TryHackMe | PickleRick CTF Day #1


Today's date is Monday, April 18th, 2022.

A link to the box can be found here! This CTF is going to be a bit of a challenge for me. There are a bunch of things to learn along the way to complete this CTF, but it was posed to me as a challenge to have completed by the end of the week.

The CTF in its entirety is to find the three ingredients Rick, a mad scientist from the adult cartoon Rick and Morty, needs to create a potion that he can take to undo the effects of a previous experiment gone wrong, wherein he turned himself into a pickle, hence the name PickleRick.

The only task TryHackMe is concerned about is finding the ingredients for the potion. To do this I'll need to do some reconnaissance.

Upon opening the website, I am prompted by Rick to help him remember his password... I don't even know where to log in using a username or a password, let alone where they are... time to open up the dev tools.

Upon inspecting the home page, I'm able to find a username left as a comment in the HTML code. It's 'R1ckRul3s'.

This site is using Bootstrap v3.4.0 and jQuery v3.3.1. There are no cookies present at this time that could be manipulated yet. There are no service workers present at this time.

Given I have nothing else to go on... I think it's time to use some tools. I'll do an nmap scan of the site using the following command: "nmap -sC -sV (machine ip)"

While this is running, I might as well find whatever directories might be available, since that'll take some time, too.

Using the following command: "gobuster dir -u https://10-10-193-191.p.thmlabs.com/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50"

While gobuster was running, nmap finished.

Looks like port 22 and port 80 are open.

22/tcp ssh using OpenSSH 7.2p2
80/tcp http using Apache httpd 2.4.18

These are running on an Ubuntu server.

While gobuster is running, I decided to start poking around at some commonly used directories.. robots.txt has a single line, "Wubbalubbadubdub", which is Rick's catchphrase. lol. I wonder if that could be his password, too. haha!
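A pre-deployment check for the two leaks found so far (the username in an HTML comment and the stray line in robots.txt), as an added example that is not part of the original write-up. The keyword list, the function names and the sample inputs are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Keywords suggesting a comment holds account details (assumed list; tune it).
SENSITIVE = re.compile(r"\b(user(name)?|pass(word|wd)?|login|secret|token|api[_-]?key)\b", re.I)
# Field names crawlers understand in robots.txt; anything else is suspect.
ROBOTS_FIELDS = {"user-agent", "disallow", "allow", "sitemap", "crawl-delay", "host"}

class CommentCollector(HTMLParser):
    """Collects every HTML comment with the line it starts on."""
    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append((self.getpos()[0], data.strip()))

def audit_html(html):
    """Return (line, comment) for comments matching a sensitive keyword."""
    collector = CommentCollector()
    collector.feed(html)
    collector.close()
    return [(n, c) for n, c in collector.comments if SENSITIVE.search(c)]

def audit_robots(text):
    """Return (line, text) for robots.txt lines that are not 'field: value'."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop robots.txt comments
        field, sep, _ = line.partition(":")
        if line and (not sep or field.strip().lower() not in ROBOTS_FIELDS):
            findings.append((n, raw.strip()))
    return findings

# Constructed sample input modelled on what the write-up describes.
SAMPLE_HTML = """<html><body>
<h1>Help Morty!</h1>
<!-- layout: two columns -->
<!--
  Note to self, remember username!
  Username: R1ckRul3s
-->
</body></html>"""
SAMPLE_ROBOTS = "Wubbalubbadubdub\n"

if __name__ == "__main__":
    for n, c in audit_html(SAMPLE_HTML):
        print(f"index.html:{n}: comment mentions credentials: {c!r}")
    for n, l in audit_robots(SAMPLE_ROBOTS):
        print(f"robots.txt:{n}: not a crawler directive: {l!r}")
```

Run against the built site before publishing, a check like this fails the build on either finding.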

Come to think of it, I should try SSH with no username/password, just in case... No dice. Maybe with the username I found earlier? Still no dice.

I wonder if there are ingredients listed in the actual show that could point me towards some answers... Would that be considered OSINT? Not in the spirit of the trial, at least. I'll maybe give it a watch when I'm done.

Gobuster has come back with a few directories so far.

/assets with a 301 (redirect)
/server-status with a 403 (forbidden)

I decided to check out /assets, but nothing stood out to me as apparently vulnerable. I wonder if the site itself could be. I'll check out this version of Apache on exploit-db next. Either I don't know how to use exploit-db, or there was nothing I'm able to do yet without being able to upload a file.

I'm going to go back to nmap and try some more exhaustive scans, including a UDP scan (-sU), as well as scanning all ports (-p-), rather than the top 1000. I feel like using a random port would be within the realm of possibilities for Rick.

(10 mins or so passed here)

Well, this is taking forever, I'm going to run a dirbuster scan on top of that gobuster scan... Gobuster didn't find robots.txt and that seems strange to me... (some time passed...) Hah! Dirbuster found robots.txt. Isn't that neato.

That UDP scan came back with some things.

68 - open|filtered - dhcpc
1001 - open|filtered - unknown
36893 - open|filtered - unknown

I feel like these are some clues, but I couldn't tell you what they point to at this moment...

Dirbuster also found another page, index.html... Given this is the default landing page for all Apache sites, I probably should have guessed this would show up on the scan regardless.

Tomorrow I get to do some research into how open UDP ports might be exploited, because I think that is my next step.

To be continued...