mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-22 20:53:37 +00:00
62 lines
1.6 KiB
Markdown
62 lines
1.6 KiB
Markdown
# Pickle Rick
|
|
|
|
|
|
|
|
This machine was categorised as easy and it was pretty easy.
|
|
|
|
## Enumeration
|
|
|
|
I started **enumerating the machine using my tool** [**Legion**](https://github.com/carlospolop/legion):
|
|
|
|
|
|
|
|
In as you can see 2 ports are open: 80 \(**HTTP**\) and 22 \(**SSH**\)
|
|
|
|
So, I launched legion to enumerate the HTTP service:
|
|
|
|
|
|
|
|
Note that in the image you can see that `robots.txt` contains the string `Wubbalubbadubdub`
|
|
|
|
After some seconds I reviewed what `disearch` has already discovered :
|
|
|
|
|
|
|
|
|
|
|
|
And as you may see in the last image a **login** page was discovered.
|
|
|
|
Checking the source code of the root page, a username is discovered: `R1ckRul3s`
|
|
|
|
|
|
|
|
Therefore, you can login on the login page using the credentials `R1ckRul3s:Wubbalubbadubdub`
|
|
|
|
## User
|
|
|
|
Using those credentials you will access a portal where you can execute commands:
|
|
|
|
|
|
|
|
Some commands like cat aren't allowed but you can read the first ingredient \(flag\) using for example grep:
|
|
|
|
|
|
|
|
Then I used:
|
|
|
|
|
|
|
|
To obtain a reverse shell:
|
|
|
|
|
|
|
|
The **second ingredient** can be found in `/home/rick`
|
|
|
|
|
|
|
|
## Root
|
|
|
|
The user **www-data can execute anything as sudo**:
|
|
|
|
|
|
|