Welcome again! This time we are going to go through another relatively simple CTF: Pickle Rick. https://tryhackme.com/room/picklerick
Forgive the different IP addresses throughout; I had to reboot the machine.
Scanning & Enumeration
As always, begin with enumerating the machine ports:
I used the (slightly modified) Threader3000 to get the open ports of the machine:
I then used nmap to scan those open ports found:
nmap -T4 -Pn -p22,80 -A 10.10.102.153
Breaking down the command:
-T4: speed of nmap scan is 4/5 (personal preference of mine)
-Pn: skip pinging the machine being scanned (we already know the host is up)
-p22,80: only scan the ports specified (the ones we found open)
-A: do an extensive scan on these ports
Enumerating Services
Port 22- ssh
From the nmap scan we see that SSH is being hosted on port 22. SSH is rarely a useful entry point unless we already have valid credentials, so I'll come back to it later if necessary.
Port 80- http
A website is being hosted on port 80, so let's enumerate that and see if we can find something interesting!
A small clue that Rick's password may be somewhere to find is laying on the website. Let's check out the page source in case something was left there for us:
Sweet, we have a username! Now we need to hunt around for the password. Always a good idea to enumerate the website with something like dirsearch, or a tool of your choice:
sudo python3 /opt/dirsearch/dirsearch.py -u 10.10.34.131 -e '*' -r
Breaking down the command:
-u provides dirsearch with the URL or IP address that we are trying to enumerate
-e specifies the extensions to try; here I quoted the * so the shell doesn't expand it and asked dirsearch to look for any extension it can find
-r tells dirsearch to recurse one level deeper into whatever it finds
Using dirsearch we find some interesting pages! Let's give them a visit.
That looks like it can be useful... I'll keep it in the back pocket for now and check out the other directories we found.
Hmm... A login page, and we already know the username. Let's see if what we found on robots.txt is the password:
It is! We're into the app.
Vulnerable WebApp
On the front page of the app it seems like we have some command execution. Let's test that out to see where we are:
ls
With a simple ls, we see we're in some type of file system. We also see that our first ingredient is here! Let's try to read that file:
cat Sup3rS3cretPick13Ingred.txt
Bummer, looks like we're not allowed to use the 'cat' command.
I do notice, however, that the other files in the current directory (robots.txt, login.php, etc.) are the ones we reached by browsing the website earlier, so maybe the ingredient can be fetched the same way, straight from the web root:
My hunch was right, and we have our first ingredient!
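The panel's only visible control is that the word 'cat' is refused, while anything else (ls, cp, and later sudo) reaches the shell untouched. The following is an added example, not code from the room or from this writeup, showing why a word denylist is not a control and what a defensible command panel looks like instead: a fixed allowlist of commands, strict argument validation that keeps paths inside the web root, and execution without a shell. The DENIED_WORDS set is a constructed approximation of the behaviour observed above, not the room's real source.

```python
import re
import shlex
import subprocess
from typing import List, Optional

# Constructed approximation of the panel's own check as observed in the room:
# only the word 'cat' is refused, everything else goes to the shell.
DENIED_WORDS = {"cat"}


def denylist_allows(command: str) -> bool:
    """True if a 'cat'-only denylist would let this command through."""
    try:
        tokens = shlex.split(command)
    except ValueError:  # unbalanced quotes
        return False
    return not any(tok in DENIED_WORDS for tok in tokens)


# Hardened replacement: a short allowlist of harmless diagnostic commands,
# arguments restricted to a conservative character set, no absolute paths or
# parent-directory components, and no shell involved at execution time.
ALLOWED_COMMANDS = {"ls", "pwd", "whoami"}
ARG_PATTERN = re.compile(r"[A-Za-z0-9._/-]{1,64}")


def validate(command: str) -> Optional[List[str]]:
    """Return the argv to execute, or None if the request violates the policy."""
    try:
        argv = shlex.split(command)
    except ValueError:
        return None
    if not argv or argv[0] not in ALLOWED_COMMANDS:
        return None
    for arg in argv[1:]:
        if not ARG_PATTERN.fullmatch(arg):
            return None  # shell metacharacters, spaces, empty arguments
        if arg.startswith("/") or ".." in arg.split("/"):
            return None  # keep listings confined to the web root
    return argv


def run_validated(command: str, cwd: str = ".") -> str:
    """Run only what validate() accepted; the raw string never reaches /bin/sh."""
    argv = validate(command)
    if argv is None:
        return "rejected: command not permitted"
    result = subprocess.run(
        argv, cwd=cwd, capture_output=True, text=True, timeout=5, check=False
    )
    return result.stdout + result.stderr


if __name__ == "__main__":
    # Inputs from the writeup: the denylist stops 'cat' but waves 'sudo cp' through.
    for cmd in ("cat clue.txt", "sudo cp /root/3rd.txt .", "ls -la"):
        print(f"{cmd!r}: denylist={denylist_allows(cmd)} allowlist={validate(cmd)}")
```

The point of the comparison is that the denylist reasons about one word, while the allowlist reasons about the whole argv: the copy-with-sudo step that made this room trivial is rejected simply because neither sudo nor cp is on the list, and an absolute path to /home/rick or /root is rejected on its own.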
Ingredients 2 & 3
When we listed out the current directory, aside from the first ingredient, we also saw that there was a 'clue.txt' file. Let's go navigate to that and see what else is there:
Ah, so we know that the other ingredient is also in the file system! We don't know what it's called, so we can't do a find, unfortunately. I took a guess that it'd be in the user folder and happened to be right:
ls -lta /home/rick
Now, we can't 'cat' it out, as we saw earlier, but we do know that any file in the directory the commands run from can be opened from the webpage, so copying the file there should let us read it. I first tried a plain copy:
cp /home/rick/second\ ingredients ./second.txt
But nothing happened when I did that, so I figured I might need more permissions and checked what I could do with elevated privileges:
sudo -l
The output shows we can run any command with sudo, without a password. I can repeat the same copy command as earlier and I know I'll have success this time:
cp /home/rick/second\ ingredients ./second.txt
ls
Checking our directory again and we were successful this time!
Now going to the webpage we can read our ingredient!
Making another educated guess, I looked in the root directory to see if our final ingredient was there:
sudo ls /root
Indeed it is! We can repeat our process from earlier to read that one out:
sudo cp /root/3rd.txt .
ls
Now navigating to that page we have our final ingredient!
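The sudo -l result above is the misconfiguration that turns a limited web panel into root: the account running the web server can sudo anything without a password. As an added defensive check (not part of the writeup or the room), the script below parses sudoers-style lines and flags passwordless rules, with the web service account called out first. The sudoers text is a constructed sample; the room's real /etc/sudoers is not shown in the writeup, and the parser handles the common single-line user-spec form rather than every construct sudoers supports.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample sudoers content (not the room's real file).
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
www-data ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
"""

# Accounts that a web or application server typically runs as.
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "http", "httpd"}

# user  host=(runas) [TAG:] commands
SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$"
)


@dataclass
class Finding:
    user: str
    severity: str
    reason: str


def parse_commands(field: str) -> Tuple[bool, List[str]]:
    """Split the command field into (nopasswd, commands).

    Tags such as NOPASSWD: or PASSWD: apply to the commands that follow them,
    so the flag is carried across the comma-separated list.
    """
    nopasswd = False
    commands: List[str] = []
    for chunk in field.split(","):
        chunk = chunk.strip()
        while ":" in chunk and chunk.split(":", 1)[0].isupper():
            tag, chunk = chunk.split(":", 1)
            chunk = chunk.strip()
            if tag == "NOPASSWD":
                nopasswd = True
            elif tag == "PASSWD":
                nopasswd = False
        if chunk:
            commands.append(chunk)
    return nopasswd, commands


def audit_sudoers(text: str) -> List[Finding]:
    """Return findings for every non-root user spec that grants passwordless sudo."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith("Defaults"):
            continue
        match = SPEC_RE.match(line)
        if match is None:
            continue
        user = match["user"]
        if user == "root":
            continue
        nopasswd, commands = parse_commands(match["cmds"])
        if nopasswd and "ALL" in commands:
            findings.append(Finding(user, "critical", "passwordless sudo for any command"))
        elif nopasswd and user in SERVICE_ACCOUNTS:
            findings.append(Finding(user, "high",
                                    "service account has passwordless sudo for: " + ", ".join(commands)))
        elif nopasswd:
            findings.append(Finding(user, "medium",
                                    "passwordless sudo for: " + ", ".join(commands) + "; review each binary"))
        elif user in SERVICE_ACCOUNTS:
            findings.append(Finding(user, "medium", "service account appears in sudoers at all"))
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{f.severity}] {f.user}: {f.reason}")
```

Run against the constructed sample, the www-data line is reported as critical, which is exactly the condition that let the copy commands above succeed once prefixed with sudo. On a real host, feed it the output of `visudo -c -f` or the files under /etc/sudoers.d rather than hand-pasted text.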
That's all for now, thanks for reading :)
If you want to reach out for questions/feedback you can reach me on the TryHackMe discord server under the name bobloblaw!