Pickle Rick
CTF writeup for the box, Pickle Rick, available on TryHackMe
You're missing out if you've not watched the show Rick & Morty! It's not for everyone, but I find it hilarious. Anyways, the show inspired this box.
So, the first thing we need to do is start the machine. Once we've done that, go to the URL provided. Let's open this in our browser.
It doesn't appear there's much here to do. Let's look at the Page Source and see if anything is interesting.
Nice! We've got ourselves a username in the HTML comments. Let's make a note of that for later.
We can also pull up our browser developer tools and look through the CSS for any comments or if any scripts are running. However, there isn't anything notable. Let's go ahead and quickly check for robots.txt or sitemap.xml. These files may provide clues to other web directories we may want to visit.
Unfortunately, the sitemap.xml doesn't exist, but we did learn some information about the web server, which may be helpful later. We call this an "information disclosure." It may seem trivial, but this provides attackers with extra information about their targets. Ideally, these shouldn't occur.
The robots.txt file, unfortunately, didn't contain any web directories either. Perhaps "Wubbalubbadubdub" means something, so we'll note it for now.
Let's go ahead and launch Gobuster, a web scanner, to enumerate the webserver for additional directories.
gobuster dir --url https://10-10-169-113.p.thmlabs.com/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -o gobuster_findingsWhat we're doing here is using a wordlist to guess directories. For example, Gobuster will attempt
https://10-10-169-113.p.thmlabs.com/indexhttps://10-10-169-113.p.thmlabs.com/images
and so on until all the words in the text file have been tried.
Eventually, Gobuster will find /login.php Let's go take a look!
Let's try what we've found and see if they're credentials.
- Username: R1ckRul3s
- Password: Wubbalubbadubdub
And it works! We're in!
Poking around, we can see we cannot access anything other than the Commands tab. Since we know this is a Linux server (Ubuntu), let's try executing some commands.
ls allows us to list the directory contents and look what we've found!
We can try reading the file with the command
cat but unfortunately, that command is disabled. We'll need to try another command.
A few options that work are
tac Sup3rS3cretPickl3Ingred.txt or grep '' Sup3rS3cretPickl3Ingred.txtIt looks like we found our first ingredient! We can confirm this by copying / pasting it into TryHackMe.
Next, let's open that clue.txt file we came across earlier. Again, we'll run
tac clue.txtWe get a hint about looking around the file system.
Before we do that, though, let's see who we are first by running
whoami
Okay, so we're the webserver's user account.
Let's see where we are by running
pwd (print working directory). We see we're in /var/www/htmlLet's try listing directories and see if we can access any user's home directories.
Alright, so it looks like we found a new file, and we have rwx permissions to it. Use
tac ../../../home/rick/second\ ingredients to read the file.
Nice! 2 down, 1 to go! Where is it?
Let's try viewing the root user's home directory with
ls -alh ../../../root/Hmm, nothing shows up! Maybe we can sudo?
sudo -l
Nice! We're able to run any command with sudo without any passwords. Let's try rereading the root user's directory using sudo to elevate our privileges.
sudo ls -alh ../../../root/
Let's open that file!
Great job! We found all of the ingredients and beat the box!
Last modified 2mo ago