Ok now it's super dumb and not realistic at all, but the word Wubbalubbadubdub
contained in robots.txt was not a troll but the actual password of R1ckRul3s.
So here there is no vulnerability to identify and no brute-forcing to do with hydra.
Once authenticated there are a bunch of pages where we can see the following message:
Only the REAL rick can view this page..
So we don't have the proper profile to see those pages, but we can access
/portal.php, which contains a form entitled Command Panel where we can
directly write a system command to be executed (ultra realistic again).
Let's try some basic commands:
ls -lhA
But when we try to read the suspicious file with cat Sup3rS3cretPickl3Ingred.txt
we obtain the following message: Command disabled to make it hard for future PICKLEEEE RICCCKKKK.
(ultra realistic again) and the source code contains the following comment (ultra realistic again):
It's a nested base64 string (a base64 string containing a base64 string, etc.) but with
incorrect padding, so we have to remove or add some, which makes it awkward to pipe
it through the base64 command in the terminal; I rather used ctf-party
to decode the string. Here is the toxic message I got:
You know what? Another toxic unrealistic step! It's a shame we don't know the
author of the box to shame them.
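Decoding that nested string can also be scripted instead of going through ctf-party. The Ruby below is an added example, not code from the original post or from ctf-party: it re-pads each layer before handing it to a strict decoder, peels layers until the content stops looking like base64, and runs on a constructed three-layer sample rather than the box's real string.

```ruby
require 'base64'

# Restore the '=' padding a base64 token is missing: the encoded length must
# be a multiple of 4, and a layer copied without its padding is rejected by
# strict decoders (and by `base64 -d`).
def fix_padding(str)
  s = str.strip.delete("\r\n")
  s + '=' * ((4 - s.length % 4) % 4)
end

# Heuristic: a single base64 token is alphabet characters plus at most two '='.
def base64_like?(s)
  !s.empty? && s.match?(%r{\A[A-Za-z0-9+/]+={0,2}\z})
end

# Peel nested base64 layers until the output is no longer base64 or no longer
# decodes to printable text. Returns [innermost_text, layers_removed].
def nested_b64_decode(str, max_depth: 64)
  current = str
  layers = 0
  loop do
    break if layers >= max_depth
    candidate = fix_padding(current)
    break unless base64_like?(candidate)
    begin
      decoded = Base64.strict_decode64(candidate)
    rescue ArgumentError
      break
    end
    decoded.force_encoding(Encoding::UTF_8)
    # A layer that decodes to binary junk means `current` was already the
    # message (e.g. a short all-alphanumeric word), so stop before it.
    break unless decoded.valid_encoding? && decoded.match?(/\A[[:print:]\s]*\z/)
    current = decoded
    layers += 1
  end
  [current, layers]
end

# Constructed sample (not the box's real string): three layers, with each
# layer's '=' padding stripped to mimic the broken padding described above.
def sample_nested_message(plain = '1st ingredient: mr. meeseek hair')
  3.times.reduce(plain) { |s, _| Base64.strict_encode64(s).delete('=') }
end

if __FILE__ == $PROGRAM_NAME
  text, depth = nested_b64_decode(sample_nested_message)
  puts "#{depth} layers removed: #{text}"
end
```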
Let's get back to Sup3rS3cretPickl3Ingred.txt, where the cat command is
forbidden. We can do tee < Sup3rS3cretPickl3Ingred.txt instead:
1st ingredient: mr. meeseek hair
It seems to be the first ingredient.
Note: Of course, if you don't know the restricted shell escape trick with tee, you
could just request http://10.10.8.120/Sup3rS3cretPickl3Ingred.txt via HTTP as it
is in the web server root folder.
Note 2: tee < portal.php shows the forbidden commands are:
$cmds = array("cat", "head", "more", "tail", "nano", "vim", "vi");
We can't use tee with sudo, because the redirection is performed by our own
unprivileged shell before sudo runs, so let's use another shell escape technique:
quotes / concatenation on the binary name. We can also use PHP, etc.