Helping Rick find his ingredients: PICKLE RICK CTF

Hello Hackers, 

Today we are going to solve the challenge PICKLE RICK by TRYHACKME.


So the story goes like this:

Our friend Rick has turned into Pickle [Really don't know how he ended up being a Pickle :P] and our goal is to find him 3 Secret ingredients so that he can go back to his original form.


Let's jump into the CTF.

First things first 

CONNECT TO OPENVPN & DEPLOY THE MACHINE😂





We'll see this page as we put the IP address into our browser.


REMEMBER: Whenever you visit a webpage, don't forget to check the source code. Sometimes, developers leave sensitive information such as credentials in the form of comments.


You can either do Right-Click --> View page source or press Ctrl+u.



You'll see that the username is leaked in the source code of that page!


Now let's try to scan the ports and see if we find something interesting.



Command used: nmap -sV -A -T5 {ip}


You'll see that ports  22 & 80 are open.

Wait, can the username be for the ssh service?

Let's try it out.

Type ssh {username}@{ip}

You'll see that actually, it was not for ssh.

No worries, let's try to carry out directory brute force.


The tool used: ffuf
Command used: ffuf -w {path to wordlist} -u http://{ip}/FUZZ -mc 200,301

You can use any other tool such as Gobuster, dirb, etc.

We see that there are 3 directories available that are accessible.
Let's have a look at them 

The index page is the same as the homepage that we saw.

Robots.txt


As you can see, that's surely not a normal robots.txt file because generally, it contains instructions for the pages that web crawlers are not allowed to crawl. This leads us to think that it might be the password!

Now we have the username as well as the password which makes it evident that there must be a login panel where we could put these credentials.

Let's check out the assets directory first and see if we find something interesting.

Nothing interesting in here :(

Coming back to the credentials, let's make some educated guesses about the name of the login panel.
It can be either login.html, sign in, admin.html, login.aspx, login.php etc.

You'll see that login.php is a correct guess.





Login by putting in the credentials.

You'll see a page like so.


Our NMAP results revealed that the webserver was Linux-based.

Let's try to execute some Linux commands.

Command used: ls



You'll see that there's a file named Sup3rS3cretPickl3Ingred.txt
 

Also, we have our assets directory here as well which means that our file is in the same directory as assets. So we put /Sup3rS3cretPickl3Ingred.txt after our IP address in the browser. 


Kudos! We just found out the first element.

Now, we also saw that there was a clue.txt file in the directory at the time of the ls command.

Let's open that up.

    



Well, we know what to do now. Looking in other directories!


Command used: pwd

So we're in the /var/www/html directory as of now.

Let's jump back to the main directory.

Command used: cd ../../../; ls


The ; is used to separate the two commands.

Let's move to the /home directory and see what's inside.

Command used: cd ../../../ ; cd /home ; ls




You'll see two directories. Rick and Ubuntu.

Let's see what's inside the Rick directory.

Command used: cd ../../../ ; cd /home/rick ; ls 


That's the file containing the second ingredient!

Unfortunately, the cat command is blocked :(

Don't worry just take the help of your friend GOOGLE.



We can make use of less command to fulfill our purpose.

Command used: cd ../../../ ; cd /home ; cd rick; less "second ingredients"



And there you have it! The second ingredient!


Let's hunt down the last ingredients as well. For this, you'll have to visit the root directory.

Type cd ../../../;  ls /root


That's what you'll see... An empty box!

Well since we're dealing with root, why not try sudo!

Command used: cd ../../../; sudo ls /root

You guessed it right! Our answer is in the 3rd.txt file.

Command used: cd ../../../ ; sudo less /root/3rd.txt




And that's it!


Congratulations! We've found all the three ingredients🎉

I hope Rick gets back to his original form soon. Until then cya!


Key Takeaways:

  • Have a habit of looking at the source code of the web pages.
  • Never miss out on making educated guesses.
  • Look for alternate commands if a particular command is blocked.


P.S Apologies for the blurry images😔. However, I hope that the content covered that up😄


If you like the content then do consider connecting with me and pour your knowledge into my DM!!😇

Instagram: bhavak_29

LinkedIn: https://www.linkedin.com/in/bhavak-kotak-3b6b071b1/

DO NOT FORGET TO CHECK OUT TRYHACKME FOR MORE INTERESTING ROOMS.


Comments

Post a Comment

Popular posts from this blog

Defeating RootME

Image
Hello hackers, Recently I started practicing on  Tryhackme  and came across this easy yet interesting machine named RootME by  ReddyyZ . I strongly recommend the beginners to try this machine out as it would clear the following several concepts of yours one of them being how to bypass file upload functionality and gain a reverse shell on the target system. Not only that, but you'll also have a basic idea about how privilege escalation works. So without taking up any more time of yours, let's jump into the walkthrough.                                                                                        : TASK 1 : Deploying the machine😅 While some of you might think what madness this is we already know that!! My dear friend, you're free to skip this portion then😊😌. Step 1: Connect to OpenVPN [Check the OpenVPN room so that you have an idea] Command used: openvpn {your openvpn file}   Step 2: Click on Start Machine or Start Attack Box. [ I think you can do this:) ] Step
Read more

TCS HACKQUEST PLAYGROUND WALKTHROUGH

Image
Hello Hackers! I hope you're doing well. This blog is a part of KeyCybr Internship. Recently I came across the TCS Hackquest Playground, and here I'll be giving an insight into the solution for the same. The link to register for the same is  https://play.tcshackquest.com/register   This playground is like a warm-up before the actual TCS Hackquest, which is probably scheduled for January 2022. Let's dive into the challenges. Challenge 1: Time to play with J.S.   As you click on "Link here" you'll be redirected to a page that looks like  You'll have to enter the value here to get the flag. Now, since there's nothing visible on the page, the fundamental thing that should strike you must be viewing the page source! As you visit the page source, you'll see The variable contains a base 64 string. On decoding it with the base 64 decoder You'll get submitthis: {text_to_be_submitted} As you submit the text and click on Retrieve the Flag, you'll rece
Read more

OWASP TOP 10 Explained

Image
  Hello World! Through this write-up, I’ll try to educate you about OWASP and the OWASP top 10 Vulnerabilities for Web Applications. What is OWASP? OWASP stands for O pen W eb A pplication S ecurity P roject. What does OWASP do? The Internet has connected almost everything to the online world. From making a call to sending messages, making payments, sharing stories, making groups, creating a thread on any topic, and having opinions from various people across the globe and what not! The Internet has made the world a very small place it seems! Now, when you’re spending so much of your time on the internet, it's obvious that your data goes online wherever you sign up. Being a citizen of the modern world, every person who is connected to the internet must know that their data is their ultimate strength and weakness. If in the wrong hands, your data can be used in a way that you cannot even imagine in the wildest of your dreams! Moreover, the recent data breaches and cyber-attacks
Read more