2022-04-28 23:27:22 +00:00
# Pickle Rick
2022-04-28 16:01:33 +00:00
2022-05-01 13:25:53 +00:00
## Pickle Rick
2022-04-28 16:01:33 +00:00
< details >
< summary > < strong > Support HackTricks and get benefits!< / strong > < / summary >
2022-09-09 11:28:04 +00:00
- Do you work in a **cybersecurity company** ? Do you want to see your **company advertised in HackTricks** ? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF** ? Check the [**SUBSCRIPTION PLANS** ](https://github.com/sponsors/carlospolop )!
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- Discover [**The PEASS Family** ](https://opensea.io/collection/the-peass-family ), our collection of exclusive [**NFTs** ](https://opensea.io/collection/the-peass-family )
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- Get the [**official PEASS & HackTricks swag** ](https://peass.creator-spring.com )
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- **Join the** [**💬** ](https://emojipedia.org/speech-balloon/ ) [**Discord group** ](https://discord.gg/hRep4RUj7f ) or the [**telegram group** ](https://t.me/peass ) or **follow** me on **Twitter** [**🐦** ](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md )[**@carlospolopm** ](https://twitter.com/carlospolopm )**.**
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo** ](https://github.com/carlospolop/hacktricks )**.**
2022-04-28 16:01:33 +00:00
< / details >
2022-05-01 16:17:23 +00:00
![](../../.gitbook/assets/picklerick.gif)
2020-07-15 15:43:14 +00:00
This machine was categorised as easy and it was pretty easy.
2022-05-01 13:25:53 +00:00
## Enumeration
2020-07-15 15:43:14 +00:00
2021-11-30 16:46:07 +00:00
I started **enumerating the machine using my tool** [**Legion** ](https://github.com/carlospolop/legion ):
2020-07-15 15:43:14 +00:00
2022-09-09 11:00:52 +00:00
![](< .. / . . / . gitbook / assets / image ( 79 ) ( 2 ) . png > )
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
In as you can see 2 ports are open: 80 (**HTTP**) and 22 (**SSH**)
2020-07-15 15:43:14 +00:00
So, I launched legion to enumerate the HTTP service:
2022-05-01 16:17:23 +00:00
![](< .. / . . / . gitbook / assets / image ( 234 ) . png > )
2020-07-15 15:43:14 +00:00
Note that in the image you can see that `robots.txt` contains the string `Wubbalubbadubdub`
2021-11-30 16:46:07 +00:00
After some seconds I reviewed what `disearch` has already discovered :
2020-07-15 15:43:14 +00:00
2022-05-01 16:17:23 +00:00
![](< .. / . . / . gitbook / assets / image ( 235 ) . png > )
2020-07-15 15:43:14 +00:00
2022-05-01 16:17:23 +00:00
![](< .. / . . / . gitbook / assets / image ( 236 ) . png > )
2020-07-15 15:43:14 +00:00
2021-11-30 16:46:07 +00:00
And as you may see in the last image a **login** page was discovered.
2020-07-15 15:43:14 +00:00
Checking the source code of the root page, a username is discovered: `R1ckRul3s`
2022-05-01 16:17:23 +00:00
![](< .. / . . / . gitbook / assets / image ( 237 ) . png > )
2020-07-15 15:43:14 +00:00
Therefore, you can login on the login page using the credentials `R1ckRul3s:Wubbalubbadubdub`
2022-05-01 13:25:53 +00:00
## User
2020-07-15 15:43:14 +00:00
Using those credentials you will access a portal where you can execute commands:
2022-05-01 16:17:23 +00:00
![](< .. / . . / . gitbook / assets / image ( 241 ) . png > )
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
Some commands like cat aren't allowed but you can read the first ingredient (flag) using for example grep:
2020-07-15 15:43:14 +00:00
2022-05-01 16:17:23 +00:00
![](< .. / . . / . gitbook / assets / image ( 242 ) . png > )
2020-07-15 15:43:14 +00:00
Then I used:
2022-05-01 16:17:23 +00:00
![](< .. / . . / . gitbook / assets / image ( 243 ) . png > )
2020-07-15 15:43:14 +00:00
To obtain a reverse shell:
2022-05-01 16:17:23 +00:00
![](< .. / . . / . gitbook / assets / image ( 239 ) . png > )
2020-07-15 15:43:14 +00:00
The **second ingredient** can be found in `/home/rick`
2022-05-01 16:17:23 +00:00
![](< .. / . . / . gitbook / assets / image ( 240 ) . png > )
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
## Root
2020-07-15 15:43:14 +00:00
The user **www-data can execute anything as sudo** :
2022-05-01 16:17:23 +00:00
![](< .. / . . / . gitbook / assets / image ( 238 ) . png > )
2022-04-28 16:01:33 +00:00
< details >
< summary > < strong > Support HackTricks and get benefits!< / strong > < / summary >
2022-09-09 11:28:04 +00:00
- Do you work in a **cybersecurity company** ? Do you want to see your **company advertised in HackTricks** ? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF** ? Check the [**SUBSCRIPTION PLANS** ](https://github.com/sponsors/carlospolop )!
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- Discover [**The PEASS Family** ](https://opensea.io/collection/the-peass-family ), our collection of exclusive [**NFTs** ](https://opensea.io/collection/the-peass-family )
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- Get the [**official PEASS & HackTricks swag** ](https://peass.creator-spring.com )
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- **Join the** [**💬** ](https://emojipedia.org/speech-balloon/ ) [**Discord group** ](https://discord.gg/hRep4RUj7f ) or the [**telegram group** ](https://t.me/peass ) or **follow** me on **Twitter** [**🐦** ](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md )[**@carlospolopm** ](https://twitter.com/carlospolopm )**.**
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo** ](https://github.com/carlospolop/hacktricks )**.**
2022-04-28 16:01:33 +00:00
< / details >