Write-up
Step-by-step guide on the approach taken to pwn the machine.
Objectives
In this machine, we are tasked with finding three specific items.
Reconnaissance
As usual, we start by scanning for open ports using nmap:
We discover two open ports:
22 SSH
80 HTTP
Let's start with port 80 by visiting the webpage:
We find a message from Rick asking for help, stating he can't remember his password. Examining the source code with Ctrl+U, we find a username: R1ckRul3s.
Directory and Login Enumeration
To attempt brute-forcing the password for SSH, we run Hydra:
However, the SSH server does not accept password authentication, so we shift our focus to directory enumeration using dirbuster.
The scan reveals /portal.php, which redirects to login.php. Inspecting robots.txt, we find a stray string that is not a robots directive, and we try it as the password.
Using R1ckRul3s as the username and the discovered string as the password, we successfully log in.
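Both the username in an HTML comment and the stray string in robots.txt are secrets served to anyone who fetches a public file. As an added example (not part of the original write-up; the HTML and robots.txt content below is constructed for illustration, not captured from the room), here is a small Python pre-deployment check a site owner can run over their own pages to catch exactly these two leaks:

```python
import re

# Constructed sample page: the comment mirrors the kind of note found in the
# page source above; the username is the one the write-up reports.
SAMPLE_HTML = """<html><body>
<h1>Help Morty!</h1>
<p>Rick can't remember his password...</p>
<!--
    Note to self, remember username!
    Username: R1ckRul3s
-->
<!-- build 2024-01-01 -->
</body></html>"""

# Constructed robots.txt: one line is neither a directive nor a comment.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /admin/
# harmless comment
stray-token-example
"""

# Words that suggest a comment carries credentials rather than build notes.
SECRET_WORDS = re.compile(
    r"\b(user(name)?|pass(word|wd)?|login|token|key|secret)\b", re.I)

# Directives a well-formed robots.txt is expected to contain.
ROBOTS_DIRECTIVES = ("user-agent", "disallow", "allow", "sitemap",
                     "crawl-delay", "host")


def suspicious_html_comments(html: str) -> list:
    """Return the text of every HTML comment that mentions a credential-like word."""
    comments = re.findall(r"<!--(.*?)-->", html, re.S)
    return [c.strip() for c in comments if SECRET_WORDS.search(c)]


def stray_robots_lines(robots: str) -> list:
    """Return robots.txt lines that are neither a known directive, a comment, nor blank."""
    stray = []
    for line in robots.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        directive = s.split(":", 1)[0].strip().lower()
        if ":" not in s or directive not in ROBOTS_DIRECTIVES:
            stray.append(s)
    return stray


if __name__ == "__main__":
    for c in suspicious_html_comments(SAMPLE_HTML):
        print("credential-like HTML comment:", c.replace("\n", " "))
    for s in stray_robots_lines(SAMPLE_ROBOTS):
        print("stray robots.txt line:", s)
```

Run it against the rendered HTML and robots.txt of a staging build; any hit is something a visitor can read with Ctrl+U or a single GET, so it belongs in a secrets store, not in served files.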
Gaining a Shell
Inside the admin panel, we see a terminal for executing commands. Other sections are restricted to "the real Rick."
We start by checking our user context:
Then we list the files:
We find Sup3rS3cretPickl3Ingred.txt. Attempting to read it with cat fails due to restrictions.
Instead, we use base64 encoding and decoding:
We obtain the first ingredient.
Next, we attempt a reverse shell for easier interaction. Checking for Python availability:
With Python available, we use the reverse shell from pentestmonkey:
We set up a listener on our machine:
Executing that command through the web terminal makes the target connect back to our listener, giving us an interactive shell.
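The terminal refuses cat but not base64, which is the classic failure of a denylist: it blocks one spelling of an action rather than the action itself. The following is an added example, not the room's PHP and not the author's code; the denied word list and the allowed program set are assumptions chosen for illustration. It contrasts the denylist with an allowlist that names the few programs the panel legitimately needs and runs them without a shell:

```python
import shlex
import subprocess

# Denylist modelled on the behaviour observed above: "cat" is refused, yet
# the same file can be read with base64 (the word list is an assumption).
DENIED_WORDS = {"cat", "head", "tail", "more", "less"}


def denylist_blocks(command: str) -> bool:
    """Vulnerable approach: refuse only when a banned word appears in the command."""
    return any(word in DENIED_WORDS for word in command.split())


# Hardened approach: enumerate the programs the panel really needs (assumed
# set) and execute them directly, so shell metacharacters are never interpreted.
ALLOWED_PROGRAMS = {"ls", "whoami", "id", "uptime"}


def allowlist_check(command: str):
    """Return (allowed, argv); argv is empty when the command is refused."""
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes
        return False, []
    if not argv or argv[0] not in ALLOWED_PROGRAMS:
        return False, []
    for arg in argv[1:]:
        # Arguments are passed as data, not shell, but keep them inside the
        # working directory and refuse anything that looks like chaining.
        if arg.startswith("/") or ".." in arg or any(ch in arg for ch in ";|&$`"):
            return False, []
    return True, argv


def run_hardened(command: str) -> str:
    """Run an allowlisted command without a shell and return its stdout."""
    allowed, argv = allowlist_check(command)
    if not allowed:
        return "command not permitted"
    result = subprocess.run(argv, capture_output=True, text=True, timeout=5)
    return result.stdout


if __name__ == "__main__":
    for cmd in ("ls", "cat secret.txt", "base64 secret.txt", "ls; id"):
        print(f"{cmd!r}: denylist blocks={denylist_blocks(cmd)}, "
              f"allowlist permits={allowlist_check(cmd)[0]}")
```

Note that the allowlist version also rejects "ls; id": shlex leaves the semicolon attached to the first token, so it no longer matches an allowed program name, and even if it did, nothing here hands the string to a shell that would honour the separator.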
Privilege Escalation
To check sudo privileges:
We can run /bin/bash as sudo, so we execute:
We are now root. We check the home directory for the third ingredient:
Finally, we search for the second ingredient in Rick's home directory:
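The root step works only because the account running the web application is permitted to run /bin/bash through sudo. As an added example (not from the write-up; the sudoers text below is constructed, and its www-data rule mirrors the condition described above rather than the machine's actual file), here is a Python audit that parses sudoers-style rules and flags any principal granted a shell or ALL, noting whether a password is required:

```python
import re

# Constructed sudoers content (not captured from the target). The www-data
# line reproduces the weakness exploited above: a service account may run a
# shell as root without a password.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed example)
Defaults env_reset
root     ALL=(ALL:ALL) ALL
%sudo    ALL=(ALL:ALL) ALL
www-data ALL=(ALL) NOPASSWD: /bin/bash
backup   ALL=(root) NOPASSWD: /usr/bin/rsync
deploy   ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app
"""

# Commands that hand the caller a root shell outright.
SHELLS = {"/bin/bash", "/bin/sh", "/bin/dash", "/bin/zsh", "/usr/bin/bash",
          "/usr/bin/zsh", "ALL"}

# Simplified rule grammar: who host=(runas) [TAG:] cmd[, cmd...]
# (aliases and rules without a runas list are outside this example's scope).
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")


def parse_sudoers(text: str) -> list:
    """Turn sudoers-style lines into rule dicts; comments and Defaults are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        rules.append({
            "who": m.group("who"),
            "runas": m.group("runas"),
            "nopasswd": "NOPASSWD:" in m.group("tags"),
            "cmds": [c.strip() for c in m.group("cmds").split(",")],
        })
    return rules


def find_shell_grants(rules: list) -> list:
    """Return (who, command, nopasswd) for every rule that grants a shell or ALL."""
    findings = []
    for rule in rules:
        for cmd in rule["cmds"]:
            binary = cmd.split()[0]
            if binary in SHELLS:
                findings.append((rule["who"], binary, rule["nopasswd"]))
    return findings


if __name__ == "__main__":
    for who, binary, nopasswd in find_shell_grants(parse_sudoers(SAMPLE_SUDOERS)):
        severity = "HIGH (no password)" if nopasswd else "review"
        print(f"{severity}: {who} may run {binary} via sudo")
```

Entries for root and the admin group are expected; a web service account with a passwordless shell grant is the finding that turns command execution in the panel into a full compromise, and the fix is to grant only the specific binary the service needs, as the rsync and systemctl lines do.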