I'm Pickle Rick!

By Narcissus


The link leads to this site:


Looking at the source code, we find a few interesting scripts:

 

The background is a video:

 

The important part is the onended attribute.

The general flow of the site is as follows: the page loads and the background video plays. When the video ends, the onended handler calls the function pickleRick(). This function calls anatomyParkMembers("morty"), which stores the response of /getMembers.html?visitor=morty in localStorage. After that, statusAnatomyParkMembers() is called every 10 seconds for as long as the localStorage entry has not been wiped.

Let's look at the pages /getMembers.html and /statusMembers.html, accessed by anatomyParkMembers() and statusAnatomyParkMembers() respectively.

If we take the result of /getMembers.html?visitor=morty, eNrTSCkw5ApWL8sszizJLypW5yow4tLIKTDmCsvNLyqp5Cow4UosDlZPzS3Iya9MTQUpMAUpMANqCipNSs0DCphzJQarO%2BblZaYCORYgTkB%2BXnJGPpBnCeIF5aenFgE5hgZghTk5YF2GhkCT9QDJ4iXE, and send it to /statusMembers.html?data=, we get: {"visitors": ["morty"], "employees": ["Ruben", "Annie", "Poncho", "Roger", "Allen"]}.

It looks like /getMembers.html adds the content of the visitor parameter to the JSON array, packs it somehow, and returns the result. /statusMembers.html?data= takes the packed data, unpacks it and returns the JSON.
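The two endpoints modelled in Python, as an added example that is not the writeup's or the challenge's own code. It assumes the packed format is zlib-compressed, base64- and URL-encoded Python pickle (the challenge name suggests pickle; the page does not confirm it), and shows the defensive side: a status endpoint that unpacks with a restricted unpickler, refusing any GLOBAL lookup so that only plain data can be loaded.

```python
import base64
import collections
import io
import pickle
import zlib
from urllib.parse import quote, unquote

EMPLOYEES = ["Ruben", "Annie", "Poncho", "Roger", "Allen"]


def pack(obj) -> str:
    """Model of the packing chain: pickle -> zlib -> base64 -> URL-encode."""
    blob = base64.b64encode(zlib.compress(pickle.dumps(obj, protocol=0)))
    return quote(blob.decode("ascii"))


def get_members(visitor: str) -> str:
    """Model of /getMembers.html: adds the visitor to the list and packs it."""
    return pack({"visitors": [visitor], "employees": EMPLOYEES})


class NoGlobalsUnpickler(pickle.Unpickler):
    """Refuses every GLOBAL/STACK_GLOBAL lookup, so only literals (dicts, lists,
    strings, numbers) can load; a pickle that names a callable is rejected
    before anything runs. Switching the format to JSON removes the risk entirely."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def status_members(data: str) -> dict:
    """Hardened model of /statusMembers.html?data=: same unpacking chain,
    restricted unpickler instead of pickle.loads."""
    raw = zlib.decompress(base64.b64decode(unquote(data)))
    return NoGlobalsUnpickler(io.BytesIO(raw)).load()


def accepts(data: str) -> bool:
    """True if the hardened endpoint loads the payload, False if it rejects it."""
    try:
        status_members(data)
        return True
    except (pickle.UnpicklingError, zlib.error, ValueError):
        return False


# Constructed sample: an OrderedDict pickles with a GLOBAL opcode, the same
# mechanism a crafted payload relies on, so the hardened endpoint rejects it.
SUSPICIOUS = pack(collections.OrderedDict())
```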

Looking at the packet headers for each step, we saw that the packing used is gzip, deflate. We wanted to see what would happen if we packed a command and sent it to /statusMembers.html?data=. We tried with some code:

 

And hurray! We got this response:

 

Now let's try to read flag.txt:

 

And the response:

 

Success