Morty

Nmap Scan

A note indicating we should add mortysserver.com to our /etc/hosts file.

After adding the hostname, I noticed an image with a hint of a possible password, but it didn't work for SSH against either user, Morty or rick.

Checking the page source, I noticed the above image's source path: a steganography challenge, perhaps.

I downloaded the image and ran steghide to extract the hidden file, using the FL4sk#! string from the image as the passphrase, and it worked.

We got yet another password that doesn't work on SSH. Out of options, I decided to try a DNS zone transfer, since the DNS service is running on TCP rather than UDP.

The zone transfer worked and revealed two new subdomains.
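The zone transfer above succeeds only because the name server hands the whole zone to any client that asks. From the defender's side the useful question is whether that ever happens on your own servers. The script below is an added example (not part of this writeup) that scans BIND-style `xfer-out` log lines and flags AXFR/IXFR transfers served to clients outside an allowed list of secondaries. The log lines, the allowed network (10.0.0.0/24) and the timestamps are all constructed for the example; the regex tolerates the optional `@0x...` client handle that newer BIND versions print.

```python
"""Flag DNS zone transfers (AXFR/IXFR) served to clients that are not on the
allowed-secondary list, parsed from BIND 'xfer-out' style log lines.

The sample log below is constructed for this example. The regex tolerates the
optional '@0x...' client handle that newer BIND versions print after 'client'.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumption: the only hosts that should ever pull a zone are the secondaries
# in this network. Anything else receiving a full transfer is a finding.
ALLOWED_SECONDARIES = [ipaddress.ip_network("10.0.0.0/24")]

XFER_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?: transfer of '(?P<zone>[^']+)': "
    r"(?P<kind>AXFR|IXFR) (?P<what>started|ended)"
)


@dataclass(frozen=True)
class Transfer:
    ip: str
    zone: str
    kind: str


def parse_transfers(lines):
    """Yield one Transfer per '... started' line; 'ended' lines are skipped so a
    single transfer is counted once."""
    for line in lines:
        m = XFER_RE.search(line)
        if m and m.group("what") == "started":
            yield Transfer(m.group("ip"), m.group("zone"), m.group("kind"))


def is_allowed(ip, allowed=ALLOWED_SECONDARIES):
    """True when the client address falls inside one of the allowed networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowed)


def find_unauthorized_transfers(lines, allowed=ALLOWED_SECONDARIES):
    """Return the transfers that were served to clients outside the allow list."""
    return [t for t in parse_transfers(lines) if not is_allowed(t.ip, allowed)]


# Constructed sample: one legitimate transfer to a secondary, one transfer to
# an unknown host, and an ordinary A query that must not be reported.
SAMPLE_LOG = """\
12-Mar-2024 10:01:02.123 xfer-out: info: client @0x7f1a2c003e10 10.0.0.5#41022 (mortysserver.com): transfer of 'mortysserver.com/IN': AXFR started (serial 2024031201)
12-Mar-2024 10:01:02.140 xfer-out: info: client @0x7f1a2c003e10 10.0.0.5#41022 (mortysserver.com): transfer of 'mortysserver.com/IN': AXFR ended
12-Mar-2024 10:07:44.001 xfer-out: info: client 192.168.56.20#53412 (mortysserver.com): transfer of 'mortysserver.com/IN': AXFR started (serial 2024031201)
12-Mar-2024 10:07:44.020 xfer-out: info: client 192.168.56.20#53412 (mortysserver.com): transfer of 'mortysserver.com/IN': AXFR ended
12-Mar-2024 10:09:10.555 queries: info: client 192.168.56.20#53413 (mortysserver.com): query: mortysserver.com IN A +T (10.0.0.1)
"""

if __name__ == "__main__":
    for t in find_unauthorized_transfers(SAMPLE_LOG.splitlines()):
        print(f"ALERT: {t.kind} of {t.zone} served to unauthorized client {t.ip}")
```

Run as a script it prints one alert for the 192.168.56.20 transfer and nothing for the secondary at 10.0.0.5. The same allow list is what belongs in the server's `allow-transfer` setting; this check is the audit that confirms the configuration actually holds.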

rickscontrolpanel.mortysserver.com led to a phpMyAdmin login page, where the password from the image worked.

Looking up the phpMyAdmin version running, we found an RCE vulnerability:

https://www.exploit-db.com/exploits/50457

I edited the Python script and confirmed the exploit works, then set up a listener and ran a reverse shell command.

No PE required!