TryHackMe Pickle Rick CTF Walkthrough | by Cyber Lee

Cyber Lee
6 min read · Nov 8, 2023

TryHackMe Pickle Rick CTF image with Rick holding his ray blaster

Are you a fan of the popular show Rick and Morty and want to test your hacking skills? Well, you’re in for a treat!

In this beginner-friendly guide, we will walk you through the “Pickle Rick” Capture The Flag (CTF) challenge on TryHackMe. This themed room is inspired by the hilarious episode where Rick turns himself into a pickle. To help turn Rick back into a human, you’ll explore a web server, find vulnerabilities, exploit them, and gather three secret ingredients.

Getting Started: Deploy and Scan

To begin your adventure, you’ll need to deploy the machine and get the IP address. Like any good hacker, we start our journey with information gathering. We kick off with an Nmap scan to uncover as much information as possible.

The scan reveals two open ports: port 22/tcp for SSH and port 80/tcp for the webserver (HTTP service). We also get a glimpse of the software versions running on these ports.

Scanning for Vulnerabilities

To identify vulnerabilities, we turn to Nessus (there are other scanners available). Using the Web Application Test policy, we scan the target’s IP address. The results unveil several potential issues, including browsable web directories, multiple vulnerabilities in the HTTP service and a web application sitemap, among others.

A Nessus dashboard showing the vulnerabilities after a completed scan.

Exploring the Results

Our investigation leads us to the HTTP Information and its output.

While reviewing these findings, we discover a username, which we note for future reference: ‘R1ckRul3s’.

Now we have to figure out where we can use this username.

Scanning with dirsearch

To further delve into the website, we utilize the ‘dirsearch’ tool to scan it.

This scan reveals additional links, including the ‘/assets/’ directory that we identified during the Nessus scan. We also uncover the following links:

1. /index.html
2. /login.php
3. /robots.txt

Among these links, the ‘login.php’ page grabs our attention. As the name suggests, it’s a login page. This is where we can input the username we found earlier. Now, the challenge is to discover the corresponding password.

We also explore the ‘robots.txt’ page, which contains seemingly random text.

Without much to lose, we attempt to use this text as the password, and to our surprise, it works!

Entering the Dashboard

With our newfound credentials (R1ckRul3s as the username and the password from “/robots.txt”), we successfully log in. Upon login, a dashboard opens up. However, we realize that we can only access the command panel, as the other tabs are restricted to the REAL RICK!

The Command Panel

Within the command panel, Linux commands come into play. We start exploring our options. We use ‘ls -al; pwd’ to list the directory contents and print the working directory, revealing some interesting items, including a “Sup3rS3cretPickl3Ingred.txt” file and a ‘clue.txt’ file.

While attempting to use the ‘cat’ command to view the ‘clue.txt’ file and the “Sup3rS3cretPickl3Ingred.txt” file, we encounter some issues.

Recalling how we reached ‘login.php’ by adding its path to the IP address, we try the same approach with the “Sup3rS3cretPickl3Ingred.txt” file, and it works! We find the first ingredient.

An image showing the first ingredient of the Pickle Rick CTF

Uncovering Clues

Next, we attempt to view the ‘clue.txt’ file using the same method, and it works as well, revealing the clue.

Note: As I progressed, I discovered I could’ve used the ‘less’ command to view the file, so you can use that instead.

Now, our mission is to find the other ingredients. We know that command injection is possible, so we decide to change paths and navigate to the root directory. Since we are in ‘/var/www/html’, we first try ‘cd ../; ls -al; pwd’. This takes us back one directory, lists all items in that directory, and prints the working directory.

This attempt leads us to ‘/var/www’.

Exploring the Root Directory

So, we modify the command to ‘cd ../../../; ls -al; pwd’, and it works. We can now see that we are in the root directory.

Our exploration continues, and naturally, we are drawn to the home directory. Here, we find two subdirectories: ‘rick’ and ‘Ubuntu’.

Unearthing Ingredients

Checking the ‘rick’ directory, we discover a ‘second ingredients’ file. To view its content, we try various commands like ‘more’, ‘head’ and ‘tail’, but none of them work. In the end, we use the ‘less’ command, and it works. We find the second ingredient.

Note: The filename is wrapped in quotation marks because it contains a space, so the shell treats it as a single filename.

An image showing the second ingredient of the Pickle Rick CTF

With the second ingredient in hand, we are determined to search for the third. After exploring other directories, we are left with the root directory, which we can’t access as a regular user.
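The command panel refused ‘cat’, ‘more’, ‘head’ and ‘tail’ but accepted ‘less’ and chained commands, which is the usual failure of filtering by denylist. The sketch below is an added example, not code from the room or the original walkthrough: the denylist contents are inferred from the behaviour described above, and the allowlist and its permitted programs are hypothetical.

```python
import shlex

# Assumed denylist: the walkthrough only shows that cat, head, tail and more
# were refused while less was not; the room's real filter is not on the page.
DENYLIST = {"cat", "head", "tail", "more"}

# Hypothetical allowlist for a diagnostics panel: program -> permitted flags.
ALLOWED = {"ls": {"-al", "-l", "-a"}, "pwd": set(), "uptime": set()}
SHELL_META = set(";|&`$<>(){}\\\n")


def denylist_permits(command: str) -> bool:
    """Weak check: refuse only if a denylisted word appears in the input."""
    return not any(word in command for word in DENYLIST)


def allowlist_parse(command: str):
    """Strict check: return an argv list suitable for
    subprocess.run(argv, shell=False), or None unless the input is exactly
    one allowlisted program with allowlisted flags."""
    if any(ch in SHELL_META for ch in command):
        return None          # no chaining, substitution or redirection
    try:
        argv = shlex.split(command)
    except ValueError:       # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED:
        return None
    if any(arg not in ALLOWED[argv[0]] for arg in argv[1:]):
        return None          # no free-form paths, so no ../ or /root
    return argv


def compare(commands):
    """Return {command: (denylist verdict, allowlist verdict)}."""
    return {c: (denylist_permits(c), allowlist_parse(c) is not None)
            for c in commands}


# Commands quoted in the walkthrough, plus one benign request.
SAMPLES = ["ls -al; pwd", "cat clue.txt", "less clue.txt",
           "cd ../../../; ls -al; pwd", "sudo less /root/3rd.txt", "ls -al"]

if __name__ == "__main__":
    for cmd, (deny_ok, allow_ok) in compare(SAMPLES).items():
        print(f"{cmd!r:32} denylist={deny_ok!s:5} allowlist={allow_ok}")
```

Only the plain ‘ls -al’ passes the allowlist, while the denylist lets through every command the walkthrough actually used apart from ‘cat’.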

Elevating Privileges

To address this challenge, we run ‘sudo -l’, which reveals that we can run commands with sudo without needing a password.

With this newfound knowledge, we use ‘sudo ls /root’ to list the contents of the root directory.

Note: I tried using sudo to cd into the directory but it didn’t work. Lol.

This action uncovers two items: ‘3rd.txt’ and ‘snap’. However, trying to view ‘3rd.txt’ without ‘sudo’ proves unsuccessful. To finally access ‘3rd.txt’, we use ‘sudo less /root/3rd.txt’, and there it is, the third ingredient.

An image showing the third ingredient of the Pickle Rick CTF
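The last step worked because the account behind the command panel had passwordless sudo. The audit below is an added example, not part of the original walkthrough: it flags NOPASSWD rules in sudoers text, and the sample file, including the account name www-data and the exact rule, is constructed for illustration.

```python
import re

# Constructed sudoers content. The account name www-data and the exact rule
# are assumptions; the walkthrough only reports that `sudo -l` showed
# commands could be run without a password.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset
root      ALL=(ALL:ALL) ALL
%admin    ALL=(ALL) ALL
www-data  ALL=(ALL) NOPASSWD: ALL
backup    ALL=(root) NOPASSWD: /usr/bin/rsync --server *
deploy    ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
"""

# who  host = (runas) [tags] commands
RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$"
)


def audit_sudoers(text: str):
    """Return (who, severity, reason) for every NOPASSWD rule found."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        # Comments, include directives and Defaults lines are out of scope.
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE.match(line)
        if not m or "NOPASSWD:" not in m["rest"]:
            continue
        cmds = [c.strip() for c in m["rest"].split("NOPASSWD:", 1)[1].split(",")]
        if "ALL" in cmds:
            findings.append((m["who"], "critical", "passwordless sudo for every command"))
        elif any("*" in c for c in cmds):
            findings.append((m["who"], "review", "passwordless command with wildcard arguments"))
        else:
            findings.append((m["who"], "info", "passwordless but pinned to fixed commands"))
    return findings


if __name__ == "__main__":
    for who, severity, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{severity:8} {who:10} {reason}")
```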

Congratulations! With all three ingredients in hand, we’ve successfully completed the challenge. Enjoy your journey through the Pickle Rick CTF, and remember, hacking can be fun and educational when done ethically!
