Pickle Rick (Tryhackme)
After hitting the deploy button we now have our IP address.
We see that this challenge is focused on finding vulnerabilities in a web server.
Let’s run nmap, nikto, and dirbuster to see what we find…
Executing nmap, we see that there are two port open – 22 (ssh), and 80 (http).
Moving on to nikto…
Running nikto we see that there is an login php file which is interested.
Finally, let’s look at dirbuster.
With dirbuster we have an access directory, as well as an index.html, and robots.txt file (both returning a 200 which is good). We also have a server-status which is returning a forbidden http code of 403.
We’ve done basic enumeration let’s move to the web app and see if we can find more clues.
Let’s answer the first question.
Success! We’re in the application.
Let’s run the ls (listing) command with the options of all and long listing and see what we have.
Also notice that the directory shows the asset directory that we found in dirbuster. Navigating to that webpage we see the following
The directory have gifs and jpgs, nothing of importance to solve the challenge.
We know this application is vulnerable to command injection, let’s see if we can perform a directory traversal to view other parts of the application. Going back to the directory listing we notice there’s a clue.txt file. Opening the file we see the following
In the above command we’re doing a directory traversal to move up to the root directory, list all of the files in long form (ls -al), and print the working directory to make sure we’re in the correct folder (pwd). Doing this we get the below screenshot.
We’re viewing the root level directory, so our command(s) were a success! We notice a lot of folders, but at this time two are useful for us. The first is home, which in every Linux system ever user has a home directory. The second is root (admin/super user) which can only be accessed through the admin. We’ll come back to root later. Let’s see if we can navigate to the home directory.
Executing the command above, we’re now in the /home directory! We notice there are two folders, rick and Ubuntu. The Ubuntu folder is from the operating system. Let’s explore the rick folder and see what we can find.
Changing to the rick directory we see the second ingredient!
Using the less command we open the second ingredient. Note: The filename is in quotations due to spacing. Without the quotations Linux would interpret the second in second ingredients.
We now have our second ingredient, let’s answer the final question.
Remember in the beginning of this walkthrough, I mentioned that another folder – root is of particular interest to us and only the admin or superuser is the only user to access this folder. Let’s see if we can elevate our privileges to the admin and view this folder.
Before we can access this folder, let’s run the sudo -l command to see what privileges we have on this box.
Executing this command we see that we can execute ANY command on this box WITHOUT a password (ALL NOPASSWD: ALL). This surely is NOT good security! Let’s use the sudo command with the listing (ls) with the root folder and see what we can find.
Executing the command, we see that there are two files in the /root folder. One of them is named 3rd.txt. Could this be our third ingredient? Let’s see.
Executing the sudo command in conjunction with the less command on the 3rd.txt file, we see that we do indeed have the third and final ingredient.
Challenge solved!
Last updated