The TryHackMe Pickle Rick room is available at https://tryhackme.com/room/picklerick
Reconnaissance
First, let's find out what is running on the machine:
sudo nmap -sS -p- -T4 -vv x.x.x.x
- -sS for a SYN (stealth) scan
- -p- to scan all 65535 ports
- -T4 for the aggressive timing template (a faster scan)
- -vv for very verbose output so we can monitor the scan
Which gives us the result:
- PORT STATE SERVICE REASON
- 22/tcp open ssh syn-ack ttl 63
- 80/tcp open http syn-ack ttl 63
Now let's find out a little more about those ports:
sudo nmap -sS -p22,80 -sV -T4 -vv x.x.x.x
- -sS for a SYN (stealth) scan
- -p22,80 to only scan ports 22 and 80
- -sV to find out version information
- -T4 for the aggressive timing template (a faster scan)
- -vv for very verbose output so we can monitor the scan
Which gives us the result:
- PORT STATE SERVICE REASON VERSION
- 22/tcp open ssh syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
- 80/tcp open http syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
- Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
So we know it's running a web server; let's see what it shows.

Now let's do a little more scanning. First, let's use dirb to find any interesting files or folders:
dirb http://x.x.x.x /usr/share/dirb/wordlists/common.txt
Which gives us the results:
- ---- Scanning URL: http://x.x.x.x/ ----
- ==> DIRECTORY: http://x.x.x.x/assets/
- + http://x.x.x.x/index.html (CODE:200|SIZE:1062)
- + http://x.x.x.x/robots.txt (CODE:200|SIZE:17)
- + http://x.x.x.x/server-status (CODE:403|SIZE:301)
We should check out the /assets/ folder and the robots.txt file.
And let's run nikto to see if it can find any issues:
nikto -h http://x.x.x.x
Which gives us the results:
- - Nikto v2.1.6/2.1.5
- + Target Host: 10.10.115.220
- + Target Port: 80
- + GET The anti-clickjacking X-Frame-Options header is not present.
- + GET The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
- + GET The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
- + HEAD Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
- + GET Server may leak inodes via ETags, header found with file /, inode: 426, size: 5818ccf125686, mtime: gzip
- + OPTIONS Allowed HTTP Methods: OPTIONS, GET, HEAD, POST
- + GET Cookie PHPSESSID created without the httponly flag
- + OSVDB-3233: GET /icons/README: Apache default file found.
- + GET /login.php: Admin login page/section found.
Looks like there is a login.php page we can check out.
Exploitation
Visiting http://x.x.x.x doesn't give us anything. But when we look at the source code for the site, we find something useful: a login name.

Next, let's visit http://x.x.x.x/robots.txt; this might tell us something about directories we shouldn't know about. This robots.txt is not a standard one, but maybe its text is meant to be used for something else.

Now visiting the http://x.x.x.x/login.php page we found with nikto, and using the info we found in the page source and robots.txt, we can log in.
Which brings us to this:

Command Injection
From the OWASP website
Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell
Running the command ls -l gives us the file listing, including the file with the first answer.

It looks like the cat command is blocked, but not the less command, so we can run the following command to get answer number 1:
less Sup3rS3cretPick13Ingred.txt
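Why blocking just cat is not a fix: the following is an added Python example (not the room's own code, which is not shown in this write-up) that contrasts a denylist filter modelled on the room's behaviour with an allowlist runner that never hands user input to a shell. The denied word, the allowed programs and the argument rule are assumptions made for the example.

```python
import re
import shlex
import subprocess
from typing import Optional

# Assumed denylist modelled on the room's behaviour: "cat" is refused, "less" is not.
DENIED_WORDS = {"cat"}


def denylist_allows(user_input: str) -> bool:
    """The weak check: refuse only when a denied word appears as a token."""
    return not any(tok in DENIED_WORDS for tok in user_input.split())


# Hardened approach: a fixed allowlist of programs (assumed for this example),
# arguments limited to plain names or flags, and no shell in the loop.
ALLOWED_PROGRAMS = {"ls", "date", "whoami"}
# No '/', no leading '.', no spaces or shell metacharacters.
SAFE_ARG = re.compile(r"^[A-Za-z0-9_-][A-Za-z0-9._-]*$")


def validate_command(user_input: str) -> Optional[list]:
    """Return an argv list when the input is acceptable, otherwise None."""
    try:
        argv = shlex.split(user_input)
    except ValueError:  # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED_PROGRAMS:
        return None
    if any(not SAFE_ARG.match(arg) for arg in argv[1:]):
        return None
    return argv


def run_command(user_input: str) -> str:
    """Execute only validated commands, passing argv directly (shell=False)."""
    argv = validate_command(user_input)
    if argv is None:
        return "command not permitted"
    # Without a shell, ';', '|', '&&' and '$()' are ordinary characters, never operators.
    result = subprocess.run(argv, capture_output=True, text=True, timeout=5)
    return result.stdout
```

The denylist lets the less variant through exactly as the room does, while the allowlist rejects it, along with every chained or substituted form.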
Directory Traversal
Directory traversal (also known as file path traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application. This might include application code and data, credentials for back-end systems, and sensitive operating system files.
Let's run the command
ls /
This gives us a list of directories from the root.
Next, let's run the command
ls /home/
This tells us that there are two home directories on this server.

Since this is a Rick and Morty themed machine, let's see what is in the rick home folder.

And there is the file with answer number 2. You can use less to read the file, but since the file name contains a space, we need to wrap it in quotation marks. So use the command
less "/home/rick/second ingredients"
Privilege Escalation
Privilege Escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. And the authors at TryHackMe like to make at least one flag readable only by root.
Let's see if there are any commands we can run with sudo that give us root access. So run the command
sudo -l
Which gives us a very scary output:

Basically this means that you can run ANY command with sudo. Never do this on a real machine; it's a major security issue.
So let's try
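To audit for this on a real system, here is an added Python example (not from the room or this write-up) that parses sudoers user specifications and reports every principal allowed to run ALL commands. The sample entries are constructed; the deploy line shows the narrow form an administrator should prefer over a blanket ALL.

```python
import re

# Constructed sample sudoers user specifications (the room's real file is only
# shown as a screenshot in the write-up). Two of these grant unrestricted root;
# the deploy entry is the restricted form: one fixed command, nothing else.
SAMPLE_SUDOERS = """
# User privilege specification
root     ALL=(ALL:ALL) ALL
www-data ALL=(ALL) NOPASSWD: ALL
deploy   ALL=(root) NOPASSWD: /usr/bin/systemctl restart app.service
%admin   ALL=(ALL) ALL
"""

# user  hosts=(runas) [TAG:] commands
SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?((?:\w+:\s*)*)(.+)$")


def parse_user_specs(text: str) -> list:
    """Parse user-specification lines into dicts; comments and Defaults are skipped."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = SPEC_RE.match(line)
        if not match:
            continue
        user, hosts, runas, tags, commands = match.groups()
        specs.append({
            "user": user,
            "hosts": hosts,
            "runas": runas or "root",
            "nopasswd": "NOPASSWD" in tags,
            "commands": [c.strip() for c in commands.split(",")],
        })
    return specs


def find_unrestricted(specs: list) -> list:
    """Return users and groups (other than root) whose command list contains ALL."""
    return [s["user"] for s in specs if s["user"] != "root" and "ALL" in s["commands"]]
```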
sudo ls /root/

And there we can see the file with the third and final answer. Run the following command and you have all the ingredients to turn Rick back into a human from a pickle:
sudo less /root/3rd.txt