Pickle Rick — CTF — Walkthrough-TryHackMe
Visit https://tryhackme.com/room/picklerick and join the room.
VPN: 10.9.227.16
Attacker i/p: 10.10.199.174
Penetration Testing Methodology
Network Scanning
Nmap Scan
Enumeration
Enumerating HTTP Service
Extracting Username from Source Code
Directory Bruteforce using dirb
Extracting Password from robots.txt
Directory Bruteforce using dirb [Extension]
Logging into the Web Application
Exploitation
Exploiting Command Module
Enumerating for Ingredients
Invoking Reverse Shell
Extracting the First Ingredient
Enumerating Rick’s files
Extracting the Second Ingredient
Privilege Escalation
Enumerating Sudo Permissions
Exploiting Sudo Permissions
Getting Root Shell
Extracting the Third Ingredient
Network Scanning
nmap -Pn -A 10.10.199.174
The scan shows 2 open ports. Since HTTP has a bigger attack surface, I’ll start by enumerating it.
Opening the webpage 10.10.199.174
Looks like a message from Rick. The three secret ingredients are inside Rick’s computer. I have to get them. Before that, let’s check the source code for more information. We check the source code to find the username R1ckRul3s.
Since we have the username, let’s look for the password using brute-force techniques. You can try SSH, or brute-force directories using dirb. First, I brute-forced directories with tools like Gobuster and found /robots.txt with status 200.
We can use any of the following commands to see the hidden files:
dirb http://10.10.199.174
gobuster dir -u http://10.10.199.174 -w /usr/share/dirb/wordlists/common.txt
gobuster dir -u http://10.10.199.174 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html -t 30
Let us check these files. In many boxes, the clues are in robots.txt and HTML files. Let us start the exploration with those.
Hurray, I hope it's the password. We have to know the username and password. I tried to connect to the server via SSH with the collected login credentials, but permission was denied.
Wubbalubbadubdub
User- R1ckRul3s, Password- Wubbalubbadubdub
So, I looked around in index.html and /assets in my browser, and found nothing except GIFs and images, nothing interesting.
I decided to continue enumerating the webpage. I can run gobuster, the dirbuster GUI, dirb, or nikto again to see the hidden files. You can use any of the following commands, but for ease, I ran the dirbuster GUI.
nikto -h 10.10.199.174
dirb http://10.10.199.174 -X .php
Navigating to portal.php redirects to Login.php, which gives us a login page.
Exploitation
We were able to log in using the credentials. There were a bunch of other pages and options on the menu. However, the Commands tab attracted our attention. As expected, a panel can be used to run system commands on the target machine. We ran the ls command to find a text file by the name of Sup3rS3cretPickl3Ingred.txt
On entering the above login details (User- R1ckRul3s, Password- Wubbalubbadubdub), I got the command panel.
We get a command panel where it looks like we can type commands and it executes them. Now, we should execute some Linux commands to get the ingredient flags.
The ls -lah command gives us the directory listing, including hidden files, of the current working directory.
Hopefully we will now get the answers for the THM tasks.
What is the first ingredient Rick needs?
I tried to open text files
cat Sup3rS3cretPickl3Ingred.txt
We got the .txt file. If we use the cat command, we won’t get the flag because the command is disabled.
So, I used the less command instead of cat and got the first flag.
less Sup3rS3cretPickl3Ingred.txt
OR
http://10.10.28.46/Sup3rS3cretPickl3Ingred.txt
mr. meeseek hair
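The cat/less result above shows why blocking individual command names does not limit what a command panel can read. As an added example (not code from the room or from this walkthrough), the Python below models a denylist like the one the panel appears to use and contrasts it with a server-side allowlist; the denylist contents, the action names and all function names are assumptions.

```python
import shlex
import subprocess

# Assumed model of the panel's filter; the page only states that cat is disabled.
DENYLIST = {"cat"}

def denylist_allows(command_line):
    """Weak check: reject only when the first word is a known-bad command."""
    try:
        tokens = shlex.split(command_line)
    except ValueError:          # unbalanced quotes: refuse rather than guess
        return False
    return bool(tokens) and tokens[0] not in DENYLIST

# Hardened form: the client names an action, the server owns the argv.
# Hypothetical actions; none of them accepts caller-supplied arguments.
ALLOWED_ACTIONS = {
    "uptime": ["uptime"],
    "disk": ["df", "-h"],
}

def allowlist_resolve(action, args=()):
    """Return the fixed argv for a permitted action, or None to reject."""
    if args or action not in ALLOWED_ACTIONS:
        return None
    return list(ALLOWED_ACTIONS[action])

def run_action(action, args=()):
    """Execute a permitted action without a shell; raise on anything else."""
    argv = allowlist_resolve(action, args)
    if argv is None:
        raise PermissionError(f"action not permitted: {action!r}")
    done = subprocess.run(argv, capture_output=True, text=True, timeout=5)
    return done.stdout

# Constructed sample inputs, taken from the commands used in the walkthrough.
SAMPLES = [
    "cat Sup3rS3cretPickl3Ingred.txt",
    "less Sup3rS3cretPickl3Ingred.txt",
    "ls -lah",
]

def compare(samples=SAMPLES):
    """Map each sample to (denylist verdict, allowlist verdict)."""
    out = {}
    for line in samples:
        name, *rest = line.split()
        out[line] = (denylist_allows(line), allowlist_resolve(name, rest) is not None)
    return out

if __name__ == "__main__":
    for line, verdicts in compare().items():
        print(f"{line!r}: denylist={verdicts[0]} allowlist={verdicts[1]}")
```

The denylist admits every file reader it does not name, while the allowlist rejects anything that is not a predefined action with a server-owned argument list.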
Whats the second ingredient Rick needs?
I opened clue.txt, but I don’t think it's beneficial.
ls -la /home
ls -la /home/rick
less '/home/rick/second ingredients'
1 jerry tear
Whats the final ingredient Rick needs?
Now it’s time for the third and last flag. To get it, I checked the user permissions by typing sudo -l, and we can see that there are no restrictions, and the existing user can run commands with sudo.
sudo -l
Cool, we can do everything using the sudo command. Let's see what is inside the /root directory.
sudo ls -la /root
sudo less /root/3rd.txt
3rd ingredients: fleeb juice
Finally!!! All three flags were captured, and the task is completed successfully.
Done!!!!!! Let us see the answers to the challenge questions now.
Deploy the virtual machine on this task and explore the web application.
What is the first ingredient Rick needs?
mr. meeseek hair
Whats the second ingredient Rick needs?
1 jerry tear
Whats the final ingredient Rick needs?
fleeb juice
Thank you very much for reading. As I always mention in every blog, suggestions are always welcome, and I am open to discussing other methods to complete the same task. I hope you find this useful, and if there is something you would like to add or any suggestions, you can contact me anytime.