Navigating to http://10.0.0.4 lands on index.php, a Rick and Morty themed page. No login form, nothing interactive. Just flavor text.
Before moving anywhere, the first instinct: read the source code.
<!-- Note to self, remember username! Username: R1ckRul3s -->A username. Hardcoded. In an HTML comment. On the landing page.
Half the credential is already gone. Now for the password, and the actual entry point.
robots.txt:
WubbalubbadubdubNot a crawl directive. A password. Rick stored his password in robots.txt.
But we still have nowhere to use these credentials. Time to fuzz:
gobuster dir -u http://10.0.0.4 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php/portal.php comes back. That's the login form. Navigate there, enter the credentials:
R1ckRul3s : Wubbalubbadubdub
Join Medium for free to get updates from this writer.
Both leaked before we even thought to look for them. The fuzzing was just finding the door.