Who doesn’t love Rick and Morty? On this box our goal is to exploit a webserver and find 3 ingredients for Rick to turn back into a human. Once we start it up we should start our recon by looking through the web server.
Using BurpSuite and the BurpSuite browser, we can start poking around the site by navigating to the IP address, in my case 10.10.113.121. We’re presented with a basic landing page with some instructions left by a forgetful Rick. Immediately we can see a comment in the source code:
<!-- Note to self, remember username! Username: R1ckRul3s -->
That will probably be useful later on, so we can save that username for now. There is also a link to an image which is stored in an assets directory, which we can access directly! Nothing seems too useful here yet, so we can note the couple of images and move on.
A good next check on these web CTFs is to look for /robots.txt, which actually returns something: a single value of “Wubbalubbadubdub”, which may or may not be useful at this time.
Time to hit the webserver with dirbuster, using the standard directory-list-1.0.txt wordlist. This gives us some results including portal.php which is aptly named for a Rick and Morty themed site. Checking it out we’re presented with a login screen. Bruteforcing this with rockyou.txt doesn’t work, but if we try using the username found earlier with Wubbalubbadubdub from robots.txt we’re able to log in.
Web Server Exploitation
Once logged in we’re presented with a page that just shows a “command panel” input field and nothing else. To see what’s going on, we can type in whoami to check what kind of commands the panel accepts.
A new field pops up that gives us www-data as a response, so there is likely some command injection we can take advantage of. Typing in ls gives us a list of files in the working directory right off the bat:
Hopefully these give us the ingredients. Let’s try:
cat Sup3rS3cretPickl3Ingred.txt
> Command disabled to make it hard for future PICKLEEEE RICCCKKKK.
Shoot. Well, there are other options to read the file, like:
less Sup3rS3cretPickl3Ingred.txt
> mr. meeseek hair
We now have our first ingredient!
Taking a look at clue.txt we’re prompted to look around the file system, so this is probably all set for a directory traversal attack.
By doing this, we can find Rick’s home directory, which has a file in it called “second ingredients”.
The trick here is to put the whole path in quotes, as “second ingredients” contains a space, which causes an issue.
less "../../../home/rick/second ingredients"
> 1 jerry tear
On to the last flag! These machines usually hide something that requires root privileges, so we can immediately try to see what commands we can sudo from the web command panel:
sudo -l
> Matching Defaults entries for www-data on ip-10-10-134-28.eu-west-1.compute.internal: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
> User www-data may run the following commands on ip-10-10-134-28.eu-west-1.compute.internal: (ALL) NOPASSWD: ALL
Based on this, we can sudo everything with no password (which is great for this non-interactive terminal). Let’s see if anything is in /root and read what pops up:
sudo ls /root
> 3rd.txt
> snap
sudo less /root/3rd.txt
> 3rd ingredients: fleeb juice
Perfect, all set to turn Rick back from a pickle!
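Looking at the same panel from the defender's side, the sketch below is an added example (not code from the box or from this write-up) that contrasts a command-name denylist, which is what the "Command disabled" reply suggests, with an allowlist that builds a fixed argv for shell-free execution and confines path arguments to the web root. The denylist contents, the /var/www/html root and the function names are assumptions; the real portal.php filter is not shown on this page.

```python
import posixpath
import shlex

DENYLIST = {"cat"}              # assumed: only "cat" is shown as disabled on the page
ALLOWED = {"whoami", "ls"}      # hypothetical allowlist: no pagers, no sudo
WEB_ROOT = "/var/www/html"      # assumed document root


def denylist_allows(cmdline: str) -> bool:
    """Weak filter: refuse only when a denied word appears as a token."""
    return not any(tok in DENYLIST for tok in cmdline.split())


def inside_root(arg: str) -> bool:
    """Lexically resolve arg against WEB_ROOT and require it to stay inside.
    A real deployment must also resolve symlinks (os.path.realpath)."""
    resolved = posixpath.normpath(posixpath.join(WEB_ROOT, arg))
    return resolved == WEB_ROOT or resolved.startswith(WEB_ROOT + "/")


def allowlist_argv(cmdline: str):
    """Return an argv list to execute without a shell, or None to refuse."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:          # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED:
        return None
    for arg in argv[1:]:
        if arg.startswith("-") or not inside_root(arg):
            return None
    return argv                 # pass to subprocess.run(argv, shell=False)


if __name__ == "__main__":
    # Inputs taken from the walkthrough above.
    for cmd in ["cat Sup3rS3cretPickl3Ingred.txt",
                "less Sup3rS3cretPickl3Ingred.txt",
                'less "../../../home/rick/second ingredients"',
                "sudo -l",
                "ls assets"]:
        print(f"{cmd!r}: denylist={denylist_allows(cmd)} "
              f"allowlist={allowlist_argv(cmd)}")
```

The allowlist only narrows the panel; the (ALL) NOPASSWD: ALL sudoers entry for www-data shown above still has to be removed for the web account to stay unprivileged.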