TryHackMe CTF: Pickle Rick — Walkthrough

Jasper Alblas
6 min read · Jun 22, 2022


Hi! It’s time for another CTF on TryHackMe. This time we are having a look at Pickle Rick, which is a nice thematic challenge. Let’s go!

I am making these walkthroughs to keep myself motivated to learn cyber security, and to ensure that I remember the knowledge gained from THM's rooms. Join me in learning cyber security. I will try to explain concepts as I go, to differentiate myself from other walkthroughs.

Room URL: https://tryhackme.com/room/picklerick

Task 1 (Pickle Rick)

This Rick and Morty themed challenge requires you to exploit a webserver to find 3 ingredients that will help Rick make his potion to transform himself back into a human from a pickle.

Deploy the virtual machine on this task and explore the web application: <ip>

You can also access the web app using the following link: https://10-10-216-57.p.thmlabs.com (this will update when the machine has fully started)

Enumeration

Let’s get going! The first thing we should do is take a thorough look at the machine. This includes both the homepage itself, as well as the server and network.

Home page

There is not much to see or do. So let’s move on straight ahead.

Source code

Let’s look at the source code. Here we find a username:

Let’s definitely remember this. But nowhere to use it for now.

But there is a warning in the console:

Burp Suite

It is also a good idea to do a simple GET request to the homepage, and intercept it in Burp. This gives the following info:

We can see a PHPSESSID cookie, which tells us that the server-side application is written in PHP.

Wappalyzer

Wappalyzer is a browser plugin for Firefox that can be used to find out some info about the web server, frameworks, and more. This is an alternative to manually inspecting the different aspects. It gives us the following info:

Nmap

Web pages normally run on port 80 (HTTP) and 443 (HTTPS), but can be run on any port, so let's use Nmap to find out more. In the scan below, -sS is a SYN scan, -Pn skips host discovery, -T4 speeds up the timing and -p- scans all 65535 ports:

nmap -sS -Pn -T4 -p- 10.10.129.55

Now that we know about ports 22 and 80, we can get more info on them by using the -A flag (OS and version detection, script scanning and traceroute):

sudo nmap -A -Pn -T4 -p22,80 TARGET_IP

We found out the version of SSH running on port 22 and its host keys, as well as more info on the web server on port 80.

Nikto

Nikto is a web server scanner. It outputs the following (nikto -h <ip>):

Interesting. It found a login page! This also confirms that we are dealing with PHP. Let's look at that later, after we have used Gobuster.

We also found a robots.txt file. A robots.txt file tells search engine crawlers which URLs they may access on your site. Because it is public and often lists paths the owner would rather not have indexed, it can be a source of valuable information in a CTF. In this case the robots.txt exists and contains the following text:

Wubbalubbadubdub

Hmmm?

Gobuster

Gobuster can be used to brute-force directories and files on a website. Let's run a Gobuster scan to get a feel for the directory structure of the website:

gobuster dir -u 10.10.129.55 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Gobuster found two directories, assets and server-status. We don't have permission to visit server-status, but let's take a look at assets:

The .js files seem normal, and so do the images.

Let's run Gobuster again, but now with specific file extensions to look for. We know that the server is running PHP, and therefore we can search specifically for that type of file, as well as for .html and .txt files.

Now we are talking:

Lots of interesting files and pages.

We found a login.php page:

And a portal.php and denied.php page, which return a 302 (a temporary redirect, here presumably to the login page).
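From the defender's side, a scan like the one above leaves a very recognisable trail in the web server's access log. As an added example (my code, not part of the original post), here is a small detector that parses Apache combined-format lines and flags sources that either announce a scanner User-Agent or generate a high share of 404s; the log lines are constructed for the example and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format lines (not from the original post): one
# ordinary visitor and one source probing many paths with a scanner User-Agent.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Jun/2022:10:00:01 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.5 - - [22/Jun/2022:10:00:02 +0000] "GET /assets/bootstrap.min.css HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
10.0.0.9 - - [22/Jun/2022:10:00:03 +0000] "GET /admin HTTP/1.1" 404 275 "-" "gobuster/3.1.0"
10.0.0.9 - - [22/Jun/2022:10:00:03 +0000] "GET /backup HTTP/1.1" 404 275 "-" "gobuster/3.1.0"
10.0.0.9 - - [22/Jun/2022:10:00:03 +0000] "GET /login.php HTTP/1.1" 200 882 "-" "gobuster/3.1.0"
10.0.0.9 - - [22/Jun/2022:10:00:04 +0000] "GET /robots.txt HTTP/1.1" 200 17 "-" "gobuster/3.1.0"
10.0.0.9 - - [22/Jun/2022:10:00:04 +0000] "GET /test.txt HTTP/1.1" 404 275 "-" "gobuster/3.1.0"
10.0.0.9 - - [22/Jun/2022:10:00:04 +0000] "GET /portal.php HTTP/1.1" 302 0 "-" "gobuster/3.1.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_scanners(log_text, min_requests=5, miss_ratio=0.5):
    """Return {ip: summary} for sources that look like directory brute-forcing:
    a scanner User-Agent, or enough requests with a high share of 404s."""
    per_ip = defaultdict(lambda: {"requests": 0, "misses": 0, "agents": set(), "hits": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_ip[rec["ip"]]
        s["requests"] += 1
        s["agents"].add(rec["ua"].lower())
        if rec["status"] == "404":
            s["misses"] += 1
        elif rec["path"] != "/":
            s["hits"].append(rec["path"])  # non-404 paths: what the scan actually found
    flagged = {}
    for ip, s in per_ip.items():
        scanner_ua = any(tool in ua for ua in s["agents"] for tool in ("gobuster", "nikto"))
        noisy = s["requests"] >= min_requests and s["misses"] / s["requests"] >= miss_ratio
        if scanner_ua or noisy:
            flagged[ip] = {"requests": s["requests"], "misses": s["misses"],
                           "found": sorted(s["hits"])}
    return flagged
```

The "found" list is the useful part for triage: it tells you which of the probed paths actually exist, which is exactly what the attacker learned.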

Let’s try the portal login page. We have a username: R1ckRul3s, and also have found the text Wubbalubbadubdub in the robots.txt file. Might this be a password?

HURRAH!

I guess it is time for some Command Injection!

Look at that! A text file called Sup3rPickl3Ingred.txt. That seems like something worth checking out.

We are not allowed to use the cat command :(

Luckily, we can use other commands to read a file. Nano? Nope... Less? YES! Tac is possible as well.

Let's continue entering commands. If we enter tac portal.php we can read the source of portal.php itself. We get to see some interesting code:

This shows us the commands that are blocked: the page checks the input against a fixed list of command names and refuses those, but anything not on the list is passed through.

It seems that sudo is not blocked. We can use sudo -l to list the commands we are allowed to run with sudo:

This means that we can run any command (well, except for the 7 blocked by the portal) without a password!

Before moving on, remember the clue.txt file we found, which says:
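The root cause here is worth making concrete. As an added example (my code, not the room's portal.php, which is PHP), this Python model contrasts the denylist pattern the post describes, where only named commands are rejected and the rest of the string still reaches a shell, with an allowlist that never hands user input to a shell at all. The post only confirms that cat is blocked while tac, less and sudo pass, so the other DENYLIST entries are assumed.

```python
import shlex
import subprocess

# Constructed stand-in for the portal's denylist. The post only confirms that
# "cat" is blocked while "tac", "less" and "sudo" pass, so the other entries are
# illustrative, not the room's actual list of seven.
DENYLIST = {"cat", "head", "more", "tail", "nano", "vim", "vi"}

def denylist_allows(command):
    """Model of the weak filter: reject the string if it contains a blocked word.
    Anything not on the list, including sudo, passes straight through."""
    return not any(word in command for word in DENYLIST)

# Hardened design: exact allowlisted programs, a validated argument, and no shell,
# so metacharacters such as ';', '|' or '$(...)' are never interpreted.
ALLOWED_PROGRAMS = {"ls": ["ls", "-l"], "whoami": ["whoami"]}

def allowlist_check(command):
    """Return (accepted, argv): only an allowlisted program with at most one
    plain relative-name argument is turned into an argv list."""
    try:
        parts = shlex.split(command)
    except ValueError:  # unbalanced quotes
        return False, None
    if not parts or parts[0] not in ALLOWED_PROGRAMS or len(parts) > 2:
        return False, None
    argv = list(ALLOWED_PROGRAMS[parts[0]])
    if len(parts) == 2:
        arg = parts[1]
        if arg.startswith("-") or "/" in arg or arg in ("", ".", ".."):
            return False, None
        argv.append(arg)
    return True, argv

def execute(command):
    """Run an accepted command with shell=False; return None if it was rejected."""
    accepted, argv = allowlist_check(command)
    if not accepted:
        return None
    return subprocess.run(argv, capture_output=True, text=True, shell=False).stdout
```

Note that the hardened version also removes the need for the web server account to have any sudo rights, which is the second misconfiguration the post exploits.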

Look around the file system for the other ingredient.

So we should be looking more around in the file system!

Nothing in the root. Let’s look in the home directory.

Interesting. Let’s look in the rick home directory. There we are:

Read it to find the second ingredient:

Finally, we can look at the root user's home directory. To list the files in that directory we need to prefix ls with sudo:

Read 3rd.txt with tac or less:

We are done!

Questions

What is the first ingredient Rick needs?

Answer: mr. meeseek hair

What's the second ingredient Rick needs?

Answer: 1 jerry tear

What's the final ingredient Rick needs?

Answer: fleeb juice

That was awesome. It was my first CTF done, and I definitely had to stop myself from overthinking :)

In the end all it took was some looking around in the source code and the robots.txt file, and then some command injection :)

Like my articles?

You are welcome to give my article a clap or two :)
I would be so grateful if you support me by buying me a cup of coffee:

I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:



Jasper Alblas

35 year old Dutchman living in Denmark. I blog about Cyber Security. Feel free to contact me at @JAlblas on LinkedIn and X, or at https://www.jalblas.com