Pickle Rick
This Rick and Morty-themed challenge requires you to exploit a web server and find three ingredients to help Rick make his potion and transform himself back into a human from a pickle.

I started with an nmap scan which showed that ports 80 and 22 were open.
The webpage didn't look too exciting but there was a comment in the HTML which will probably be useful.

I started gobuster to try to find something more since there were no hints on the main page.
gobuster dir -u http://TARGET_IP -w /usr/share/wordlists/dirb/common.txt -x php,txt,html
It found a login.php page which I tried to bruteforce with the username I found above.
ffuf -u http://TARGET_IP/login.php -X POST -d "username=R1ckRul3s&password=FUZZ&sub=Login" -H "Content-Type: application/x-www-form-urlencoded" -w rnm-list.txt
I tried bruteforcing this for so long but to no avail. I made use of ChatGPT to come up with custom wordlists and finally I found the correct password ('Wubbalubbadubdub'). I remember seeing this during the recon phase at robots.txt but didn't think more of it then...
Logging in with the correct username and password gets us here:

I tried just executing 'ls' and found some interesting stuff. I was not allowed to run 'cat' though....

But 'less' works and we got the first correct answer :)

And we can use 'less' again to get the clue.txt file.

After some digging around I found the second ingredient at /home/rick/'second ingredients'.
I checked the other user's home folder as well and it had some interesting files.

That was a dead end though. I tried accessing the root directory but wasn't allowed to. So I ran 'sudo -l' to see if I was allowed to run anything with sudo and it turns out I could run EVERYTHING with sudo. So I used that to find the third ingredient.
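
The 'cat' versus 'less' result above is what a denylist command filter looks like from the outside. The following is an added example, not code from the challenge or from this write-up: it compares a denylist check with an allowlist that builds a fixed argv. How the panel really filters input is not shown on the page, so the denylist model, the ALLOWED set and the BASE path are assumptions.

```python
import posixpath
import shlex

DENYLIST = {"cat"}        # only 'cat' is confirmed blocked by the write-up
ALLOWED = {"ls"}          # hypothetical: the one binary the panel needs
BASE = "/var/www/html"    # hypothetical web root the panel is confined to


def denylist_permits(command):
    """Weak filter: refuse a command only when its first word is denylisted."""
    words = command.split()
    return bool(words) and words[0] not in DENYLIST


def allowlist_argv(command):
    """Hardened filter: return an argv list for subprocess.run, or None."""
    try:
        words = shlex.split(command)
    except ValueError:              # unbalanced quotes
        return None
    if not words or words[0] not in ALLOWED:
        return None
    argv = [words[0], "--"]         # "--" stops later words being read as options
    for arg in words[1:]:
        path = posixpath.normpath(posixpath.join(BASE, arg))
        if path != BASE and not path.startswith(BASE + "/"):
            return None             # argument points outside the web root
        argv.append(path)
    return argv


def compare(commands):
    """Return {command: (denylist verdict, allowlist verdict)}."""
    return {c: (denylist_permits(c), allowlist_argv(c) is not None)
            for c in commands}


# Constructed inputs: the commands the write-up says were typed into the panel.
SAMPLES = ["cat clue.txt", "less clue.txt", "ls", "sudo -l"]

if __name__ == "__main__":
    for cmd, (deny_ok, allow_ok) in compare(SAMPLES).items():
        print(f"{cmd!r:20} denylist={deny_ok!s:5} allowlist={allow_ok}")
```

The allowlist only decides what the web process may be asked to run; the unrestricted sudo rule found with 'sudo -l' is a separate misconfiguration that has to be fixed in sudoers.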
