Solving Pickle Rick: An Online CTF Challenge on TryHackMe

Sabid Mahmud — Sun, 25 Feb 2024 01:00:11 +0000

Hacking involves a different way of looking at problems that no one's thought of.

A CTF, or Capture The Flag, is a cybersecurity competition where participants solve a variety of challenges to find hidden flags, usually in the form of strings or codes. These challenges span different areas of cybersecurity, such as cryptography, web exploitation, reverse engineering, and more. CTFs are important as they provide a hands-on, practical way for individuals to enhance their cybersecurity skills, learn about real-world vulnerabilities, and stay sharp in an ever-evolving field. They simulate the experience of facing and solving security issues, making them a valuable training ground for cybersecurity professionals and enthusiasts alike.

This particular CTF Pickle Rick is a very easy and beginner level problem. Let's dive into the world of capture the flag whith this Pickle Rick challange on TryHackMe. If you're up for the adventure, click HERE to be redirected to the challenge.

As we click on the start machine button, we will get an IP address of the target machine.

We see that, the challenge is all about finding vulnerabilities in the website. We need to find 3 flag to help rick. Let's find out.

At first we need to find the open ports in the target server.
Before that, one thing to keep in mind that, we can not attack this particular machine from outside of it's network. To interact with this machine, either we need to use the online VM provided by tryHackMe or use the openVPN configuration to be accessible to that network.

Now, let's scan the ports of the machine using nmap.

From the nmap scan, we have found some valuable information about the open ports (port 22 which is used for ssh and port 80 for http) and the OS (linux) of the machine.

Now, let us see what we find inside the port 80. To do this we can use a tool named dirbuster.

DirBuster is a tool used for directory and file brute-forcing on web servers. It's designed to discover hidden directories and files by launching a dictionary-based attack against a web server. The primary goal is to identify paths or directories that might not be immediately visible but could potentially contain sensitive or interesting information.

Now, we will use another tool, Nikto to scan the webserver.
Nikto is a powerful and versatile tool that helps users identify misconfigurations, outdated software, and potential security risks.

Let's see what is in the file login.php that we found from the nikto scan. Just by browsing http://10.10.171.210/login.php we can see the page.

Interesting! We got a login page which might be the admin login interface of this webserver.

From the dirbuster scan we have found two files: index.html, and robots.txt with code 200 which means these files are accessible.

Let's see what we got in the index.html file. As I pasted the link http://10.10.171.210/index.html in the browser, we got an website.

Now, we should check the source code of this page to see if there is any clue.

Hey look, we have found a username in the source-code.

Let us explore other pages.. we found from the dirbuster scan.

I have found some random letters in the robots.txt file. These might be a password for the user we found in the source code.

Let us find out...

I will try the username and the string from robots.txt in the login.php page.

A new page appeared.. which is basically the webserver home page. We got a box to input the commands. Let's explore the files and find the hidden flag for Rick.

Here I have given the ls command to see the files. I have found a interesting txt file, Sup3rS3cretPickl3Ingred.txt.
Now I am going to browse this file and see what is inside. This might be the 1st ingredient for Rick.

We have found the first ingredient. Let us submit this and check.

Yes! this was the first ingredient.

We have to find the second ingredient now.
I looked into the clues.txt file and found this..

Lets check the file system for more ingredients.
By using the cd /; ls -al; command I moved up to the root directory and list all the elements.

Let's check the home directory first. Because it is the directory where all the user data is saved in a linux system.

By entering the command cd /home; ls -al I have listed the elements in the /home/ directory. There are two folder for two users; rick & ubuntu.

As we already have explored the elements of the ubuntu directory, let's change the directory to rick.

Look what have I found!! There is the second ingredient.
We can see the second ingredient using this command: less /home/rick/'second ingredient'.

After submitting the second ingredient, let's find out the third ingredient.
To find the third ingredient, we will check on another interesting directory which is /root. But this directory can not be accessible without admin or superuser privilege. We are going to check if we can use the sudo command from this command box. For this I am going to enter this command in the command box: sudo -l.
Why we did that?

ok.. The sudo -l command is used to list the allowed (or forbidden) commands that a user can execute with sudo privileges. When you run sudo -l, it shows the user's sudo (superuser do) privileges, indicating the commands and options they are permitted to run with elevated privileges.

Here's what the different outputs might mean:

User has no sudo privileges:
If the output is something like "User [username] is not allowed to run sudo on [hostname].", it means that the user does not have any sudo privileges.
User has sudo privileges with restrictions:
If the output shows specific commands and options the user can run, it means the user has sudo privileges, but only for the listed commands and options.
User has unrestricted sudo privileges:
If the output shows "User [username] may run the following commands on [hostname]:", followed by a list of commands, it means the user has sudo privileges for those commands without any restrictions.

For example, if the output is something like this:



User [username] may run the following commands on [hostname]:
    (ALL : ALL) ALL

That means that the user has unrestricted sudo privileges and can run any command as any user on any host.

In our case, after I have run this command, the output is:

It means that we have the sudo privilege of this application.
Now, let me check what is in the root directory by using the command sudo ls -al /root/.

Look what it is! We have just found the 3rd ingredient for Rick. We need to view what is writen in the 3rd.txt file by using the command less and submit it. Let's do it.

After submitting this, it was successfully accepted.

Voilà! We captured all the flags! Challenge solved.

DEV Community: Sabid Mahmud

Solving Pickle Rick: An Online CTF Challenge on TryHackMe