We covered the solution of Rickdiculouslyeasy Vulhub, where we demonstrated command injection in the web application running on the instance, which allowed us to enumerate and extract sensitive information such as usernames on the machine. Using the “strings” tool to extract hidden passwords, we were able to log in to the FTP storage server and extract more hints that led to solving the challenge and extracting the flag.

Initial Steps & Flag Captures

I started with an nmap scan to identify open ports on the target machine. I quickly discovered an open port, 60000. Connecting to this port using netcat provided me with a reverse shell. Once I was in, I listed the directory contents using a command like ls, and there it was – the first flag! I then used a command similar to cat [flag_filename] to display its content.

I found another open port, and connecting to it yielded another flag: “they found my back door pouring.” I also noticed port 32222 was open and set up for SSH, but I didn’t pursue it further at that point.

I then checked out the web servers running on ports 80 and 9090. Navigating to the machine’s IP address on port 9090 in a web browser immediately revealed another flag. On port 80, a directory scan (I used a tool for this, though I didn’t explicitly name it in the video) uncovered a /passwords/ directory. Accessing /passwords/passwords.html and viewing the page source revealed a password: “wonder.”

Command Injection & User Enumeration

Next, I performed a directory brute-forcing attack, which helped me discover a robots.txt file. This file revealed a /cgi-bin/ directory (which was under construction) and a /tracer.php tool. I quickly realized that the tracer tool was vulnerable to command injection. I attempted to inject commands like [IP_ADDRESS] ; ls -l to list files or [IP_ADDRESS] ; cat /etc/passwd | head -n 100 to grab the first hundred lines of the password file. This allowed me to enumerate usernames like Summer, Morty, and Rick Sanchez.
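For the defensive side of the tracer finding, here is an added example (not code from the target machine or from the video) of how a trace wrapper can refuse the injected inputs described above. The traceroute command line and all function names are assumptions, since the page does not show what tracer.php actually runs.

```python
import ipaddress
import subprocess

# Assumed command: the page does not show what tracer.php actually executes.
TRACE_CMD = ["traceroute", "-n", "-m", "15"]

def build_trace_argv(user_input):
    """Return the argv list for tracing user_input, or raise ValueError.

    Only a single IPv4/IPv6 literal is accepted, so ';', '|', '&&',
    backticks, '$()' and embedded spaces never reach a process.
    """
    candidate = user_input.strip()
    try:
        addr = ipaddress.ip_address(candidate)
    except ValueError:
        raise ValueError("not an IP address: %r" % user_input) from None
    # An IPv6 zone id ("fe80::1%eth0") may carry arbitrary text: refuse it.
    if getattr(addr, "scope_id", None):
        raise ValueError("scoped addresses are not accepted")
    # Pass the parser's canonical form, never the raw string. A parsed
    # literal cannot start with '-', so it cannot be read as an option.
    return TRACE_CMD + [str(addr)]

def run_trace(user_input, timeout=20):
    """Run the trace with an argv list; no shell ever sees the value."""
    argv = build_trace_argv(user_input)
    done = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return done.stdout

def check_inputs(samples):
    """Classify each sample as 'ok' or 'rejected' without running anything."""
    verdicts = {}
    for sample in samples:
        try:
            build_trace_argv(sample)
            verdicts[sample] = "ok"
        except ValueError:
            verdicts[sample] = "rejected"
    return verdicts

# Constructed inputs shaped like the ones in the walkthrough above.
SAMPLES = ["192.0.2.10", "2001:db8::1", "192.0.2.10 ; ls -l",
           "192.0.2.10 ; cat /etc/passwd | head -n 100", "fe80::1%eth0", "-h"]

if __name__ == "__main__":
    for sample, verdict in check_inputs(SAMPLES).items():
        print("%-8s %r" % (verdict, sample))
```

The two controls are independent: strict parsing rejects anything that is not an address, and the argv list means that even an accepted value is never interpreted by a shell.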

I then associated the password “wonder” (found earlier) with the username “summer.” I made an FTP connection to the vulnerable machine using “summer” and the password “winter.” Navigating through directories within the FTP session, I found another flag in Morty’s directory. I also found and downloaded a file named safe_password.gpg (or something similar). On my attacking machine, I used the command strings safe_password.gbc (or the correct filename) to extract strings from this downloaded file. This revealed yet another flag and a password for a journal.txt.zip file.

Privilege Escalation

I suspected that “ricksanchez” might be the root user or have higher privileges. So, I decided to use Hydra to brute-force the SSH password for “ricksanchez” on port 32222. The Hydra command I used was similar to: hydra -l ricksanchez -P pass.txt [IP_ADDRESS] ssh -s 32222 (where pass.txt was my wordlist). Hydra successfully found the password!

With the password in hand, I SSH’d into the machine as “ricksanchez” using the command: ssh ricksanchez@[IP_ADDRESS] -p 32222. To escalate my privileges to root, I used the command sudo -i. When prompted by sudo, I entered the same password for “ricksanchez,” and just like that, I had root access! Finally, I accessed the last flag, located in the root directory, by using a command like cat /root/root.txt.

This machine was a great exercise in enumerating services, finding open ports, exploiting command injection vulnerabilities, and brute-forcing credentials to gain access and escalate privileges.

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.
