
Machine Information

[Image: pickle-rick]

Pickle Rick is a nice and simple easy-level Rick and Morty themed room. We exploit a web application to find the three ingredients Rick needs for the potion that will turn him from a pickle back into a human! The skills required are basic enumeration of ports, services and the Linux file system.

Details
Hosting Site: TryHackMe
Link To Machine: THM - Easy - Pickle Rick
Machine Release Date: 10th March 2019
Date I Completed It: 24th January 2021
Distribution Used: THM AttackBox

Initial Recon

As always, let’s start with Nmap to check for open ports:

root@ip-10-10-19-48:~# nmap -sC -sV -Pn 10.10.24.11

Starting Nmap 7.60 ( https://nmap.org ) at 2021-01-24 17:34 GMT
Nmap scan report for ip-10-10-24-11.eu-west-1.compute.internal (10.10.24.11)
Host is up (0.0013s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 1c:d4:64:ba:20:29:90:d3:6c:29:7f:e7:55:47:64:8e (RSA)
|   256 8b:95:2d:c8:b1:6d:de:e3:96:9e:a9:38:f7:97:40:a8 (ECDSA)
|_  256 e1:f3:1b:a8:02:49:d7:ec:63:cf:47:0b:06:2a:fe:3c (EdDSA)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Rick is sup4r cool
MAC Address: 02:7B:7E:82:36:C3 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Just two open ports. Let's start with the easy one by opening port 80 in a web browser:

[Screenshot: pickle-hone]

We get a static page with nothing obvious. Let’s look at the source code by pressing CTRL+U:

[Screenshot: pickle-home-source]

A username is sitting in an HTML comment in the page source. That was easy!

With nothing else obvious here, let's use Nikto to scan for web pages:

root@ip-10-10-19-48:~# nikto -h 10.10.24.11
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          10.10.24.11
+ Target Hostname:    ip-10-10-24-11.eu-west-1.compute.internal
+ Target Port:        80
+ Start Time:         2021-01-24 17:44:07 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x426 0x5818ccf125686 
+ The anti-clickjacking X-Frame-Options header is not present.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ "robots.txt" retrieved but it does not contain any 'disallow' entries (which is odd).
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST 
+ Cookie PHPSESSID created without the httponly flag
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
+ 6544 items checked: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2021-01-24 17:44:16 (GMT0) (9 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Gaining Access

Nikto has found two interesting files. The first one is this:

+ "robots.txt" retrieved but it does not contain any 'disallow' entries (which is odd).

A robots.txt with no disallow entries is unusual, so let's have a look there first:

[Screenshot: pickle-robots]

Just one word. Maybe that's the password to go with the username we found before.

The second page Nikto found was this one:

+ /login.php: Admin login page/section found.

Seems like an obvious place to try the credentials we’ve found:

[Screenshot: pickle-login]

First Ingredient

The credentials are correct, and after logging in we end up here:

[Screenshot: pickle-commands]

Trying any other section along the top gives this:

[Screenshot: pickle-rick]

Back on the commands page let’s see what we can do:

[Screenshot: pickle-ls]

We can use ls to see what is in the current directory. Let's look at the first text file:

[Screenshot: pickle-supersecret]

We find that more is not allowed. The panel is filtering on the command name, so let's try less instead:

[Screenshot: pickle-less]

We have the answer to our first question. Let’s enter that and start looking for the next ingredient.
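The panel rejects more by name but lets less through, which is the classic weakness of a denylist: there is always another binary that reads a file. As an added example (not the room's code), here is a denylist filter of that shape next to an allowlist that only runs known binaries with known flags and never goes through a shell; the denied words, allowed commands and file name are a constructed policy, not values from the room.

```python
import shlex
import subprocess

# Constructed denylist in the style of the room's panel: a few command names
# are blocked, anything else is passed to the shell.
DENIED_WORDS = {"more", "cat"}

def denylist_allows(cmdline: str) -> bool:
    """True if a name-based denylist would let this command line through."""
    try:
        words = shlex.split(cmdline)
    except ValueError:          # unbalanced quotes: reject rather than guess
        return False
    return not any(w in DENIED_WORDS for w in words)

# Constructed allowlist policy: binary -> flags it may be given. Anything not
# listed (other binaries, paths, shell metacharacters) is refused outright.
ALLOWED_COMMANDS = {"ls": {"-l", "-a"}, "whoami": set()}

def allowlist_check(cmdline: str):
    """Return an argv list if the command line matches the policy, else None."""
    try:
        words = shlex.split(cmdline)
    except ValueError:
        return None
    if not words or words[0] not in ALLOWED_COMMANDS:
        return None
    # "ls; whoami" splits into ["ls;", "whoami"], so "ls;" fails the name check;
    # "ls -l /root" fails because "/root" is not an allowed flag.
    if any(arg not in ALLOWED_COMMANDS[words[0]] for arg in words[1:]):
        return None
    return words

def run_allowlisted(cmdline: str) -> str:
    """Execute only policy-approved argv, with shell=False so no parsing by /bin/sh."""
    argv = allowlist_check(cmdline)
    if argv is None:
        return "Command disabled."
    proc = subprocess.run(argv, capture_output=True, text=True, shell=False)
    return proc.stdout
```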

Second Ingredient

Let’s have a look at that other interesting text file:

[Screenshot: pickle-clue]

Ok, not very helpful!

There are a few places you always start when enumerating Linux boxes. I like to start with /home to see what users exist:

[Screenshot: pickle-userhome]

Let’s look in the rick folder:

[Screenshot: pickle-rickhome]

There is a file called “second ingredients” with the contents we need for the second question:

[Screenshot: pickle-second]

Third Ingredient

Time to look for the last ingredient. With no more users to search, I need to see what else we can do to enumerate further.

First, let's see what we can do with the account we're running as. Always try sudo -l to see what your user can run:

[Screenshot: pickle-sudo]

Well, that was nice and easy! The web server's user can run any command as root using sudo, without a password. Let's first look in the root directory to see if there is anything interesting:

[Screenshot: pickle-roothome]

Hmm, 3rd.txt looks to be what we wanted:

[Screenshot: pickle-third]

Now we have our last ingredient.

As you can see, this box was completed using nothing but a browser and an insecure web application: credentials in the page source and robots.txt, a command panel with a name-based filter, and a service account with unrestricted sudo.
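The root step worked only because the web server's account had a passwordless sudo rule. The defender's counterpart to sudo -l is auditing sudoers for that shape of entry. This is an added example, not anything from the room: a small parser that rates sudoers rules, run over a constructed sudoers snippet (the www-data line is the kind of rule that hands root to anyone who can run commands through the web app).

```python
import re

# Constructed sudoers content for the example; none of it is from the room.
SAMPLE_SUDOERS = """\
Defaults env_reset
root     ALL=(ALL:ALL) ALL
%sudo    ALL=(ALL:ALL) ALL
www-data ALL=(ALL) NOPASSWD: ALL          # service account, no password, any command
rick     ALL=(root) NOPASSWD: /usr/bin/less
"""

# Accounts that should never hold sudo rights at all.
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "nobody"}

# user host=(runas) [TAG:] commands   (simplified sudoers grammar)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"\b(NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC):")

def audit_sudoers(text: str):
    """Return (lineno, user, severity, rule) for every rule worth a look."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop trailing comments
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        user, cmds = m.group("user"), m.group("cmds")
        nopasswd = "NOPASSWD:" in cmds
        all_cmds = TAG_RE.sub("", cmds).strip() == "ALL"
        if all_cmds and nopasswd:
            severity = "critical"       # any command as root, no password: the room's case
        elif nopasswd or (all_cmds and user in SERVICE_ACCOUNTS):
            severity = "high"           # passwordless rule, or a daemon account with ALL
        elif all_cmds:
            severity = "info"           # normal admin rule; still worth listing
        else:
            continue
        findings.append((lineno, user, severity, line))
    return findings

if __name__ == "__main__":
    for lineno, user, severity, rule in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {lineno}: [{severity}] {user}: {rule}")
```

To check a real host, feed the function the output of `sudo cat /etc/sudoers` plus the files under /etc/sudoers.d; include directives and UID-style `#1000` entries are not handled by this simplified parser.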

Alternate Method To Root

If you wanted a reverse shell instead, you could do it this way with the help of the Pentest Monkey reverse shell cheat sheet.

Check whether PHP is available:

[Screenshot: pickle-php]

Try the PHP reverse shell from Pentest Monkey:

[Screenshot: pickle-phprev]

We get a connection on our waiting netcat session, but it immediately disconnects:

root@ip-10-10-19-48:~# nc -nlvp 1234
Listening on [0.0.0.0] (family 0, port 1234)
Connection from 10.10.24.11 57488 received!
root@ip-10-10-19-48:~# 

Let's try another language:

[Screenshot: pickle-perl]

Perl is installed. Start a netcat listener, then try the Perl one-liner:

[Screenshot: pickle-perlrevshell]

Back on the attack box we have a connection to our waiting netcat session:

root@ip-10-10-19-48:~# nc -nlvp 1234
Listening on [0.0.0.0] (family 0, port 1234)
Connection from 10.10.24.11 57492 received!
/bin/sh: 0: can't access tty; job control turned off

Check who we are and then escalate:

$ whoami
www-data
$ sudo /bin/sh
whoami
root

Now we have a reverse shell and have escalated to root, so we can complete the questions as before.

All done. See you next time.
