Pickle Rick: A Rick and Morty CTF with Command Injection attack – THM Writeup

This Rick and Morty themed challenge requires us to exploit a web server to find the 3 ingredients that will help Rick make the potion that turns him from a pickle back into a human. Rick and Morty fans know which pickle I am talking about.

As always, we first make sure we can reach the machine using the ping utility:

As always, we will start this challenge with our dear friend Nmap.
Command: nmap -T4 -sC -sV -A <IP Addr>

-T4: timing template 4 (aggressive) on Nmap's 0 to 5 scale, for faster results

-sC: scan with the default NSE scripts, which are considered useful for discovery and safe

-sV: determine the version of the service running on each open port

-A: aggressive scan, which enables OS detection, version detection, script scanning and traceroute on those ports

From the Nmap scan we see that 2 ports are open, and it also tells us which services are running on them:
Port 22 – SSH: SSH itself is unlikely to be exploitable here, but with valid credentials it becomes a way in. So, we will look for those to log in through SSH.
Port 80 – HTTP: A website is hosted on port 80, so let us check that out to see if we can find something interesting!

Okay, it’s just a message for Morty about finding ingredients. Nothing useful here. But we can check out the page source code to see if it reveals something useful for us:

Yes, my guess was right…!!! Rick made a note of the username.
We found the username: R1ckRul3s
Now we need to find the password for this username, so we can log in through SSH.
For that, we have to dig deeper into this web application, and DIRB can be very useful here.

What is DIRB?

DIRB is a Web Content Scanner. It looks for existing (and/or hidden) Web Objects. It basically works by launching a dictionary-based attack against a web server and analyzing the response.
DIRB comes with a set of preconfigured attack wordlists for easy usage, but we can use our custom wordlists as well. Also, DIRB sometimes can be used as a classic CGI scanner, but it is just a content scanner, not a vulnerability scanner. DIRB and preconfigured wordlists come pre-installed in Kali-Linux.

WARNING: Using DIRB or DirBuster (GUI of DIRB) on a website or application you do not have permission to use is ILLEGAL. Unless you are in a controlled environment and given a specific URL (like what we have here for TryHackMe machine or different CTF) or have a penetration testing contract with a company, DO NOT USE THIS ON ANY WEBSITE OR APPLICATION YOU WANT.
So, now we will run a dirb scan to find any hidden paths on this web application:
dirb http://10.10.114.185/

Not much has been revealed here, but we got a robots.txt file, an assets directory, and server-status.
As we can see above, DIRB also reports the HTTP status CODE for each hit: index.html and robots.txt both return 200, the code for a successful HTTP request, which is good. The server-status page returns 403, which means forbidden.
HTTP response status codes are issued by a server in response to a client's request.
We will visit every path found by DIRB to hunt for something useful.

So here we found an interesting phrase in robots.txt: Wubbalubbadubdub

The server-status page is forbidden, which we already knew from its HTTP status code.
And index.html gave me the front page with the Help Morty! message, nothing new.
My guess is that the phrase found in robots.txt might be a password. Let's try to SSH in.

Oh NO..!! It did not work. We need to look for another way to try these login credentials.
We can use the Nikto tool to enumerate further.

What is Nikto?

Nikto is an industry-standard tool used by penetration testers to find website vulnerabilities. It is also known as Nikto2: an open-source (GPL), free-to-use web server scanner that checks web servers for multiple items, including dangerous files and programs, and for outdated versions of web server software.
It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. It also contains a pre-packaged list of potentially dangerous files.

You can get more information about the Nikto tool here:

Nikto | Penetration Testing Tools (kali.org)

It also has an online version: the Online Nikto scanning tool (nikto.online).

If, like me, you want to hear all about the Nikto tool in 10 minutes while taking a walk or cooking, go to the following website:

Nikto: a Practical Website Vulnerability Scanner (securitytrails.com)

Today we will use Nikto with the host option; its usage is as follows:
Command: nikto -h <IP Addr/URL>
-h: Host(s) to target. Can be an IP address, hostname, or a text file of hosts.

After running nikto, we see that there is a login.php file which must be the login page we are looking for. So, I tried to navigate to that page and got the following:

Yes, this is good. We already have the username: R1ckRul3s
And for the password, I'm trying the phrase "Wubbalubbadubdub" that we got from robots.txt.

Hurray…!! We are into the Rick Portal.

Finding 1st ingredient for Rick:

We landed on this page, but let's check out all the pages to see what is there.

We are not able to access any of the other pages; each shows this message. So, the command panel is our only shot.

whoami command: prints the username we are executing commands as
Okay, so we are not root.

I’m trying a bunch of basic commands here to get more information.

There it is. We found a text file named Sup3rS3cretPickl3Ingred. It must contain the secret ingredient information, so let's open it.

Smart…!!! We will try one more time to open the clue file.

So now we know the cat command will not work here.

But I can see the login.php and robots.txt files in the listing here. Sup3rS3cretPickl3Ingred.txt and/or clue.txt might be accessible the same way we accessed robots.txt.

