Morty
OS - Linux
Difficulty - Medium
Nmap scan
Let’s start with port 80.
Potential usernames: morty and rick.
Add the domain to your /etc/hosts file.
Visiting the site shows the page below.
Found a password: Fl4sk#!
Tried it for SSH, but it didn’t work.
The image looks sus, so let’s download it and extract it with steghide using the password found earlier:
wget http://mortysserver.com/screen.jpeg
steghide extract -sf screen.jpeg
passphrase: Fl4sk#!
Reading the extracted file gives rick’s password.
Tried it for SSH, but it didn’t work either.
So, let’s move to the other port, which is DNS (port 53).
Enumerating port 53
Let’s perform a DNS zone transfer:
dig axfr @10.150.150.57 mortysserver.com
This procedure is abbreviated Asynchronous Full Transfer Zone (AXFR).
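The transfer only works because the server answers AXFR requests from any client, handing every hostname in the zone to whoever asks. As an added example (not part of the original writeup), this Python script parses the text that dig axfr prints, reports whether the server allowed the transfer and which hostnames it exposed, so an admin can audit their own zone; the zone name, hostnames, address and both output samples are constructed for the example.

```python
import re

# Constructed sample of what `dig axfr @server zone` prints when the server
# answers the transfer. Zone, hostnames and address are made up.
SAMPLE_AXFR_ALLOWED = """
; <<>> DiG 9.18.1 <<>> axfr @192.0.2.10 example.test
;; global options: +cmd
example.test.            3600 IN SOA  ns1.example.test. admin.example.test. 2024010101 7200 3600 1209600 3600
example.test.            3600 IN NS   ns1.example.test.
ns1.example.test.        3600 IN A    192.0.2.10
www.example.test.        3600 IN A    192.0.2.10
controlpanel.example.test. 3600 IN A  192.0.2.10
example.test.            3600 IN SOA  ns1.example.test. admin.example.test. 2024010101 7200 3600 1209600 3600
;; Query time: 3 msec
"""

# Constructed sample of the same query against a server whose zone restricts
# transfers (e.g. BIND `allow-transfer { <secondary-ip>; };`): the reply is
# REFUSED and dig prints "Transfer failed." instead of records.
SAMPLE_AXFR_REFUSED = """
; <<>> DiG 9.18.1 <<>> axfr @192.0.2.10 example.test
;; global options: +cmd
; Transfer failed.
"""

# owner name, TTL, class IN, record type, rdata
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.+)$")


def parse_axfr(output):
    """Return (name, ttl, rtype, rdata) tuples from dig axfr output, skipping ';' comment lines."""
    records = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if m:
            records.append((m.group(1).rstrip("."), int(m.group(2)), m.group(3), m.group(4)))
    return records


def audit_axfr(output):
    """Classify one dig axfr run: did the server hand over the zone, and which hosts are exposed?"""
    records = parse_axfr(output)
    # A complete transfer starts and ends with the zone's SOA; a refusal yields no records at all.
    soa_count = sum(1 for _, _, rtype, _ in records if rtype == "SOA")
    allowed = soa_count >= 2 and "Transfer failed" not in output
    hosts = sorted({name for name, _, rtype, _ in records if rtype in ("A", "AAAA", "CNAME")})
    return {"allowed": allowed, "records": len(records), "hosts": hosts}


if __name__ == "__main__":
    for label, sample in (("allowed", SAMPLE_AXFR_ALLOWED), ("refused", SAMPLE_AXFR_REFUSED)):
        print(label, audit_axfr(sample))
```

To audit a real zone, pipe the output of dig axfr into audit_axfr; an "allowed" result against an Internet-facing server means the allow-transfer list needs tightening to the secondaries only.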
Let’s add the discovered domains to our /etc/hosts file too.
Visiting rickscontrolpanel.mortysserver.com shows a phpMyAdmin login page.
Let’s try logging in with rick’s username and the password we found earlier.
Dope, it worked!
After spending some time trying to upload a webshell, which I wasn’t able to because I couldn’t find a writable path, I found out that the phpMyAdmin version is vulnerable to RCE.
Using searchsploit to find an exploit:
Get the exploit with searchsploit -m 50457
Then run it to get a reverse shell.
Thanks.