TryHackMe! PickleRick - BYPASSING Blacklists

Captions
Hello everyone, my name is John Hammond and in this video I want to showcase the PickleRick CTF from TryHackMe.com. So I'll hop on over to my screen and we'll get to the good stuff.

This is the PickleRick room. It says a Rick and Morty CTF: help Rick turn back into a human. I've joined the room here and we can start to roll through. I'm going to go ahead and deploy the machine: deploy the virtual machine on this task and explore the web application. So I will fire up a terminal here so I can move into the TryHackMe directory there, and I will sudo openvpn with the JohnHammond config, because that is the account that I'm using for this one. This is a free room, so I believe anyone, even if you're not a subscriber, should be able to access it. Let me make a directory for PickleRick. All right, there we go, PickleRick, and let's get a README file going just so we can have a space to take notes, throw stuff in. I'll also go ahead and make an nmap directory so I can nmap the box: -sC -oN initial, and let's grab the IP address now that that should be spun up. Let me go ahead and ping this box. Yep, okay, looks like he's good. Fire up that nmap scan, and while that's going we can start to build out our notes. I'll export the IP address so we can save that as a variable for the future. Let's do task 1. Let's actually make a spot for nmap results, because I just kind of throw stuff in even though I already have specific files. Oh hey, looks like there are only three questions in this room: what is the first ingredient that Rick needs, okay, second and final, that's it. So we're just trying to find pieces of the puzzle here.

There we go, and let's see what we got. So SSH is open, 80 is open. On the web page, okay, it says "rick is super cool"; looks like that's it. Okay, let me copy that export command so I can work with that. I'll do the same down here, and because I know that 80 is running I will fire up a little Nikto scan and tee the results into nikto.log. Let it go. Let's go check some things out. We can poke around; we could try and brute-force SSH with Hydra. That would be a little lame because we don't exactly know where we're going yet, so let's just grab the IP address and go and interact with the website.

It says "help morty, I need your help, I've turned myself into a pickle again and this time I can't change back. I need my password. I don't know what it was. help meeee." All right, help. So there's not a whole lot going on on this page. Let's go check it out, view the source here. It looks like we have this image. We might be able to download this image and maybe check it in case there are any strings in there or things that they might be trying to hide from us, but I do see this giant gaping HTML comment: it says "note to self, remember the username", username equals Rick rules. Okay, so now we have a little bit of an inclination where maybe we could go with this. If you wanted to use Hydra and brute-force this "Rick rules" username with some passwords to try and beat up SSH, maybe potentially log in. For other enumeration we could be running gobuster or we could be running Nikto, as we're doing. So now that I mentioned gobuster, let's actually go ahead and slap that in, get some enumeration going in the background. So I will use gobuster, and it needs a URL, so our IP address. We'll use the wordlist... rockyou? I think my face is in the way. No, we don't want to use rockyou because we're not cracking passwords; we will use the directory listing that would come with DirBuster. And I'm actually going to specify -x to specify some file extensions that I might want to look for: I'll look for php, sh, txt, cgi. I like to use sh and cgi in case there's any Shellshock stuff or some of the things that might be running. Obviously html, js for JavaScript, css, maybe Python files too, just to amuse... well, and I found index.html, that's good, that's where we already are.

Let's go check out that robots.txt, because I saw that Nikto said robots.txt was retrieved but it does not contain any disallow entries, which is strange. Okay, let's go check out our robots.txt and it says "Wubba lubba dub dub". So perfect, let's save that in our notes. And we also have that thing as well; maybe the Wubba lubba dub dub might be something. If it's there, it's probably there for a reason, right? Our other gobuster scan found a login.php, okay, assets, portal.php. It looks like that has a status 302, so we might not be able to access that just yet, but it seems to exist. So let's hop on and go check those out. I'll go to portal.php. Oh, looks like we need to log in first; it redirected me to login. Login has this image and a username and login. So the only pieces of information that we have thus far are this username, Rick rules, and whatever this string is, Wubba lubba dub dub, obviously the Rick and Morty reference, but maybe that's a password. We could try to log in. Okay, looks like it logged in. No, I don't want to add that to LastPass, thank you.

So seemingly a command panel: we execute a command. What else is in here? "Only the real Rick can view this page", potions, creatures, Beth clone, okay. So we can't do anything with that, seemingly. Let's go poke around at this command panel and let our other things run in the background. So I will run ls. Okay, looks like I have some interesting files: Sup3rS3cretPickl3Ingred.txt. Let's see what that is; let me cat that out please. No: "Command disabled to make it hard for future Pickle Ricks". What? Okay, what else do we have here? cd assets, clue... I can't cat out clue.txt? Can I just not cat out something that is a text file? All right, okay, I can't seem to run commands. Well, what can I run? Does dir work? Yep. Can I head clue.txt? That's also disabled. Well, that's annoying. Okay, please stop losing my page when I hit the backspace button; I hit the back button. So we know we seemingly can't run cat, and I bumped around this for a little bit of time. I was like, what can I do to read files? I like to use mapfile as one technique, but since that seemingly doesn't work in our case, we could echo something, the output of clue.txt maybe. Can we run echo? That doesn't seem to work for me. How about while read line? I can't run cat. while read line; do echo $line... while read... what am I doing? while read line; do echo $line, reading in from clue.txt. Does that work? Oh, okay, excellent, it does. So that works.

One other technique that I thought of using was using grep, and grep -R is really nice because it can work recursively. So this is going to be a mess; I'm going to get the results of every file in the actual file system. Or we could actually just try grep on that clue.txt and match anything, match any characters: grep clue.txt period... or is it pattern first? grep period and then clue.txt as the file name. Yeah, that's okay. So grep, the pattern you're looking for, and I'm using a period for the regular expression "anything", and I'm also going to be using that file name. We could use that grep -R and search for the anything and that will return all of the files in this folder, which looks a little messy, but if we go check out the source code we can probably make sense of it, because it thankfully will showcase the lines that we're reading. So this will actually let us see the source code as well, because we're just catting out, not really, but using grep or using that while read technique to read a file. I like the while read technique because those are all built-ins: while is a built-in, read is a built-in, echo is a built-in. So that technique might be useful in other situations even more than this, but it looks like we can see that PHP code. So we found robots.txt, found our denied page, found the index, and also found the login page. That's kind of cool. Okay, so it's verifying the credentials that we found. What else do we have? Okay, super secret ingredient number one is Mr. Meeseek hair. Cool. "Look around the file system for the other ingredients": that's our clue. We could navigate, move stuff around, but oh, this is the portal page, and that will check with the contains function if we have some string inside of another string, some of the commands here. Okay, so it looks like we have a blacklist in place for commands that we can run or can't run: cat, head, more, tail, nano, vim and vi. That's not a lot, that's not a lot of commands; it actually gives us a lot of options, right?

So we also have some base64 string. What is this? Let's try this. Let's make Nikto go away. For those of you that have already completed this room, you might already know what this is, and I'm just going to showcase it for completeness' sake and being thorough, but it looks like it's nested base64, like recursive base64. So I keep adding on a base64 -d over and over and over again and you're seeing the output; it's basically base64 again. It's also seeing some other missteps, but I will base64 -d repeatedly, repeatedly, repeatedly until I get the answer: "rabbit hole", which is a little mean. I spent all that time and we wasted it. Okay, so that's it; there are no real results to get from that. But we know we have command execution, we know we have a blacklist for commands that we can't work with, we've found our way to mitigate not being able to run cat: we can still read files with that while read line technique and we can use grep. So now we want to probably leverage this more so we can actually move around the file system in a sane way, not just through this stupid web interface.

So let's try and get a reverse shell. Let's see if we have netcat; I think that's a fine option. If we use netcat -h... maybe it doesn't seem to run. netcat --version? I don't seem to get any command output from that, so maybe that's not actually there. Nope, oh, "cat" is in that name, so that's just yelling at it, and I keep hitting the back button. So what could we do to get a reverse shell? We could try to use Python. I'm just going to verify that we actually have Python working, whether that's Python 2 or Python 3. So if I print out with regular python, it doesn't work for me. I could specify python3 and that looks like it does get some output for me. So what we could do is use the PentestMonkey reverse shell cheat sheet and we could just modify the Python one-liner that we have to go ahead and give us a shell by using not just python as the command but python3, if I add that in there. So I am going to need to modify this to get our IP address, so I do actually need that terminal. What is my current IP address? 10.8.91.12, weird oddball, and let's use port 9999, and let's use python3. So let's close that shell out and get back to a regular shell, and let's nc -lnvp 9999, and now we can go try and execute that command, because we know that python3 should work for us. So if I execute... looks like that's not responding; it's probably executing it, and we have a shell. Excellent.

Okay, so this is kind of a crappy shell, just as we normally get when we run netcat reverse shells: we don't have our tab autocomplete or up and down command history or left and right arrow keys, so it's very, very frustrating, and we could accidentally Ctrl-C. So I've showcased in other videos the stabilized shell technique using python -c with pty, and creating it with stty raw -echo and exporting the TERM environment variable. So I actually do that with my Poor Man's Pentest project, if you haven't seen that. It might come in handy. Poor Man's Pentest, that's in my GitHub; it's just using xdotool to send some keys that could automate the process of your interaction on a web shell or on a reverse shell, and even upload and download files, etc., etc. So I'm going to actually use xdotool and I will run my stabilized shell 3 script, because if I actually check out what that is, stabilized shell 3, let's go ahead and subl that so you can see what that source code looks like. Oh, it just uses python3 to run the pty and make my terminal in raw mode and turn off echo so I get a stable shell. It's just an automated way so I don't have to type it and mistype it all the time like I do, and we know that it's going to be using python3 because we just tested it: python as a command itself doesn't really seem to be on the box. So let's go ahead and do that. Let's go ahead and run stabilized shell, which is in my prompt, so I don't need a dot slash: stabilized shell 3, and okay, now we have a stable www-data. This is also handy because we could actually use some of the other upload file functionalities. So I don't have netcat... do we actually have netcat? Did it just not want to work for me? Yeah, it does, whatever. Okay, so let's go ahead and use some of the functionality that we have built out to upload LinPEAS, and then I'll go ahead and put it in /dev/shm, kind of a hidden directory. So if I wanted to do my enumeration, I don't have to deal with creating the socket or netcatting things and doing it; it's just kind of finding my IP address and all that crap. It'll just get LinPEAS or whatever file I really wanted onto the box as fast as I can, so pretty helpful for King of the Hill stuff as well.

Scrolling through this, we found some interesting information: www-data may run the following command, everything, as sudo without a password. So we could just as easily sudo bash and be root, and that's it. Okay, now we've owned the box, we've owned that machine. So what else are we going to be looking for? Well, in the home directory of root, looks like we found our third ingredient. That's that. Let's go ahead and, I guess, go submit that; nothing to stop us. Oh, and I never added the Mr. Meeseek hair. Is that right? Yeah, cool. What else do we have here? Where else could be fine for that second ingredient? Looks like he's in rick, maybe second ingredients. Yeah, cat that out: 1 jerry tear, and just like that we finished the room and owned that box.

So to recap: just some command injection to the web page, some robots.txt to find stuff, some DirBuster with PHP extensions to find our login. The command injection didn't allow us to run common commands like cat because it had a blacklist going. We can still evade that; my built-in technique that I really like is a while read line, echo things out and redirect into it. That is helpful because even in a command shell where you don't have grep that would work, because those are all built-in commands. We used grep because we can read out all the files nice and easily, find the source code, know that blacklist, and then we were able to determine okay, what can we use on this machine to get a reverse shell: Python, Python 3 in this case, just needed to add that 3 there because Python's still on the box but not the just flat regular python command. Used python3, got a reverse shell. I like to use my Poor Man's Pentest project because it just automates a lot of things; we actually have the Python 3 reverse shell in there so I could just slap that in, and stabilize the shell, uploading LinPEAS and doing the reconnaissance that maybe we wouldn't have done naturally. But okay, if I were www-data I could just simply sudo -l and know that, so that's something maybe we could do manually, we should do manually, but LinPEAS will take care of that. So okay, that's that video, that's PickleRick, that's the TryHackMe room: kind of fun, kind of simple, kind of good, but I hope you guys enjoyed. If you did like this video please do press that like button, hit the subscribe button, hit the comment button and then type things in and hit the enter button so you enter a comment. All right, love to see you guys in the Discord server, love to see you on Patreon, PayPal, Twitter, Facebook, LinkedIn, all of the things. Have a great day. Bye.
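The bypass in the video comes down to one fact: the portal's PHP filter is a substring blacklist on the command string (cat, head, more, tail, nano, vim, vi), so anything that reads a file without spelling one of those words gets through. The following shell script is an added example written for this page, not code from the video, the room or the Poor Man's Pentest project. It rebuilds that filter as a toy "panel", runs the two reads John Hammond used (the while/read/echo built-ins and grep with a match-anything pattern) against it, and also shows a side effect of substring matching the video does not dwell on: harmless commands that merely contain "vi" or "head" as part of another word are refused too. The clue.txt file and its text are constructed for the demo.

```shell
#!/bin/sh
# Added example: a toy reconstruction of the PickleRick command panel's
# substring blacklist and the file-reading bypasses from the video.
# Not the room's PHP; the blacklist words are the ones the video reads
# out of portal.php, the demo file is constructed here.

BLACKLIST="cat head more tail nano vim vi"

# Mirror the PHP "contains" check: succeed (return 0) if any blacklisted
# word appears anywhere in the submitted command string.
is_blacklisted() {
    for word in $BLACKLIST; do
        case "$1" in *"$word"*) return 0 ;; esac
    done
    return 1
}

# Emulate the panel: refuse a blacklisted string, otherwise hand it to a shell.
# Returns 1 on refusal so callers can tell "blocked" from "ran".
panel() {
    if is_blacklisted "$1"; then
        echo "Command disabled to make it hard for future Pickle Ricks."
        return 1
    fi
    sh -c "$1"
}

# Create a throwaway directory holding a constructed clue.txt; print its path.
setup_demo() {
    dir=$(mktemp -d)
    printf 'Look around the file system for the other ingredients.\n' > "$dir/clue.txt"
    echo "$dir"
}

# Walk through blocked and bypassing reads, in a subshell so the cd does not leak.
demo() {
    (
        cd "$(setup_demo)" || exit 1
        echo '--- cat is blocked by the blacklist'
        panel 'cat clue.txt' || true
        echo '--- bypass 1: only shell built-ins (while, read, echo) and a redirect'
        panel 'while read -r line; do echo "$line"; done < clue.txt'
        echo '--- bypass 2: grep with "." as a match-anything pattern'
        panel 'grep . clue.txt'
        echo '--- collateral damage: "vi" hides inside "environment", "head" inside "header"'
        panel 'echo environment' || true
        panel 'echo header' || true
    )
}

# Run the walkthrough when executed directly: sh blacklist_demo.sh
[ "${0##*/}" = "blacklist_demo.sh" ] && demo
```

The while/read loop is the more portable of the two bypasses because it never leaves the shell's own built-ins, which is why it also works on a box where grep or other external tools are missing. The two echo refusals at the end are the practitioner's caveat on this kind of filter: a substring blacklist both misses the built-ins and rejects innocent input, so the real fix is never a better word list but not passing user input to a shell at all.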
Info
Channel: John Hammond
Views: 145,709
Id: oCAtfcr3iUw
Length: 17min 23sec (1043 seconds)
Published: Tue Apr 28 2020