Information
Room
- Name: Pickle Rick
- Profile: tryhackme.com
- Difficulty: Easy
- Description: A Rick and Morty CTF. Help turn Rick back into a human!
Write-up
Overview
Install tools used in this WU on BlackArch Linux:
$ sudo pacman -S nmap ffuf ruby-ctf-party
Network Enumeration
Port scan with nmap:
# Nmap 7.91 scan initiated Tue Mar 9 19:36:57 2021 as: nmap -sSVC -p- -v -oA nmap_scan 10.10.8.120
Web discovery
If we look at the source code of the home page of the web app, we can see an HTML comment leaking a username:
<!--
Web enumeration
Let's find some pages:
$ ffuf -u http://10.10.8.120/FUZZ -c -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt -fc 403
robots.txt contains a troll message, and portal.php redirects to login.php, probably because we are not authenticated.
1st ingredient
Ok, now it's super dumb and not realistic at all, but the word Wubbalubbadubdub contained in robots.txt was not a troll but the actual password of R1ckRul3s.
So there is no vulnerability to identify here and no brute-force to do with hydra.
Once authenticated there are a bunch of pages where we can see the following message:
Only the REAL rick can view this page..
So we don't have the proper profile to see those pages, but we can access /portal.php, which contains a form entitled Command Panel where we can directly write a system command to be executed (ultra realistic again).
Let's try some basic commands:
ls -lhA
total 32K
But when we try to read the suspicious file with cat Sup3rS3cretPickl3Ingred.txt we obtain the following message: Command disabled to make it hard for future PICKLEEEE RICCCKKKK. (ultra realistic again), and the source code contains the following comment (ultra realistic again):
<!-- Vm1wR1UxTnRWa2RUV0d4VFlrZFNjRlV3V2t0alJsWnlWbXQwVkUxV1duaFZNakExVkcxS1NHVkliRmhoTVhCb1ZsWmFWMVpWTVVWaGVqQT0== -->
It's a nested base64 string (a base64 string containing a base64 string, etc.) but with incorrect padding, so we have to remove or add some at each layer, which makes it unhandy to pipe through the base64 command on the terminal, so I rather used ctf-party to decode the string. Here is the toxic message I got:
$ ctf_party_console
You know what? Another toxic unrealistic step! It's a shame we don't know the author of the box to shame them.
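ctf-party did the decoding above; as an added example that is neither the author's nor ctf-party's code, here is a small Python decoder that peels nested base64 layers and normalises the padding at every step (the comment's own padding is wrong, and one of the inner layers is short a "=" too), run on the comment string taken from the page source. The stop condition (decode until the result no longer looks like base64) is an assumption that fits this string but would need a better heuristic for arbitrary data:

```python
import base64
import binascii
import re
from typing import Tuple

# The HTML comment from the portal page source, as quoted in the write-up.
COMMENT_B64 = (
    "Vm1wR1UxTnRWa2RUV0d4VFlrZFNjRlV3V2t0alJsWnlWbXQwVkUxV1duaFZN"
    "akExVkcxS1NHVkliRmhoTVhCb1ZsWmFWMVpWTVVWaGVqQT0=="
)

# Base64 alphabet with optional trailing padding.
B64_SHAPE = re.compile(r"[A-Za-z0-9+/]+=*")


def fix_padding(s: str) -> str:
    """Drop whatever '=' padding is present and re-add exactly the right amount.

    This handles both the over-padded outer layer and an under-padded inner one,
    which is what makes piping through the `base64` CLI awkward.
    """
    s = s.strip().rstrip("=")
    return s + "=" * (-len(s) % 4)


def looks_like_base64(s: str) -> bool:
    """Heuristic stop condition (assumption): only base64 alphabet characters."""
    return len(s) >= 4 and B64_SHAPE.fullmatch(s) is not None


def peel_base64(data: str, max_depth: int = 32) -> Tuple[str, int]:
    """Repeatedly base64-decode `data` while the result still looks like base64.

    Returns (final_text, number_of_layers_decoded). `max_depth` guards against
    input that happens to decode to valid base64 forever.
    """
    current = data
    layers = 0
    while layers < max_depth and looks_like_base64(current):
        try:
            decoded = base64.b64decode(fix_padding(current)).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            # Not base64 after all (or binary payload): stop at the previous layer.
            break
        layers += 1
        current = decoded
    return current, layers


if __name__ == "__main__":
    text, depth = peel_base64(COMMENT_B64)
    print(f"decoded {depth} layers: {text!r}")
```

The same `fix_padding` step is what you would apply to each intermediate layer by hand; the loop just saves doing it seven times.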
Let's get back to Sup3rS3cretPickl3Ingred.txt where the command cat is forbidden. We can do tee < Sup3rS3cretPickl3Ingred.txt instead:
1st ingredient:
mr. meeseek hair
It seems to be the first ingredient.
Note: Of course, if you don't know the restricted shell escape trick with tee, you could just request http://10.10.8.120/Sup3rS3cretPickl3Ingred.txt via HTTP, as the file is in the web server root folder.
Note2: tee < portal.php shows the forbidden commands were:
$cmds = array("cat", "head", "more", "tail", "nano", "vim", "vi");
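The $cmds array is a denylist of binary names, and both tricks used in this write-up (tee with a redirection, quotes / concatenation on the binary name) get past it. As an added example, not the room's PHP nor any code from the author, here is a Python stand-in for that check next to the allowlist-based dispatch a command panel should use instead. The denylist matching logic is assumed (first word of the raw command), since portal.php's exact comparison is not shown in the write-up, and the ALLOWLIST contents are constructed for the example:

```python
import shlex
import subprocess
from typing import List, Optional

# Denylist as found in portal.php (from the write-up).
DENYLIST = ("cat", "head", "more", "tail", "nano", "vim", "vi")

# Allowlist constructed for the example: the only programs the panel may launch.
ALLOWLIST = {"ls", "id", "whoami"}

# Shell metacharacters that mean the caller wanted shell semantics.
SHELL_META = set("<>|;&$`")


def denylist_blocks(cmd: str) -> bool:
    """Assumed model of the portal.php check: reject if the first word is a
    forbidden binary. Anything that renames the word (tee, quoting) slips through."""
    words = cmd.split()
    return bool(words) and words[0] in DENYLIST


def allowlist_argv(cmd: str) -> Optional[List[str]]:
    """Parse the command with shlex (no shell involved) and accept it only when
    argv[0] is allowlisted and no argument carries a shell metacharacter.

    shlex collapses quoting, so c""at parses to argv[0] == "cat", which is not in
    the allowlist; tee is not in it either, and the '<' would be rejected anyway.
    """
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return None  # unbalanced quotes
    if not argv or argv[0] not in ALLOWLIST:
        return None
    if any(SHELL_META & set(arg) for arg in argv):
        return None
    return argv


def run_allowed(cmd: str) -> Optional[str]:
    """Run an allowlisted command without a shell; returns stdout or None if refused."""
    argv = allowlist_argv(cmd)
    if argv is None:
        return None
    # shell=False: argv goes straight to execve, so redirections and pipes are
    # just literal arguments, never interpreted.
    proc = subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=5)
    return proc.stdout


if __name__ == "__main__":
    for c in ("cat Sup3rS3cretPickl3Ingred.txt", "tee < Sup3rS3cretPickl3Ingred.txt", 'c""at Sup3rS3cretPickl3Ingred.txt'):
        print(f"{c!r}: denylist blocks={denylist_blocks(c)}, allowlist argv={allowlist_argv(c)}")
```

The point of the comparison is that the denylist answers "does this look like a bad command" while the allowlist answers "is this exactly one of the commands we meant to expose"; only the second question has a stable answer.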
2nd ingredient
Same as for the 1st ingredient.
$ ls -lhA /home
2nd ingredient:
1 jerry tear
3rd ingredient
We can run anything as root without a password:
$ sudo -l
We can't use tee with sudo because of the redirection operator (the shell opens the file before sudo runs, so it is opened as the web user), so let's use another shell escape technique: quotes / concatenation on the binary name. We can also use PHP, etc.
$ sudo php -r "echo file_get_contents('/root/3rd.txt');"
3rd ingredient:
fleeb juice