TryHackMe: Pickle Rick
“This Rick and Morty themed challenge requires you to exploit a web server to find 3 ingredients that will help Rick make a potion to transform himself back into a human from a pickle.”
Link to Box: https://tryhackme.com/room/picklerick
There’s a web app for you to look at after you spawn the machine:
So it looks like I need to be on the lookout for a password. Also, if you inspect this webpage you can actually see that Rick left a comment with his username: R1ckRul3s
I tried to SSH in with this username but got denied:
After this I did an nmap scan:
Looks like ssh is open, and also that same web app I saw earlier.
After this I tried looking for different directories with gobuster. I found /assets and /server-status.
In the assets directory I found a few gifs and jpegs:
At /server-status I got this:
I then found this at /robots.txt
It could potentially be a password, so I’ll save it for later.
After this I used Nikto and got the following results:
It mentions the robots.txt stuff I already found, but also something more alluring, a login.php page. Don’t mind if I do…
I used the following:
And it worked! Looks like I arrived at a “Command Panel”
Time to explore the other tabs first though. The potions tab just showed this and directed me to /denied.php
The same thing on all the others.
After some testing with the command panel, it appears to work just like a normal command line, with some limitations. I tried “cat flag.txt” and got this:
Interestingly though, after you get this failure gif there is what looks like some Base64 in a comment when you inspect the web page. However, I could not decode it.
This was displayed after I used the “ls” command.
This is showing other directories I’ve already been to, like /login.php and /assets, I just navigated to the new ones I wanted with my browser.
I found the first secret ingredient this way.
clue.txt just tells me to look around the file system for more ingredients:
What next? The “whoami” command shows I’m apparently logged in as www-data:
“ls /home” shows this:
“ls /home/rick” shows that he has the second ingredients
These are the permissions set for that:
Ok, so there is actually another way to get around the whole “cat” thing not working. You can use the “less” command, which is supposed to print the contents of a file page by page if you have a large volume of output.
With this I was able to show the second ingredient:
I used the same trick on the /etc/passwd file but didn’t get anything interesting:
It seems like the next step is to escalate privileges and maybe try to get into those other tabs. I’m still roaming around as “www-data”. I used “sudo -l” to see what I could actually do as this user.
What this basically says down at the bottom is that www-data can apparently do anything they want with no password.
Earlier I noticed I couldn’t see anything in the /root directory, but now that I know I can use sudo, it shows more information:
I used the less trick again here:
And finally got the third ingredient!
I kind of wanted to look at all those other tabs, especially the “Beth Clone notes”. But these were probably just a distraction.