Pickle Rick CTF Writeup

Hacktivities
Published in The Startup
7 min read, May 26, 2020

This writeup documents my approach to solving the “Pickle Rick” Capture The Flag (CTF) room, which is available free to members on the TryHackMe platform. TryHackMe is an excellent place to learn new skills and have fun playing CTFs! I have provided a link to the TryHackMe platform in the references below. So with that out of the way, let’s jump into the writeup.

Disclaimer

I like to add a brief disclaimer before a writeup to encourage people to attempt the room before reading this article. There will obviously be spoilers in this writeup and I believe you will get more satisfaction from completing the CTF yourself! If you get stuck or you are not sure how to proceed, then I would advise the following:

  • Use multiple tools when enumerating the target machine.
  • Consider common methods used to escalate privileges.
  • Be patient and take regular breaks. You may notice something you didn’t see before with a fresh pair of eyes!

Background

The theme of this CTF challenge is based on the Rick and Morty TV show. Unfortunately, Rick has been transformed into a pickle and it is up to us to turn him back to his original human form! To accomplish this, we must find 3 ingredients and make a potion 🧪!

The objective of this CTF is to exploit a web server and find these 3 ingredients (flags). For this writeup, I will be using Kali Linux and some tools that come pre-installed with it. I will begin this writeup after connecting to the target machine. With the background for the CTF out of the way, let’s move on to the writeup.

Enumeration

I started off by scanning the target web server with the port scanner Nmap.

The Nmap command can be broken down as follows:

  • -Pn: Skips host discovery (the ping probe) and treats the target as up, which matters when ICMP is filtered.
  • -sV: Performs version detection for the services found on open ports.
  • -sC: Runs the default set of Nmap Scripting Engine (NSE) scripts against those services.
  • -v: Provides verbose details about the scan as it runs.
  • -oN: Writes the scan results to a file in Nmap’s normal (human-readable) format.

This scan identified port 22 (SSH) and port 80 (HTTP) open on the web server.

The scan also detected a number of other ports on the web server, but these were all filtered and therefore not reachable from my machine.
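When a scan is saved with -oN, the next step is usually to pull the open ports out of the file and leave the filtered ones aside. The following is an added example for this writeup (not the author’s code): a small parser for Nmap’s normal output format. The scan text inside it is constructed to resemble the scan described above (22 and 80 open, other ports filtered); the version strings, host key and timings are made up and are not the real scan results.

```python
"""Parse nmap normal-format (-oN) output into a port table.

Added example for this writeup, not code from the original post. The scan
text below is constructed to look like the scan described in the writeup;
versions, host key and timings are invented.
"""
import re
from dataclasses import dataclass

# Constructed sample of `nmap -Pn -sV -sC -v -oN scan.txt <target>` output.
SAMPLE_NMAP_OUTPUT = """\
# Nmap 7.80 scan initiated as: nmap -Pn -sV -sC -v -oN scan.txt 10.10.10.10
Nmap scan report for 10.10.10.10
Host is up (0.021s latency).
Not shown: 996 closed ports
PORT     STATE    SERVICE    VERSION
22/tcp   open     ssh        OpenSSH 7.2p2 (protocol 2.0)
| ssh-hostkey:
|_  2048 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff (RSA)
80/tcp   open     http       Apache httpd 2.4.18
|_http-title: Constructed title
443/tcp  filtered https
8080/tcp filtered http-proxy
Service Info: OS: Linux

# Nmap done at Tue May 26 12:00:00 2020 -- 1 IP address (1 host up) scanned in 20.12 seconds
"""

# One port line: "<port>/<proto>  <state>  <service>  [version...]".
# NSE script output lines start with "|" or "|_" and do not match.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp|sctp)\s+(?P<state>[\w|]+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)


@dataclass
class PortResult:
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_nmap_normal(text: str) -> list[PortResult]:
    """Extract every port entry from -oN text, in the order nmap printed them."""
    results = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            results.append(
                PortResult(
                    port=int(m["port"]),
                    proto=m["proto"],
                    state=m["state"],
                    service=m["service"],
                    version=(m["version"] or "").strip(),
                )
            )
    return results


def ports_in_state(results: list[PortResult], state: str) -> list[int]:
    """Port numbers whose state matches exactly, e.g. 'open' or 'filtered'."""
    return [r.port for r in results if r.state == state]


def triage(results: list[PortResult]) -> dict[str, list[int]]:
    """Group ports by state: open ports are the next enumeration targets,
    filtered ones are recorded but not chased further."""
    groups: dict[str, list[int]] = {}
    for r in results:
        groups.setdefault(r.state, []).append(r.port)
    return groups


if __name__ == "__main__":
    parsed = parse_nmap_normal(SAMPLE_NMAP_OUTPUT)
    for r in parsed:
        print(f"{r.port}/{r.proto:<4} {r.state:<8} {r.service:<10} {r.version}")
    print("open:", ports_in_state(parsed, "open"))
    print("filtered:", ports_in_state(parsed, "filtered"))
```

Only lines of the form `port/proto state service` are parsed; the script output that -sC adds (the `|` and `|_` lines) is skipped, so the parser works on the same file regardless of which NSE scripts ran.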

I decided to check out the website hosted by the web server first. Looking through the website, I noticed a comment in the web page’s source code.

The comment contained the username “R1ckRul3s” and is most likely intended to be used to log in somewhere. I decided to enumerate the website for any hidden directories or pages. I started this with GoBuster, a tool that brute-forces directory and file names: it takes a word list of common names and requests each one from the server, reporting the HTTP status code it gets back.

The GoBuster tool found the following pages and directories:

/.hta (Status: 403)
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/assets (Status: 301)
/index.html (Status: 200)
/robots.txt (Status: 200)
/server-status (Status: 403)

Looking at the pages found with status code 200 first, I found a strange looking string of text in the “robots.txt” file.

Looking at the other pages and directories, I did not find any other hints or clues about what to do next. I tried using the username I discovered earlier with the string of text found in the “robots.txt” file to SSH into the box, but this failed.

I started scratching my head a little bit about what to do next and decided to go back to enumerating the web server for any other useful information. After some time, I used a web server scanner called “Nikto” to scan the web server.

Reviewing the results from the scan showed that this tool was able to find a hidden PHP login page that my other tools failed to find. GoBuster missed it because, by default, it only requests the bare names in its word list; it will not find “name.php” unless you tell it to append file extensions with the -x option (for example “-x php,txt”).

This is a good example of why it is always a good idea to use more than one tool (and more than one set of options) when testing a target 😉!

Navigating to the login page, I am presented with the following:

I can now try the credentials discovered earlier (R1ckRul3s : Wubbalubbadubdub). These credentials work and I successfully log in.

Ingredient 1

After logging in, I am presented with a page that allows commands to be entered.

I tested this by typing in the common Linux command “ls” to list the contents of the current directory.

Cool, so I can execute commands on the web server through this web command panel. I can also see a text file called “Sup3rS3cretPickl3Ingred.txt” which looks interesting. I try using the “cat” command to view its contents, but this does not work.

It appears that this command has been disabled and cannot be used. The panel evidently blocks certain commands by name rather than restricting what can be done, so I can circumvent it with any other program that prints a file’s contents, such as “strings”.
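The “cat is blocked, strings is not” situation above is the classic failure of a command blacklist. The PHP behind the panel is not shown in the writeup, so the following is an added example (not the room’s code): a hypothetical reconstruction of a filter that refuses a few program names and passes everything else to a shell, next to the allowlist-based check a reviewer would ask for instead. The names other than “cat” in the blacklist, and the “ls”, “whoami” and “id” allowlist, are assumptions made for the example.

```python
"""Why blocking 'cat' by name does not stop file reads.

Added example for this writeup, not the room's actual code. `blacklist_allows`
is a hypothetical reconstruction of a name-based filter in front of a shell;
`hardened_argv` is the replacement: an allowlist of programs, parsed into an
argv array to be run with shell=False.
"""
import shlex
from typing import Optional

# Hypothetical blacklist. Only 'cat' is confirmed by the writeup; the other
# names are assumptions about what such a filter typically lists.
BLACKLISTED_PROGRAMS = {"cat", "head", "tail", "more", "less"}

# Programs that print file contents and are not on the blacklist. 'strings'
# is the one used in the writeup; the rest are standard tools given as
# further examples of the same idea.
FILE_READERS_NOT_BLOCKED = ["strings", "tac", "xxd", "base64"]

# Hypothetical allowlist for the hardened version.
ALLOWED_PROGRAMS = {"ls", "whoami", "id"}

SHELL_METACHARS = set(";|&$`<>(){}\n")


def blacklist_allows(command: str) -> bool:
    """The weak check: compare only the first word against the blacklist."""
    first = command.strip().split(" ", 1)[0]
    return first not in BLACKLISTED_PROGRAMS


def blacklist_bypasses(filename: str) -> list[str]:
    """Command lines that read `filename` yet pass `blacklist_allows`.

    Two families: a different reader program, and command chaining, where
    the first word is harmless and the shell runs the blocked program after ';'.
    """
    candidates = [f"{prog} {filename}" for prog in FILE_READERS_NOT_BLOCKED]
    candidates.append(f"ls; cat {filename}")
    return [c for c in candidates if blacklist_allows(c)]


def hardened_argv(command: str) -> Optional[list[str]]:
    """Allowlist check. Returns the argv to hand to subprocess.run(argv)
    with shell=False, or None if the request is refused.

    Without a shell, ';', '|' and '$(...)' inside arguments are literal
    bytes given to the program, so chaining and substitution cannot happen.
    The metacharacter check is belt-and-braces for programs that interpret
    their own arguments.
    """
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED_PROGRAMS:
        return None
    if any(set(arg) & SHELL_METACHARS for arg in argv):
        return None
    return argv


if __name__ == "__main__":
    target = "Sup3rS3cretPickl3Ingred.txt"
    print("blacklist lets through:", blacklist_bypasses(target))
    for cmd in (f"cat {target}", f"strings {target}", f"ls; cat {target}", "ls -la"):
        print(f"{cmd!r:40} -> {hardened_argv(cmd)}")
```

The point of `hardened_argv` is not the metacharacter check but the combination of a short allowlist and `shell=False`: once the program is chosen from a fixed set and the arguments are passed as an array, there is no shell left to chain a second command, and adding another file reader to the box does not reopen the hole.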

Success! The first ingredient is found and we are one step closer to making that potion 😄.

Ingredient 2

Listing the contents of the directory also showed a file called “clue.txt”. I can use the “strings” command again to look at the file’s contents.

As the name of the file suggests, we are given a clue to help find the next flag. The clue suggests I look around the file system for the other ingredient. I decided to see who I was logged in as on the web server using the “whoami” command.

The response shows that commands run as “www-data”, the web server’s service account. I decided to list the contents of the home directory to see if there were any other user folders on the web server.

I see that there are two other users called “rick” and “ubuntu”. I decided to see if I could list the contents of the “rick” folder and see what files might be in the directory.

Looks like there is a second file called “second ingredients”, with spaces in its name, stored in the “rick” user’s directory. I can use the “strings” command again to get the contents of this file (the name has to be quoted, otherwise the shell treats each word as a separate file).

Two ingredients down and one more to go 😃!

Ingredient 3

Unfortunately, there were no clues found to indicate where to search next for the final ingredient (flag). In CTFs like this, the final task is usually to get root on the target machine. I decided to start looking for ways to gain root privileges on the web server. I quickly found that I could escalate my privileges on the target machine by exploiting “sudo” access. The “sudo” command allows you to run commands as a different user, usually with elevated privileges, according to the rules in the sudoers configuration.

I started by first checking what the current user is permitted to run with “sudo” (sudo -l lists the matching rules).

The figure above shows the sudoers entry that applies to the current user. The text surrounded in red is of special importance: it denotes that this user can run all commands, as any user including root, without having to provide a password. I tried using the “sudo” command to list the contents of the “/root” folder.

It worked and I can see two files stored in the directory. Using “sudo” with the “strings” command, I can view the contents of the “3rd.txt” file, which looks promising.
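Reading `sudo -l` output by eye is fine for one box, but the rule shape that matters is easy to check mechanically. The following is an added example for this writeup (not the author’s code): a parser for the rule lines `sudo -l` prints and a check for the “become root with no password” case the writeup exploits. The sample output is constructed: the host name and the second, harmless rule are invented, and only the `(ALL) NOPASSWD: ALL` shape corresponds to what the writeup describes.

```python
"""Read `sudo -l` output and flag rules that grant root without a password.

Added example for this writeup, not the author's code. SAMPLE_SUDO_L is
constructed: the host name and the '/bin/ls' rule are invented.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on constructed-host:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User www-data may run the following commands on constructed-host:
    (ALL) NOPASSWD: ALL
    (root) /bin/ls
"""

# A rule line: "(runas_user[ : runas_group]) [TAG: ...] command[, command...]"
RULE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$"
)


@dataclass
class SudoRule:
    runas_user: str
    runas_group: Optional[str]
    nopasswd: bool
    commands: list[str] = field(default_factory=list)


def parse_sudo_l(text: str) -> list[SudoRule]:
    """Parse the rule lines that follow 'may run the following commands'.

    The 'Matching Defaults entries' block before that line is skipped; it
    holds options such as secure_path, not permissions.
    """
    rules = []
    in_commands = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_commands = True
            continue
        if not in_commands:
            continue
        m = RULE.match(line)
        if not m:
            continue
        user, _, group = m["runas"].partition(":")
        tags = {t.strip() for t in m["tags"].split(":") if t.strip()}
        cmds = [c.strip() for c in m["cmds"].split(",") if c.strip()]
        rules.append(
            SudoRule(
                runas_user=user.strip(),
                runas_group=group.strip() or None,
                nopasswd="NOPASSWD" in tags,
                commands=cmds,
            )
        )
    return rules


def root_without_password(rules: list[SudoRule]) -> list[SudoRule]:
    """Rules equivalent to 'sudo su' with no prompt: NOPASSWD is set, the
    run-as user covers root (ALL or root), and the command list is ALL."""
    return [
        r for r in rules
        if r.nopasswd and r.runas_user in ("ALL", "root") and "ALL" in r.commands
    ]


if __name__ == "__main__":
    rules = parse_sudo_l(SAMPLE_SUDO_L)
    for r in rules:
        print(f"runas={r.runas_user:<5} nopasswd={r.nopasswd!s:<5} commands={r.commands}")
    for r in root_without_password(rules):
        print("full root without a password:", r)
```

A rule that does not meet all three conditions (for example the constructed `(root) /bin/ls`, which still prompts for a password and runs one fixed binary) is parsed but not flagged; deciding whether a specific permitted binary can be abused is a separate, per-program question that this check does not attempt.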

Thus, we have our final ingredient and can turn Rick back to his original self 😃 💉!

Closing Remarks

This was another fun CTF that is perfect for getting beginners into cyber security through fun challenges and problem solving. The TryHackMe platform has lots of different rooms and is a great way to learn new skills or brush up on old ones.

For more cyber security related content, feel free to follow me on Twitter: @TheTMC113

Till next time 😃 🍻!
