Fourth Boot2Root RickdiculouslyEasy: 1

Hello Folks!
Link to the box :- https://www.vulnhub.com/entry/rickdiculouslyeasy-1,207/
Rating :- Intermediate
Time :- 3 Hours
Welcome to the fourth Boot2Root. As always, we start with arp-scan -l and found the box at 192.168.43.27,
and nmap the box. This time I had to do an entire -p- scan because SSH wasn't working on port 22; it kept giving connection refused, so I had to do nmap -p- 192.168.43.27
So the nmap scan returned this:
After this part I decided to visit the FTP.
Anonymous login worked with a blank password and we got the first flag, pretty easy so far, so that's 10/130 total points.
Moving on to port 80, I found this:

Nothing hiding in the source code, plain and simple HTTP, so as always I planned to visit /robots.txt and see if it exists. Once I opened /robots.txt:
That cgi-bin was really tempting me to try Shellshock without thinking too much, but I decided to visit all the links from the top down.

The first link was a troll; as expected, nobody gives out root shell info that easily xP
Time to check out the second link, maybe it'll be something we can use?
Well well, what do I know: I tried a simple command line injection and it revealed a bunch of information, so now we know there are 3 users, "Morty/Summer/RickSanchez". We can use it to SSH maybe?
Moving on, the last link was useless, so I planned to dirb for something useful maybe?
Time to visit the /password directory; it really looks like something we can use with the set of usernames we have.


There we go with a password and a username, "Summer and winter". Sounds like something we can use together?

So that's a total of 2 flags (20/130), getting there I guess. Now I planned to visit the zeus-admin page to see if I can find anything useful.
So that adds up to (30/130), which is pretty cool. After this I started checking the open ports which we got from our nmap scan and I found a few flags.
So after scanning all the ports we came to know there's an SSH on 22222, and found two more flags, which totals up to (50/130).


Let's get to the SSH then 

Once we were done with this flag, I planned to visit /home and found this:

Time to copy these files to the local host and enumerate the files further for some more clues.


Once I copied them in, I decided to run strings on the file and see if I could find anything in there.

With the password "Meeseek" I was able to open the zip file and further found this:


So we found the next flag, and that's a total of (80/130). After reading the hint for the safe, I came up with the idea to visit the SSH again and see if we can find something inside the Sanchez directory.


Back to ssh 

Time to copy that file and see if we can use the 131333 to our strength as a password and open this safe file?

So the total score becomes (100/130).

After a little bit of Googling I came to know Sanchez's band was "The Flesh Curtains",
so I decided to make a password list using crunch and bruteforce the SSH for Sanchez.


With everything ready, let's bruteforce the SSH with hydra.




We found the user and password is (RickSanchez:P7Curtains). Let's SSH with this information and see if we can get the final flag. We also found in the safe file that sudo is wheely good, so I did "sudo -i", entered the password, and found this:



And it's a wrap, 130/130. Simply amazing box, not really "easy".

Thank You!!
