Web Hacking 101: TryHackMe Pickle Rick “Capture The Flag” Challenge : Chris
by: Chris
blow post content copied from Finxter
click here to view original post
The Pickle Rick CTF (capture the flag) challenge requires basic webhacking techniques including:
- inspecting the source of a webpage for hidden text left by the developers,
- running an nmap scan to check for open ports and services, sniffing out hidden webpages with
dirbusterthrough a brute force attack based on a wordlist, and directory traversal to access files outside of the user’s home folder on the target machine.
The theme of the challenge is Rick and Morty, the animated tv show. The silly premise of this box is that we need to find the three hidden ingredients that Rick needs to change himself from a pickle back to a human.
For this challenge, I ended up using the attackbox, a browser-based kali linux instance available through TryHackMe. My openvpn connection was having some issues causing the target machine to disconnect periodically. The attackbox had a solid connection during the challenge.
Enumeration
First, we load up the IP of the target machine in our browser and discover a website with a picture of Rick and Morty running away in fear.
Checking the source of the webpage, we find a hidden note from the developers that includes the username: R1ckRul3s
Next, we do an nmap scan with the command:
sudo nmap 10.10.149.46 -sC -Pn -O -p- -T4
Flags Explanation:
-sCruns default scripts,-Pnskips host discovery,-Oenables operating system detection,-p-scans all ports, and-T4sets the scan speed.
The results of the scan show open ports 22 and 80.
22is running an SSH service and80is hosting the HTML for the website.
We still need to do further enumeration to find more interesting leads.
Next we do some directory sniffing with dirb (directory buster).
This attack uses a brute-force technique to discover more urls by running through a long list of common urls to probe.
sudo dirb http://<Target Machine IP> /root/Tools/wordlists/dirb/big.txt
Dirbuster found several things of note:
/assets/is probably worth checking out/robots.txtmay have more useful information
After checking the robots.txt file in our browser, we found the string: Wubbalubbadubdub.
Perhaps this is the missing password that goes with the username we found earlier hidden in the source HTML code.
An attempt to connect with these credentials via SSH on port 22 is denied. Using our results from the nmap scan, we can probe into the site a little more at http://<Target IP>/login.php
Checking on <TargetIP>/assets shows us an index of files on the target system.
Let’s take note of the line “Apache/2.4.18 (Ubuntu) Server at 10.10.66.103 Port 80” for possible use in looking up exploits.
The portal.jpg is a curious filename. Perhaps there is an url extension to a portal on <targetIP>/portal.jpg. It turns out that there is, and we are redirected to a login/password form.
We’ll use our user:password combination from our enumeration to log in.
Success! We are now presented with a single box form where we can issue commands to the system.
Exploitation
We can look around the filesystem a bit with “ls -la” to list files and “cd ..” to change directories.
However, this command always resets the pwd after each command is issued.
To work around this limitation we can chain together multiple commands by putting a ; between each sequential command. We attempt to cat out the txt file using:
cat Sup3rS3cretPickl3Ingred.txt
This attempt fails saying that the cat command has been disabled. Let’s try using a “less” command instead to see if it will print the files contents to the screen:
less Sup3rS3cretPickl3Ingred.txt
Bingo! We found our 1st ingredient.
***First Ingredient*** mr. meeseek hair
Let’s use the same technique to read the clue.txt file:
less clue.txt
The output is: “Look around the file system for the other ingredient.” Perhaps we can do some directory traversal to have a look at some other folders of interest.
Issuing these chains of commands helps us find the location of the 2nd ingredient:
cd /home; ls -la; pwd
Now we can see Rick’s folder.
cd /home/rick; ls -la; pwd
Now we see and can use “less” to read the contents of the file “second ingredients”.
cd /home/rick; ls -la; less second\ ingredients
The \ is an escape character that shows the filename includes a space between the two words “second ingredients”.
***Second Ingredient*** 1 jerry tear
Privilege Escalation
Let’s continue with our directory traversal by hopping over to the /root directory with the following command:
cd ../../../root/; pwd; ls -la
We now see our target file in the /root folder: 3rd.txt
Issuing the command “sudo -l” we can see that we have root permissions to all commands. So we can use the sudo command to read the 3rd.txt file in the /root folder with “less”.
sudo ls /root sudo less /root/3rd.txt ***3rd ingredient*** 3rd ingredients: fleeb juice
Voilà. Challenge solved! 
December 02, 2022 at 06:17PM
Click here for more details...
=============================
The original post is available in Finxter by Chris
this post has been published as it is through automation. Automation script brings all the top bloggers post under a single umbrella.
The purpose of this blog, Follow the top Salesforce bloggers and collect all blogs in a single place through automation.
============================
Post a Comment