CTF Challenge: Rickdiculously Easy | MITRE Mapping

itsShotgun
4 min read, Dec 28, 2024

Hello World!!!
In this article, I’ll take you through my first-ever Capture The Flag (CTF) challenge featured on my Let’s CTF YouTube series: Rickdiculously Easy. I’ve tried to sum up the two-part YouTube video in this Medium article.

If you’re a beginner in cybersecurity or someone looking to understand how penetration testing works, this write-up will offer a glimpse into my approach and thought process as I tackled this challenge. In this article I’ll also be linking each TTP to MITRE ATT&CK.

Environment Setup

The CTF environment is a Fedora-based virtual machine downloaded from Vulnhub. The objective is to capture as many flags as possible while uncovering security vulnerabilities. I organized my workflow into three terminals:

  • Recon and attack terminal.
  • Hints documentation (a file to log insights).
  • Flags documentation (a file to record discovered flags).

Initial Reconnaissance

The VM displayed the IP address 172.16.82.3 with a running service on port 9090. I started by identifying active ports using nmap:

sudo nmap -sV -p- 172.16.82.3

Findings:

  • Port 21 (FTP)
  • Port 22 (SSH)
  • Port 80 (HTTP)
  • Port 9090 (HTTP)

MITRE Mapping:

Reconnaissance (nmap scan)
MITRE Tactic: Initial Access, Discovery
MITRE Technique: Active Scanning (T1595), Network Service Scanning (T1046)

Exploring HTTP Services

Port 80:

Visiting the site showed a basic webpage titled “Morty’s Cool Website” with no obvious functionality. I proceeded with Nikto to check for vulnerabilities and accessible directories:

nikto -h http://172.16.82.3

This revealed a passwords.html file, which contained a flag and the hint:
Password: winter

MITRE Mapping:

Web Vulnerabilities (Nikto, HTTP)
MITRE Tactic: Initial Access, Credential Dumping
MITRE Technique: Web Shell (T1100), Credentials in Files (T1552.003)

Port 9090:

The webpage at http://172.16.82.3:9090 revealed another flag right away.

MITRE Mapping:

Port 9090 (Web Page)
MITRE Tactic: Initial Access
MITRE Technique: Web Shell (T1100)

Using Directory Brute-Forcing

Since automated scans like Nikto sometimes miss hidden files, I used Gobuster for directory enumeration:

gobuster dir -u http://172.16.82.3 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

This uncovered:

  • /robots.txt: Included a list of disallowed paths but no immediate flags.
  • /cgi-bin: Contained a basic script under construction.

MITRE Mapping:

Directory Enumeration
MITRE Tactic: Discovery
MITRE Technique: Directory Enumeration (T1083)

FTP Anonymous Login

I attempted to log in to the FTP service with anonymous credentials:

ftp 172.16.82.3
Username: anonymous
Password: [empty]

It allowed access, revealing a file named flag.txt. Using the get command, I downloaded it and captured the flag:

get flag.txt

MITRE Mapping:

FTP Anonymous Login
MITRE Tactic: Initial Access
MITRE Technique: Exploit Public-Facing Application (T1190)

Command Injection Discovery

On further inspection, the /cgi-bin directory hosted a “trace route” feature, allowing users to input IPs. Testing revealed this feature was vulnerable to command injection. By terminating the trace command with a semicolon (;) and appending custom commands, I gained shell-like access.

Testing Command Execution:

172.16.82.3; echo hello

This executed successfully, confirming the vulnerability.

I used this to read the /etc/passwd file and identified valid users:

172.16.82.3; cat /etc/passwd

Discovered Users:

  • Rick Sanchez
  • Morty
  • Summer

MITRE Mapping:

Command Injection Discovery
MITRE Tactic: Execution, Discovery
MITRE Technique: Command and Scripting Interpreter (T1059), System Information Discovery (T1082)
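To show why the “trace route” feature broke the way it did, here is an added example (my own code, not the CTF VM’s CGI script and not from the original write-up) that puts the unsafe string-concatenation pattern beside a hardened version. The hardened version validates the input as an IP address with Python’s ipaddress module and hands it to subprocess as an argv list with no shell, so a semicolon is never interpreted as a command separator. The function names, the traceroute binary path and the detection helper are my assumptions.

```python
"""Command injection in a CGI 'trace route' helper: the unsafe pattern
beside a hardened version.  Added example, not code from the CTF VM or
the original write-up; function and parameter names are assumptions."""
import ipaddress
import subprocess


# --- Vulnerable pattern --------------------------------------------------
def build_command_unsafe(target: str) -> str:
    """Build the command the way a naive CGI script does: string
    concatenation that is later handed to a shell (shell=True / os.system).
    Anything after a ';' in `target` becomes a second command."""
    return f"traceroute {target}"


# --- Hardened version ----------------------------------------------------
def validate_target(target: str) -> str:
    """Accept only a syntactically valid IPv4/IPv6 address.
    ipaddress.ip_address raises ValueError on anything else, so shell
    metacharacters never reach the command at all."""
    return str(ipaddress.ip_address(target.strip()))


def build_command_safe(target: str) -> list[str]:
    """Return an argv list.  Passing a list to subprocess with shell=False
    makes the target exactly one argument: there is no shell to interpret
    ';', '|', '&&' or backticks."""
    return ["traceroute", validate_target(target)]


def run_traceroute(target: str, binary: str = "traceroute") -> subprocess.CompletedProcess:
    """Run the validated command without a shell (no injection surface).
    `binary` is an assumption; point it at the real traceroute path."""
    argv = build_command_safe(target)
    argv[0] = binary
    return subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=60)


def is_injection_attempt(target: str) -> bool:
    """Detection helper for web/CGI request logs: True when the submitted
    value would fail validation.  Worth logging and alerting on."""
    try:
        validate_target(target)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample inputs shaped like the write-up's test.
    benign = "172.16.82.3"
    hostile = "172.16.82.3; echo hello"
    print("unsafe shell string:", build_command_unsafe(hostile))
    print("safe argv          :", build_command_safe(benign))
    print("injection attempt? :", is_injection_attempt(hostile))
```

The contrast is the whole lesson: in the unsafe form the target is text that a shell parses, in the safe form it is one argument that no shell ever sees, and validation rejects it before that anyway.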

Flag Summary

Here’s a summary of flags captured so far:

  1. Port 9090: Initial flag on the webpage.
  2. FTP Service: Flag in flag.txt.
  3. Passwords File: Flag in passwords.html.

MITRE Mapping:

Captured Flags
MITRE Tactic: Collection
MITRE Technique: Data Staged (T1074)

Next Steps

At this stage, the challenge becomes more complex. In part two, I’ll focus on privilege escalation by leveraging:

  • The identified users (rick, morty, summer).
  • Potential vulnerabilities in SSH or file permissions.

Part Two: Privilege Escalation and Root Access

Password Discovery

After further exploration and using the password hints in the system, I discovered that Rick Sanchez’s old band name was a key to the password. I deduced the band name from Rick and Morty lore: The Flesh Curtains. Using this hint, I crafted a password that combined the band name with other criteria (uppercase letter, digit).

I wrote a Python script to help generate possible password combinations based on the given criteria.

Brute-Forcing SSH Credentials

I attempted to perform a brute-force attack on SSH using Hydra:

MITRE Mapping:

Brute-Forcing SSH (Hydra)
MITRE Tactic: Lateral Movement
MITRE Technique: Brute Force (T1110)
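From the defender’s side, a Hydra run against SSH is loud: a burst of “Failed password” lines from one source, often followed by an “Accepted password” once the list hits. The following is an added example (my own code, not from the write-up) that detects that pattern in sshd auth log lines. The log lines are constructed, and the threshold and window are assumptions to tune per environment.

```python
"""Detect SSH password brute forcing (ATT&CK T1110) from sshd log lines:
count failed logins per source IP inside a sliding window, flag sources
over a threshold, and note a later successful login from a flagged source.
Added example, not part of the original write-up; sample lines are
constructed and the threshold/window values are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH failure / success lines as written to /var/log/secure or auth.log.
_PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
FAILED_RE = re.compile(
    _PREFIX + r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
ACCEPTED_RE = re.compile(
    _PREFIX + r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Constructed sample: one noisy source, one slow source.
SAMPLE_LOG = """\
Dec 28 10:00:01 vm sshd[1201]: Failed password for invalid user admin from 172.16.82.10 port 50122 ssh2
Dec 28 10:00:02 vm sshd[1203]: Failed password for rick from 172.16.82.10 port 50124 ssh2
Dec 28 10:00:02 vm sshd[1205]: Failed password for rick from 172.16.82.10 port 50126 ssh2
Dec 28 10:00:03 vm sshd[1207]: Failed password for morty from 172.16.82.10 port 50128 ssh2
Dec 28 10:00:03 vm sshd[1209]: Failed password for summer from 172.16.82.10 port 50130 ssh2
Dec 28 10:00:04 vm sshd[1211]: Accepted password for rick from 172.16.82.10 port 50132 ssh2
Dec 28 10:05:00 vm sshd[1300]: Failed password for morty from 172.16.82.20 port 40001 ssh2
Dec 28 10:20:00 vm sshd[1301]: Failed password for morty from 172.16.82.20 port 40002 ssh2
"""


def parse_ts(stamp: str, year: int = 2024) -> datetime:
    """syslog timestamps carry no year; the year is assumed (constructed sample)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def find_brute_force(log_text: str, threshold: int = 5, window_seconds: int = 60):
    """Return (alerts, compromised).
    alerts:      {ip: (failures_in_window, sorted usernames tried)}
    compromised: {ip: user} for a successful login from an already-flagged ip."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    users = defaultdict(set)
    alerts, compromised = {}, {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ip, ts = m["ip"], parse_ts(m["ts"])
            q = recent[ip]
            q.append(ts)
            users[ip].add(m["user"])
            while (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()          # drop failures that fell out of the window
            if len(q) >= threshold:
                alerts[ip] = (len(q), sorted(users[ip]))
            continue
        m = ACCEPTED_RE.match(line)
        if m and m["ip"] in alerts:
            compromised[m["ip"]] = m["user"]   # success right after a burst: high priority
    return alerts, compromised


if __name__ == "__main__":
    found, success = find_brute_force(SAMPLE_LOG)
    for ip, (count, names) in found.items():
        print(f"ALERT {ip}: {count} failures in window, users tried: {names}")
    for ip, user in success.items():
        print(f"CRITICAL {ip}: login succeeded as {user} after brute-force burst")
```

The slow source (two failures fifteen minutes apart) never trips the window, which is the trade-off any threshold rule makes; pairing it with the “success after burst” rule is what turns a noisy alert into one worth paging on.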

Privilege Escalation to Root

After logging in as Rick Sanchez, I attempted to escalate privileges using sudo:

sudo -l

This revealed that Rick had permission to run certain commands as root without a password. I used this to gain root access.

sudo bash

Now, I had root access.

MITRE Mapping:

Privilege Escalation (sudo)
MITRE Tactic: Privilege Escalation
MITRE Technique: Sudo and Sudo Caching (T1548.003), Sudo (T1548)
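The `sudo -l` step is exactly what a hardening review should run for every account before an attacker does. Here is an added example (my own code, not from the write-up) that parses `sudo -l` output and grades the rules: NOPASSWD on ALL, or any rule that runs a shell as root, is the configuration this VM was built to teach. The sample output is constructed and the list of shell binaries is an assumption to extend for your hosts.

```python
"""Audit `sudo -l` output for rules that hand out root cheaply
(ATT&CK T1548.003).  Added example, not from the original write-up; the
sample output is constructed and SHELL_BINARIES is an assumption."""
import re

# Binaries that give an interactive shell as the run-as user (assumed list).
SHELL_BINARIES = {"/bin/bash", "/bin/sh", "/usr/bin/bash", "/usr/bin/sh", "/bin/zsh"}

# Constructed sample in the shape of `sudo -l` for one user.
SAMPLE_SUDO_L = """\
Matching Defaults entries for rick on vm:
    !visiblepw, env_reset, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin

User rick may run the following commands on vm:
    (ALL) NOPASSWD: ALL
    (root) NOPASSWD: /usr/bin/systemctl restart httpd
    (root) /bin/sh
"""

# "(runas) TAG: TAG: command, command"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")


def parse_rules(text: str) -> list[dict]:
    """Return [{'runas', 'tags', 'cmds'}] for the rule lines after the
    'User X may run the following commands' header."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if m:
            tags = {t.rstrip(":") for t in m["tags"].split()}
            cmds = [c.strip() for c in m["cmds"].split(",")]
            rules.append({"runas": m["runas"].strip(), "tags": tags, "cmds": cmds})
    return rules


def audit(text: str) -> list[tuple[str, str, str]]:
    """Return (severity, command, reason) findings, in rule order."""
    findings = []
    for rule in parse_rules(text):
        nopasswd = "NOPASSWD" in rule["tags"]
        for cmd in rule["cmds"]:
            binary = cmd.split()[0]
            if cmd == "ALL":
                findings.append(("critical" if nopasswd else "high", cmd, "unrestricted root"))
            elif binary in SHELL_BINARIES:
                findings.append(("critical" if nopasswd else "high", cmd, "runs a shell as root"))
            elif nopasswd:
                findings.append(("info", cmd, "NOPASSWD, review arguments and wildcard use"))
    return findings


if __name__ == "__main__":
    for sev, cmd, why in audit(SAMPLE_SUDO_L):
        print(f"[{sev:8}] {cmd:45} {why}")
```

Run the same parser over `sudo -l -U <user>` output for every interactive account, or over the sudoers file itself, and the CTF’s “free root” rule shows up as the first critical finding.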

Root Access and Final Flag Collection

With root access, I had the ability to read any file on the system, including the final flags. I successfully retrieved all flags from the system.

MITRE Mapping:

Root Access & Final Flag Collection
MITRE Tactic: Collection
MITRE Technique: Data Staged (T1074)

Conclusion

By mapping each stage of this CTF challenge to the MITRE ATT&CK framework, we can see how common penetration testing tools and techniques align with real-world attack patterns. The MITRE framework provides a structured way to think about and understand the various tactics and techniques attackers use to compromise systems. This mapping can be helpful for improving defense strategies by identifying areas where security measures can be strengthened.

By understanding how attackers move through each stage of an attack and which techniques they use, security professionals can better defend their systems against these types of threats.
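A practical way to use a mapping like this one is to turn it into an ATT&CK Navigator layer so the chain can be laid over the matrix next to your detection coverage. The following is an added example (my own code, not from the article) that takes the article’s own step-by-step mapping, sanity-checks the technique IDs and tactic names, and emits a layer. The technique IDs and tactic names are copied from the article as written; the layer fields follow the public Navigator layer format as I know it, and the version numbers in it are assumptions.

```python
"""Turn the write-up's MITRE mapping into an ATT&CK Navigator layer and
sanity-check it.  Added example, not from the original article; STEPS
reproduces the article's IDs and tactic names as written, the layer
fields follow the public Navigator layer format, and the version numbers
are assumptions."""
import json
import re

TECH_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")
ENTERPRISE_TACTICS = {
    "reconnaissance", "resource-development", "initial-access", "execution",
    "persistence", "privilege-escalation", "defense-evasion",
    "credential-access", "discovery", "lateral-movement", "collection",
    "command-and-control", "exfiltration", "impact",
}

# (step, tactics as written in the article, technique IDs as written)
STEPS = [
    ("nmap scan",              ["Initial Access", "Discovery"],          ["T1595", "T1046"]),
    ("Nikto / passwords.html", ["Initial Access", "Credential Dumping"], ["T1100", "T1552.003"]),
    ("Port 9090 web page",     ["Initial Access"],                       ["T1100"]),
    ("Gobuster",               ["Discovery"],                            ["T1083"]),
    ("FTP anonymous login",    ["Initial Access"],                       ["T1190"]),
    ("CGI command injection",  ["Execution", "Discovery"],               ["T1059", "T1082"]),
    ("Hydra SSH brute force",  ["Lateral Movement"],                     ["T1110"]),
    ("sudo to root",           ["Privilege Escalation"],                 ["T1548.003", "T1548"]),
    ("flag collection",        ["Collection"],                           ["T1074"]),
]


def tactic_slug(name: str) -> str:
    """'Privilege Escalation' -> 'privilege-escalation' (Navigator's form)."""
    return name.strip().lower().replace(" ", "-")


def validate(steps) -> list[str]:
    """Report malformed technique IDs and labels that are not Enterprise
    tactics, so the layer does not silently drop them."""
    problems = []
    for step, tactics, techs in steps:
        for t in tactics:
            if tactic_slug(t) not in ENTERPRISE_TACTICS:
                problems.append(f"{step}: '{t}' is not an Enterprise tactic")
        for tid in techs:
            if not TECH_ID.match(tid):
                problems.append(f"{step}: '{tid}' is not a technique ID")
    return problems


def build_layer(steps, name: str = "Rickdiculously Easy") -> dict:
    """Score each technique by the step in which it appeared.  The 'tactic'
    key is omitted so Navigator highlights the technique in every column
    it belongs to."""
    techniques = []
    for order, (step, _tactics, techs) in enumerate(steps, start=1):
        for tid in techs:
            techniques.append({
                "techniqueID": tid,
                "score": order,
                "comment": f"step {order}: {step}",
                "enabled": True,
            })
    return {
        "name": name,
        "versions": {"attack": "15", "navigator": "4.9", "layer": "4.5"},  # assumed
        "domain": "enterprise-attack",
        "description": "Techniques observed in the CTF write-up, scored by step order",
        "techniques": techniques,
    }


def layer_json(steps) -> str:
    return json.dumps(build_layer(steps), indent=2)


if __name__ == "__main__":
    for problem in validate(STEPS):
        print("WARN:", problem)
    print(layer_json(STEPS))
```

Load the JSON into Navigator and compare it with a layer of your detection rules; the cells that are scored here but empty there are the gaps this write-up points at. The validator also surfaces labels that the matrix cannot place, which is worth running before sharing any hand-written mapping.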

Written by itsShotgun

Hello World Shotgun here, I'm a cybersecurity Enthusiast https://www.youtube.com/@itsShotgun