Time for a new Capture The Flag (CTF)! Pickle Rick is an easy room, but it is also the first CTF where we get no help.
Let’s see how we solve this #FromZeroToHacker challenge.
Table of contents |
Introduction |
What have I learnt today?
Stats |
Resources |
Introduction to Pickle Rick
Not our first CTF, but it is the first one where they don't hold our hand through it. Let's see what we can do!
We need to exploit a web server and find three ingredients. We just have an IP address and 3 questions. Nothing else.
Let’s go!
What have I learnt today?
Note: I wrote this writeup as I was doing the room, so it contains dead ends. I left them in because, while they yielded nothing in THIS challenge, they may in another CTF. If you only care about the answers, go to the questions in bold.
The first step to a successful attack is to enumerate the website. We can use Nmap (we haven't covered this tool yet, so I won't use it), Gobuster, Burp Suite, manual enumeration of the source code, etc.
First, let's set Gobuster looking for any directories it can find while we do a bit of manual enumeration:
Cool, we have learnt almost nothing.
In our Web Enumeration lesson, we learnt that the robots.txt file may offer us information about the website:
Cheers, just a practical joke. Or is it? I'm going to write this down, as it may be a username, a password, a filename or something like that.
Let’s visit the website:
Again, nothing to see on the page itself, but what about the source code?
In the head we see a folder, /assets, where the CSS, images and JS are stored. But at the bottom of the code there is a comment with a username: R1ckRul3s. Maybe Wubbalubbadubdub is the password? But we didn't find any login page when we ran Gobuster!
Gobuster found two folders. Let's check /assets first:
Nothing there. Let's see /server-status:
It answers 403 Forbidden. Apache's mod_status page is normally restricted to localhost, so no login will help us here. Let's try SSH with the user we have found instead:
No luck either.
I don't know what to do, so I check my Web Enumeration notes. We have tried reading the source code and using Gobuster. WPScan makes no sense, as this is not a WordPress site (no /wp-XXXX folder in the source code), so my last resort is Nikto:
Nikto saves the day! There is a login.php file that Gobuster didn't find!
Note: we ran Gobuster in directory mode without the -x flag, which takes a list of extensions (php, txt, html, …) and appends each of them to every wordlist entry, so Gobuster never tried login.php. Oops!
Let's go to the login page. It is just a form and nothing else (I checked the source code too!). Let's try the username and password we found before:
We logged in!
- The Commands tab lets us send Linux commands. We will try this later. Looking at the source code, we find some text in a comment:
I'm pretty sure this is Base64, so I decode it and get another Base64 string, so I decode that too. Guess what I got? Another Base64 string. I repeat the process about 8 times and end up with the text “a rabbit hole”. Nice. Nice and worthless.
- The Potions, Creatures and Beth Clone Notes tabs are denied unless I am the real Rick.
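Decoding the same string eight times by hand is exactly the kind of chore the terminal should do for us. The script below is an added example, not code from the writeup: it builds its own nested sample (the real comment from the portal is not reproduced here) and then peels layers until `base64 -d` refuses the input or the output stops being text, which is the signal that the innermost payload has been reached.

```shell
#!/bin/sh
# Added example, not code from the original writeup: peel an unknown number of
# base64 layers off a string until what is left no longer decodes as base64.
# The sample is constructed here by wrapping a plaintext eight times; it is
# not the exact comment found in the portal's source.

# wrap_b64 TEXT N: wrap TEXT in N layers of base64 (only used to build the sample).
wrap_b64() {
  s=$1
  i=0
  while [ "$i" -lt "$2" ]; do
    s=$(printf '%s' "$s" | base64 | tr -d '\n')
    i=$((i + 1))
  done
  printf '%s' "$s"
}

# peel_b64 STRING: decode repeatedly. Stops when base64 -d rejects the input
# (non-zero exit, its "invalid input" message sent to /dev/null), when the
# decode comes back empty, or when the decoded bytes are no longer printable
# text. Results land in two globals so the caller needs no subshell:
#   PEELED_TEXT   the innermost plaintext
#   PEELED_LAYERS how many layers were removed
peel_b64() {
  cur=$1
  PEELED_LAYERS=0
  while :; do
    next=$(printf '%s' "$cur" | base64 -d 2>/dev/null) || break
    [ -n "$next" ] || break
    if printf '%s' "$next" | LC_ALL=C grep -q '[^[:print:][:space:]]'; then
      break   # binary garbage: the previous layer was the real payload
    fi
    cur=$next
    PEELED_LAYERS=$((PEELED_LAYERS + 1))
  done
  PEELED_TEXT=$cur
}

SAMPLE=$(wrap_b64 'a rabbit hole' 8)
peel_b64 "$SAMPLE"
printf 'peeled %s layers: %s\n' "$PEELED_LAYERS" "$PEELED_TEXT"   # peeled 8 layers: a rabbit hole
```

The printable-text check matters on real CTF strings: a layer may decode to a compressed blob or an image rather than more base64, and without the check the loop would happily mangle it one step further.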
The only section we can use is the command panel unless we can find the admin user. Let’s see what we can get from the command tab.
I used the `whoami` command and found that I am the www-data user, so this is a Linux server. `pwd` tells us we are in /var/www/html, the default Apache document root (we already knew it was Apache thanks to Nikto and the .php extension of the portal URL). Let's see what we have in the current directory with `ls -la`:
Cool! The three PHP files (denied, login, portal) we have already visited, as well as robots.txt, index.html and the assets folder. SuperSecretPickleIngredient looks interesting; let's view that file:
The command panel refuses to run `cat`. Instead of blowing up my computer, I remembered that there are alternatives to `cat`, such as `bat` or `tldr`. I tried almost all of them until I found one command that wasn't disabled: `less`.
We have found the first ingredient!
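Why did `less` work when `cat` didn't? We never see the portal's source, so the script below is an added example of my own, not the room's code: a stand-in command panel that blocks `cat` by name, like the real one appears to. It shows the two reasons a denylist of command names is not a security boundary: every other file reader is simply not on the list, and the check is string matching while the shell behind it is not. The denylist, the target file and its contents are all constructed here.

```shell
#!/bin/sh
# Added example, not the room's portal code (whose source we never see): a
# stand-in for a web command panel that refuses "cat" by name, to show why a
# denylist of command names is no boundary at all. The denylist, the target
# file and its contents are all constructed here.

DENYLIST="cat"                      # hypothetical: what the stand-in refuses

TARGET=$(mktemp)                    # stands in for the ingredient file
printf 'constructed-ingredient\n' > "$TARGET"

# panel_run CMD: refuse CMD if its first word is on the denylist, otherwise
# hand the whole line to a shell, the way a naive command panel would.
panel_run() {
  first=${1%% *}                    # first whitespace-separated word
  for bad in $DENYLIST; do
    if [ "$first" = "$bad" ]; then
      printf 'command disabled\n'
      return 1
    fi
  done
  sh -c "$1"
}

# 1. The check works as advertised for the literal command name.
panel_run "cat $TARGET" || :                  # prints: command disabled
# 2. Any other reader is not on the list (the writeup's less; also head, tac, strings ...).
panel_run "head $TARGET"                      # prints: constructed-ingredient
# 3. The name check is string matching; the shell is not. Quoting or a full
#    path gives a different first word that still ends up running cat.
panel_run "c''at $TARGET"                     # prints: constructed-ingredient
panel_run "$(command -v cat) $TARGET"         # prints: constructed-ingredient
```

The lesson for the defending side is the mirror image: if a web panel must run commands at all, allowlist the exact binaries and arguments it may run and never hand user input to a shell; a list of forbidden words only documents what the author thought of.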
Now, if we read the second file, clue.txt:
I tried a lot of commands to navigate but found nothing. Finally, I craft a clever command to find ALL the .txt files: `find / -name "*.txt*" 2>/dev/null`. Clever and worthless.
I took more time than I would admit unless at gunpoint, but finally I thought: why don't I visit /home? On Linux this directory has one folder for each regular user. Lo and behold! There is a rick folder. After navigating with chained commands (for example `cd /home/rick/ && ls`) we find a file called second ingredients. Let's read it:
Our second ingredient! We are on a roll!
Nice! But now we have no clue what to do next. I had many options and none of them worked:
- Remember that we have 4 tabs in the portal that are only available if we are the admin? I tried to brute force my way in with Burp Suite Intruder. Didn't work.
- I tried to manipulate the login cookie. Didn't work.
- But I realised something: it didn't matter. It didn't matter because, checking the source code, every one of those tabs links to /denied.php:
- So yes, I lost a lot of time trying to log in as an admin. Maybe it is an option, but not for me, as I have no idea how. Maybe we should be looking elsewhere…
- Looking over on the internet, I saw a command: `sudo -l`. This lists the commands the current user is allowed to run with root privileges:
(screenshot: output of sudo -l)
We can run… all the commands????
I'm tired, and I find that the lazy way is the best way to work. Let the terminal find our third flag for us: `sudo find / -name '*.txt' 2>/dev/null`
This lists all the .txt files on the system, this time as root, so no directory is off limits. The last bit (`2>/dev/null`) gets rid of the error messages. After a few seconds of reading the long list of .txt files found on the system, we see what could be the third ingredient:
`sudo less /root/3rd.txt`
finally reveals the third ingredient 🙂
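Two things about the `find` commands above are worth seeing side by side: the first search for `*.txt` could never have found second ingredients, because that file has no extension at all, and the second search buried the answer in a long list of system text files. The script below is an added example, not from the writeup: it builds a throwaway directory tree that mirrors the three places the ingredients turned up (every path and file content is made up) and runs both styles of search over it. The root-only /root part cannot be reproduced without sudo, so permissions are not simulated.

```shell
#!/bin/sh
# Added example, not from the writeup: a constructed mini filesystem mirroring
# the three places the ingredients turned up, to show why "find / -name '*.txt'"
# returned the first and third files but never the second, and how to widen the
# search without reading thousands of system text files. Every path and file
# content here is made up; the sudo part cannot be reproduced without root.

ROOT=$(mktemp -d)
mkdir -p "$ROOT/var/www/html" "$ROOT/home/rick" "$ROOT/root" "$ROOT/usr/share/doc/pkg"
printf 'one\n'   > "$ROOT/var/www/html/Sup3rIngredient.txt"
printf 'two\n'   > "$ROOT/home/rick/second ingredients"     # no extension at all
printf 'three\n' > "$ROOT/root/3rd.txt"
printf 'noise\n' > "$ROOT/usr/share/doc/pkg/README.txt"     # a real box has thousands of these

# find_txt ROOT: the writeup's search. It matches on the file name only, so a
# file without .txt is invisible. 2>/dev/null drops the "Permission denied"
# lines an unprivileged user gets for /root, /proc and friends; the error
# stream is separate from the result stream, so the results are unaffected.
find_txt() {
  find "$1" -type f -name '*.txt' 2>/dev/null | sort
}

# find_candidates ROOT: every regular file, but with the noisy system trees
# pruned (-prune stops find from descending into them), so what is left is the
# user and web directories. Add more -path terms as the list reveals other noise.
find_candidates() {
  find "$1" \( -path "$1/usr/share" -o -path "$1/proc" -o -path "$1/sys" \) -prune \
       -o -type f -print 2>/dev/null | sort
}

echo '--- *.txt only:';        find_txt "$ROOT"          # README.txt, 3rd.txt, Sup3rIngredient.txt
echo '--- all files, pruned:'; find_candidates "$ROOT"   # Sup3rIngredient.txt, second ingredients, 3rd.txt
```

On a real target the pruned version is still long, so the usual next step is to narrow by owner or age instead of by name, for example `-user rick` or `-newer /etc/hostname`, which a CTF author's hand-placed files tend to satisfy while the distribution's files do not.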
Summary
Wow, this was a hard one. As a newbie, at least. The manual enumeration was easy; the Gobuster run didn't get me anything, as I forgot to search for .php files as well as directories. Nikto did a good job finding the login.php file where we could log in and get access to the command line.
I hit a lot of dead ends: trying to log in as admin, trying to make SSH work, I even tried to spawn a shell, trying to modify the cookie…
Luckily my notes and a lot of Google helped a lot, and I finally managed to find all three ingredients 🙂
Summary
This one was pretty close to what an (easy) CTF may look like.
Yes, they hold your hand during this room, but you see what you expect to see during a CTF attack: Enumeration, SQLi, XSS, using Burp Suite, Brute-force, null byte, etc.
Pretty fun, to be honest!
Stats
From 111.371th to 108.791th. Top 5%!
Here is also the Skill Matrix: