Rickdiculously Easy – VulnHub Walkthrough

Rickdiculously Easy – VulnHub Walkthrough

Hi everyone, here is my solution for the Rickdiculously Easy VulnHub VM

Link: https://www.vulnhub.com/entry/rickdiculouslyeasy-1,207/

It’s pitched as a beginner CTF, but I couldnt resist a Rick and Morty themed boot to root! All up I probably spent around 30 minutes on this one to obtain all flags. Still fun though! To finish, the creator of the VM mentions getting all flags will net you 130 points in total.

As usual, get the IP of the box with netdiscover. Run an Nmap scan to see how we can interact with the VM.

Already from the Nmap scan we can see some flags so we will go after these ones first. Port 13337 has a flag straight up so its easy to grab.

Then moving on to port 21, we see anonymous FTP is allowed, giving access to the next flag.

Moving on to port 9090, we can see the flag displayed on the page as well

From here the last easy flag is on port 60000. Netcat to this port gives us a ‘half baked reverse shell’. It runs as root but only gives access to view the flag.

From here the remaining ports to check are 22 which is pretty uneventful, 80, and 22222 which seems to be the real SSH port. We will try 80 next as without credentials SSH will be the more difficult way in. We see Morty’s cool website when visiting port 80.

A quick scan with nikto shows us that there might be an interesting directory named “passwords”

Checking it we get our next flag.

We also find another file, passwords.html where Rick has removed the password and “hidden” it for Morty.

Viewing the source of this page gives us the password “winter” commented out in the HTML. We can probably use this for SSH but will need to dig deeper.

If we look at the robots.txt file for Morty’s page, we can see a few interesting files. The only one of which works is ‘tracertool.cgi’

The tool is a simple traceroute command that we can use for command injection by adding a semi-colon and running whatever we want after the traceroute command. Trying to cat /etc/passwd trolls us with a picture of a cat…

Instead we can use ‘less’ to output the /etc/passwd file

Some interesting usernames we see, RickSanchez, Morty and Summer. Trying to SSH to this VM we are allowed to use summer:winter as valid credentials.

The whole cat thing was getting irritating trying to read files, so i added an alias for cat pointing to the original cat which is named CATONALEASH. And with that we have Summer’s flag.

Time to explore! We can see we have read access to RickSanchez and Morty’s home directories. A tree of this shows the following.

Copying Morty’s files into our home directory, we try and unzip journal.txt.zip but its password protected. The Safe_Password.jpg is a dead end but we can find the actual password inside the content of the image.

Using the password “Meeseek” we are able to unzip the journal.txt.zip file, obtaining another flag and another password.

Copying Rick’s safe to Summers home dir, we are able to execute it with the password from the journal (131333) to obtain the next flag and a hint on cracking Rick’s password.

We’re also given the hint that Rick has sudo access and we can obtain root once getting his account. I did up a quick python script to trawl through potential passwords as per the clue given. I didn’t know what Rick’s band name was so a quick google revealed it was “The Flesh Curtains“.

With the generated passwords in hand, we can brute force with hydra to check for Ricks credentials.

Finally we get to login as Rick and obtain a root shell.

Very quick VM to get through but still fun regardless!

Leave a comment