This walkthrough will go over the Pickle Rick CTF found on TryHackMe. The focus of this box is to teach the importance of cleaning up developer comments in files, of not storing secrets in improper places, and of input validation for web applications.
Step 1: What's Out There?
My methodology might be different from yours when it comes to recon and trying to identify what type of technologies exist on my target. To avoid being loud, we're going to take a less intrusive approach and enumerate the web server to see what we can find. First, let's take a look at the home page.
Right off the bat, we can tell that there is no functionality on this page. It's a static display of an image and text, with no indication of a way for us to try an injection attack. However, after taking a peek at the source code, we discovered a username, R1ckRul3s.
In addition to gaining a username because the developer had poor cybersecurity hygiene, we can see that there is a directory called assets. Let's take a look at this and see if there's anything that can help us get a foothold on the box.
The only thing that stands out to me here is Apache/2.4.18, which tells me that we're dealing with a Linux-based system; this will come in handy later. The version is vulnerable to a privilege escalation attack, but this doesn't do us much good yet, as it is a local privilege escalation and will require us to get a shell on the box first. Still, something to take note of. So, where to from here? Well, before we start using tools to further enumerate directories, let's see if we can access robots.txt; perhaps there's something useful there.
Not really sure what Wubbalubbadubdub is, but let's put it in our back pocket along with R1ckRul3s; I'm sure there's some importance to it. Now, let's dig deeper and see what type of content we can pull out of this site. For this, we will be using dirb. This tool runs a dictionary attack against a website to help us find web objects. There are other tools out there that can achieve the same or similar results, like gobuster, but I like this one.
Well, this doesn't tell us anything more than what we already know. But there has to be something out there, purely based on the fact that a username exists and that there are images in assets that are used somewhere other than the home page, so perhaps a filter is blocking us from discovering more. At this point, we know there's a login page for an admin because the description on the home page hints at it. So, let's manually look for login pages and see what we come up with.
I found this page after trying login.php. Now, let's try using R1ckRul3s as our username and Wubbalubbadubdub as our password.
Step 2: Finding the Ingredients
We're in! And what's this? A command panel...very interesting. Considering that we identified the operating system as Linux earlier when we took a peek at the assets directory, we might be able to run some commands here to find the ingredients.
First, let's check and see who we are.
Just as I expected, we're logged in as the non-privileged user www-data. We should still be able to view some documents and maneuver around. Let's see if we can execute the looksee command to view the content of our current directory. We'll follow it with pwd to print our working directory.
ls -lah; pwd
A lot of goodies in the base /var/www/html directory. I bet Sup3rS3cretPickl3Ingred.txt contains one of our ingredients; let's see what's inside.
Well, looks like we are not allowed to use cat, but we can use another command like less to see the content of the file.
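To show why the panel's filter fails, here is an added Python model of the input check (my own illustration, not the box's PHP): a deny-list that refuses only the word cat, beside an allow-list of named programs, both run over the commands used in this walkthrough. The set of allowed program names is an assumption.

```python
import shlex

# Added model of the panel's input check, not the box's own code.
# The box refuses the word "cat" and lets everything else through.
DENIED_WORDS = {"cat"}

def denylist_allows(cmd: str) -> bool:
    """Deny-list check: refuse only if a denied word appears anywhere."""
    words = cmd.replace(";", " ").split()
    return not any(word in DENIED_WORDS for word in words)

# Hypothetical allow-list: the programs a status panel legitimately needs.
ALLOWED_PROGRAMS = {"uptime", "date"}
SHELL_META = set(";&|`$<>(){}\n")

def allowlist_allows(cmd: str) -> bool:
    """Allow-list check: one permitted program, no arguments, no shell metacharacters."""
    if any(ch in SHELL_META for ch in cmd):
        return False
    try:
        parts = shlex.split(cmd)  # tokenises quoted names like "second ingredients"
    except ValueError:
        return False
    return len(parts) == 1 and parts[0] in ALLOWED_PROGRAMS

# Constructed inputs: the commands from the walkthrough plus one legitimate one.
SAMPLE_INPUTS = [
    "cat Sup3rS3cretPickl3Ingred.txt",
    "less Sup3rS3cretPickl3Ingred.txt",
    "cd ../../../; ls -lah; pwd",
    'less /home/rick/"second ingredients"',
    "sudo less ../../../root/3rd.txt",
    "uptime",
]

def compare(inputs=SAMPLE_INPUTS):
    """Map each input to (deny-list verdict, allow-list verdict); True means accepted."""
    return {cmd: (denylist_allows(cmd), allowlist_allows(cmd)) for cmd in inputs}

if __name__ == "__main__":
    for cmd, (deny, allow) in compare().items():
        print(f"{cmd!r:45} deny-list={'pass' if deny else 'block'}  "
              f"allow-list={'pass' if allow else 'block'}")
```

Only the bare program name gets through the allow-list; every file read, traversal and sudo invocation from the walkthrough passes the deny-list untouched.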
When a hacker has a will, a hacker will find a way. We found our first ingredient, *** ******* ****. Now, let's see what this clue.txt has for us.
Alright, looks like we need to do some more digging for the other ingredients. Taking into consideration that we're in /var/www/html on Linux, we need to go up three directories to reach the root of the filesystem before we start traversing it.
cd ../../../; ls -lah; pwd
Let's start by looking in /home for our next ingredient. Just like on Windows, this directory houses folders such as Documents, Downloads, and Pictures. I don't know about you, but this is where I would store something important.
cd /home; ls -lah; pwd
We found two folders, rick and ubuntu. We'll start with rick.
cd /home/rick; ls -lah; pwd
Nice, we found our second ingredient. One thing to note is that it is a file and not a directory. We know this from the permissions -rwxrwxrwx, which allow us to read, write, and execute; if it were a directory, the listing would instead show drwxrwxrwx. Because the file name contains a space, we need to put quotes around it; otherwise the shell splits the name into two separate words and the command gives us no results.
less /home/rick/"second ingredients"
* ***** **** for our second ingredient. No idea what this is either; perhaps I should watch this show? I might just have to watch an episode and see if I like it. Anyway, back to hacking and getting that prize root folder we saw after our first looksee into the base directory. The first thing we should do in this scenario is see what we can run as sudo.
Well, this is good and bad. Good for us, as we can literally run anything with sudo, since we don't need a password to authenticate. Bad for the owner of this box, because we can look into the root directory without much effort.
sudo ls -lah ../../../root
With a bit of "Linux Fu", we are able to see the contents of root. From here we should be able to get our last ingredient and complete this box.
sudo less ../../../root/3rd.txt
We obtained our third ingredient, ***** *****, and are ready to submit all three and pwn this box.
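The passwordless sudo grant is the misconfiguration that turns a web-shell foothold into root. As an added example (my own code, not from the box or from TryHackMe), here is a small audit that reads a sudoers file and flags exactly that pattern; the sudoers excerpt is constructed, and the parser deliberately ignores aliases, includes and line continuations.

```python
import re

# Constructed sudoers excerpt for demonstration; the www-data line mirrors
# the kind of grant that let us read /root on the box.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
www-data ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
"""

# Accounts that normally only run daemons; any sudo grant for them deserves a look.
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "nobody"}
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV"}
# user_or_group  hosts = (runas) [TAG: ...] commands
ENTRY = re.compile(r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")

def parse_sudoers(text):
    """Yield (who, tags, commands) for each user specification line.
    Simplified: no alias resolution, no #include, no backslash continuations."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = ENTRY.match(line)
        if not m:
            continue
        rest, tags = m.group("rest"), set()
        while True:  # peel off leading "TAG:" markers before the command list
            head, sep, tail = rest.partition(":")
            if sep and head.strip().upper() in TAGS:
                tags.add(head.strip().upper())
                rest = tail.strip()
            else:
                break
        yield m.group("who"), tags, rest.strip()

def audit_sudoers(text):
    """Return (who, commands, reason) for grants an administrator should revisit."""
    findings = []
    for who, tags, commands in parse_sudoers(text):
        if "NOPASSWD" in tags and commands == "ALL":
            findings.append((who, commands, "passwordless sudo for every command"))
        elif who in SERVICE_ACCOUNTS:
            findings.append((who, commands, "sudo granted to a service account"))
    return findings
```

A grant that still has to exist should name the exact binary, as the constructed backup line does, so that a compromised account cannot simply sudo its way to a shell.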
Step 3: Pwned