TryHackMe: Pickle Rick

“This Rick and Morty themed challenge requires you to exploit a web server to find 3 ingredients that will help Rick make a potion to transform himself back into a human from a pickle.”

Link to Box:

Difficulty: Easy

There’s a web app for you to look at after you spawn the machine:

So it looks like I need to be on the lookout for a password. Also, if you inspect this webpage you can actually see that Rick left a comment with his username: R1ckRul3s

I tried to SSH in with this username but got denied:

After this I did an nmap scan:

Looks like SSH is open, and also that same web app I saw earlier.

After this I tried looking for different directories with gobuster. I found /assets and /server-status.

In the assets directory I found a few gifs and jpegs:

At /server-status I got this:

I then found this at /robots.txt:

It could potentially be a password, so I’ll save it for later.

After this I used Nikto and got the following results:

It mentions the robots.txt stuff I already found, but also something more alluring, a login.php page. Don’t mind if I do…

I used the following:

username: R1ckRul3s

password: Wubbalubbadubdub

And it worked! Looks like I arrived at a “Command Panel”

Time to explore the other tabs first though. The potions tab just showed this and directed me to /denied.php

The same thing on all the others.

After some testing with the command panel, it appears to work just like a normal command line, with some limitations. I tried “cat flag.txt” and got this:

Interestingly though, after you get this failure gif there is what looks like some Base64 in a comment when you inspect the web page. However, I could not decode it.

This was displayed after I used the “ls” command.

This is showing other directories I’ve already been to, like /login.php and /assets. I just navigated to the new ones I wanted with my browser.

I found the first secret ingredient this way.

clue.txt just tells me to look around the file system for more ingredients:

What next? The “whoami” command shows I’m apparently logged in as www-data:

“ls /home” shows this:

“ls /home/rick” shows that he has the second ingredients.

These are the permissions set for that:

Ok, so there is actually another way to get around the whole “cat” thing not working. You can use the “less” command, which is supposed to print the contents of a file page by page if you have a large volume of output.

With this I was able to show the second ingredient:

I used the same trick on the /etc/passwd file but didn’t get anything interesting:

It seems like the next step is to escalate privileges and maybe try to get into those other tabs. I’m still roaming around as “www-data”. I used “sudo -l” to see what I could actually do as this user.

What this basically says down at the bottom is that www-data can apparently do anything they want with no password.
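From the defender's side, a rule that lets the web server account run any command through sudo without a password is what turns a web bug into full root access. The following audit sketch is an added example, not part of the original write-up: the sudoers lines are constructed, the service-account list is an assumption, and `audit_sudoers` is a hypothetical helper name.

```python
import re

# Constructed sample sudoers content; not taken from the machine in the write-up.
SAMPLE_SUDOERS = """\
Defaults env_reset
root      ALL=(ALL:ALL) ALL
%sudo     ALL=(ALL:ALL) ALL
www-data  ALL=(ALL) NOPASSWD: ALL
backup    ALL=(root) NOPASSWD: /usr/bin/rsync, /bin/tar
deploy    ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app, \\
          ALL
"""

# Assumed list of accounts that run network-facing services; adjust per host.
SERVICE_ACCOUNTS = {"www-data", "nginx", "apache", "mysql", "postgres", "nobody"}

# user-or-%group, host list, '=', then runas spec / tags / commands
RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+?)\s*=\s*(?P<rest>.+)$")

def join_continuations(text):
    """Merge lines that end in a backslash, which sudoers permits."""
    return re.sub(r"\\\n\s*", " ", text)

def audit_sudoers(text, service_accounts=SERVICE_ACCOUNTS):
    """Return (user, severity, reason) tuples for risky rules.
    Simplified: skips aliases and includes, ignores per-command tag scoping."""
    findings = []
    for raw in join_continuations(text).splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")) or "_Alias" in line:
            continue
        m = RULE.match(line)
        if not m:
            continue
        who, rest = m.group("who"), m.group("rest")
        nopasswd = "NOPASSWD:" in rest
        # Drop the "(runas)" spec and tags such as "NOPASSWD:" to leave commands.
        rest = re.sub(r"\([^)]*\)|\b[A-Z_]+:", " ", rest)
        cmds = [c.strip() for c in rest.split(",") if c.strip()]
        service = who in service_accounts
        if nopasswd and "ALL" in cmds:
            severity = "critical" if service else "high"
            findings.append((who, severity, "passwordless sudo for every command"))
        elif service:
            findings.append((who, "review",
                             "service account has sudo rights: " + ", ".join(cmds)))
    return findings

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

On a real host, feed it the contents of /etc/sudoers and each file under /etc/sudoers.d; the fix for a "critical" finding is to delete the rule or narrow it to the specific commands the service needs.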

Earlier I noticed I couldn’t see anything in the /root directory, but now that I know I can use sudo, it shows more information:

I used the less trick again here:

And finally got the third ingredient!

I kind of wanted to look at all those other tabs, especially the “Beth Clone notes”. But these were probably just a distraction.
