đĨPickle Rick
Yes, the icon is a cucumber
Description
Rick has turned himself into a pickle, can you find him before its too late...
Download: https://drive.google.com/file/d/1ZULGK4p7cJQHNabmDHdtki-g1xNfHu0f/view?usp=share_link
Alternative Download Link: https://drive.google.com/file/d/1ZTp8qBLRfjitet8nOshTiqIwWDwonCh1/view?usp=share_link
7z Password: &y9PBYf8gZ^996s9
TL;DR
Scan victim machine with nmap to find http running on port 5000
The website allows uploading of pickle files, upload a pickle RCE reverse shell payload
Privesc from sudo /opt/clean_pickle.sh, replacing PATH env to a dir containing a file named 'rm', which creates a shell as root
Get aws creds from /root dir
Login to aws using aws cli and list the files in the storage, flag is in the container.
Solution
Setup
Unzipping the 7zip file with the password given, we are returned with a pickle-shop.ova
file which we can open as a virtual machine in VMWare.
After opening it, we start the virtual machine and we are prompted with a login screen. Since we don't know the password, we cannot login.
Let's treat this as a hackthebox kind of challenge. We will open an attacker vm, configure both machines to be in the same network, then nmap the victim machine to see what ports are open.
To configure both vms to be in the same network in VMWare, we have to go to the VM tab > Settings > Network Adapter, then select Custom > VMnet0. Do the same for the attacker machine.
Now the attacker and victim machines are in the same network, we can run ip addr
on the attacker machine to check the network we are in.
For me, my machine's ip address is 192.168.10.133
and it is in the 192.168.10.0.24
network.
To find the ip address of the victim machine, we can just do a ping sweep of the network by running nmap -sP 192.168.10.1-255
. This command tells us which hosts are up.
In my case, the victim's machine ip address is 192.168.10.142
. We now scan for open ports and their services by running nmap -sC -sV -T4 -p- 192.168.10.142
.
The results show that http is being hosted on port 5000
. Let's visit it through a web browser.
We find that it is a simple login page. Looking at the source code doesn't return any useful info, so let's perform the usual ritual of trying SQL Injection.
Inputting "
as the username returns an error message 'why u break my website smh :crying emoji:!'.
We can try the generic payload "or"1"="1
that returns true
for logging in, but another error message is returned 'Hacker Detected đ x7, mai geh siao, try harder leh'. It seems that this challenge creator is a hard sadist and included a bunch of words in his list of nono words đ¤Ļââī¸đ¤Ļââī¸đ¤Ļââī¸.
After trying different payloads, the simplest payload that bypasses the login is "or"
for the username and password.
Now we are logged in and we can upload a pickle đĨ.
Pickle RCE
We know the generic pickle insecure deserialization to RCE, so it is most likely it in this case.
I always refer to this article for python pickle RCE.
So we create our own python pickle serializer according to the article and create a payload that creates a reverse shell.
Start a netcat listener, upload the pickle file, and we have a shell!
Privesc
The first thing I tried to run is sudo -l
to check what commands I could run with sudo privilege.
This states that we can run /opt/clean_pickle.sh
with root privileges without needing a password. Let's check what is in clean_pickle.sh
.
The bash script uses runs rm
without an absolute path. What this means is that instead of running /usr/bin/rm -r ...
, it just runs rm -r ...
.
This is vulnerable to Command Forgery. We abuse this by creating our own rm
bash script under any directory, in this case we chose the /tmp
directory. The rm
file should contain:
This is to get a shell as root when root executes this rm
bash script.
Run chmod 777 /tmp/rm
to make it executable.
Now we can run sudo PATH=/tmp:$PATH /opt/clean_pickle.sh
to run clean_pickle.sh
as root, with the modified PATH
environment variable to where our rm
resides.
And now we have root!
Pivoting to Cloud
Looking at /root
, we see there is a .aws
directory and a credentials
file inside.
We can sign in to aws cli using this credential. I modified ~/.aws/credentials
to add the id and key (you will have to install aws cli first). You can also run aws configure
and input the id and key appropriately.
Now time to find where the flag actually is.
Finding the flag
The most common enumeration method for aws cloud is to list the buckets the account have access to. We can run aws s3api list-buckets
to list the buckets.
The aws key is now sadly revoked and invalid, so I can't show the last few steps.
The flag is in one of the buckets and you can just use aws cli to get it.
Unfortunately, there was no pickle rick at all đĨ
Last updated