Pickle Rick – a fun and basic web ctf
This is a writeup of the Pickle Rick room on TryHackMe.
It's a pretty basic – yet fun – web CTF room.
There are a couple of interesting writeups out there already – I wanted to add this one because I found some of the writeups more complicated than necessary for such a basic room.
I like to dumb it down. Use as few tools as possible to solve the problem.
Let's dive in.
We see a basic webpage. No input fields or buttons. Just text and image.
Let's look at the source code since this is all we have for now:
Ok. Now we have a username.
But nowhere to put it in.
At this point we use gobuster to look for a login form or any other interesting stuff that might be hidden from us.
Since we want to find a login form to make use of the username we probably want to look for .php files. And since we are looking for what might be hidden from us we also want to look for the robots.txt file – sometimes we find interesting paths there.
gobuster dir -q -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt -t50 -u 10.10.135.91
We are using a wordlist from Kali here. We tell gobuster to be quiet (-q) so we only see what's interesting, to use 50 threads (-t50) and to look for the extensions php and txt (-x php,txt).
Perfect. We found a login.php, a portal.php and the robots.txt. Let's look at robots.txt first – maybe it reveals some more hidden URLs.
We just try to look at it through the browser.
Great. That worked. But very differently than expected.
It’s not really a robots.txt file. Just a weird string. We will try that as a password for the username we already have.
Let's look at the login.php.
Lucky enough – it works. The info we found in the source and in the robots.txt is indeed a valid username / password combination.
That looks interesting. We can enter commands.
We don’t expect any fancy proprietary command interpreter here – so our first guess is that it's some kind of web shell.
pwd; whoami; ls -la
Ok. Great. It is a webshell.
We are user www-data and the webshell runs in the /var/www directory.
Since it worked with the robots.txt we just try to view the files through the web browser as well.
Here we have our first ingredient. Awesome.
mr. meeseek hair
This is not too helpful. But it suggests that we can use ls, cd or so to look around. Let's do that.
In CTFs like this, flags are usually hidden in the users home directories.
So let’s look at home first.
ls -la /home
ls -la /home/rick
There is our second ingredient. Great. Let’s cat it out.
cat /home/rick/second\ ingredients
(There is a space in the filename so we escape that with the backslash.)
Hm. That’s a bummer. Some commands are not available in this webshell – and cat is one of them. So we can’t use cat to look into the second ingredient.
Obviously we can’t do it through the browser either because it’s outside of the webserver’s reach.
So we need another command that is able to print out the content of a file.
The strings command comes to mind. Usually it is used to print out strings from binaries – it of course works on text files as well.
Let's see if this command is available.
strings /home/rick/second\ ingredients
There we have our second ingredient.
1 jerry tear
One more ingredient to go.
Again: we are in a CTF environment and we are looking for the final flag.
Let’s assume it has something to do with root. And maybe it is in root’s home directory.
When we do a
ls -la /root
we get no return – which makes sense since we are user www-data and probably can’t read root’s home directory.
If we are REALLY lucky we can use sudo to execute commands as root.
sudo ls -la /root
Ok. That is really good now. We can use sudo to list root’s home and we find a file 3rd.txt in there.
If we use the strings command now to look into it we will certainly find our 3rd ingredient.
sudo strings /root/3rd.txt
So here is our 3rd ingredient:
As said earlier: a pretty basic web CTF. I think the fun here is thinking of how to do it with the least number of steps and least number of tools.
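Seen from the defender's side, the last step only worked because the web server account was allowed to use sudo. The following is an added example, not part of the room or of any tool used above: a small audit that flags sudoers rules giving a service account passwordless sudo. It assumes the room's rule was a NOPASSWD one (sudo ran from the web shell without a prompt); the account list and the sample input are constructed.

```bash
#!/bin/sh
# Added example: flag sudoers rules that let a service account run commands
# as another user without a password. SERVICE_ACCOUNTS is an assumed list.
SERVICE_ACCOUNTS="www-data apache nginx nobody"

# Reads sudoers-format text on stdin and prints one line per finding:
#   CRITICAL <user>             NOPASSWD on every command
#   REVIEW <user> <commands>    NOPASSWD on specific commands only
audit_sudoers() {
    awk -v accounts="$SERVICE_ACCOUNTS" '
        BEGIN { n = split(accounts, a, " "); for (i = 1; i <= n; i++) svc[a[i]] = 1 }
        /^[ \t]*(#|$)/    { next }               # comments and blank lines
        !($1 in svc)      { next }               # only service accounts
        $0 !~ /NOPASSWD:/ { next }               # rule still asks for a password
        {
            spec = $0
            sub(/^[^=]*=[ \t]*/, "", spec)       # drop "user host="
            sub(/^\([^)]*\)[ \t]*/, "", spec)    # drop "(runas)"
            gsub(/[A-Z_]+:[ \t]*/, "", spec)     # drop tags such as NOPASSWD:
            sub(/[ \t]+$/, "", spec)             # trim trailing whitespace
            if (spec == "ALL") print "CRITICAL " $1
            else               print "REVIEW " $1 " " spec
        }'
}

# Constructed sample input, not taken from the room.
sample_sudoers() {
    cat <<'EOF'
# /etc/sudoers (constructed)
Defaults env_reset
root     ALL=(ALL:ALL) ALL
www-data ALL=(ALL) NOPASSWD: ALL
nginx    ALL=(root) NOPASSWD: /usr/sbin/nginx -s reload
nobody   ALL=(ALL) ALL
EOF
}

sample_sudoers | audit_sudoers
```

On a real host the function would be fed the contents of /etc/sudoers and the files under /etc/sudoers.d instead of the sample.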
Let me know what you think in comments below