2020-07-15 15:43:14 +00:00
|
|
|
# Pickle Rick
|
|
|
|
|
|
|
|
![](../../.gitbook/assets/picklerick.gif)
|
|
|
|
|
|
|
|
This machine was categorised as easy and it was pretty easy.
|
|
|
|
|
|
|
|
## Enumeration
|
|
|
|
|
2021-10-18 11:21:18 +00:00
|
|
|
I started **enumerating the machine using my tool **[**Legion**](https://github.com/carlospolop/legion):
|
2020-07-15 15:43:14 +00:00
|
|
|
|
2021-10-18 11:21:18 +00:00
|
|
|
![](<../../.gitbook/assets/image (79) (2).png>)
|
2020-07-15 15:43:14 +00:00
|
|
|
|
2021-10-18 11:21:18 +00:00
|
|
|
In as you can see 2 ports are open: 80 (**HTTP**) and 22 (**SSH**)
|
2020-07-15 15:43:14 +00:00
|
|
|
|
|
|
|
So, I launched legion to enumerate the HTTP service:
|
|
|
|
|
2021-10-18 11:21:18 +00:00
|
|
|
![](<../../.gitbook/assets/image (234).png>)
|
2020-07-15 15:43:14 +00:00
|
|
|
|
|
|
|
Note that in the image you can see that `robots.txt` contains the string `Wubbalubbadubdub`
|
|
|
|
|
2021-10-18 11:21:18 +00:00
|
|
|
After some seconds I reviewed what `disearch `has already discovered :
|
2020-07-15 15:43:14 +00:00
|
|
|
|
2021-10-18 11:21:18 +00:00
|
|
|
![](<../../.gitbook/assets/image (235).png>)
|
2020-07-15 15:43:14 +00:00
|
|
|
|
2021-10-18 11:21:18 +00:00
|
|
|
![](<../../.gitbook/assets/image (236).png>)
|
2020-07-15 15:43:14 +00:00
|
|
|
|
2021-10-18 11:21:18 +00:00
|
|
|
And as you may see in the last image a **login **page was discovered.
|
2020-07-15 15:43:14 +00:00
|
|
|
|
|
|
|
Checking the source code of the root page, a username is discovered: `R1ckRul3s`
|
|
|
|
|
2021-10-18 11:21:18 +00:00
|
|
|
![](<../../.gitbook/assets/image (237).png>)
|
2020-07-15 15:43:14 +00:00
|
|
|
|
|
|
|
Therefore, you can login on the login page using the credentials `R1ckRul3s:Wubbalubbadubdub`
|
|
|
|
|
|
|
|
## User
|
|
|
|
|
|
|
|
Using those credentials you will access a portal where you can execute commands:
|
|
|
|
|
2021-10-18 11:21:18 +00:00
|
|
|
![](<../../.gitbook/assets/image (241).png>)
|
2020-07-15 15:43:14 +00:00
|
|
|
|
2021-10-18 11:21:18 +00:00
|
|
|
Some commands like cat aren't allowed but you can read the first ingredient (flag) using for example grep:
|
2020-07-15 15:43:14 +00:00
|
|
|
|
2021-10-18 11:21:18 +00:00
|
|
|
![](<../../.gitbook/assets/image (242).png>)
|
2020-07-15 15:43:14 +00:00
|
|
|
|
|
|
|
Then I used:
|
|
|
|
|
2021-10-18 11:21:18 +00:00
|
|
|
![](<../../.gitbook/assets/image (243).png>)
|
2020-07-15 15:43:14 +00:00
|
|
|
|
|
|
|
To obtain a reverse shell:
|
|
|
|
|
2021-10-18 11:21:18 +00:00
|
|
|
![](<../../.gitbook/assets/image (239).png>)
|
2020-07-15 15:43:14 +00:00
|
|
|
|
|
|
|
The **second ingredient** can be found in `/home/rick`
|
|
|
|
|
2021-10-18 11:21:18 +00:00
|
|
|
![](<../../.gitbook/assets/image (240).png>)
|
2020-07-15 15:43:14 +00:00
|
|
|
|
|
|
|
## Root
|
|
|
|
|
|
|
|
The user **www-data can execute anything as sudo**:
|
|
|
|
|
2021-10-18 11:21:18 +00:00
|
|
|
![](<../../.gitbook/assets/image (238).png>)
|