Pickle Rick

Pickle Rick

####################
正在进行目录扫描..._|. _ _  _  _  _ _|_    v0.4.3(_||| _) (/_(_|| (_| )Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12266Target: http://10.201.85.253/[23:30:49] Scanning: 
[23:31:18] 403 -   278B - /.php                                            
[23:32:29] 200 -    2KB - /assets/                                         
[23:32:29] 301 -   315B - /assets  ->  http://10.201.85.253/assets/        
[23:33:48] 200 -    1KB - /index.html                                      
[23:34:03] 200 -   882B - /login.php                                       
[23:35:05] 200 -    17B - /robots.txt                                      
[23:35:14] 403 -   278B - /server-status/                                  
[23:35:14] 403 -   278B - /server-status                                   Task Completed

主界面F12提示:

  <!--Note to self, remember username!Username: R1ckRul3s-->

/robots.txt中有:Wubbalubbadubdub,猜测是密码.

/login.php 登陆一下

登进去有rce:

-rwxr-xr-x 1 ubuntu ubuntu   17 Feb 10  2019 Sup3rS3cretPickl3Ingred.txt
drwxrwxr-x 2 ubuntu ubuntu 4096 Feb 10  2019 assets
-rwxr-xr-x 1 ubuntu ubuntu   54 Feb 10  2019 clue.txt
-rwxr-xr-x 1 ubuntu ubuntu 1105 Feb 10  2019 denied.php
-rwxrwxrwx 1 ubuntu ubuntu 1062 Feb 10  2019 index.html
-rwxr-xr-x 1 ubuntu ubuntu 1438 Feb 10  2019 login.php
-rwxr-xr-x 1 ubuntu ubuntu 2044 Feb 10  2019 portal.php
-rwxr-xr-x 1 ubuntu ubuntu   17 Feb 10  2019 robots.txt

但使用cat读取的时候发现Command disabled to make it hard for future **PICKLEEEE RICCCKKKK**

应该是被waf了,我们来尝试绕过一下或者换其他命令比如nl

读到Sup3rS3cretPickl3Ingred.txt为:mr. meeseek hair

clue.txt:Look around the file system for the other ingredient.

在home下找到原料2

利用sudo -l提权,发现任意命令都可以无密码获得root权限,在root下有原料3.