🔗 Room Link

Difficulty: Easy
Tags: Security, Engineer, CTF, Web Exploitation
Target IP: 10.114.144.190

Objective

Exploit a vulnerable web server to discover three specific ingredients required to help Rick transform back from a pickle into a human.

Reconnaissance & Enumeration

Initial Access

The challenge begins by accessing the web service via the target IP: http://10.114.144.190

Upon visiting the homepage, inspecting the page source reveals a critical comment that exposes a username.

  • Username: R1ckRul3s

The source code also hints at a subdirectory (assets/). Navigating to http://10.114.144.190/assets/ reveals the server environment.

  • Server: Apache/2.4.41
  • OS: Ubuntu
  • Open Port: 80

Directory Bruteforcing

Using gobuster with a standard wordlist to find hidden directories and files:

gobuster dir -u http://10.114.144.190 -x php,txt,html -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Discovered Paths:

  • /login.php
  • /robots.txt
  • /clue.txt

Exploitation

Credential Discovery

Reviewing the content of /clue.txt provides a hint regarding the ingredients.

Based on the content of /robots.txt, the password is likely Rick's famous catchphrase: Wubbalubbadubdub.

Attempting to log in at /login.php with the following credentials:

  • User: R1ckRul3s
  • Pass: Wubbalubbadubdub

Result: Successful login.

Command Execution & Privilege Escalation

Once logged in, the dashboard restricts access to most sections, leaving only the “Commands” tab available. This suggests a restricted shell or a command injection vulnerability.

Step 1: Environment Check

Executing basic commands to understand the environment:

  • whoami → Returns the current user.
  • pwd → Returns the current working directory.
  • ls → Lists the files in the current directory.

A file named Sup3rS3cretPickl3Ingred.txt is visible. Attempting to read it with cat fails because the command is disabled.

Step 2: Reading Files (Bypassing Restrictions)

Since cat is blocked, we try alternative commands such as tac (which prints a file's lines in reverse order but still reveals its content):

tac Sup3rS3cretPickl3Ingred.txt

Output: mr meeseek hair

Ingredient #1 Found: mr meeseek hair

Step 3: Finding the Second Ingredient

Next, we look for the user's home directory to find the next clue:

ls ../../../home
ls ../../../home/rick

A file named second ingredients is found. The space in the filename means the path must be quoted:

tac '../../../home/rick/second ingredients'

Output: 1 jerry tear

Ingredient #2 Found: 1 jerry tear

Step 4: Finding the Final Ingredient

The final flag is typically located in root's home directory (/root/). We check whether the current user has sudo privileges:

sudo ls /root/

Surprisingly, the user can run sudo without a password (NOPASSWD), a common misconfiguration in easy-level CTFs. We can now read the final file:

sudo tac /root/3rd.txt

Output: fleeb juice

Ingredient #3 Found: fleeb juice

Conclusion

By enumerating the web server, recovering credentials from a source-code comment and the clue files, and abusing a restricted command panel whose user had passwordless sudo, we successfully retrieved all three ingredients.

Mitigations and Remediations

To prevent these specific vulnerabilities in a production environment, the following measures should be implemented:

  1. Secure Coding Practices: Remove all hardcoded credentials and internal paths from source-code comments before deployment. Use automated scanning tools to detect secrets in code repositories.
  2. Input Validation & Sandboxing: Never pass user input directly to a system shell. If command execution is required, use a strict allow-list of permitted commands and validate their arguments to prevent injection. A denylist that blocks only cat is not enough, as the tac bypass above shows.
  3. Least Privilege Principle: The web server process should run with the minimum necessary permissions. In particular, the user running the web application should not have sudo access, and never with NOPASSWD.
  4. Hardened Configuration: Disable unnecessary commands (such as tac) in restricted shells, and configure the web server to block access to sensitive file types (e.g., .txt, .log) in public directories.
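To make items 2 and 3 concrete, here is an added illustration (not code from the room or from this writeup) of a “Commands” tab handler done two ways: the cat-only denylist that the room's dashboard appears to use, and an allow-list that maps a few command names to fixed argv prefixes and rejects paths, flags, sudo and shell metacharacters. The binary paths in ALLOWED are assumed values for a typical Ubuntu host.

```python
import re
import shlex
import subprocess
from typing import List, Optional

# Denylist: what the vulnerable dashboard appears to do. Blocking only "cat"
# is bypassed by tac (as the writeup shows), head, less, and shell metacharacters.
DENIED = {"cat"}

def denylist_permits(cmdline: str) -> bool:
    """True if a cat-only denylist would pass this line straight to a shell."""
    stripped = cmdline.strip()
    first = stripped.split(None, 1)[0] if stripped else ""
    return first not in DENIED

# Allow-list: fixed command names mapped to absolute argv prefixes (assumed
# paths for an Ubuntu host). No sudo entry, no shell, no file-reading commands.
ALLOWED = {
    "whoami": ["/usr/bin/whoami"],
    "pwd": ["/bin/pwd"],
    "ls": ["/bin/ls", "-l"],
}
# At most one argument: a plain name in the working directory. The first
# character must be alphanumeric or "_", which rules out "-flags", ".", "..",
# and any "/" means the token is not a bare filename.
SAFE_ARG = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9._-]{0,63}$")

def build_argv(cmdline: str) -> Optional[List[str]]:
    """Return the argv to execute, or None if the line is not permitted."""
    try:
        tokens = shlex.split(cmdline)
    except ValueError:          # unbalanced quotes
        return None
    if not tokens or tokens[0] not in ALLOWED:
        return None             # "tac ...", "sudo ...", "ls;" all stop here
    args = tokens[1:]
    if len(args) > 1 or any(not SAFE_ARG.match(a) for a in args):
        return None             # "../../../home/rick", "second ingredients", "-R"
    return ALLOWED[tokens[0]] + args

def run_allowed(cmdline: str) -> str:
    """Execute only allow-listed commands, as an argv list with no shell."""
    argv = build_argv(cmdline)
    if argv is None:
        return "command not permitted"
    done = subprocess.run(argv, capture_output=True, text=True, timeout=5)
    return done.stdout
```

Even with the allow-list in place, the web application's account must still lack sudo rights: the validation limits what the panel runs, not what a separate bug in the same process could do.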

Final Answers

  1. First Ingredient: mr meeseek hair
  2. Second Ingredient: 1 jerry tear
  3. Final Ingredient: fleeb juice