In this walkthrough, we will go through the Pickle Rick room from TryHackMe. This Rick and Morty-themed challenge requires us to exploit a web server and find three ingredients to help Rick make his potion and transform himself back into a human from a pickle. Sounds interesting, so let’s get started without any delay.
Objective: This Rick and Morty themed challenge requires you to exploit a webserver to find 3 ingredients that will help Rick make his potion to transform himself back into a human from a pickle.
Task 1 – Pickle Rick
- I started by pinging the target to check whether it is live. Got a response back, so let’s move ahead.
- I started with the old school nmap ritual on the target. The response gives 2 ports open – HTTP (80) & SSH (22).
sudo nmap -T4 -p- -A 10.10.185.193
- Let’s start by enumerating the web server running on port 80. Exploring the home page, I found a username in the page source code.
- Username: R1ckRul3s
- Next, let’s perform some directory bruteforcing using gobuster on the target. Hopefully, we will find something useful.
gobuster dir -u http://10.10.185.193 -w wordlist
- The result shows “robots.txt” and “assets”, which look interesting. Let’s start with “robots.txt”.
- Exploring robots.txt gave me a string – “Wubbalubbadubdub”. Maybe it’s a password; we already got a username before.
- When I tried to SSH in with the previously found username R1ckRul3s, we were denied, as SSH is configured to log in with an SSH public key.
- I had also started nikto in the background while I was doing the manual enumeration. Got a hit on that – login.php. Looks like a login panel.
nikto -h 10.10.185.193
- Next, I navigated to the login panel on http://10.10.185.193/login.php, tried logging in with the following creds and got in successfully.
- The backend contains a command panel which can execute commands on the server. Pretty slick, right? Let’s try some common commands.
- I tried the ls command and got a number of files on the server. Two files look interesting – Sup3rS3cretPickl3Ingred.txt and clue.txt. Let’s see what’s inside them.
- Got an error – command disabled. Looks like the server is filtering the commands that are executed via the command panel. We have to work around it. As “cat” was disabled by the server, I tried the “less” command and got our first ingredient.
- Let’s peek into the clue.txt file.
- The clue directs us to look around the file system, but we are restricted from breaking out of the current directory. As we are unable to move freely within the file system, we should check whether the web application is vulnerable to Directory Traversal.
cd ../../../../../; ls -al; pwd
- Looks like it is vulnerable as we were able to navigate to the root. Let’s look around.
cd ../../../../ && ls -al
- Looking into the home directory of user rick gives us our second ingredient.
cd ../../../../home && ls -al
cd ../../../../home/rick && ls -al
cd ../../../../home/rick/ && less "second ingredients"
- To find the final ingredient, we have to escalate our privileges. Let’s see if there is any sudo misconfiguration on the server which we can take advantage of.
- Looks like we can run sudo for all commands without any password. That’s some golden shit we got. Let’s get the final ingredient and turn Rick back into his human form.
sudo ls /root/
sudo less /root/3rd.txt
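
The filter behaviour seen above (“cat” blocked, “less” and the cd ../.. chain accepted) is what a command-name denylist produces. The sketch below is an added example, not the room's code: denylist_allows is a hypothetical model of that filter, and build_argv is one hardened alternative, with the WEB_ROOT path and the action names assumed.

```python
from pathlib import Path

# Hypothetical model of the panel's filter; the page only confirms "cat" is blocked.
DENYLIST = {"cat"}

def denylist_allows(command):
    """Weak check: accept any input that does not name a blocked program."""
    return not any(word in DENYLIST for word in command.split())

# Hardened alternative: the user picks an action, never types a command line.
WEB_ROOT = Path("/var/www/html").resolve()  # assumed document root
ACTIONS = {"list": ["ls", "-al", "--"], "show": ["cat", "--"]}  # assumed names

def build_argv(action, name="."):
    """Return an argv list for subprocess.run(argv), which uses no shell.

    Raises ValueError for unknown actions and for paths outside WEB_ROOT.
    """
    if action not in ACTIONS:
        raise ValueError("unknown action: %r" % action)
    target = (WEB_ROOT / name).resolve()  # collapses ../ and follows symlinks
    if target != WEB_ROOT and WEB_ROOT not in target.parents:
        raise ValueError("path escapes web root: %r" % name)
    return ACTIONS[action] + [str(target)]

if __name__ == "__main__":
    # Inputs taken from the walkthrough above.
    for cmd in ("cat Sup3rS3cretPickl3Ingred.txt",
                "less Sup3rS3cretPickl3Ingred.txt",
                "cd ../../../../home/rick && ls -al"):
        print("denylist", "allows" if denylist_allows(cmd) else "blocks", repr(cmd))
    for action, name in (("show", "clue.txt"), ("less", "clue.txt"),
                         ("list", "../../../../home/rick")):
        try:
            print("allowlist runs", build_argv(action, name))
        except ValueError as exc:
            print("allowlist rejects:", exc)
```

Containment only limits where the panel can read; sensitive files still should not sit in the directory it serves.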
Question 1 – What is the first ingredient Rick needs?
mr. meeseek hair
Question 2 – What’s the second ingredient Rick needs?
1 jerry tear
Question 3 – What’s the final ingredient Rick needs?
So that was “Pickle Rick” for you. Let’s sum it up quickly. We started by performing an nmap scan and found 2 ports open: HTTP and SSH. Next, we analyzed the page source code and found a username – R1ckRul3s. Moving on, we performed directory bruteforcing with gobuster and found robots.txt, which contained the string Wubbalubbadubdub. While we were dealing with this, our nikto scan found login.php. We logged into the portal using the creds found earlier. Further, command injection was found on the server, which gave us the flag using the less command. Next, we performed directory traversal for the second flag. The third flag was found by escalating our privileges using a sudo misconfiguration. Well, that was really a fun room, and we all love Rick, obviously. So, not helping him was never an option. That reminded me that I have to find the meaning of my life with the help of Mr. Meeseeks. So, “keep hacking” till then, and wish me luck in my pursuit.