Friday, June 5, 2020

TryHackMe: Pickle Rick

Room : https://tryhackme.com/room/picklerick

After running nmap -p 1-65535 -T4 -A -v $IP

I found two open services: 22 and 80.

Let's explore the webpage.
I found on the first page, as an HTML comment, Username: R1ckRul3s
Let's try some directory brute forcing:

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.2.11 - The Web Fuzzer                        *
********************************************************

Target: http://10.10.191.238/FUZZ
Total requests: 950

==================================================================
ID      Response   Lines      Word         Chars          Payload
==================================================================

000098:  C=301      9 L       28 W          315 Ch        "assets"

Total time: 10.12029
Processed Requests: 950
Filtered Requests: 949
Requests/sec.: 93.87078


Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.2.11 - The Web Fuzzer                        *
********************************************************

Target: http://10.10.191.238/FUZZ.php
Total requests: 950

==================================================================
ID      Response   Lines      Word         Chars          Payload
==================================================================

000502:  C=200     25 L       61 W          882 Ch        "login"
000635:  C=302      0 L        0 W            0 Ch        "portal"

Total time: 9.943372
Processed Requests: 950
Filtered Requests: 948
Requests/sec.: 95.54102
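The two wfuzz runs above are what directory brute forcing looks like from the attacker's side. On the server it shows up as a burst of requests from a single client, almost all of them 404s, with a handful of hits (here "assets", "login", "portal"). The following is an added example, not from the original post, that parses Apache combined-format access log lines and flags any client whose requests inside a sliding time window are mostly 404s. The sample log lines, the Wfuzz/2.2.11 user agent string and the thresholds are constructed assumptions, not this box's real logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" log format: ip ident user [ts] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_enumeration(lines, window_seconds=60, min_requests=20, min_404_ratio=0.8):
    """Flag clients that send >= min_requests within window_seconds, >= min_404_ratio of them 404.

    Returns {ip: {"requests", "not_found", "agent", "first", "last"}} describing the
    busiest qualifying window for each flagged client.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        best, start = None, 0
        for end in range(len(recs)):
            # slide the window start forward until the span fits inside window_seconds
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            chunk = recs[start:end + 1]
            not_found = sum(1 for r in chunk if r["status"] == 404)
            if len(chunk) >= min_requests and not_found / len(chunk) >= min_404_ratio:
                if best is None or len(chunk) > best["requests"]:
                    best = {"requests": len(chunk), "not_found": not_found,
                            "agent": chunk[-1]["agent"],
                            "first": chunk[0]["ts"], "last": chunk[-1]["ts"]}
        if best:
            alerts[ip] = best
    return alerts


def build_sample_log():
    """Constructed sample (assumption): one normal visitor plus a wordlist burst from a second client."""
    base = datetime(2020, 6, 5, 10, 0, 0, tzinfo=timezone.utc)
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    lines = [
        f'10.0.0.5 - - [{base.strftime(fmt)}] "GET / HTTP/1.1" 200 1062 "-" "Mozilla/5.0"',
        f'10.0.0.5 - - [{(base + timedelta(seconds=1)).strftime(fmt)}] "GET /login.php HTTP/1.1" 200 882 "-" "Mozilla/5.0"',
        f'10.0.0.5 - - [{(base + timedelta(seconds=2)).strftime(fmt)}] "GET /favicon.ico HTTP/1.1" 404 276 "-" "Mozilla/5.0"',
    ]
    words = ["admin", "backup", "cgi-bin", "config", "css", "db", "dev", "docs", "files",
             "images", "include", "js", "lib", "logs", "old", "private", "secret", "test",
             "tmp", "upload", "uploads", "users", "vendor", "wp-admin", "assets"]
    for i, word in enumerate(words):
        ts = (base + timedelta(seconds=5 + i // 5)).strftime(fmt)
        status = 301 if word == "assets" else 404  # one real hit, the rest are misses
        lines.append(f'10.0.0.9 - - [{ts}] "GET /{word} HTTP/1.1" {status} 276 "-" "Wfuzz/2.2.11"')
    return lines


if __name__ == "__main__":
    for ip, info in detect_enumeration(build_sample_log()).items():
        print(f"{ip}: {info['requests']} requests, {info['not_found']} x 404, agent={info['agent']}")
```

The ratio test matters more than the user agent: wfuzz identifies itself by default, but the header is trivially changed, while the 404 burst is inherent to guessing paths from a wordlist.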

I also checked the robots.txt, and found some weird word blada.......
A login page was also found, so I need the password. Brute forcing the login page takes a lot of time and I don't think it's the right path: no result.
I tried SQL injection to bypass the login page: not working.

It was stupid: the word in the robots.txt is the password. :(

After login I found some sort of command page. I think we have command injection: run the command ls and read the secret file with the browser.
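The command page the post describes hands user-supplied text to a shell, which is the bug class that lets ls (or anything chained after it) run on the server. Below is an added example, not from the original post and written in Python rather than the PHP the box uses, that places the vulnerable pattern next to a hardened handler: the hardened version accepts only an allowlisted command with allowlisted arguments, executes it without a shell, and applies a timeout so a long-running command such as ping cannot hang the worker. The allowlist contents and the five-second timeout are assumptions.

```python
import shlex
import subprocess

# Assumed policy: the only commands the page may run and the argument strings each accepts.
ALLOWED_COMMANDS = {
    "ls": {"-l", "-a", "-la", "-al"},
    "whoami": set(),
    "id": set(),
}
SHELL_METACHARS = set(";|&$`<>\n\\")


def run_unsafe(user_input):
    """BEFORE: the bug class the post describes. shell=True hands the raw string to /bin/sh,
    so an input such as "ls; cat /etc/passwd" runs two commands. Kept only for contrast and
    never called anywhere in this file."""
    return subprocess.run(user_input, shell=True, capture_output=True, text=True).stdout


def validate_command(user_input):
    """AFTER: turn user text into an argv list only if it is an allowlisted command with
    allowlisted arguments; raise ValueError for anything else."""
    if any(c in SHELL_METACHARS for c in user_input):
        raise ValueError("shell metacharacter in input")
    argv = shlex.split(user_input)  # whitespace split honouring quotes; no expansion
    if not argv:
        raise ValueError("empty command")
    name, args = argv[0], argv[1:]
    allowed_args = ALLOWED_COMMANDS.get(name)
    if allowed_args is None:
        raise ValueError(f"command not allowed: {name!r}")
    bad = [a for a in args if a not in allowed_args]
    if bad:
        raise ValueError(f"argument not allowed for {name}: {bad[0]!r}")
    return [name, *args]


def is_safe(user_input):
    """True if validate_command would accept the input."""
    try:
        validate_command(user_input)
        return True
    except ValueError:
        return False


def run_safe(user_input, timeout=5):
    """Execute an already-validated argv list with no shell and a bounded runtime."""
    argv = validate_command(user_input)
    proc = subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=timeout)
    return proc.stdout


if __name__ == "__main__":
    for candidate in ["ls -la", "ls; cat /etc/passwd", "ls $(id)", "ping -c 1 127.0.0.1"]:
        print(f"{candidate!r:32} -> {'allowed' if is_safe(candidate) else 'rejected'}")
    print(run_safe("ls -la"))
```

The metacharacter check is defence in depth only; the allowlist is what actually decides. Without it, shlex.split would still turn "ls; id" into the tokens ["ls;", "id"], which fail the lookup, but an explicit reject gives a clearer log line for the operator.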

So let's get a shell now. The shell was easy with the GTFOBins bash entry. After sudo -l you can understand that you have the possibility to run all sorts of commands with sudo and read all the files for ingredients two and three.
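The sudo -l result described above (the web user may run anything with sudo) is a policy misconfiguration that can be caught before anyone lands on the box. The following is an added example, not from the original post, that audits sudoers-style lines and flags unrestricted grants, NOPASSWD entries, and binaries that GTFOBins documents as shell escapes. The sample sudoers content, the subset of escape binaries and the severity scale are constructed assumptions, not this box's real configuration.

```python
import re
from os.path import basename

# Subset of binaries GTFOBins lists as giving a shell when run under sudo (assumed list).
SHELL_ESCAPES = {"bash", "sh", "dash", "zsh", "vi", "vim", "nano", "less", "more",
                 "find", "awk", "perl", "python", "python3", "env", "man", "tar"}
# Principals for which an unrestricted grant is the expected administrative setup.
ADMIN_PRINCIPALS = {"root", "%sudo", "%wheel", "%admin"}

SUDOERS_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"   # user host =
    r"(?:\((?P<runas>[^)]*)\)\s*)?"            # optional (runas_user[:runas_group])
    r"(?P<tags>(?:[A-Z]+:\s*)*)"               # optional tags such as NOPASSWD:
    r"(?P<cmds>.+)$"                           # comma-separated command list
)

# Constructed sample sudoers content (assumption, not the box's file).
SAMPLE_SUDOERS = """\
# constructed sample /etc/sudoers
Defaults        env_reset
root      ALL=(ALL:ALL) ALL
%sudo     ALL=(ALL:ALL) ALL
www-data  ALL=(ALL) NOPASSWD: ALL
deploy    ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
backup    ALL=(root) /usr/bin/vim /etc/backup.conf
"""


def audit_sudoers(text):
    """Return one finding dict per (user, command) grant with a severity and a reason."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "User_Alias", "Cmnd_Alias",
                                        "Host_Alias", "Runas_Alias")):
            continue
        m = SUDOERS_RE.match(line)
        if not m:
            continue
        user = m["user"]
        runas = (m["runas"] or "root").split(":")[0]
        nopasswd = "NOPASSWD" in m["tags"]
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            prog = basename(cmd.split()[0])
            if cmd == "ALL":
                severity = "info" if user in ADMIN_PRINCIPALS else "high"
                reason = "may run any command"
            elif prog in SHELL_ESCAPES:
                severity = "high"
                reason = f"{prog} can spawn a shell (GTFOBins)"
            elif nopasswd:
                severity = "medium"
                reason = "restricted command, but no password required"
            else:
                severity = "low"
                reason = "restricted command"
            findings.append({"user": user, "runas": runas, "command": cmd,
                             "nopasswd": nopasswd, "severity": severity, "reason": reason})
    return findings


def high_risk_users(text):
    """Sorted list of users holding at least one high-severity grant."""
    return sorted({f["user"] for f in audit_sudoers(text) if f["severity"] == "high"})


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        pw = "NOPASSWD" if f["nopasswd"] else "password"
        print(f"[{f['severity']:6}] {f['user']:10} ({f['runas']}) {f['command']:45} {pw}: {f['reason']}")
```

The parser covers the plain user/host/runas/tags/command form and skips alias definitions; a grant that references a Cmnd_Alias would need the alias expanded first, which is left out here to keep the example focused on the ALL and shell-escape cases.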

When I was in the box, the web application suffered from reflected XSS in the login page, and if you try to run ping it will hang and you have to restart the box. I also found in the portal.php page a comment that looks like a hash or base64 but is not used: maybe a rabbit hole.


Thank you for reading my blog. I know it's not very detailed or beautiful, but it gives you what you need or what you are missing while pentesting this box.

Kind regards
Abdel