
Type: #TryHackMe
Links: https://tryhackme.com/room/picklerick

This room lets me start on the ‘Starter Series’ on TryHackMe, a series of beginner CTFs intended to help develop my penetration testing skills.

After starting the machine in TryHackMe, I ran Nmap with the -sV flag to enumerate the versions of the services running on the target. The scan found port 22 (SSH) running OpenSSH 7.2p2 and port 80 (HTTP) running Apache 2.4.18.


Visiting http://10.10.51.201/ showed a web page with no useful information, so I viewed the page source.


The page source revealed the username ‘R1ckRul3s’; leaving credentials in client-visible source is a common web application weakness (CWE-312: Cleartext Storage of Sensitive Information).


Before brute-forcing directories with a tool like gobuster, I checked common web files such as robots.txt to enumerate the web server further.


http://10.10.51.201/robots.txt contained ‘Wubbalubbadubdub’, which could be used alongside the username ‘R1ckRul3s’.
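The two exposures above (a credential in an HTML comment and a stray token in robots.txt) are easy to catch with a simple static check over the content a server hands to every visitor. The script below is an added example written for this post, not a tool from the room or from TryHackMe; the sample page and robots.txt are constructed here and only carry the two strings the post reports.

```python
from __future__ import annotations

import re

# Constructed sample inputs for this example (layout is made up; the two
# sensitive strings are the ones the post reports finding).
SAMPLE_HTML = """<html>
<body>
<!-- Note to self, remember username! -->
<!-- Username: R1ckRul3s -->
<p>Welcome</p>
</body>
</html>"""

SAMPLE_ROBOTS = """User-agent: *
Wubbalubbadubdub
"""

HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.S)
# Words that usually accompany a credential left in a comment.
CRED_HINT = re.compile(
    r"\b(user(name)?|pass(word|wd)?|login|cred(ential)?s?|secret|token)\b", re.I
)
# Lines a robots.txt is supposed to contain; anything else is suspicious.
ROBOTS_DIRECTIVE = re.compile(
    r"^(user-agent|disallow|allow|sitemap|crawl-delay|host)\s*:", re.I
)


def find_exposed_secrets(html: str, robots: str) -> list[tuple[str, str]]:
    """Return (kind, text) findings for credential-like content in client-visible files."""
    findings: list[tuple[str, str]] = []

    # HTML comments are invisible in the browser but shipped to every client.
    for comment in HTML_COMMENT.findall(html):
        text = comment.strip()
        if CRED_HINT.search(text):
            findings.append(("html-comment", text))

    # robots.txt should only hold directives, comments and blank lines.
    for raw in robots.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ROBOTS_DIRECTIVE.match(line):
            continue
        findings.append(("robots-stray", line))

    return findings


if __name__ == "__main__":
    for kind, text in find_exposed_secrets(SAMPLE_HTML, SAMPLE_ROBOTS):
        print(f"{kind}: {text}")
```

Run against real content by fetching the page source and robots.txt and passing the bodies in; a clean result from a test like this is a cheap release gate, since nothing that reaches `find_exposed_secrets` was ever meant to be secret from the client anyway.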

I attempted to log in to the SSH server on port 22 using these credentials but was denied, so more enumeration of the web server was needed.


A gobuster scan quickly revealed /assets; visiting http://10.10.51.201/assets/ shows a number of files.


These credentials can be used on the login page at http://10.10.51.201/login.php.


The credentials authenticate successfully and redirect to http://10.10.51.201/portal.php, which has an input box that executes commands.


Using ‘ls’ to list the directory contents shows ‘Sup3rS3cretPickl3Ingred.txt’; at this point the ‘cat’ command is blocked.
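The portal's design flaw is worth spelling out: it filters a word (‘cat’) and then passes whatever survives to a shell, which is why blocking one command did not stop the rest of this writeup. The example below is added here and is not the room's portal.php; it contrasts that blocklist-in-front-of-a-shell pattern with an allowlist that maps user text to a fixed argv and never invokes a shell. The room's page is PHP, but the illustration is in Python, and the web root path is an assumption made up for the example.

```python
from __future__ import annotations

import re
import subprocess
from pathlib import PurePosixPath

# Assumed web root for the illustration (hypothetical path, not from the room).
BASE_DIR = PurePosixPath("/var/www/html")

# --- Vulnerable pattern: a blocklist in front of a shell -------------------
# Mirrors the behaviour the post reports: "cat" is refused, everything else
# is handed to /bin/sh exactly as typed.
BLOCKED_WORDS = {"cat"}


def blocklist_allows(user_input: str) -> bool:
    return not any(word in user_input for word in BLOCKED_WORDS)


def run_with_blocklist(user_input: str) -> str:
    if not blocklist_allows(user_input):
        return "command disabled"
    # shell=True means the shell parses the string: every command the
    # blocklist does not name, and every shell operator that chains further
    # commands, runs with the web server's privileges.
    return subprocess.run(user_input, shell=True, capture_output=True, text=True).stdout


# --- Hardened pattern: allowlist plus argv, no shell ----------------------
SAFE_ARG = re.compile(r"^[A-Za-z0-9_.-]+$")  # one path component, no slashes


def build_argv(user_input: str) -> list[str] | None:
    """Map user text to a fixed argv, or None if it is not an allowed request."""
    parts = user_input.strip().split()
    if not parts:
        return None
    cmd, args = parts[0], parts[1:]
    if cmd == "whoami" and not args:
        return ["whoami"]
    if cmd == "ls" and len(args) <= 1:
        if not args:
            return ["ls", "-la", str(BASE_DIR)]
        # A single validated component under the web root; ".." is refused.
        if SAFE_ARG.match(args[0]) and args[0] != "..":
            return ["ls", "-la", str(BASE_DIR / args[0])]
    return None


def run_hardened(user_input: str) -> str:
    argv = build_argv(user_input)
    if argv is None:
        return "command not permitted"
    # No shell is involved: argv goes straight to execve, so nothing in the
    # input is interpreted, and only the two listed programs can ever run.
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    for attempt in ["ls", "ls assets", "cat flag.txt", "ls; whoami"]:
        print(f"{attempt!r:18} -> {build_argv(attempt)}")
```

The difference shows in the last two lines of the usage loop: the blocklist version decides by substring, so only the named word is stopped, while `build_argv` decides by exact match on a small vocabulary, so anything outside it is rejected before a process is ever spawned. If a feature genuinely needs a shell-like interface, the right fix is to remove the feature, not to grow the blocklist.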


To attempt to gain a foothold, I opened https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet and started a listener on port 4444.


To start, I tried a Perl reverse shell.


The initial attempts at gaining a reverse shell did not work, so instead I used a reverse shell from https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md


This resulted in a reverse shell, after which I could start retrieving the flags for the CTF. The second ingredient is found in /home/rick, which also confirms that a rick user exists. The final flag likely requires additional privileges.

Using sudo -l displays that www-data can run any command without a password.


Running “sudo su” gives root access, which can be confirmed with the “whoami” command. The third flag is in /root.
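The escalation works only because the web server's account holds an unrestricted, password-less sudo rule, the kind of entry a configuration audit should flag before an attacker finds it with sudo -l. The checker below is an added example for this post, not part of the room; it parses sudoers-format rules (not the output of sudo -l) and the excerpt it runs on is constructed here, with a www-data line written to match the grant the post describes.

```python
from __future__ import annotations

import re

# Constructed /etc/sudoers excerpt for this example (not the room's file).
SAMPLE_SUDOERS = """# constructed excerpt
Defaults env_reset
root     ALL=(ALL:ALL) ALL
%sudo    ALL=(ALL:ALL) ALL
www-data ALL=(ALL) NOPASSWD: ALL
backup   ALL=(root) NOPASSWD: /usr/bin/rsync
"""

# user  host=(runas) TAG: command   (the common sudoers rule shape)
SUDOERS_RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*"
    r"(\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:\w+:\s*)*)"
    r"(?P<cmds>.+)$"
)

# Accounts that run network-facing daemons and should never hold sudo rights.
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "nobody", "mysql", "postgres"}


def audit_sudoers(text: str) -> list[dict]:
    """Return one finding per risky rule, most severe conditions first."""
    findings: list[dict] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = SUDOERS_RULE.match(line)
        if not m:
            continue  # aliases and unusual syntax are out of scope here
        who = m.group("who")
        tags = (m.group("tags") or "").upper()
        cmds = m.group("cmds").strip()
        nopasswd = "NOPASSWD:" in tags
        all_cmds = cmds.upper() == "ALL"

        if who in SERVICE_ACCOUNTS and all_cmds:
            severity = "critical"  # daemon account can become root (the post's case)
        elif nopasswd and all_cmds:
            severity = "high"      # any shell as this user is already root
        elif nopasswd:
            severity = "medium"    # scoped, but no second factor for the command
        else:
            continue               # password-gated rules are normal
        findings.append(
            {"user": who, "nopasswd": nopasswd, "commands": cmds, "severity": severity}
        )
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{f['severity']}] {f['user']}: NOPASSWD={f['nopasswd']} cmds={f['commands']}")
```

On a real host, feed it `/etc/sudoers` and each file under `/etc/sudoers.d/`; a "critical" result for an account like www-data means a web-application bug anywhere on that server is also a root compromise, exactly the chain this room demonstrates.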

This was a fairly easy CTF: the foothold came from credentials stored in cleartext (CWE-312), which gave access to /portal.php, where a vulnerable command input box led to a reverse shell, and the unrestricted sudo permissions granted to www-data allowed privilege escalation.
