2020-07-15 15:43:14 +00:00
|
|
|
# Pickle Rick
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
This machine was categorised as easy and it was pretty easy.
|
|
|
|
|
|
|
|
|
|
## Enumeration
|
|
|
|
|
|
|
|
|
|
I started **enumerating the machine using my tool** [**Legion**](https://github.com/carlospolop/legion):
|
|
|
|
|
|
2020-11-30 15:34:43 +00:00
|
|
|
|
2020-07-15 15:43:14 +00:00
|
|
|
|
|
|
|
|
In as you can see 2 ports are open: 80 \(**HTTP**\) and 22 \(**SSH**\)
|
|
|
|
|
|
|
|
|
|
So, I launched legion to enumerate the HTTP service:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Note that in the image you can see that `robots.txt` contains the string `Wubbalubbadubdub`
|
|
|
|
|
|
|
|
|
|
After some seconds I reviewed what `disearch` has already discovered :
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
And as you may see in the last image a **login** page was discovered.
|
|
|
|
|
|
|
|
|
|
Checking the source code of the root page, a username is discovered: `R1ckRul3s`
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Therefore, you can login on the login page using the credentials `R1ckRul3s:Wubbalubbadubdub`
|
|
|
|
|
|
|
|
|
|
## User
|
|
|
|
|
|
|
|
|
|
Using those credentials you will access a portal where you can execute commands:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Some commands like cat aren't allowed but you can read the first ingredient \(flag\) using for example grep:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Then I used:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
To obtain a reverse shell:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The **second ingredient** can be found in `/home/rick`
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
## Root
|
|
|
|
|
|
|
|
|
|
The user **www-data can execute anything as sudo**:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
