Introduction
Hello fellow Hackers! Another day with another CTF machine for my TryHackMe writeup series. A Rick and Morty CTF. We need to help Rick turn back into a human! This Rick and Morty themed challenge requires you to exploit a webserver to find 3 ingredients that will help Rick make his potion to transform himself back into a human from a pickle.
help!!!
After hitting the deploy button we now have our IP address (before starting, check whether the IP is live by pinging it).
#Enum/Recon
I have used Nmap to check for open ports and services.
Command used: nmap -A -sV
You can access this machine from this url: https://tryhackme.com/room/picklerick
From the nmap scan result we came to know that two ports are open and they are, 22/tcp ssh and 80/tcp http. Let’s check out port 80 on the browser.
Well, seems like Rick is in danger!! In the webpage, I couldn’t find any clue but when I viewed the page source, I got the username: R1ckRul3s
Since we got the username, let’s start looking for password using brute force techniques. First, I did the directory brute forcing with my favorite tool Gobuster and got /robots.txt with status: 200.
command used: gobuster dir -u -w /usr/share/dirb/wordlists/common.txt
When I checked in my browser, I think I got the password!!
password: Wubbalubbadubdub
With the collected login credentials, I tried to connect to the server via SSH and the permission was denied.
Well, at this point I felt pretty stupid, as Rick said, and then realized that enumeration is the key. So, I looked around in /assets in my browser and this is what I got… A big nothing except gifs and images, and nothing interesting.
Now I tried the Nikto tool to get even more results and observed that there is /login.php.
command used: nikto -h
I just tried it and bingo! I got the login page.
Login Credentials
username: R1ckRul3s
password: Wubbalubbadubdub
#Exploit
Now, we should execute some Linux commands to get the ingredient flags.
command used: ls -la
We got the .txt file. If we use the cat command, we won’t get the flag because the command is disabled.
So, I used the less command instead of cat and got the first flag.
command used: less Sup3rS3cretPickl3Ingred.txt
mr. meeseek hair
For the second flag the command used: less /home/rick/'second ingredients'
1 jerry tear
Now it’s time for the 3rd and last flag. To get this, I just checked the user permissions by typing sudo -l, and we can see that there are no restrictions and the existing user can run commands as sudo.
For the 3rd flag, the command used: sudo less /root/3rd.txt
3rd ingredients: fleeb juice
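The cat-versus-less result above shows why blocking commands by name does not hold up. The following is an added example, not code from the room or from this writeup: it contrasts a name denylist with an allowlist that produces an argv for execution without a shell. The denylist contents, the allowlisted commands and all function names are assumptions for illustration.

```python
import shlex

# Assumption: the panel rejects commands by name, as the disabled `cat` suggests.
DENYLIST = {"cat"}
# Hypothetical allowlist for illustration: command name -> maximum argument count.
ALLOWLIST = {"ls": 1, "whoami": 0, "id": 0}
SHELL_META = set(";|&$`<>(){}\\\n")

# Constructed sample input: the command lines quoted in this writeup.
SAMPLES = [
    "ls -la",
    "cat Sup3rS3cretPickl3Ingred.txt",
    "less Sup3rS3cretPickl3Ingred.txt",
    "sudo less /root/3rd.txt",
]


def denylist_allows(command_line):
    """Weak check: block only when the first word is a denylisted name."""
    words = command_line.split()
    return bool(words) and words[0] not in DENYLIST


def allowlist_parse(command_line):
    """Return an argv list for subprocess.run(argv) without a shell, or None."""
    if any(ch in SHELL_META for ch in command_line):
        return None
    try:
        argv = shlex.split(command_line)
    except ValueError:  # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWLIST:
        return None
    if len(argv) - 1 > ALLOWLIST[argv[0]]:
        return None
    for arg in argv[1:]:  # no absolute paths, no directory traversal
        if arg.startswith("/") or ".." in arg.split("/"):
            return None
    return argv


def compare(samples=SAMPLES):
    """Return (command, denylist verdict, allowlist verdict) per sample."""
    return [(s, denylist_allows(s), allowlist_parse(s) is not None) for s in samples]


if __name__ == "__main__":
    for line, deny_ok, allow_ok in compare():
        print(f"{line:36} denylist={deny_ok!s:5} allowlist={allow_ok}")
```

The denylist stops only the cat line, while the allowlist accepts only ls -la. The unrestricted sudo rule is a separate finding that input filtering in the web panel does not address.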
Finally!!! All three flags were captured and the task is completed successfully. Thanks for reading and hope you enjoyed it too. As I always mention in every blog post, suggestions are always welcome and open for discussion so that we can discuss other methods to complete the same task (exchanging ideas).
**Happy Hacking….**