Rajoul@home:~##

RickdiculouslyEasy-1

Let’s start by scanning my local private network to get the IP address of my target.

The address of my target => 10.0.4.29

Our next step is to scan our target with Nmap.

nmap -sC -sV -o scan.nmap 10.0.4.29

There are three ports open: 80 => Apache server, 22 => SSH and 21 => FTP, plus 9090.

Let’s check the Apache server on port 80.

We start by checking the FTP service, which allows the anonymous user, and retrieve the first flag.

Next we enumerate all ports to see if there are any other open ports.

Let’s examine port 9090.

Then port 13337, with the curl or wget command.

Then port 60000, with the netcat command.

Next, we enumerate directories with the gobuster tool.

We look at what is in the password folder.

We get another flag with 10 points.

Inside password.html I found a user's password.

After that, we look at the robots.txt file.

Then we get an input field that allows us to execute a ping command and also a second command.

Listing the contents of the /etc/passwd file, we discover 3 system users.
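The ping form above runs a second command because its input reaches a shell as part of one command string. As an added example (not code from the target or from this write-up), here is that pattern next to a hardened handler in Python; the function names and sample inputs are constructed for illustration.

```python
import ipaddress
import shlex
import subprocess

SHELL_PUNCTUATION = set("();<>|&")


def build_ping_shell_string(user_input):
    """Vulnerable pattern: the input is pasted into a shell command line."""
    return "ping -c 1 " + user_input


def shell_control_tokens(command_line):
    """Show how a shell would split the string: return its control operators.

    Illustration only, not a filter: it does not cover backticks, $() or newlines.
    """
    lexer = shlex.shlex(command_line, punctuation_chars=True)
    lexer.whitespace_split = True
    return [tok for tok in lexer if set(tok) <= SHELL_PUNCTUATION]


def build_ping_argv(user_input):
    """Hardened: accept only a literal IP address and return an argv list."""
    candidate = user_input.strip()
    try:
        addr = ipaddress.ip_address(candidate)
    except ValueError:
        raise ValueError("not an IP address: %r" % candidate) from None
    # Each list element is one argument; no shell ever parses the value.
    return ["ping", "-c", "1", str(addr)]


def ping(user_input):
    """Run ping without a shell (shell=False is the default, stated for clarity)."""
    return subprocess.run(build_ping_argv(user_input), shell=False,
                          capture_output=True, text=True, timeout=5)


if __name__ == "__main__":
    sample = "127.0.0.1; id"  # constructed input with a second command appended
    print(shell_control_tokens(build_ping_shell_string(sample)))
    try:
        build_ping_argv(sample)
    except ValueError as exc:
        print("rejected:", exc)
```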

Let’s enumerate the services running on these ports.

Great, SSH is running on port 22222; let’s log in with the 3 users and the winter password.

We get the third flag with 10 points. Switching to Morty’s home directory, we copy Morty’s file to my machine.

Great, inside the image there is a password to unzip the journal file.

Retrieving the journal.txt file, which contains the fourth flag with 20 points.

Going inside the last user, Rick,

we find a safe file that can’t be executed on the target machine. So we copy it to our machine as well and then run it with the last code found.

Great, we get another flag with 20 points and a hint about Rick’s password, so we google the name of Rick’s old band.

The idea is to brute force Rick’s password. First we start by making the wordlist with the crunch tool.

Then we make our wordlist following the description.

Great, we get Rick’s password by brute forcing with the hydra tool.

Next, we log in and look at the privileges of the Rick user. It can run any command as the root user.

Congratulations, we have root access and we can read the last flag and get the 130 points.

Summarizing all the flags found on the different ports.
