TryHackMe Pickle Rick Writeup

kangwijen


This Rick and Morty themed challenge requires you to exploit a webserver to find 3 ingredients that will help Rick make his potion to transform himself back into a human from a pickle!

Discovery

We've been given an IP address for the website. Entering this IP address into the web browser shows the home page.

To discover more pages, we can use directory brute-forcing tools such as gobuster. Running gobuster gives us two more pages to check. After checking the pages, I found nothing useful.

Enumeration

For the next step, we're going to do some enumeration to discover exploits. One of the first things we can do is view the source of the home page, which gives us something interesting. While it isn't a vulnerability, it won't hurt to write it down.

Then, we can try using nmap with the --script vuln parameter to discover more vulnerabilities, which in turn shows us some more useful information. Here, it gives us two new pages to check which gobuster didn't give us previously.

The /robots.txt page shows a string of gibberish text. We don't know its purpose yet, but we should take note of it, just in case.

The /login.php page shows us the login portal. This is where the username we found earlier in the home page's source should be useful, but we don't know the password for it just yet. I tried brute-forcing it with Burp Suite to no avail. I then tried using the gibberish text from /robots.txt as a last hope and, guess what, it worked.

We get redirected to the admin portal with a command panel there. The other pages aren't useful so our main focus here will be the commands page.

Exploitation

I had a feeling that we could run commands there. Running the whoami and ls commands showed that it was possible.

bash
whoami
www-data

ls
Sup3rS3cretPickl3Ingred.txt
assets
clue.txt
denied.php
index.html
login.php
portal.php
robots.txt

There it is! The first flag and a clue! I then tried using the cat command, which sadly doesn't work. Quick research shows that we can use commands such as more and less as alternatives to cat. The more command doesn't work, but less does, which gives us the first flag and a clue.

bash
less Sup3rS3cretPickl3Ingred.txt
mr. meeseek hair

less clue.txt
Look around the file system for the other ingredient.

The clue shows us that it might be possible to do path traversal. We can use the pwd command to show where we are on the server. We can then try using the cd and ls commands to confirm that it is possible to exploit the path traversal vulnerability.

bash
pwd
/var/www/html

cd ../../../../ && ls
bin
boot
dev
etc
home
initrd.img
lib
lib64
lost+found
media
mnt
opt
proc
root
run
sbin
snap
srv
sys
tmp
usr
var
vmlinuz

I then checked the home folder, which shows that there are 2 users, rick and ubuntu. Using ls inside rick shows us the second flag. We can then use the less command again to display the flag inside.

bash
cd ../../../home/rick && less "second ingredients"
1 jerry tear

The next step is to look inside the root folder. Fortunately, the sudo command works without a password. We can combine sudo and ls to see what's inside the root folder, which gives us the third flag. We can use the less command again to display the third flag.

bash
sudo less /root/3rd.txt
3rd ingredients: fleeb juice
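
The panel refused cat and more but accepted less, which suggests a word denylist (an assumption; the page does not show the panel's source). As an added example, not code from the room or the original post, this Python block runs the walkthrough's inputs through such a denylist and through a hypothetical allowlist parser; DENYLIST, ALLOWED, SAFE_ARG and both function names are illustrative.

```python
import re
import shlex

# Assumption: the panel refuses a fixed list of words. The page only shows
# that cat and more were refused while less was accepted.
DENYLIST = ("cat", "more")

# Hypothetical allowlist for a diagnostics panel: command -> max argument count.
ALLOWED = {"whoami": 0, "pwd": 0, "ls": 1}

# Arguments must be plain relative paths: no options, no absolute paths,
# no shell operators or expansions.
SAFE_ARG = re.compile(r"[A-Za-z0-9_.][A-Za-z0-9_.-]*(/[A-Za-z0-9_.-]+)*")


def denylist_allows(cmdline):
    """Weak check: refuse only when a listed word appears in the input."""
    return not any(word in DENYLIST for word in cmdline.split())


def allowlist_parse(cmdline):
    """Return an argv list for subprocess.run(argv, shell=False), or None to refuse."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED:
        return None
    args = argv[1:]
    if len(args) > ALLOWED[argv[0]]:
        return None
    for arg in args:
        # Reject anything that is not a plain path or that climbs out with "..".
        if not SAFE_ARG.fullmatch(arg) or ".." in arg.split("/"):
            return None
    return argv


# Inputs taken from the walkthrough above, plus two benign ones (constructed).
SAMPLES = [
    "cat clue.txt",
    "less Sup3rS3cretPickl3Ingred.txt",
    "cd ../../../../ && ls",
    "sudo less /root/3rd.txt",
    "whoami",
    "ls assets",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line!r}: denylist={denylist_allows(line)} allowlist={allowlist_parse(line)}")
```

The allowlist does not address the passwordless sudo available to www-data that the last step relies on; that is a separate sudoers fix.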