This walkthrough will go over the Pickle Rick CTF found on TryHackMe. The focus of this box is to teach the importance of cleaning up developer comments in files, of not storing sensitive data where it can be read, and of input validation in web applications.
Step 1: What's Out There?
My methodology might be different from yours when it comes to recon and identifying what technologies exist on a target. To avoid being loud, we're going to take a less intrusive approach and enumerate the web server by hand to see what we can find. First, let's take a look at the home page.
Right off the bat, we can tell that this page has no functionality: it's a static display of an image and text, with no obvious input for us to try an injection attack against. However, after taking a peek at the page source, we discovered a username, R1ckRul3s.
In addition to gaining a username thanks to the developer's poor cybersecurity hygiene, we can see that there is a directory called assets. Let's take a look at it and see if there's anything that can help us get a foothold on the box.
The only thing that stands out to me here is Apache/2.4.18, which tells me we're dealing with a Linux-based system; that will come in handy later. This version is vulnerable to a privilege escalation attack, but that doesn't do us much good yet, as it is a local privilege escalation and would require us to have a shell on the box first. Something to take note of, nonetheless. So, where to from here? Well, before we start using tools to enumerate directories further, let's see if we can access robots.txt; perhaps there's something useful there.
Not really sure what Wubbalubbadubdub is, but let's put it in our back pocket along with R1ckRul3s; I'm sure it has some importance. Now, let's dig deeper and see what content we can pull out of this site. For this, we will be using dirb. This tool essentially runs a dictionary attack against a website to help us find web objects. Other tools, like ffuf and gobuster, can achieve the same or similar results, but I like this one.
Syntax:
dirb http://website.thm
Well, this doesn't tell us anything more than what we already know. But there has to be something out there, purely based on the fact that a username exists and that there are images in assets that aren't used on the home page, so perhaps a filter is blocking us from discovering more. At this point, we know there's a login page for an admin, because the description on the home page hints at it. So, let's manually look for login pages and see what we come up with.
I found this page after trying login.php. Now, let's try using R1ckRul3s as our username and Wubbalubbadubdub as our password.
Step 2: Finding the Ingredients
We're in! And what's this? A command panel... very interesting. Considering we identified the operating system as Linux earlier when we took a peek at the assets directory, we might be able to run some commands here to find the ingredients.
First, we will check and see who we are by typing whoami.
Just as I expected, we're logged in as the non-privileged user www-data. We should still be able to view some documents and maneuver around. Let's see if we can run ls, the "looksee" command, to view the content of our current directory. We'll follow it with pwd to print our working directory.
ls -lah; pwd
A lot of goodies in the base /var/www/html directory. I bet Sup3rS3cretPickl3Ingred.txt contains one of our ingredients; let's see what's inside.
cat Sup3rS3cretPickl3Ingred.txt
Well, looks like we are not allowed to use cat, but we can use another command, like less, to see the content of the file.
less Sup3rS3cretPickl3Ingred.txt
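What we just saw is the input-validation lesson of this box: the panel refuses the word cat but happily runs less and a chained "ls -lah; pwd", which is how a filter behaves when it compares the first word against a list of forbidden commands. The following is an added example, written by me and not code from the original post or the room, that models such a denylist next to the approach a defender should use instead: an allowlist of permitted commands and flags, rejection of shell metacharacters, and execution without a shell. The shape of the panel's actual filter is an assumption; the page only shows which inputs were refused and which went through.

```python
import re
import shlex
import subprocess

# Assumed shape of the panel's filter: the walkthrough only shows that "cat" is
# refused while "less" and "ls -lah; pwd" go through, which is what a
# first-word denylist produces.
DENYLIST = {"cat"}

# Allowlist approach: the only commands the panel is meant to offer, each with
# the flags it may take. Everything else is rejected before anything runs.
ALLOWED_COMMANDS = {
    "whoami": set(),
    "pwd": set(),
    "ls": {"-l", "-a", "-h", "-la", "-lah", "-al"},
}
# Characters that hand control to a shell (chaining, pipes, redirection, substitution).
SHELL_META = re.compile(r"[;&|<>`$(){}\\\n*?\[\]~!]")
# Plain path characters only; ".." segments are rejected separately below.
SAFE_PATH = re.compile(r"^[A-Za-z0-9._/-]+$")


def denylist_allows(command_line: str) -> bool:
    """The weak filter: only the first word is compared against the denylist,
    so any other program that reads files, and anything after a ';', passes."""
    words = command_line.split()
    return bool(words) and words[0] not in DENYLIST


def allowlist_argv(command_line: str) -> list:
    """Strict validation. Returns the argv to execute without a shell, or raises
    ValueError carrying the reason the input was refused."""
    if SHELL_META.search(command_line):
        raise ValueError("shell metacharacters are not permitted")
    argv = shlex.split(command_line)
    if not argv:
        raise ValueError("empty command")
    name, args = argv[0], argv[1:]
    if name not in ALLOWED_COMMANDS:
        raise ValueError(f"command not permitted: {name}")
    for arg in args:
        if arg.startswith("-"):
            if arg not in ALLOWED_COMMANDS[name]:
                raise ValueError(f"flag not permitted for {name}: {arg}")
        elif not SAFE_PATH.match(arg) or ".." in arg.split("/"):
            raise ValueError(f"argument not permitted: {arg}")
    return argv


def run_allowed(command_line: str, cwd: str = "/var/www/html") -> str:
    """Execute only what allowlist_argv accepted, with shell=False so the argv
    list goes straight to the program and is never reinterpreted by a shell."""
    argv = allowlist_argv(command_line)
    result = subprocess.run(argv, cwd=cwd, shell=False, capture_output=True,
                            text=True, timeout=5, check=False)
    return result.stdout


def compare(command_line: str) -> dict:
    """Side-by-side verdict of the two filters for one input."""
    try:
        allowlist_argv(command_line)
        strict = "allowed"
    except ValueError as exc:
        strict = f"refused ({exc})"
    return {
        "input": command_line,
        "denylist": "allowed" if denylist_allows(command_line) else "refused",
        "allowlist": strict,
    }


if __name__ == "__main__":
    for line in ("whoami", "ls -lah", "ls -lah; pwd",
                 "cat Sup3rS3cretPickl3Ingred.txt", "less Sup3rS3cretPickl3Ingred.txt"):
        print(compare(line))
```

The comparison makes the point of the box concrete: the denylist refuses one spelling of "read this file" and lets every other one through, while the allowlist refuses everything it was not explicitly built to offer, including command chaining and parent-directory traversal. The better fix, of course, is not to expose a command panel to a web session at all; the allowlist is the minimum if such a feature has to exist.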
When a hacker has a will, a hacker will find a way. We found our first ingredient, *** ******* ****. Now, let's see what this clue.txt has for us.
less clue.txt
Alright, looks like we need to do some more digging for the other ingredients. Considering that we're in /var/www/html on Linux, we need to go up three directories to reach the filesystem root and start our directory traversal from there.
cd ../../../; ls -lah; pwd
Let's start by looking in /home for our next ingredient. Just like on Windows, this is where each user's folders such as Documents, Downloads, and Pictures live. I don't know about you, but this is where I would store something important.
cd /home; ls -lah; pwd
We found two folders, rick and ubuntu. We'll start with rick since it's owned by root.
cd /home/rick; ls -lah; pwd
Nice, we found our second ingredient. One thing to note is that it is a file and not a directory: the permissions read -rwxrwxrwx, where the leading dash marks a regular file (readable, writable, and executable by everyone), whereas a directory would show as drwxrwxrwx. The file name also has a space in it, so we need to put quotes around it; otherwise the shell splits the name into two separate arguments and less won't find the file.
less /home/rick/"second ingredients"
* ***** **** is our second ingredient. No idea what this is either; perhaps I should watch this show? I might just have to watch an episode and see if I like it. Anyway, back to hacking and getting that prize root folder we saw after our first looksee into the base directory. The first thing we should do in this scenario is see what we can run as sudo.
sudo -l
Well, this is good and bad. Good for us, as we can literally run anything as sudo without being asked for a password. Bad for the owner of this box, because we can look into the root directory without much effort.
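The sudo grant is the improper-storage and least-privilege half of the lesson: a web service account that can run anything as root without a password turns every flaw in the web application into full control of the host. The following is an added example, written by me and not code from the original post or the room, of a small sudoers audit that parses user-specification lines and flags grants that deserve review, rating them higher when they belong to a web service account. The sudoers content is constructed; the walkthrough does not print the box's actual sudo -l output, only that www-data may run anything without a password, which the www-data line reproduces.

```python
import re

# Constructed sudoers content for illustration. The walkthrough does not show
# the box's actual sudo -l output, only that www-data may run anything without
# a password, which the www-data line below reproduces.
SAMPLE_SUDOERS = """# /etc/sudoers (constructed sample)
Defaults        env_reset
root     ALL=(ALL:ALL) ALL
%admin   ALL=(ALL) ALL
www-data ALL=(ALL) NOPASSWD: ALL
backup   ALL=(root) NOPASSWD: /usr/bin/rsync
deploy   ALL=(www-data) /usr/bin/systemctl restart apache2
"""

# user  hosts=(runas)  [TAG: ...]  commands
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:\w+:\s*)*)(?P<commands>.+)$"
)
# Accounts that web applications run as; a sudo grant to one of these turns
# any flaw in the application into an escalation path.
WEB_ACCOUNTS = {"www-data", "apache", "nginx", "httpd"}


def parse_sudoers(text: str) -> list:
    """Parse user-specification lines into dicts; skips comments, blanks and Defaults."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        match = RULE_RE.match(line)
        if not match:
            continue
        tags = {t.rstrip(":") for t in match.group("tags").split()}
        rules.append({
            "user": match.group("user"),
            "runas": match.group("runas"),
            "tags": tags,
            "commands": match.group("commands").strip(),
        })
    return rules


def audit_sudoers(text: str) -> list:
    """Flag grants that deserve review, in file order, with a severity and reason."""
    findings = []
    for rule in parse_sudoers(text):
        if rule["user"] == "root":
            continue  # root needs no grant to do anything
        unrestricted = rule["commands"] == "ALL"
        nopasswd = "NOPASSWD" in rule["tags"]
        if unrestricted and nopasswd:
            severity, reason = "critical", "may run any command as any user with no password"
        elif unrestricted:
            severity, reason = "high", "may run any command (password required)"
        elif nopasswd:
            severity, reason = "medium", "passwordless grant for a specific command; verify it is still needed"
        else:
            continue
        if rule["user"] in WEB_ACCOUNTS:
            severity = "critical"
            reason += "; granted to a web service account"
        findings.append({
            "user": rule["user"],
            "severity": severity,
            "reason": reason,
            "commands": rule["commands"],
        })
    return findings


if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{finding['severity']:8} {finding['user']:10} {finding['reason']}")
```

On the sample, the %admin group is rated high, the www-data line is rated critical on both counts, the backup account's passwordless rsync grant is flagged for review, and the deploy rule (a single command, password required) is left alone. A check like this belongs in configuration management so that a grant such as the one on this box never reaches a running server; the lesson for the box's owner is that www-data should have had no sudo entry at all.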
sudo ls -lah ../../../root
With a bit of "Linux Fu", we are able to see the contents of root. From here we should be able to get our last ingredient and complete this box.
sudo less ../../../root/3rd.txt
We obtained our third ingredient, ***** *****, and are ready to submit all three and pwn this box.
Step 3: Pwned
I hope you enjoyed this walkthrough of the Pickle Rick CTF built by TryHackMe and ar33zy. Keep on hacking.