Tryhackme: Pickle Rick

Cybertrinchera, published in CodeX, 4 min read, Dec 13, 2022

Pickle Rick is an easy TryHackMe machine in which we have to enumerate a web service and use some leaked credentials to access it. Finally, we exploit a command execution vulnerability to get a shell on the machine.

As usual in TryHackMe, we must connect to the VPN or use the AttackBox. I will choose the VPN. We press the Start Machine button and, a minute later, they show us the IP address. Now we proceed with the initial reconnaissance using Nmap:

nmap -p- -sV -Pn $IP

The -p- parameter (a hyphen after -p) tells Nmap to scan all ports, -sV fingerprints the service versions, and -Pn scans the host even if it does not respond to ping.

We can see that the machine has few services open, only SSH and a web server. Let’s dig into the web server.

Web server enumeration

On the main page of the website, we can see a comment leaking a user name.

Also, we can see a strange entry in robots.txt. It might be a password, but this is a bit of a guess…

By fuzzing directories and files, we find many endpoints.

We can test the user and the guessed password from the robots.txt file on the login portal.

Once logged into the application, we have access to a panel that lets us execute commands, but it has a blacklist. We can bypass it with base64 or by using the less command. If we look at the code, we can see that the blacklist is hard-coded.

<?php
session_start();

if($_SESSION["login"] == false) {
    header("Location: /login.php"); die();
}

?>
<!DOCTYPE html>
<html lang="en">
<head>
    <title>Rick is sup4r cool</title>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <link rel="stylesheet" href="assets/bootstrap.min.css">
    <script src="assets/jquery.min.js"></script>
    <script src="assets/bootstrap.min.js"></script>
</head>
<body>
<nav class="navbar navbar-inverse">
    <div class="container">
        <div class="navbar-header">
            <a class="navbar-brand" href="#">Rick Portal</a>
        </div>
        <ul class="nav navbar-nav">
            <li class="active"><a href="#">Commands</a></li>
            <li><a href="/denied.php">Potions</a></li>
            <li><a href="/denied.php">Creatures</a></li>
            <li><a href="/denied.php">Potions</a></li>
            <li><a href="/denied.php">Beth Clone Notes</a></li>
        </ul>
    </div>
</nav>

<div class="container">
    <form name="input" action="" method="post">
        <h3>Command Panel</h3></br>
        <input type="text" class="form-control" name="command" placeholder="Commands"/></br>
        <input type="submit" value="Execute" class="btn btn-success" name="sub"/>
    </form>
<?php
// Case-insensitive substring match: returns true if any blacklisted
// word appears anywhere in the submitted string.
function contains($str, array $arr)
{
    foreach($arr as $a) {
        if (stripos($str,$a) !== false) return true;
    }
    return false;
}
// Cant use cat
// Hard-coded blacklist of file-reading commands; anything not listed passes.
$cmds = array("cat", "head", "more", "tail", "nano", "vim", "vi");
if(isset($_POST["command"])) {
    if(contains($_POST["command"], $cmds)) {
        echo "</br><p><u>Command disabled</u> to make it hard for future <b>PICKLEEEE RICCCKKKK</b>.</p><img src='assets/fail.gif'>";
    } else {
        // The raw POST value reaches the system shell unchanged.
        $output = shell_exec($_POST["command"]);
        echo "</br><pre>$output</pre>";
    }
}

?>
</div>
</body>
</html>

As far as we can see, the blacklist only blocks commands used to read files, so we can get a reverse shell without much trouble.
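To make the weakness of this check concrete, here is an added example (my own code, not part of the room or of the application above). It reproduces the room's substring blacklist to show why it fails as a control, and then contrasts it with the approach a developer should use instead: a fixed allowlist of command vectors executed without a shell. The command names in ALLOWED and the binary paths are illustrative assumptions; proc_open with an array argument requires PHP 7.4 or later.

```php
<?php
// Added example: substring blacklist (as in the room) versus a shell-free allowlist.

// The room's check, reproduced for comparison.
function contains_blacklisted(string $str, array $arr): bool
{
    foreach ($arr as $a) {
        if (stripos($str, $a) !== false) return true;
    }
    return false;
}

$blacklist = ["cat", "head", "more", "tail", "nano", "vim", "vi"];

// A substring match both over-blocks and under-blocks:
var_dump(contains_blacklisted("locate notes.txt", $blacklist)); // bool(true): "locate" contains "cat"
var_dump(contains_blacklisted("less notes.txt", $blacklist));   // bool(false): "less" was never listed

// Hardened alternative: the user picks an entry from a fixed menu; the
// mapped argument vector is the only thing that ever runs, and it is
// started directly (no /bin/sh), so shell metacharacters are irrelevant.
// Menu names and paths below are assumptions for the example.
const ALLOWED = [
    "whoami" => ["/usr/bin/whoami"],
    "uptime" => ["/usr/bin/uptime"],
    "disk"   => ["/bin/df", "-h"],
];

function run_allowed(string $choice): ?string
{
    // Exact key match: "whoami; id" is not a key, so it is rejected outright.
    if (!array_key_exists($choice, ALLOWED)) {
        return null;
    }
    $spec = [1 => ["pipe", "w"]];              // capture stdout only
    $proc = proc_open(ALLOWED[$choice], $spec, $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $out;
}

echo run_allowed("whoami");
var_dump(run_allowed("whoami; id")); // NULL: the whole string must be a menu key
```

The point for the panel above is that a blacklist has to enumerate every dangerous input, while an allowlist only has to enumerate the few inputs that are wanted; combined with starting the process without a shell, there is nothing left for the input to inject into.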

While enumerating, we find that we can execute any command as root without a password, so escalating privileges is trivial.

Finally, we can simply execute bash as root and get a privileged shell.

Time to read all flags!

I hope you enjoyed my article and found my content useful. See you in the next article.


Also known as srbleu on many platforms. I'm here to share some knowledge.