Tryhackme - Pickle Rick


In this walkthrough, we will go through the Pickle Rick room from Tryhackme. This Rick and Morty-themed challenge requires us to exploit a web server and find three ingredients to help Rick make his potion and transform himself back into a human from a pickle. Sounds interesting, so let’s get started without any delay.


Machine Info:

Title: Pickle Rick
IP address: 10.10.185.193
Difficulty: Easy
Objective: This Rick and Morty themed challenge requires you to exploit a webserver to find 3 ingredients that will help Rick make his potion to transform himself back into a human from a pickle.

Task 1 – Pickle Rick

Enumeration:

  • I started by pinging the target to check whether it is live. Got a response back, so let’s move ahead.

Pinging the box
  • I started with the old school nmap ritual on the target. The response shows 2 open ports – HTTP (80) & SSH (22).
sudo nmap -T4 -p- -A 10.10.185.193
nmap scan
  • Let’s start by enumerating the web server running on port 80. Exploring the home page, I found a username in the page source code.
Home page
  • Username: R1ckRul3s
Page Source Code
  • Next, let’s perform some directory bruteforcing using gobuster on the target. Hopefully, we will find something useful.
gobuster dir -u http://10.10.185.193 -w wordlist

gobuster scan

  • The result shows “robots.txt” and “assets”, which look interesting. Let’s start with “robots.txt”.
  • Exploring robots.txt gave me a string – “Wubbalubbadubdub”. Maybe it’s a password; we already got a username before.
robots.txt
  • When I tried to SSH in with the previously found username R1ckRul3s, I was denied, as SSH is configured to log in with an SSH public key.
SSH login try
  • I had also started nikto in the background while I was doing the manual enumeration. Got a hit on that – login.php. Looks like a login panel.
nikto -h 10.10.185.193
Nikto scan

Initial Access:

  • Next, I navigated to the login panel at http://10.10.185.193/login.php, tried logging in with the following creds, and got in successfully.

Username: R1ckRul3s

Password: Wubbalubbadubdub

Command Panel
  • The backend contains a command panel which can execute commands on the server. Pretty slick, right? Let’s try some common commands.
ls
Command Panel - ls
  • I tried the ls command and got a number of files on the server. Two files look interesting – Sup3rS3cretPickl3Ingred.txt and clue.txt. Let’s see what’s inside them.
cat clue.txt
Command Disabled
  • Got an error – command disabled. Looks like the server is filtering the commands that are executed via the command panel, so we need a workaround. As “cat” was disabled by the server, I tried the “less” command and got our first ingredient.
less Sup3rS3cretPickl3Ingred.txt
Sup3rS3cretPickl3Ingred.txt
  • Let’s peek into the clue.txt file.
clue.txt
  • The clue directs us to look around the file system, but we are restricted from breaking out of the current directory. As we are unable to move freely within the file system, we should check whether the web application is vulnerable to Directory Traversal.
cd ../../../../../; ls -al; pwd
root
  • Looks like it is vulnerable as we were able to navigate to the root. Let’s look around.
cd ../../../../ && ls -al
root directory
  • Looking into the home directory of user rick gives us our second ingredient.
cd ../../../../home && ls -al
rick
cd ../../../../home/rick && ls -al
second ingredients
cd ../../../../home/rick/ && less "second ingredients"
1 jerry tear
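
An added example, not part of the original walkthrough or the room's own code: a Python model of why a word filter that refuses "cat" still passes "less" and "cd ../..", next to an allowlist design where the client sends a named action and a file name instead of a command string. The denylist contents, the action names and the /var/www/html web root are assumptions.

```python
import os

# Assumed denylist: the walkthrough only shows that "cat" is refused.
DENIED_WORDS = {"cat"}

def denylist_permits(command):
    """Weak filter: pass any command line that contains no denied word."""
    return not any(word in DENIED_WORDS for word in command.split())

# Hardened design: the client names an action, the server owns the argv.
ACTIONS = {                      # hypothetical action names
    "list": ["ls", "-l", "--"],
    "show": ["head", "-c", "4096", "--"],
}
BASE_DIR = os.path.realpath("/var/www/html")   # assumed web root

def build_argv(action, name="."):
    """Return argv for subprocess.run(argv, shell=False); raise if refused."""
    if action not in ACTIONS:
        raise ValueError("unknown action: %r" % action)
    # Resolve "..", absolute paths and symlinks before comparing to the root.
    target = os.path.realpath(os.path.join(BASE_DIR, name))
    if os.path.commonpath([BASE_DIR, target]) != BASE_DIR:
        raise ValueError("path leaves %s: %r" % (BASE_DIR, name))
    return ACTIONS[action] + [target]

def allowlist_permits(action, name="."):
    """True when the request maps to a fixed argv inside BASE_DIR."""
    try:
        build_argv(action, name)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Command lines taken from the walkthrough above.
    for cmd in ("cat clue.txt", "less Sup3rS3cretPickl3Ingred.txt",
                "cd ../../../../home && ls -al", "sudo less /root/3rd.txt"):
        print("denylist ", denylist_permits(cmd), cmd)
    for req in (("show", "clue.txt"), ("show", "/root/3rd.txt"),
                ("show", "../../../../home/rick/second ingredients"),
                ("less", "clue.txt")):
        print("allowlist", allowlist_permits(*req), req)
```

The allowlist only narrows what the web user can be asked to do; the sudo rule covered in the next section has to be fixed separately.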

Privilege Escalation:

  • To find the final ingredient, we have to escalate our privileges. Let’s see if there is any sudo misconfiguration on the server which we can take advantage of.
sudo -l
sudo -l
  • Looks like we can run sudo for all commands without any password. That’s some golden shit we got. Let’s get the final ingredient and turn Rick back into his human form.
sudo ls /root/
3rd.txt
sudo less /root/3rd.txt
3rd ingredients
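
An added example, not part of the original walkthrough: a small Python audit that reads sudoers-format text and reports every rule granting ALL commands with NOPASSWD, the misconfiguration used above. The sample rules and account names (including www-data) are constructed for illustration; the room's actual sudoers file is not shown on this page.

```python
import re

# Constructed sample in sudoers syntax (not taken from the target machine).
SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
www-data ALL=(ALL) NOPASSWD: ALL
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx, PASSWD: ALL
"""

# user host = (runas) command-list ; the runas part is optional
SPEC = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
                  r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
SKIP = ("#", "@include", "Defaults", "User_Alias", "Runas_Alias",
        "Host_Alias", "Cmnd_Alias")
TAG = re.compile(r"([A-Z_]+):\s*")

def risky_rules(sudoers_text):
    """Return (line number, who, runas) for each passwordless ALL rule."""
    findings = []
    for lineno, raw in enumerate(sudoers_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(SKIP):
            continue
        m = SPEC.match(line)
        if not m:
            continue
        nopasswd = False          # tags carry over to later commands in the list
        for cmd in m["cmds"].split(","):
            cmd = cmd.strip()
            while (t := TAG.match(cmd)):      # tags can be stacked
                if t[1] == "NOPASSWD":
                    nopasswd = True
                elif t[1] == "PASSWD":
                    nopasswd = False
                cmd = cmd[t.end():]
            if cmd == "ALL" and nopasswd:
                findings.append((lineno, m["who"], m["runas"] or "root"))
                break
    return findings

if __name__ == "__main__":
    for lineno, who, runas in risky_rules(SAMPLE_SUDOERS):
        print("line %d: %s may run ALL as %s without a password" % (lineno, who, runas))
```

The parser does not expand aliases, include files or backslash line continuations, so feed it the merged rules for a full audit.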

Question 1 – What is the first ingredient Rick needs?

mr. meeseek hair

Question 2 – Whats the second ingredient Rick needs?

1 jerry tear

Question 3 – Whats the final ingredient Rick needs?

fleeb juice
Task 1 - Pickle Rick


Conclusion:


So that was “Pickle Rick” for you. Let’s sum it up quickly. We started by performing an nmap scan and found 2 ports open: HTTP and SSH. Next, we analyzed the page source code and found a username – R1ckRul3s. Moving on, we performed directory bruteforcing with gobuster and found robots.txt, which contained the string Wubbalubbadubdub. While we were dealing with this, our nikto scan found login.php. We logged into the portal using the creds found earlier. Further, Command Injection was found on the server, which gave us the first flag using the less command. Next, we performed Directory Traversal for the second flag. The third flag was found by escalating our privileges using a sudo misconfiguration. Well, that was really a fun room and we all love Rick obviously. So, not helping him was never an option. That reminded me that I have to find the meaning of my life with the help of Mr. Meeseeks. So, “keep hacking” till then and wish me luck for my pursuit.
