It is a Fedora server VM created with VirtualBox. The main objective is to gain root access to the machine. It is a simple Rick and Morty themed boot2root, where we have to get a total of 130 points by collecting various flags on the way to root.
Initial Analysis:
The IP address of the target machine can be found with netdiscover. We found it to be 192.168.80.136.
With a basic nmap scan we try to find the open ports on the machine.

The scan gave us details on the open ports. We also found our first flag, returned as a banner by the service running on port 13337. In addition, anonymous FTP login was allowed on port 21, and the server held a file named FLAG.txt.

Here, we found our second flag by logging in to FTP with the username ‘anonymous’ and a blank password.
From the nmap result we saw that an HTTP service is also running on port 80, so we opened the target’s IP in the browser.

Next, we listed directories using dirb. Dirb is a web content scanner that helps us find hidden web objects.

With this scan we found two important entries, ‘/passwords/’ and ‘/robots.txt’. Looking further into the /passwords/ directory, we find ‘FLAG.txt’ and ‘passwords.html’.

We find the third flag in the FLAG.txt file.

Then we browse to passwords.html. Since we find nothing on the page itself, we go through its source code and, bingo, we find a password, ‘winter’, which we will probably need somewhere later.

Let’s check whether any of the website’s pages are blocked by robots.txt.

We found ‘/cgi-bin/tracertool.cgi’ to be useful. On further inspection, we found it to be vulnerable to command injection.

Since cat wasn’t working, I figured out that some of the commands might have been filtered, so I used ‘more’ instead of ‘cat’.

Summer could be linked to winter here.
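
The tracertool.cgi weakness described above, seen from the defender's side, as an added example that is not code from the VM or from the original post. It models the filtering the author suspected as a hypothetical word denylist, shows that the ‘more’ input still passes it, and contrasts it with validating the target as an IP address or hostname and running traceroute without a shell. All function names and sample inputs are constructed for illustration.

```python
import ipaddress
import re
import subprocess

# Characters that can appear in an IP address or hostname, and nothing else.
# This also excludes IPv6 zone ids ('%...') and every shell metacharacter.
_CHARSET = re.compile(r"[A-Za-z0-9.:-]{1,253}")
# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

# Constructed sample inputs (not taken from the original page).
BENIGN = "192.168.80.136"
INJECTED = "192.168.80.136; more /etc/passwd"


def denylist_filter(user_input):
    """Hypothetical weak filter: reject input that contains the word 'cat'."""
    return "cat" not in user_input.lower()


def valid_target(user_input):
    """Allowlist check: accept only an IP address literal or a DNS hostname."""
    if not _CHARSET.fullmatch(user_input):
        return False
    try:
        ipaddress.ip_address(user_input)
        return True
    except ValueError:
        pass
    return all(_LABEL.fullmatch(label) for label in user_input.split("."))


def traceroute_argv(user_input):
    """Return the argument vector for traceroute, or raise on invalid input."""
    if not valid_target(user_input):
        raise ValueError("target must be an IP address or hostname")
    # A label cannot start with '-', so the target is never parsed as an option.
    return ["traceroute", user_input]


def run_trace(user_input):
    """Run traceroute as an argument list with no shell involved."""
    argv = traceroute_argv(user_input)
    done = subprocess.run(argv, capture_output=True, text=True, timeout=60)
    return done.stdout


if __name__ == "__main__":
    for sample in (BENIGN, INJECTED):
        print(repr(sample), "denylist:", denylist_filter(sample),
              "allowlist:", valid_target(sample))
```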
Next, we look into port 60000 using netcat and find another file, ‘FLAG.txt’.

We then also opened port 9090 in a web browser and found another flag there.

Exploit:
We then perform the SSH login on port 22222 using Metasploit and the newly acquired credentials, and we find the flag stored in the file FLAG.txt.

After enumerating deeper, we find three directories with the same names as the users we found earlier in the /etc/passwd file. From the directory Morty, we downloaded two files, ‘Safe_Password.jpg’ and ‘Journal.txt.zip’.

We find a password, ‘Meeseek’, inside Safe_Password.jpg by running strings on the file.

With this password we successfully extract the Journal.txt file. We get a flag along with the number string ‘131333’.

We get inside the ‘RickSanchez’ directory. There is a subdirectory named “RICK_SAFE”. Inside this, there is an executable file named “safe”. I downloaded this file to the main Kali machine.

We set permissions with the command ‘chmod 777 safe’. When executed with the string given with the previous flag, it displayed our next flag.

Inside it we also find hints for Rick’s passwords. I did a quick search on Google to find the band’s name. I found out that the band was called ‘The Flesh Curtains’. Next, I used gedit to write a program in Python using the given hints.

Now we run the program after giving it the necessary permissions to run. Here I save the output in wordlist2.txt.

Now it was time to crack the password by brute forcing with Hydra. Using Hydra, we try to log in to the service with all possible combinations of the users and the passwords provided in the newly created wordlist2.txt.

Now that we have cracked the password, I logged in over SSH using the newly acquired credentials. With the sudo command we get to root. In the root directory we get our next flag in the FLAG.txt file.

But since cat wasn’t working, we use the more command.

Now that I’m root and have got all 130 points, the box has been completed successfully.
Cheers!!