TryHackMe: Pickle Rick

3thixs, CTF

Task 1 (Pickle Rick)

This Rick and Morty themed challenge requires you to exploit a webserver to find 3 ingredients that will help Rick make his potion to transform himself back into a human from a pickle.

Deploy the virtual machine on this task and explore the web application:

You can also access the web app using the following link: https://ip.p.thmlabs.com (this will update when the machine has fully started)

Enumeration

The first thing you should do is take a thorough look at the machine. This includes both the homepage itself, as well as the server and network.

Home page

There is not much to see or do. So let’s move on straight ahead.

Source code

Let’s look at the source code. Here we find a username:

Username: R1ckRul3s

Let’s definitely remember this. But there is nowhere to use it for now.

But there is a warning in the console:

Burp Suite

It is also a good idea to do a simple GET request to the homepage, and intercept it in Burp. This gives the following info:

We can see a PHPSESSID, which points us to the fact that the server is running on PHP.

Wappalyzer

Wappalyzer is a plugin for Firefox that can be run to find out some info about the web server, frameworks, and more. This is an alternative to manually looking at the different aspects. It gives us the following info:

NMap:

Webpages normally run on port 80 (HTTP) and 443 (HTTPS), but can be run on any port, so let’s use NMap to find out more.

nmap -sV -sC -oN nmap.txt TARGET_IP

Now we know about port 22 and 80 we can get more info on them by using the -A flag:

sudo nmap -A -Pn -T4 -p22,80 TARGET_IP

We found out about the version of SSH running on port 22, the host keys, as well as more info on the webserver on port 80.

Nikto

Nikto is a web server scanner. It outputs the following (nikto -h ip):

Interesting. It found a login page. This also confirms that we are dealing with PHP. Let’s look at that later, after we have used gobuster.

We also found a robots.txt file. A robots.txt file tells search engine crawlers which URLs the crawler can access on your site. This can often be a source of valuable information in a CTF. In this case the robots.txt exists and contains the following text:

Wubbalubbadubdub

Hmmm?

Gobuster

Gobuster can be used to bruteforce directories and files on a web site. Let’s run a gobuster scan to get a feel for the directory structure of the website:

gobuster dir -u 10.10.129.55 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Gobuster found two directories, assets and server-status. We don’t have permission to visit server-status, but let’s take a look at assets:

The .js files seem normal, and so do the images.

Let’s run gobuster again, but now with specific file extensions to look for. We know that the server is running PHP, and therefore we can search specifically for that type of file, as well as for .html and .txt files.

Now we are talking:

Lots of interesting files and pages.

We found a login.php page:

And a portal.php and denied.php page which return a 302 (temporary redirect).

Let’s try the portal login page. We have a username: R1ckRul3s, and we also found the text Wubbalubbadubdub in the robots.txt file, which could be a password.

I guess it is time for some Command Injection!

Look at that! A text file called Sup3rPickl3Ingred.txt. That seems like something worth checking out.

We are not allowed to use the cat command:

Luckily, we can use other commands to read a file. Nano? Nope. Less? YES! Tac is possible as well.

Let’s continue entering commands. If we write tac portal.php we can read portal.php. We get to see some interesting code:

This shows us the commands that are blocked.

Seems like sudo is not blocked. We can use sudo -l to list all commands we can use:

This means that we can run all commands (well, except for the 7 mentioned above) without a password!
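As an added example (not part of the original writeup and not the challenge’s own portal.php), the following Python contrasts a substring denylist like the one described above, which tac and less walk straight past, with an allowlist that resolves the command to a fixed argv and never goes through a shell. The denied words, the permitted programs and the /var/www/html path are assumptions chosen for illustration.

```python
import shlex
import subprocess

# Constructed denylist modelled on the page's description (cat and nano are
# rejected); it is not the challenge's real filter and is deliberately weak.
DENIED_WORDS = {"cat", "nano"}


def denylist_allows(cmd: str) -> bool:
    """Weak check: rejects only if a denied word occurs in the raw string.

    Any other program that reads files (tac, less, ...) is still permitted,
    and so is sudo, which is exactly the gap the writeup walks through.
    """
    return not any(word in cmd for word in DENIED_WORDS)


# Hardened alternative: an exact allowlist of programs, each with its own
# argument rule. Everything not listed is disabled by default.
# (Assumed set for illustration; a real app would allow only what it needs.)
ALLOWED = {
    # ls: flags only, and a single fixed directory rather than arbitrary paths
    "ls": lambda args: all(a.startswith("-") or a == "/var/www/html" for a in args),
    # whoami: no arguments at all
    "whoami": lambda args: args == [],
}


def allowlist_argv(cmd: str):
    """Return the argv to execute if cmd is permitted, otherwise None.

    shlex.split tokenises like a shell but does not interpret metacharacters,
    so "ls; whoami" yields the program "ls;", which is not in the allowlist.
    """
    try:
        argv = shlex.split(cmd)
    except ValueError:  # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED:
        return None
    if not ALLOWED[argv[0]](argv[1:]):
        return None
    return argv


def run_allowlisted(cmd: str) -> str:
    """Execute an allowlisted command without a shell; refuse anything else."""
    argv = allowlist_argv(cmd)
    if argv is None:
        return "command disabled"
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout
```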

Before moving on, it is important to remember the clue.txt we found, which says:

Look around the file system for the other ingredient.

So we should be looking more around in the file system!

Nothing in the root. Let’s look in the home directory.

Interesting. Let’s look in the rick home directory. There we are:

Read it to find the second ingredient:

Finally, we can look at the root user’s home directory. To see the files in that directory we need to use sudo before ls:

Read 3rd.txt with tac or less:

We are done!

Questions

What is the first ingredient Rick needs?

Answer: mr. meeseek hair

What’s the second ingredient Rick needs?

Answer: 1 jerry tear

What’s the final ingredient Rick needs?

Answer: fleeb juice

© 3thixs