TryHackMe – Pickle Rick writeup

Being a fan of the show, I couldn’t pass up the opportunity to do this challenge with a Rick and Morty theme. The flags to find were the 3 ingredients Rick needed to turn himself back into a human. Here’s my writeup of this easy TryHackMe room focused on web application vulnerabilities.

Scanning and Enumeration

I started by poking around the source code and the usual suspects (robots.txt, sitemap.xml, etc.) while ffuf and Nmap were scanning the server.

I found a couple of interesting things, a username in the index.html page source code:

<!--
    Note to self, remember username!

    Username: R1ckRul3s
-->

And I found a word inside the robots.txt (“Wubbalubbadubdub”, one of Rick’s catchphrases).

Nmap didn’t return anything flashy (just ports 22 and 80 open, and no apparently vulnerable service version), so I just focused on the website.

Originally I only ran ffuf looking for folders, and didn’t think about adding a check for files like .php or .html, so at the beginning the scan didn’t return anything useful (or that I hadn’t already found, like the /assets folder).

I decided to see if there was a /portal.php page (this being a Rick and Morty themed room, and also because there was an image called “portal” in the assets that made me think there could be a page with a similar name), and that redirected me to /login.php.
This is where I realized that I could have set up ffuf or gobuster to look for files and not just folders, because login.php should have been found by any of the several scans I ran on this webserver.
With a new scan I did find that page, but nothing useful came out other than the things I had already found by myself by looking at the source code.

Exploitation

The login.php page was a simple login with no particular checks, and I decided to try the username I found in the source code, and the word that was inside the robots.txt as a password.

It worked, and I was in a sort of admin panel with a field where I could run system commands.

The tabs at the top of the page (like the potions page, where I guessed there could be the ingredients I needed) all pointed to a denied.php page.
I couldn’t see anything in the cookies or the content of the denied.php file that could point to a way to discriminate the real user (because the page said that only the ‘REAL Rick’ could access it), so I realized that those pages weren’t really useful for the challenge.

I looked around the system using the command panel. The website didn’t allow running other shells (like meterpreter or any other reverse shell) as they would cut the connection right away, but, even if a bit clunky, the command panel on the portal was good enough to find what I needed:

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

pwd
cd ..
ls

Sup3rS3cretPickl3Ingred.txt
assets
clue.txt
denied.php
index.html
login.php
portal.php
robots.txt

The first ingredient was inside a text file in the current folder.

Then I tried to find out more about the system and see what I had access to with the current users and if I had the possibility to elevate my privileges.

With the www-data user, I could already access the /home directory, which contained the /rick folder. Inside it I found the second ingredient. Other than that, I tried in several ways to find the third ingredient on the webserver but I had no success. So the only thing left to do was to find a way to become root.

When searching for ways to elevate my privileges, the only useful thing that came out was sudo:

sudo -l

Matching Defaults entries for www-data on ip-10-10-54-171.eu-west-1.compute.internal:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on ip-10-10-54-171.eu-west-1.compute.internal:
    (ALL) NOPASSWD: ALL

This was good enough; I didn’t need to become root, as with this level of sudo access I could look inside the root folder.

And, indeed, there was the last text file with the ingredient.
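The `sudo -l` output above is the whole story of this box: a web service account with `(ALL) NOPASSWD: ALL` is effectively root, so any command injection in the portal becomes full system compromise. The following is an added example, not part of the original writeup, of how an administrator or auditor could parse `sudo -l` output and flag such rules. The sample text it parses is constructed to mirror the output shown above (the host name is a placeholder), and the extra `systemctl` rule is included only to show a narrowly scoped entry for comparison.

```python
"""Audit `sudo -l` output and flag over-broad privilege specifications.

Added example for the writeup; not the room's or TryHackMe's code.
"""
import re
from dataclasses import dataclass

# Constructed sample modelled on the writeup's `sudo -l` output.
# "web-host.example" is a placeholder host name, and the second rule is
# an invented, narrowly scoped entry shown for contrast.
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on web-host.example:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User www-data may run the following commands on web-host.example:
    (ALL) NOPASSWD: ALL
    (root) /usr/bin/systemctl restart apache2
"""

# A privilege line looks like: "(runas) TAG: TAG: command, command"
SPEC_RE = re.compile(r"^\s*\(([^)]+)\)\s*((?:[A-Z]+:\s*)*)(.+?)\s*$")


@dataclass
class SudoRule:
    runas: str          # user(s) the command may run as, e.g. "ALL" or "root"
    tags: tuple         # tags such as "NOPASSWD"
    commands: tuple     # allowed commands; "ALL" means unrestricted


def parse_sudo_l(text):
    """Return the privilege rules listed after the 'User ... may run' header."""
    rules = []
    in_cmds = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_cmds = True      # Defaults entries above this line are skipped
            continue
        if not in_cmds:
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        runas, tagblob, cmds = m.groups()
        tags = tuple(t.rstrip(":") for t in tagblob.split())
        commands = tuple(c.strip() for c in cmds.split(",") if c.strip())
        rules.append(SudoRule(runas.strip(), tags, commands))
    return rules


def assess(rule):
    """Classify one rule as critical/medium/low with the reasons that apply."""
    reasons = []
    unrestricted = "ALL" in rule.commands
    as_root = rule.runas.upper() in ("ALL", "ROOT")
    if unrestricted:
        reasons.append("any command allowed")
    if "NOPASSWD" in rule.tags:
        reasons.append("no password required")
    if as_root:
        reasons.append("runs as root")
    if unrestricted and as_root:
        severity = "critical"   # account is root-equivalent
    elif "NOPASSWD" in rule.tags:
        severity = "medium"     # scoped, but usable without credentials
    else:
        severity = "low"
    return severity, reasons


def audit(text):
    """Parse `sudo -l` output and return (rule, severity, reasons) triples."""
    return [(r, *assess(r)) for r in parse_sudo_l(text)]


if __name__ == "__main__":
    for rule, severity, reasons in audit(SAMPLE_SUDO_L):
        print(f"[{severity.upper():8}] ({rule.runas}) {' '.join(rule.tags)} "
              f"{', '.join(rule.commands)}  <- {'; '.join(reasons)}")
```

Run on the constructed sample, the first rule is reported as critical (root-equivalent, no password) while the `systemctl` rule is low. The fix on a real host is to replace the `ALL` entry in `/etc/sudoers` (edited with `visudo`) with the specific commands the service account genuinely needs, or to remove the entry entirely, since a web application user rarely needs sudo at all.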


Overall it was a fun challenge, especially considering the theme. It took me longer than I’d like to admit, as I went down some rabbit holes that I could have avoided with a little bit more attention.

But all in all, it was a nice experience, and it’s definitely a TryHackMe room that I recommend to any beginner in web application hacking as it’s fairly simple to do and doesn’t require any particular software or advanced technique.