TryHackMe — Pickle Rick: Rick Left the Door Open. I Just Walked In.
2026-7-3 13:19:38 Author: infosecwriteups.com

The Web App — Index.php and a Dead End

Navigating to http://10.0.0.4 lands on index.php, a Rick and Morty themed page. No login form, nothing interactive. Just flavor text.

Before moving anywhere, the first instinct: read the source code.

<!-- Note to self, remember username! Username: R1ckRul3s -->

A username. Hardcoded. In an HTML comment. On the landing page.

Half the credential is already gone. Now for the password, and the actual entry point.

robots.txt:

Wubbalubbadubdub

Not a crawl directive. A password. Rick stored his password in robots.txt.

But we still have nowhere to use these credentials. Time to fuzz:

gobuster dir -u http://10.0.0.4 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php

/portal.php comes back. That's the login form. Navigate there, enter the credentials:

R1ckRul3s : Wubbalubbadubdub

Both leaked before we even thought to look for them. The fuzzing was just finding the door.
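
From the defender's side, both leaks are the kind a pre-deploy content check catches. The following is an added example, not code from the original write-up: it flags HTML comments that mention credential-like keywords and robots.txt lines that are not directives. The function names, keyword list and sample inputs are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Keywords suggesting a comment carries account details (assumed list; tune per project).
SECRET_HINT = re.compile(r"\b(user(name)?|pass(word|wd)?|login|secret|token|api[_-]?key)\b", re.I)
# Field names commonly used at the start of a robots.txt line.
ROBOTS_FIELDS = {"user-agent", "allow", "disallow", "sitemap", "crawl-delay", "host"}

class CommentCollector(HTMLParser):
    """Collects the text of every HTML comment in a page."""
    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())

def audit_html(html):
    """Return HTML comments that mention credential-like keywords."""
    collector = CommentCollector()
    collector.feed(html)
    collector.close()
    return [c for c in collector.comments if SECRET_HINT.search(c)]

def audit_robots(text):
    """Return (line_number, line) for robots.txt lines that are not directives."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop robots.txt comments and whitespace
        if not line:
            continue
        field, sep, _ = line.partition(":")
        if not sep or field.strip().lower() not in ROBOTS_FIELDS:
            findings.append((number, line))
    return findings

# Constructed samples modelled on the two files described above.
SAMPLE_HTML = (
    "<html><body><h1>Landing page</h1>\n"
    "<!-- Note to self, remember username! Username: R1ckRul3s -->\n"
    "<!-- layout v2 --></body></html>"
)
SAMPLE_ROBOTS_BAD = "Wubbalubbadubdub\n"
SAMPLE_ROBOTS_OK = "User-agent: *\nDisallow: /assets/  # static files\n\nSitemap: https://example.test/sitemap.xml\n"

if __name__ == "__main__":
    print(audit_html(SAMPLE_HTML))
    print(audit_robots(SAMPLE_ROBOTS_BAD))
    print(audit_robots(SAMPLE_ROBOTS_OK))
```

Run against rendered templates and static files in CI, a non-empty result from either function is a reason to fail the build before the content ships.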


Article source: https://infosecwriteups.com/tryhackme-pickle-rick-rick-left-the-door-open-i-just-walked-in-e1a8f1f217fa?source=rss----7b722bfd1b8d---4