about RickSanchez's band just by using Google:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhefQdfE3jJqC10csIw_3Qms9juu2dcfTTiO1xsfoRgRbhs_cfzBX79m-EutXAMGGXoMBNDqe3lOafWdoDjhE_8pIVgu3Bka-2INIYsyuWdAmDQt265ZR-NbP2H3Ub9IcjsVVGwZeX_wj8V/s16000/screenshot.76.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3K5J-3MPt5if6ELnmtvsQB1q8b-p5yZOsklRWkhEsQGJaCBhyBw243NgsOoi_hw7xbXWgv9UOnOnoN_Aan7EZxELHlo81N3UHV7vJRtj6UdYNCW6EzmxMgcKb4VOOq5s48pwczPAuCPG9/s16000/screenshot.77.jpg)
- Now, taking the 3 words of the band (The, Flesh, Curtains), and applying crunch:
- Joining the three files into one:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtVp4K3B0WYT6w8mXNvRBdA7vT0k-rjyQ8lneIvhvWF4C-yDIWJp14EuL-rWC3JD4PidUlwMvzKxiGIngo_cAWng6eXgrqzqaWJAvsuaGXSUu1fiFpldMzk9nZScQCE-COPeteusYHQMPt/s16000/screenshot.84.jpg)
- Applying Hydra to user RickSanchez against the SSH server at port 22222, and passing ps.txt as the password list, we find the new password P7Curtains:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVc6reJuz8xD15gfK7VbhAyanNaxYipHmfLQKEYQME5yGepCNcgtaKbhIhcGKcXvAQDRoywyKbcvFBffavbNgHYM2UW_5_M3TdNC4LRH5HtG4oSezb4Dqc8_stgj_WV6RPvJmBXVkgC-ZP/s16000/screenshot.85.jpg)
- SSH-ing with credentials RickSanchez:P7Curtains is successful:
- It happens that user RickSanchez has (ALL)ALL sudoer privileges:
- Getting a root shell:
- Reading the last 30-point FLAG (130/130):
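
The tracer CGI step above accepts extra commands such as id because user input reaches a shell. The following is an added example, not code from the VM or from this walkthrough, that puts that pattern next to a hardened form; it assumes the script wraps the traceroute utility, and all function names and sample inputs are constructed for illustration.

```python
import ipaddress
import re
import subprocess

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def build_vulnerable_command(target: str) -> str:
    """The 'before': input pasted into a shell string. Anything after a
    shell metacharacter in `target` runs as a separate command."""
    return "traceroute " + target

def validate_target(target: str) -> str:
    """Accept only an IP literal or a syntactically valid hostname."""
    target = target.strip()
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    labels = target.split(".")
    if len(target) > 253 or not all(_LABEL.fullmatch(l) for l in labels):
        raise ValueError(f"rejected target: {target!r}")
    return target

def build_safe_argv(target: str) -> list:
    """The 'after': the validated value is a single argv element."""
    return ["traceroute", validate_target(target)]

def run_trace(target: str, timeout: int = 30) -> str:
    # No shell is involved, so metacharacters are never interpreted.
    proc = subprocess.run(build_safe_argv(target), capture_output=True,
                          text=True, timeout=timeout, shell=False)
    return proc.stdout

def verdicts(samples):
    """Map each sample input to 'accepted' or 'rejected'."""
    out = {}
    for s in samples:
        try:
            validate_target(s)
            out[s] = "accepted"
        except ValueError:
            out[s] = "rejected"
    return out

if __name__ == "__main__":
    # Constructed inputs: two legitimate targets, two injection-style values.
    for s, v in verdicts(["192.168.1.29", "example.com",
                          "127.0.0.1; id", "-f.example.com"]).items():
        print(f"{v:9} {s!r}")
```
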