Vuk Markovic - Blog

TryHackMe - Pickle Rick


Pickle Rick Walk-through By V

  • Category: Easy

In this CTF we are going to exploit a vulnerable server.

We have a pretty straightforward attack surface, so we won't be going down the rabbit hole.

Let's begin:

Enumeration and Fingerprinting:

First of all, we are going to enumerate and fingerprint the web server.

In other words, we are going to identify the type and version of the web server.

Nmap Command: nmap -sC -sV -p- <IP of the targeted machine>

After the scan finishes we will get the following open ports:

  • 22/TCP SSH
  • 80/TCP HTTP

If we go to the web page of the CTF web app and we view the source code of the page we will find our username, which is:

  • R1ckRul3s

Next, we are going to try and enumerate the infrastructure with gobuster:

GoBuster Command: gobuster dir -u http://IP -x php,js -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

From the given results, we can use:

  • /login.php
  • /robots.txt

Just a reminder: robots.txt is worth looking up at its URL because it can leak information about meta-files on the server.

Informational:

In this case we are dealing with the Robots Exclusion Protocol (REP), which is implemented through the robots.txt file. It's a standard used by Network Admins to instruct web crawlers and search engines on which parts of their site should not be crawled or indexed. The file is advisory and readable by anyone, so anything written in it is effectively public.

At /robots.txt we will find the password for the user R1ckRul3s, which is:

  • Wubbalubbadubdub
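
A defensive check for the two leaks found so far (a username in the page source and a password in robots.txt), added here as an example and not part of the original walk-through: it flags robots.txt lines that are not REP directives and HTML comments that mention credential-like words. The function names, the keyword list, the sample inputs and the assumption that the username sits in an HTML comment are all constructed for illustration.

```python
import re

# REP fields (RFC 9309) plus widely used extensions.
KNOWN_FIELDS = {"user-agent", "allow", "disallow", "sitemap", "crawl-delay", "host"}
# Words that suggest a credential or internal note was left behind (assumed list).
SENSITIVE = re.compile(r"\b(user(name)?|pass(word|wd)?|secret|token|api[_-]?key)\b", re.I)
COMMENT = re.compile(r"<!--(.*?)-->", re.S)


def audit_robots(text):
    """Return (line_number, line) for lines that should not be in robots.txt."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        body, _, comment = raw.partition("#")      # '#' starts a comment
        field, sep, _ = body.partition(":")
        is_directive = bool(sep) and field.strip().lower() in KNOWN_FIELDS
        # Flag free text that is not a directive, and comments with sensitive words:
        # both are served to every visitor.
        if (body.strip() and not is_directive) or SENSITIVE.search(comment):
            findings.append((n, raw.strip()))
    return findings


def audit_html_comments(html):
    """Return the text of HTML comments that mention credential-like words."""
    return [c.strip() for c in COMMENT.findall(html) if SENSITIVE.search(c)]


# Constructed sample inputs (placeholders, not the room's real content).
ROBOTS_BAD = "ExamplePlaceholderSecret\n"
ROBOTS_OK = ("User-agent: *\nDisallow: /admin/  # keep crawlers out\n\n"
             "Sitemap: https://example.com/sitemap.xml\n")
HTML_BAD = ("<html><body><h1>Help</h1>\n<!--\n  Note to self, remember username!\n"
            "  Username: EXAMPLE_USER\n-->\n</body></html>")

if __name__ == "__main__":
    print(audit_robots(ROBOTS_BAD))
    print(audit_robots(ROBOTS_OK))
    print(audit_html_comments(HTML_BAD))
```

Run against the built site before deployment, a non-empty result from either function is a reason to fail the build.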

Login Portal:

Now we can proceed to http://IP/login.php and enter the user, which is R1ckRul3s, and the password, which is Wubbalubbadubdub.

Searching for Ingredients:

Once we log in, we will see a terminal with a graphical interface, so, after some searching, we can type in:

ls -la ( This will give us a list of directories and files that are accessible )

There we can see our 1st ingredient in .txt format. Let's display it and start answering our questions:

less Sup3rS3cretPickl3Ingred.txt

What is the first ingredient that Rick needs?

mr.meeseek hair

Let's see where we are by executing the command pwd, then execute the command ls ../../../home. There we can see two users, rick and ubuntu. Next, let's run:

ls ../../../home/rick

less ../../../home/rick/"second ingredients"

What is the second ingredient in Rick’s potion?

1 jerry tear

For the final ingredient we are going to use the sudo command, so we are going to execute the next set of commands:

sudo ls ../../../root

sudo less ../../../root/"3rd.txt"

What is the last and final ingredient?

fleeb juice

Tip for the end:

Always document your findings and keep them organized in folders. It's good practice for real-world cyber events, bug bounties, penetration tests, etc. Use an external hard drive or SSD if you want to save space on your disk, but always keep all findings documented.