Introduction
Hello fellow Hackers! Another day with another CTF machine for my TryHackMe writeup series. A Rick and Morty CTF. We need to help Rick to turn back into a human! This Rick and Morty themed challenge requires you to exploit a webserver to find 3 ingredients that will help Rick make his potion to transform himself back into a human from a pickle.
You can access this machine from this URL: https://tryhackme.com/room/picklerick
After hitting the deploy button we now have our IP address (before starting, check whether the IP is live by pinging it).
#Enum/Recon
I have used Nmap to check for open ports and services.
Command used: nmap -A -sV <machine IP>
From the nmap scan result we came to know that two ports are open: 22/tcp ssh and 80/tcp http. Let’s check out port 80 in the browser.
Well, seems like Rick is in danger!! In the webpage, I couldn’t find any clue but when I viewed the page source, I got the username: R1ckRul3s
Since we got the username, let’s start looking for the password using brute force techniques. First, I did the directory brute forcing with my favorite tool Gobuster and got /robots.txt with status: 200.
Command used: gobuster dir -u <url> -w /usr/share/dirb/wordlists/common.txt
When I checked in my browser, I think I got the password!!
password: Wubbalubbadubdub
With the collected login credentials, I tried to connect to the server via SSH and the permission was denied.
Well, at this point I felt pretty stupid, as Rick said, and then realized that enumeration is the key. So, I looked around in /assets in my browser and this is what I got… A big nothing except gifs and images and nothing interesting.
Next I tried the Nikto tool to get even more results and observed that there is /login.php.
Command used: nikto -h <machine IP>
I just tried it and bingo! I got the login page.
Login Credentials
username: R1ckRul3s
password: Wubbalubbadubdub
#Exploit
Now, we should execute some Linux commands to get the ingredient flags.
Command used: ls -la
We got the .txt file. If we use the cat command, we won’t get the flag because the command is disabled.
So, I used the less command instead of cat and got the first flag.
Command used: less Sup3rS3cretPickl3Ingred.txt
mr. meeseek hair
For the second flag, the command used: less /home/rick/'second ingredients'
1 jerry tear
Now it’s time for the 3rd and last flag. To get this, I just checked the user permissions by typing sudo -l and we can see that there are no restrictions and the existing user can run commands as sudo.
For the 3rd flag, the command used: sudo less /root/3rd.txt
3rd ingredients: fleeb juice
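From the defender's side, the "cat is disabled, less works" step above shows why a command denylist fails. The following is an added example, not the room's actual code: the portal's real filter is not shown on this page, so DENYLIST and ALLOWLIST below are constructed assumptions.

```python
import shlex
from typing import List, Optional

# Assumption: stand-in for the panel's "cat is disabled" behaviour.
DENYLIST = {"cat"}

# Hypothetical allowlist: program name -> the only arguments it may receive.
ALLOWLIST = {
    "ls": {"-l", "-la"},
    "whoami": set(),
    "uptime": set(),
}

def denylist_allows(command: str) -> bool:
    """Weak check: refuse only when the program name is on the denylist."""
    tokens = command.split()
    return not (tokens and tokens[0] in DENYLIST)

def parse_allowed(command: str) -> Optional[List[str]]:
    """Strict check: return argv only for a known program with known arguments.

    The returned list is meant for an exec-style call without a shell, so
    ';', '&&', pipes and quotes are never interpreted.
    """
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWLIST:
        return None
    if any(arg not in ALLOWLIST[argv[0]] for arg in argv[1:]):
        return None
    return argv

# Commands taken from the walkthrough above.
SAMPLES = [
    "ls -la",
    "cat Sup3rS3cretPickl3Ingred.txt",
    "less Sup3rS3cretPickl3Ingred.txt",
    "sudo less /root/3rd.txt",
]

def compare(commands: List[str]) -> List[tuple]:
    """Return (command, denylist verdict, allowlist verdict) per command."""
    return [(c, denylist_allows(c), parse_allowed(c) is not None) for c in commands]

if __name__ == "__main__":
    for cmd, deny_ok, allow_ok in compare(SAMPLES):
        print(f"{cmd!r:40} denylist={deny_ok!s:5} allowlist={allow_ok}")
```

The allowlist only addresses the command panel; the unrestricted sudo rights reported by sudo -l need their own fix in the sudoers configuration.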
Finally!!! All three flags were captured and the task was completed successfully. Thanks for reading and I hope you enjoyed it too. As I always mention in every blog post, suggestions are always welcome and open for discussion so that we can discuss other methods to complete the same task (exchanging ideas).
Happy Hacking….