Hello everyone, my name is John Hammond, and in this video I want to showcase the Pickle Rick CTF from tryhackme.com. So I'll hop on over to my screen and we'll get to the good stuff.

This is the Pickle Rick room. It says: "A Rick and Morty CTF. Help Rick turn back into a human." I've joined the room here and we can start to roll through. I'm gonna go ahead and deploy the machine: "Deploy the virtual machine on this task and explore the web application." So I will fire up a terminal here so I can move into the tryhackme directory there, and I will sudo openvpn John Hammond YT; that is the account that I'm using for this one. This is a free room, so I believe anyone, even if you're not a subscriber, should be able to access it.

Let me make a directory for YT, Pickle Rick. All right, there we go, Pickle Rick, and let's get a readme file going just so we can have a space to take notes and throw stuff in. And I'll also go ahead and make an nmap directory so I can nmap the box. I will run nmap -sC -oN nmap/initial, and let's grab the IP address now that that should be spun up. Let me go ahead and ping this box. Yep, okay, it looks like it's good. Fire up that nmap scan. While that's going we can start to build out our notes. I'll export the IP address so we can save that as a variable for the future.

Let's do task one. Let's actually make a spot for nmap results, because I just kind of throw stuff in even though I already have specific files; might as well. Looks like there are only three questions in this room: What is the first ingredient that Rick needs? Okay. Second and final; that's it. So we're just trying to find pieces of the puzzle here. There we go, and let's see what we got. So SSH is open, 80 is open on the web page. Okay, and it says "Rick is super cool." Looks like that's it. Okay, let me copy that export command so I can work with that. I'll do the same down here, and because I know that 80 is running,
I will fire up a little Nikto scan, and I'll tee the results to nikto.log. That can go, and let's go check some things out. We can poke around; we could try and brute force SSH with Hydra. That would be a little lame because we don't exactly know where we're going yet, so let's just grab the IP address and go interact with the website. It says: "Help Morty! I need your help. I've turned myself into a pickle again and this time I can't change back. I need my password. I don't know what it was. Help, Morty, help!" So there's not a whole lot going on on this page. Let's go check it out; view the source here.

It looks like we have this image. We might be able to download this image and maybe check it in case there are any strings in there or things that they might be trying to hide from us. But I do see this giant gaping HTML comment. It says: note to self, remember the username. username equals Rick rules. Okay, so now we have a little bit of an inclination where maybe we could go with this, if you wanted to use Hydra and brute force this Rick rules username with some passwords to try and beat up SSH and maybe potentially log in.

For other enumeration we could be running gobuster, or we could be running Nikto as we're doing now. So now that I mentioned gobuster, let's actually go ahead and slap that in, get some enumeration going in the background. So I will use gobuster, and it needs a URL, so our IP address. We'll use the wordlist... rockyou? I think my face is in the way. No, we don't want to use rockyou because we're not cracking passwords. We will use the directory listing that would come with DirBuster, and I'm actually going to specify -x to specify some file extensions that I might want to look for. I'll look for PHP.
I'll look for SH, TXT, CGI. I like to use SH and CGI in case there's any Shellshock stuff or some of the things that might be running. Obviously HTML, JSS, excuse me, JS for JavaScript, CSS, maybe Python files too, just... may as well. And it found index.html; that's good, that's where we already are.

Let's go check out that robots.txt, because I saw that Nikto said robots.txt was retrieved but it does not contain any disallow entries, which is strange. Okay, let's go check out our robots.txt, and it says "Wubba lubba dub dub." So perfect, let's save that in our notes, and we also have that thing as well. Maybe that Wubba lubba dub dub might be something; if it's there, it's probably there for a reason, right?

Our other gobuster scan found a login.php. Okay, so assets, portal.php. It looks like that has a status 302, so we might not be able to access that just yet, but it seems to exist. So let's hop on to go check those out. I'll go to portal.php. Oh, looks like we need to log in first, so it redirected me to login. Login has this image and a username and login. So the only pieces of information that we have thus far are this username Rick rules and whatever this string is, Wubba lubba dub dub, obviously the Rick and Morty reference, but maybe that's a password. We could try to log in. Okay, looks like it logged in. No, I don't want to add that to LastPass, thank you.

So seemingly a command panel: we execute a command. What else is in here? "Only the real Rick can view this page." Potions, creatures, Beth clone. Okay, so we can't do anything with that seemingly. Let's go poke around this command panel and let our other things run in the background. So I will run ls. A Pickle Ingred.txt; let's see what that is. I cat that out, please. "No, command disabled to make it hard for future Pickle Rick." What? Okay, what else do we have here? cd? There's clue.txt; I can't cat out clue. Can I just not cat out something that is a text file? Or... okay, I can't seem to run the command.
Well, what can I run? Um, dir? Works. Yep. Can I head clue.txt? That's also disabled. Well, that's annoying. Okay, please stop losing my page when I hit the back button. So we know we seemingly can't run cat, and I bumped around this for a little bit of time. I was like, what can I do to read files? I like to use mapfile as one technique, but since that seemingly doesn't work in our case, we could echo something, the output of clue.txt. Maybe; can we run echo? That doesn't seem to work for me. How about while read line? I can't run cat, so: while read line; do echo line... while read... no, what am I doing? while read line; do echo $line; done, that reads in from clue.txt. Does that work? Oh, okay, excellent, it does. So that works.

One other technique that I thought of using was using grep, and grep capital R is really nice because it can work recursively. So this is gonna be a mess; I'm gonna like get the results of every file in the actual file system. Or we could actually just try grep on that clue.txt and match anything, match any characters. Does that work? grep clue.txt period; or is it pattern first? grep period and then clue.txt as the file name. Yeah, that's okay.
So grep, the pattern you're looking for, and I'm using a period for the regular expression "anything", and I'm also gonna be using that file name. We could use that grep -R and search for the anything, and that will return all of the files in this folder, which looks a little messy, but if we go check out the source code we can probably make sense of it, because it thankfully will showcase the lines that we're reading. So this will actually let us see the source code as well, because we're just catting out, not really, but using grep or using that while read technique to read a file. I like the while read technique because those are all builtins: while is a builtin, read is a builtin, echo is a builtin. So that technique might be useful in other situations even more than this.

But it looks like we can see that PHP code. So we found robots.txt, found our denied page, found the index, oh and also found the login page. That's kind of cool. Okay, so it's verifying the credentials that we found. What else do we have? Okay, "super secret ingredient number one is Mr. Meeseek hair." Cool. "Look around the file system for the other ingredients." That's our clue. We could navigate, move stuff around, but oh, this is a portal page, and that will check with the contains function if we have some string inside of another string, some of the commands here. Okay, so it looks like we have a blacklist in place for commands that we can run or can't run: cat, head, more, tail, nano, vim and vi. That's not a lot. That's not a lot of commands. That actually gives us a lot of options, right? So we also have some base64 string. What is this?
Let's try this. Let's make Nikto go away. For those of you that have already completed this room, you might already know what this is, and I'm just gonna showcase it for completeness' sake and being thorough. But it looks like it's nested base64, like recursive base64. So I keep adding on a base64 -d over and over and over again, and you're seeing the output is base64. It's also seeing some other missteps, but I will base64 -d repeatedly, repeatedly, repeatedly until I get the answer: "rabbit hole," which is a little mean. I spent all that time and we wasted it. Okay, so that's it; there's no real results to get from that.

But we know we have command execution, we know we have a blacklist for commands that we can't work with, and we've found our way to mitigate not being able to run cat: we can still read files with that while read line technique, and we can use grep. So now we want to probably leverage this more so we can actually move around the file system in a sane way, not just through this stupid web interface. So let's try and get a reverse shell.

Let's see if we have netcat. I think that's a fine option. If we use netcat -h, maybe... it doesn't seem to run. netcat --version? I don't seem to get any command output from that, so maybe that's not actually there. Nope. Oh, "cat" is in that name, so that's just going to yell at it, and I keep hitting the back button. So what could we do to get a reverse shell? We could try to use Python. I'm just gonna verify that we actually have Python working, whether or not it's Python 2 or Python 3. So if I print out with just regular python, that doesn't work for me. I could specify python3, and that looks like it does get some output for me. So what we could do is we could use the pentestmonkey reverse shell cheat sheet, and we could just modify the Python one-liner that we have to go ahead and give us a shell, by using not just python as a command but python3, if I add that in there.
So I am going to need to, I guess, modify this to get our IP address. So I do actually need that terminal. What is my current IP address? 10 0 8 9 1 12, weird oddball. And let's use a port 9999, or quad 9, and let's use python3. So let's close that shell out and get back to a regular shell, and let's nc -lnvp 9999, and now we can go try and go execute that command, because we know that python3 should work for us. So if I execute... looks like that's not responding; it's probably executing it, and we have a shell. Excellent. Okay.

So this is kind of a crappy shell, just as we normally get when we run like netcat reverse shells: we don't have our tab autocomplete or up and down command history or left and right arrow keys, so it's very, very frustrating, and we could accidentally Ctrl-C. So I've showcased in other videos the stabilized shell technique using python -c with pty, and creating it with stty raw -echo and exporting the TERM environment variable. So I actually do that with my Poor Man's Pentest project. If you haven't seen that, it might come in handy. Poor Man's Pentest, that's in my GitHub. It's just using quake to send some keys that could automate the process of your interaction on a web shell or on a reverse shell, and even upload and download files, etc., etc. So I'm gonna actually use quake, and I will run my stabilize shell 3 script, because if I actually check out what that is, stabilize shell 3, let's go ahead and subl that so you can see what that source code looks like. I just use python3 to run the pty and make my terminal in raw mode and turn off echo so I get a stable shell. It's just an automated way so I don't have to type it and mistype it all the time like I do. And we know that it's going to be using python3 because we just tested; python as a command itself doesn't really seem to be on the box. So let's go ahead and do that. Let's go ahead and run the stabilized shell, which is in my PATH,
so I don't need the ./. stabilize shell 3, and okay, now we have a stable www-data. This is also handy because we could actually use some of the other upload file functionalities. So I don't have netcat... do I actually have netcat? Did it just not want to work for me? Yeah, it does. Whatever. Okay, so let's go ahead and use some of the functionality that we have built out to upload LinPEAS, and then I'll go ahead and put it in /dev/shm, kind of a hidden directory. So if I wanted to do my enumeration I don't have to deal with creating the socket or netcatting things and doing it; it's just kind of finding my IP address and all that crap. It'll just get LinPEAS, or whatever file I really wanted, to the box as fast as I can. So pretty helpful for King of the Hill stuff as well.

Scrolling through this we found some interesting information: www-data may run the following commands, everything, as sudo without a password. So we could just as easily sudo bash and be root, and that's it. Okay, now we've owned the box; we've owned that machine. So what else are we looking for? Well, in the home directory of root, looks like we found our third ingredient. That's that. Let's go ahead and, I guess, go submit that; nothing to stop us. Oh, and I never added the Mr. Meeseek hair. Is that right? Yeah, cool. What else do we have here? What else could we find for that second argument? It looks like it's in rick's, maybe. "second ingredients." Yeah, cat that out: 1 jerry tear. And just like that,
we finished the room and owned that box. So to recap: just some command injection to the web page, some robots.txt to find stuff, some DirBuster with PHP extensions to find our login. The command injection didn't allow us to run common commands like cat because it had a blacklist going. We can still evade that. My builtin technique that I really like is a while read line, echo things out, and redirect into it. That is helpful because even in a command shell where you don't have grep, that would work, because those are all builtin commands. We used grep to work because we can read out all the files nice and easily, find the source code, know that blacklist, and then we were able to determine, okay, what can we use in this machine to get a reverse shell? Python; python3 in this case. You just need to add that three there because Python is still on the box, but not as just the flat, regular python command. Use python3, get our reverse shell. I like to use my Poor Man's Pentest project because it just automates a lot of things. We actually have the python3 version in there, so I could just slap that in: stabilizing the shell and uploading LinPEAS and doing the reconnaissance that maybe we wouldn't have done naturally. But okay, if I were www-data, I could just simply sudo -l and know that, so that's something maybe we could do manually, we should do manually, but LinPEAS will take care of that.

So okay, that's that video. That's Pickle Rick, that's the TryHackMe room. Kind of fun, kind of simple, kind of good, but I hope you guys enjoyed it. If you did like this video, please do press that like button, hit the subscribe button, hit the comment button and then type things in and hit the enter button so you enter a comment. All right, love to see you guys in the Discord server, love to see you on Patreon, PayPal, Twitter, Facebook, LinkedIn, all of the things. Have a great day. Bye.
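The two tricks the walkthrough leans on, reading a file with nothing but shell builtins to get past a substring blacklist, and peeling a nested base64 string layer by layer, are reproduced below as an added bash example. This is not code from the video, from the Poor Man's Pentest project, or from the room; it assumes the blacklist works the way the transcript describes it (a "contains" check against the words cat, head, more, tail, nano, vim and vi), and the function names, the sample file and the sample strings are all constructed for this example.

```shell
#!/bin/bash
# Added example (not from the video or the room): models the substring
# blacklist described in the walkthrough and the two ways around it.

# Substring blacklist as the transcript describes portal.php's check: the
# command is blocked if it *contains* any of these words. Returns 0 if blocked.
# Because it is a substring match, "netcat" is blocked too ("cat" is in that name),
# which is exactly what happened in the video.
is_blocked() {
  local cmd="$1" word
  for word in cat head more tail nano vim vi; do
    case "$cmd" in *"$word"*) return 0 ;; esac
  done
  return 1
}

# Read a file using only shell builtins (while / read / printf), so no
# blacklisted binary is ever executed. `|| [ -n "$line" ]` keeps a final line
# that has no trailing newline, which a bare `while read` would silently drop.
read_with_builtins() {
  local line
  while IFS= read -r line || [ -n "$line" ]; do
    printf '%s\n' "$line"
  done < "$1"
}

# Peel repeated base64 layers until the result no longer looks like base64,
# decoding fails, or the output stops being printable text (or a depth limit
# is hit). Prints the innermost text. Note a plaintext that happens to be valid
# base64 will be decoded one step too far; the printable check catches most of
# those, but not all.
unwrap_base64() {
  local cur="$1" candidate next depth=0 max="${2:-50}"
  while [ "$depth" -lt "$max" ]; do
    candidate=$(printf '%s' "$cur" | tr -d '\r\n')
    printf '%s' "$candidate" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$' || break
    [ $(( ${#candidate} % 4 )) -eq 0 ] || break
    next=$(printf '%s' "$candidate" | base64 -d 2>/dev/null) || break
    printf '%s' "$next" | LC_ALL=C grep -q '[^[:print:][:space:]]' && break
    cur="$next"
    depth=$((depth + 1))
  done
  printf '%s' "$cur"
}

# Demo on constructed input (not data from the room).
demo_file=$(mktemp)
printf 'constructed clue line 1\nconstructed clue line 2 (no trailing newline)' > "$demo_file"
for c in 'cat clue.txt' 'netcat -h' 'grep . clue.txt' 'while read l; do echo "$l"; done < clue.txt'; do
  if is_blocked "$c"; then echo "BLOCKED: $c"; else echo "allowed: $c"; fi
done
read_with_builtins "$demo_file"
rm -f "$demo_file"
wrapped=$(printf '%s' 'constructed plaintext' | base64 | base64 | base64 | tr -d '\n')
unwrap_base64 "$wrapped"; echo
```

The while/read loop is the portable piece: it works on any POSIX shell with no external binaries, which is why it survives a blacklist that grep or mapfile might not. The base64 unwrapper is what you would run locally on a copied string rather than through the web panel.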