Day 041 #FromZeroToHacker – Pickle Rick Writeup

Time for a new Capture The Flag (CTF)! Pickle Rick is an easy room, but it is also the first CTF where we get no help.

Let’s see how we solve this #FromZeroToHacker challenge.

Table of contents
Introduction
What I have learnt today?
Stats
Resources

Introduction to Pickle Rick

Not our first CTF but it is the first one where they don’t hold our hand through it. Let’s see what we can do!

Pickle rick logo

We need to exploit a web server and find three ingredients. We just have an IP address and 3 questions. Nothing else.

Let’s go!

What I have learnt today?

Note: I wrote this writeup as I was doing the room, so it may contain dead ends from trying things. I left them in because, while they didn’t yield any result in THIS challenge, they may in other CTFs. If you only care about the answers, go to the questions in bold.

The first step to a successful attack is to enumerate the website. We can use Nmap (we haven’t seen this tool yet so I won’t use it), Gobuster, Burp Suite, manual enumeration reading the code, etc.

First, let’s set Gobuster looking for any directories it can find while we do a bit of manual enumeration:

Gobuster DIR
Gobuster DNS

Cool, we have learnt almost nothing.

In our Web Enumeration lesson, we learnt that the robots.txt file may offer us information about the website:

Robots.txt file

Cheers, just a practical joke. Or is it? I’m going to write this down, as it may be a username, password, filename or something like that.

Let’s visit the website:

Main page

Again, nothing to see. Not on the page, but what about the source code?

Main page source code

In the head, we see that there is a folder, /assets, where our CSS, images and .JS files are stored. But if you look at the bottom of the code, there is a comment with a username: R1ckRul3s. Maybe Wubbalubbadubdub is the password? But we didn’t find any login page when we ran Gobuster!

Gobuster found two folders: Let’s check the folder /assets:

assets folder

Nothing there. Let’s see /server-status:

server status folder

Seems like we could access this, but we need to log in first. Let’s try SSH with the user we have found:

SSH try

Neither.

I don’t know what to do, so I check my Web Enumeration notes. We have tried reading the source code and using Gobuster. WPScan makes no sense, as this is not a WordPress site (no /wp-XXXX folder on the Source code), so my last resort is using Nikto:

Nikto login file

Nikto saves the day! There is a login.php file that Gobuster didn’t find!

Note: We used Gobuster to find FOLDERS only, instead of setting the -x flag that also looks for file extensions. Oops!

Let’s go to the login page. It is just a form and nothing else (I have checked the Source Code too!). Let’s try the username and password we have found before:

Login page
Logged in

We logged in!

  • The Commands tab lets us send Linux commands. We will try this later. Looking at the source code, we found some text in a comment:
Commands tab comment text

I’m pretty sure this is a Base64 string, so I decode it. I get another Base64 string, so I decode it. Guess what I got? Another Base64 string. I repeat the process about 8 times to end up with just the text “a rabbit hole”. Nice. Nice and worthless.
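Instead of pasting the comment into an online decoder eight times, the layers can be peeled automatically. This is an added example, not code from the original post; the encoded sample below is constructed here (the room’s real comment string is not reproduced) and the regex-based “is this still Base64?” check is an assumption about when to stop:

```python
import base64
import binascii
import re
from typing import Tuple

def wrap(text: str, layers: int) -> str:
    """Wrap text in the given number of Base64 layers (used to build the sample)."""
    data = text.encode()
    for _ in range(layers):
        data = base64.b64encode(data)
    return data.decode()

# Constructed sample: the rabbit-hole phrase under eight layers of Base64,
# mimicking the comment found in the Commands tab.
SAMPLE_COMMENT = wrap("a rabbit hole", 8)

# A Base64 string uses only this alphabet and ends in at most two '=' pads.
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def peel_base64(blob: str, max_layers: int = 32) -> Tuple[str, int]:
    """Decode nested Base64 until the result no longer looks like Base64.

    Returns (innermost text, number of layers removed). max_layers is a
    safety stop so a genuinely endless rabbit hole cannot loop forever.
    Caveat: a plaintext that happens to look like Base64 (e.g. "abcd") would
    be decoded one step too far, so check the result by eye.
    """
    current = blob.strip()
    layers = 0
    while layers < max_layers:
        # Stop on non-Base64 characters or a length that cannot be Base64.
        if not _B64_RE.fullmatch(current) or len(current) % 4:
            break
        try:
            decoded = base64.b64decode(current, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            break  # decoded bytes are not text: we have reached the bottom
        current = decoded.strip()
        layers += 1
    return current, layers

if __name__ == "__main__":
    text, depth = peel_base64(SAMPLE_COMMENT)
    print(f"{depth} layers removed, innermost text: {text!r}")
```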

  • The Potions, Creatures, Potions and Beth Clone notes tabs are denied unless I am the Real Rick.

The only section we can use is the command panel unless we can find the admin user. Let’s see what we can get from the command tab.

I used the whoami command and found that I am the www-data user. Cool, so I’m in a Linux server. pwd tells us we are in /var/www/html, so this is an Apache server (we already knew that thanks to Nikto and the extension of the portal URL). Let’s see what we have in the current directory with ls -la:

Listing files

Cool! We have already visited the three PHP files (denied, login, portal), as well as the robots.txt file, index.html and the assets folder. SuperSecretPickleIngredient looks interesting, let’s view that file:

Command disabled

As a normal user, the cat command is disabled. Instead of blowing up my computer, I remembered that there are alternatives to cat such as bat or tldr. I tried almost all of them until I found one command that wasn’t disabled: less.

First Ingredient

We have found the first ingredient!
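The command panel refuses cat but lets less (and later a chained cd … && ls) through, which is the classic weakness of a denylist. As an added example, not code from the room or from TryHackMe, here is a small Python model of that behaviour next to the allowlist check a defender would want instead; the page does not show the portal’s filter code, so both command sets are assumptions:

```python
import shlex

# Assumed denylist, modelled on what the page observes: cat is refused.
DENIED_COMMANDS = {"cat", "head", "more", "tail"}

# Allowlist alternative: only these harmless commands ever reach the shell.
ALLOWED_COMMANDS = {"whoami", "pwd", "ls"}

# Shell operators that chain commands or redirect output; an allowlist
# filter must refuse them, otherwise "ls && anything" slips through.
SHELL_OPERATORS = ("&&", "||", ";", "|", ">", "<", "`", "$(")

def denylist_accepts(command_line: str) -> bool:
    """Denylist filter: reject only when the first word is a known reader.

    Anything not on the list (less, sudo, chained commands) is accepted,
    which is exactly how the portal on this page behaves.
    """
    try:
        first = shlex.split(command_line)[0]
    except (ValueError, IndexError):
        return False  # unparsable or empty input is refused
    return first not in DENIED_COMMANDS

def allowlist_accepts(command_line: str) -> bool:
    """Allowlist filter: the command must be on the list and must not use
    any shell operator, so the filter cannot be sidestepped by chaining."""
    if any(op in command_line for op in SHELL_OPERATORS):
        return False
    try:
        words = shlex.split(command_line)
    except ValueError:
        return False
    return bool(words) and words[0] in ALLOWED_COMMANDS
```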

Now, if we read the second file, clue.txt:

Clue

I tried a lot of commands to navigate but I found nothing. Finally, I crafted a clever command to find ALL the .txt files: find / -name "*.txt*" 2>/dev/null. Clever and worthless.

I took more time than I would admit unless I’m at gunpoint, but finally, I thought: Why don’t I visit /home? This directory has one folder for each registered user in a Linux OS. Lo and behold! There is a rick folder. After navigating using commands (we have to chain them, for example: cd /home/rick/ && ls) we found a file called second ingredients. Let’s read it:

Second Ingredient

Our second ingredient! We are on a roll!

Nice! But now we have no clue what to do next. I had so many options and none of them worked:

  • Remember that we have 4 tabs in the portal that are only available if we are the admin? I tried to brute force my way in with Burp Suite Intruder. Didn’t work.
  • I tried to manipulate the login Cookie. Didn’t work.
  • But I realised something: It didn’t matter. It didn’t matter because, checking the source code, each tag points to the /denied.php link:
Navigation
  • So yes, I lost a lot of time trying to log in as an admin. Maybe it is an option, but not for me as I have no idea. Maybe we should be looking elsewhere…
  • Looking around on the internet, I saw a command: sudo -l. This lists all the commands the current user is allowed to run with root privileges:
    sudo -l output

We can run… all the commands????

I’m tired and I find that the lazy way is the best way to work. Let the terminal work for us to find our third flag: sudo find / -name '*.txt' 2>/dev/null

This lists all the .txt files in the system. The last bit gets rid of the error messages. After a few seconds of reading the long list of .txt files found in the system, we found what could be the third ingredient:

Third ingredient

sudo less /root/3rd.txt reveals the third ingredient finally 🙂

Summary

Wow, this was a hard one. As a newbie, at least. The manual enumeration was easy, the one using Gobuster didn’t get me anything as I forgot to search for .php files instead of directories. Nikto did a good job finding the portal.php file where we could log in and have access to the command line.

I hit a lot of dead ends: trying to log in as admin, trying to make SSH work, I even tried to create a shell, trying to modify the Cookie…

Luckily my notes and a lot of Google helped a lot, and I finally managed to find all three ingredients 🙂

Summary

This one was pretty close to what a CTF (an easy one) may look like.

Yes, they hold your hand during this room, but you see what you expect to see during a CTF attack: enumeration, SQLi, XSS, using Burp Suite, brute-force, null byte, etc.

Pretty fun, to be honest!

Stats

From 111.371th to 108.791th. Top 5%!

Here is also the Skill Matrix:

Skills Matrix

Resources

Path: Web Fundamentals

Introduction to Web Hacking

TryHackMe: Pickle Rick

Other resources

Web Enumeration
Base64 Decode Online