TryHackMe : Pickle Rick

TryHackMe Room : https://tryhackme.com/room/picklerick

Aim : Exploit a webserver to find 3 ingredients that will help Rick make his potion to transform himself back into a human from a pickle.

Difficulty Level : Easy

Connect to the TryHackMe network using openvpn.

sudo openvpn /path/to/username.ovpn

First, open the target URL (shown on the Pickle Rick room page) in Firefox. The page we get:

There is nothing useful on the page itself, but viewing the page source reveals a username for some login page:

Next we need a password and a login URL. For this, run gobuster against the web root, once with the .php extension and once without:

gobuster dir -u http://victim_IP -w /path/to/wordlist/common.txt -t 200 -x .php -q
gobuster dir -u http://victim_IP -w /path/to/wordlist/common.txt -t 200 -q

We get some interesting results. /robots.txt contains a single line of text:

Well, it is Rick's nonsense catchphrase. Keep it in mind: an odd string sitting in robots.txt is worth trying as a credential.

gobuster also finds a /login.php page:

A portal!

Trying the username from the page source with the catchphrase as the password logs us in. The portal is a command panel; running ls -la on it gives us:

The 1st and 3rd txt files look interesting; let's read the first one:
cat Sup3rS3cretPickl3Ingred.txt

Hmm, the cat command has been disabled by the panel. What we can do is look for alternatives to cat: head, tail, less and maybe more. head and tail turn out to be disabled too, but less works 🙂 and we get the 1st ingredient:

less Sup3rS3cretPickl3Ingred.txt

For the next clue, do the same with clue.txt:

less clue.txt
Ain't that going to be fun!

So, we have to explore the filesystem to find the remaining ingredients:

Two directories are worth exploring, /home and /root. Let's go to /home first:

Now let's see /home/rick:
Well, well, well...
Ain't that funny.

We have found our 2nd ingredient. Now let's go to /root to see if there is anything of value there:

Hmm... the listing fails, so obviously we have to use sudo. Since the panel is non-interactive, sudo can only succeed if the web-server user is allowed to run it without a password, and that is exactly the case here:
3rd.txt seems interesting.
We have got all the ingredients now!
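The panel's behaviour above (cat, head and tail rejected; less accepted; sudo honoured without a password) is what you get from a web command panel that denylists command names and then hands the string to a shell. The Python model below is an added example, not the room's own portal code: the denylist contents, the substring-matching rule and the /var/www/html path are assumptions chosen to reproduce what the walkthrough observed. It shows why such a filter fails and what an allowlisted, shell-free replacement looks like.

```python
"""Model of a denylist-based web command panel, and a hardened replacement.

Added example. The denylist contents, the substring-matching rule and the
ALLOWED_DIR path are assumptions that reproduce the behaviour seen in the
walkthrough; this is not the room's real source.
"""
import os
import shlex
import subprocess
from typing import Dict, List, Optional, Tuple

# Assumed denylist: what the panel refused in the walkthrough, plus editors.
DENYLIST = ("cat", "head", "tail", "more", "nano", "vi", "vim")

# Assumed web root where the flag files live.
ALLOWED_DIR = "/var/www/html"


def denylist_filter(cmdline: str) -> bool:
    """The vulnerable check: refuse the raw string if any denylisted word
    appears anywhere in it (case-insensitive). Returns True when allowed.
    Substring matching is the stricter of the usual variants and it still
    fails, because the filter inspects text the shell has not parsed yet."""
    lowered = cmdline.lower()
    return not any(bad in lowered for bad in DENYLIST)


def shell_view(cmdline: str) -> List[str]:
    """What /bin/sh actually executes: quotes are resolved by the shell,
    after the filter has already looked at the raw string."""
    return shlex.split(cmdline)


def bypasses(filename: str) -> Dict[str, Tuple[bool, List[str]]]:
    """Inputs a user might send and how the denylist treats each of them.
    Returns {input: (allowed_by_filter, argv_the_shell_would_run)}."""
    candidates = [
        f"cat {filename}",        # refused: 'cat' is on the list
        f"sudo cat {filename}",   # refused: 'cat' is still a substring
        f"less {filename}",       # allowed: less was never listed
        f"sudo less {filename}",  # allowed, and runs as root when sudo is NOPASSWD
        f"c'a't {filename}",      # allowed: the raw text never contains 'cat'
    ]
    return {c: (denylist_filter(c), shell_view(c)) for c in candidates}


# Hardened replacement: a fixed verb selects a fixed argv, the only
# user-controlled value is a bare filename that is validated, and nothing
# is ever passed through a shell.
ACTIONS = {
    "list": ["/bin/ls", "-la", ALLOWED_DIR],
    "show": ["/bin/cat"],
}


def hardened_argv(action: str, filename: Optional[str] = None) -> List[str]:
    """Build the argv for an allowlisted action, or raise ValueError.
    Rejects traversal, absolute paths and dotfiles by requiring the
    filename to equal its own basename."""
    if action not in ACTIONS:
        raise ValueError("action not allowed: %r" % action)
    argv = list(ACTIONS[action])
    if action == "show":
        if filename is None:
            raise ValueError("show needs a filename")
        if filename != os.path.basename(filename) or filename.startswith("."):
            raise ValueError("bad filename: %r" % filename)
        argv.append(os.path.join(ALLOWED_DIR, filename))
    return argv


def hardened_run(action: str, filename: Optional[str] = None) -> str:
    """Execute an allowlisted action without a shell and return its stdout.
    A sudo prefix or a quoting trick is simply not a valid action name and
    never reaches an interpreter."""
    result = subprocess.run(hardened_argv(action, filename),
                            capture_output=True, text=True, check=False)
    return result.stdout


if __name__ == "__main__":
    for cmd, (allowed, argv) in bypasses("Sup3rS3cretPickl3Ingred.txt").items():
        status = "pass" if allowed else "BLOCK"
        print(f"{cmd!r:42} filter={status:5} shell runs {argv}")
    for bad in ("sudo less clue.txt", "c'a't"):
        try:
            hardened_argv(bad)
        except ValueError as err:
            print("hardened panel:", err)
```

The filter and the shell disagree about what the input means, and that gap is the whole vulnerability class; the hardened version removes the shell entirely rather than trying to enumerate bad words.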

It’s time to make the potion to transform Rick back into a human from a pickle.

Mission Accomplished

TryHackMe : Eternal Blue

TryHackMe Room : https://tryhackme.com/room/blue

Aim : Deploy & hack into a Windows machine, leveraging common misconfiguration issues.

Difficulty Level : Easy

Connect to the TryHackMe network using openvpn.

sudo openvpn /path/to/username.ovpn

I will use Metasploit for almost everything in this room. Run:

sudo msfconsole

Scanning

Use the nmap that ships with Metasploit (db_nmap, which also stores the results in the Metasploit database) for the initial scan:

db_nmap -sV --script vuln -vv -p1-1000 target_ip
We find a vulnerability here: ms17-010, reported by the smb-vuln-ms17-010 script (ports 139 and 445 are always a sight for sore eyes). The vuln script category is slow; if SMB is the only interest, running that one script alone is much quicker.

Gain Access

Search for the vulnerability found during scanning:

search ms17-010
We want exploit/windows/smb/ms17_010_eternalblue, option 2 in my listing (the index changes between Metasploit versions, so select it by its full name if in doubt).

List the module's options and set RHOSTS (the target), LHOST (our VPN address) and LPORT:

Then run the exploit:

We have the highest authoritah (read in Cartman's voice), i.e. a SYSTEM-level session, so we can go looking for the hidden flags. But first there is one task: find the password of the non-default user. Run hashdump, which dumps the local account hashes from the SAM as long as the session has enough authoritah:

The non-default user is Jon.

Using hashcat (mode 1000, NTLM) or an online lookup such as CrackStation, Jon's NT hash cracks easily. Let's find the flags now:
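hashdump prints the SAM in pwdump format, user:RID:LM hash:NT hash:::, so telling the built-in accounts apart from the one the room wants and preparing the hash for hashcat can be automated. The script below is an added example, not part of the original walkthrough; the hashdump lines it parses are constructed, and Jon's NT hash in them is a placeholder rather than the real value from the machine.

```python
"""Parse Meterpreter hashdump output and pick out non-default accounts.

Added example. SAMPLE_HASHDUMP is constructed: the account layout matches
the Blue machine (two built-in accounts plus Jon) but Jon's NT hash is a
placeholder, not the real value.
"""
import re
from dataclasses import dataclass
from typing import List

# LM hash of the empty string: present when LM hashing is disabled (the
# default since Vista), so the LM field carries nothing crackable.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of the empty password: blank password, or a disabled account
# that never had one set.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Windows reserves RIDs below 1000 for well-known accounts (500 is the
# built-in Administrator, 501 the built-in Guest); the first account
# created by hand gets RID 1000.
FIRST_USER_RID = 1000

# Constructed sample in the format hashdump prints.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""

PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


@dataclass
class SamEntry:
    user: str
    rid: int
    lm: str
    nt: str

    @property
    def builtin(self) -> bool:
        return self.rid < FIRST_USER_RID

    @property
    def lm_disabled(self) -> bool:
        return self.lm == EMPTY_LM

    @property
    def blank_password(self) -> bool:
        return self.nt == EMPTY_NT


def parse_hashdump(text: str) -> List[SamEntry]:
    """Parse pwdump-format lines. Anything that does not match (Meterpreter
    status lines, blank lines) is skipped instead of failing the run."""
    entries = []
    for line in text.splitlines():
        m = PWDUMP_RE.match(line.strip())
        if m:
            entries.append(SamEntry(m["user"], int(m["rid"]),
                                    m["lm"].lower(), m["nt"].lower()))
    return entries


def non_default_users(entries: List[SamEntry]) -> List[SamEntry]:
    """Accounts created after install: RID at or above 1000."""
    return [e for e in entries if not e.builtin]


def hashcat_lines(entries: List[SamEntry]) -> List[str]:
    """user:nthash lines for `hashcat -m 1000 --username`, skipping accounts
    whose NT hash is the empty-password hash (there is nothing to crack)."""
    return [f"{e.user}:{e.nt}" for e in entries if not e.blank_password]


if __name__ == "__main__":
    sam = parse_hashdump("[*] Dumping SAM\n" + SAMPLE_HASHDUMP)
    for e in sam:
        kind = "built-in" if e.builtin else "user-created"
        note = "blank/no password" if e.blank_password else "crackable NT hash"
        print(f"{e.user:14} rid={e.rid:<5} {kind:13} LM disabled={e.lm_disabled} {note}")
    print("candidates for hashcat -m 1000 --username:")
    print("\n".join(hashcat_lines(sam)))
```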

FLAG : 1

Hint: Can you C it ?

Changing the working directory to the root of the C: drive (the hint) and listing everything there did the trick.

FLAG : 2

Hint : I wish I wrote down where I kept my password. Luckily it’s still stored here on Windows.

We have to know where Windows stores passwords. After some research I found that the SAM and the other registry hives live in c:\Windows\System32\Config\, so that is the directory to look in.

we have flag2 with us too !

FLAG : 3

Hint : You’ll need to have elevated privileges to access this flag.

Seeing the hint, I knew the flag would be somewhere tied to a user's files and permissions, so I changed directory to C:\Users and, after searching for quite a while (about an hour), finally found it. Meterpreter's built-in search command, which matches a filename pattern such as flag*.txt across a whole drive, would have saved that hour. The text of the flag is also good advice for future CTFs.

Mission Accomplished .