So, I went to the following page http://<ipAddress>/Sup3rS3cretPickl3Ingred.txt

Ahha…!!! It worked….!!!
Our 1st ingredient is mr. meeseek hair
One down, two to go!

Finding 2nd and 3rd ingredient for Rick:

Let’s see what’s inside the clue file.

Okay, so the other ingredients are somewhere in the file system. But we must find their filenames to read them the same way we read the 1st ingredient.
Let's hunt for them.
Here I'm using the command 'ls -la', which lists every file and directory, hidden ones included, in long format, as you can see below.

There is an assets directory here, which we haven’t checked.

I have opened and checked everything, but nothing useful is here; these are all CSS files, JavaScript, gifs and jpegs used in the Rick Portal.
Let's dig deeper into the home directory to find root or other users on the system.
But before that, let us understand command injection, as that is what we are using to exploit the Rick Portal here.

What is Command Injection?

Command injection is an attack in which the goal is the execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell.
In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.
You can get more information about command injection with examples in this PDF:
42593-command-injection—shell-injection.pdf (exploit-db.com)


So now that we have a better understanding of command injection, let's get back to helping Rick by finding the other 2 ingredients.
So, we cannot use the command 'cd': each injected command runs fresh from the same working directory, so a 'cd' does not persist. We must use 'ls' with the full path of whatever we want to explore.

Okay… We found user ‘rick’. It’s time to find out what he has.

Sweet..!! There it is, our 2nd ingredient file.
But to open it, we need a different approach, as it cannot be accessed the same way we did the 1st ingredient. Let's go to Google for this problem.

Less Command:

less is a terminal pager program on Unix, Windows, and Unix-like systems used to view (but not change) the contents of a text file one screen at a time. You can find additional information here: https://en.wikipedia.org/wiki/Less_(Unix)

Find out more examples of how to use less command here: https://www.howtogeek.com/444233/how-to-use-the-less-command-on-linux/

To view the contents of a file with less, the syntax is: less [options] [file_name]

The less command is mostly used for opening large files, but since the cat command is disabled here, we will use less and see if it works.

Yes…!! It does work.
Our 2nd ingredient is: 1 jerry tear

Privilege escalation:

Now to find the last ingredient, I'm checking for privilege escalation with the command sudo -l, which lists the commands the current user may run through sudo.

This means the current user can execute anything without a password! This makes our task simple, because we can just put 'sudo' in front of our command to see the contents of the root directory.

Okay, there it is. Let's see what the last ingredient is.
Now we are going to use our dear friend 'less', but we need to put sudo at the front of the command, followed by the location of the file.

3rd ingredient: fleeb juice
With this, we complete the challenge successfully. I hope these ingredients help Rick transform back into a human.

Resources/Tools Used:

  • Nmap
  • DIRB
  • Nikto
  • Less Command utility

Conclusion:

This was a fun CTF. The main goal was to find 3 ingredients, and I approached it this way:
1. The first phase of hacking is information gathering, or reconnaissance. So here I gathered as much information as I possibly could about the target using different tools.
2. The Nmap scan gave me the open ports (22 and 80) and information about the services running on them.
3. After going to the website hosted on port 80, I found the username (R1ckRul3s) in the page source.
4. A DIRB scan of the website gave me 3 different paths, one of which (robots.txt) led me to a password (Wubbalubbadubdub).
5. As SSH was not working, I ran a Nikto scan and found the login page of the Rick Portal. With the previously found username and password, I was able to log in successfully.
6. In the Rick Portal, everything was denied except the Command Panel. Navigating my way through that, I found a file (Sup3rS3cretPickl3Ingred) containing the 1st ingredient. The 'cat' command was disabled to make it challenging, but I opened that file directly on the website and collected the name of the 1st ingredient, "mr. meeseek hair".
7. Used the command injection attack to find the other ingredients. Reading the clue.txt file showed that the remaining ingredients were in the file system, so I navigated to the home directory and found another user, 'rick'.
8. Listing the contents of user 'rick''s home directory revealed the second ingredient's file. Used the 'less' command to get the contents of that file and found the 2nd ingredient, "1 jerry tear".
9. Through privilege escalation, found that the current user can execute anything without a password. Used the 'sudo ls /root' command to list the contents of root's directory and found the 3rd.txt file.
10. Using the 'less' command to view the 3rd.txt file, found the 3rd and final ingredient, "fleeb juice".

Command Injection Prevention:

Here are several practices you can implement in order to prevent command injection:
  • Avoid passing user input into system calls: this stops threat actors from inserting shell metacharacters into the OS command.
  • Set up input validation: this helps against injection attacks in general, including XSS and SQL injection.
  • Create a whitelist of possible inputs, so the system accepts only pre-approved values.
  • Use only secure APIs when executing system commands, such as execFile(), which takes the program and its arguments separately rather than a single shell string.
  • Use execFile() securely: never let users control the name of the program. You should also map user input to command arguments in a way that ensures user input does not pass as-is into program execution.

Thanks for reading…!!!
Until Next time, Happy Hacking…!!!